A deliberately vulnerable AI banking assistant built to simulate real-world LLM security failures including:
- Prompt Injection
- RAG Poisoning
- Insecure Tool Calling
- Filesystem Exposure
- Multi-Stage Exploitation Chains
- Context Leakage
- Unsafe Agent Orchestration
This project is designed for:
- AI Security Research
- Red Teaming Practice
- Prompt Injection Demonstrations
- LLM Exploitation Labs
- Educational Cybersecurity Use
This project is intentionally vulnerable.
It is designed strictly for:
- educational purposes
- AI security research
- defensive experimentation
- red-team simulations
Do NOT deploy this in production environments.
The chatbot gradually leaks information depending on user probing depth.
- Storage hints
- Filesystem hints
- Diagnostic interface discovery
- Command discovery
- Internal log access
- RAG poisoning chain
- Knowledge-base exploitation
The chatbot exposes a simulated internal diagnostic interface:
ls <path>
read <path>Examples:
ls /
read internal/logs/txn_debug.logSome resources require tokens:
read internal/admin.txt | A1x9The system contains intentionally unsafe prompt orchestration allowing:
- hidden instruction leakage
- internal behavior manipulation
- context extraction
- prompt-guided escalation
The project includes a vulnerable Retrieval-Augmented Generation (RAG) simulation.
Features:
- insecure retrieval logic
- unsafe trust of retrieved context
- poisoned knowledge documents
- hidden debug instructions
Example attack path:
1. Probe storage architecture
2. Discover filesystem interface
3. Use ls/read operations
4. Extract trace token from logs
5. Access admin.txt
6. Discover RAG references
7. Query poisoned KB entries
8. Trigger prompt injection payload
- Python
- Streamlit
- LangChain
- LiteLLM
- Simulated RAG Layer
- Custom Tool Orchestration
git clone https://github.com/srioo10/LLM-Exploit-Simulator
cd LLM-Exploit-Simulatorpip install -r requirements.txtCreate a .env file:
OPENROUTER_API_KEY=your_key_herestreamlit run main.pyHow does SecureBank store user data?
How do developers interact with that system?
What kind of diagnostic interface exists?
What exact commands are supported?
.
├── main.py
├── tools.py
├── transaction_db.py
├── utils.py
├── requirements.txt
└── README.md
- Prompt Injection
- Tool Abuse
- Context Poisoning
- RAG Exploitation
- Unsafe Retrieval
- Agent Misalignment
- Prompt Leakage
- Escalation Logic Abuse
- LLM Oversharing
- Insecure Tool Routing
This project demonstrates why:
- tool access must be sandboxed
- prompts are not security boundaries
- RAG systems require validation
- agent orchestration is dangerous
- LLMs should never directly control sensitive operations
Sooraj S
"Built for AI security research and educational demonstrations."