From 4ea29978fc6778bc5641ed422261366a91d42961 Mon Sep 17 00:00:00 2001
From: 0xbyt4 <35742124+0xbyt4@users.noreply.github.com>
Date: Sat, 28 Feb 2026 20:15:25 +0300
Subject: [PATCH] fix(security): catch multi-word prompt injection in skills_guard

The regex `ignore\s+(previous|all|...)\s+instructions` only matched a single keyword between 'ignore' and 'instructions'. Phrases like 'ignore all prior instructions' bypassed the scanner entirely. Changed to `ignore\s+(?:\w+\s+)*(previous|all|...)\s+instructions` to allow arbitrary words before the keyword.
---
 tools/skills_guard.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/skills_guard.py b/tools/skills_guard.py
index da3da5eeb..4ca8fea23 100644
--- a/tools/skills_guard.py
+++ b/tools/skills_guard.py
@@ -157,7 +157,7 @@ THREAT_PATTERNS = [
 "markdown link with variable interpolation"),

 # ── Prompt injection ──
- (r'ignore\s+(previous|all|above|prior)\s+instructions',
+ (r'ignore\s+(?:\w+\s+)*(previous|all|above|prior)\s+instructions',
 "prompt_injection_ignore", "critical", "injection",
 "prompt injection: ignore previous instructions"),
 (r'you\s+are\s+now\s+',
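Review bot: The new `(?:\w+\s+)*` on the `+` line is unbounded and `\s` crosses newlines, so a lone "ignore" anywhere in a skill file now matches any later "all instructions"/"prior instructions" hundreds of words away, and every "ignore" occurrence is scanned forward to the next such phrase or the end of the text. Bounding the filler keeps the fix for "ignore all prior instructions" while limiting both the false-positive reach and the per-occurrence scan: `(r'ignore\s+(?:\w+\s+){0,4}(previous|all|above|prior)\s+instructions',`. The commit message describes the bypass but the diffstat shows no test change; a unit test with the bypass phrase plus a negative case (two unrelated sentences, one containing "ignore") would pin the intended scope. Whether the pattern is applied case-insensitively cannot be seen from this hunk; if it is not, "Ignore all prior instructions" still passes, which is worth confirming where THREAT_PATTERNS is compiled. The THREAT_PATTERNS list begins before and continues after this hunk.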