Added system prompt extraction probe

[Nakul-Rajpal]

This PR adds a new probe to test how easily LLMs leak their system prompts through adversarial extraction techniques.

Closes #1400

Implementation

Probe: garak.probes.sysprompt.SystemPromptExtraction

• Loads real-world system prompts from HuggingFace datasets:
  • danielrosehill/System-Prompt-Library - 923 prompts, CC-BY-4.0
  • teilomillet/system_prompt - 69 prompts focusing on thinking frameworks, CC-BY-4.0
• Tests 25+ extraction attacks from published research (Riley Goodside, OpenReview, WillowTree, Simon Willison)
• Attack types: direct requests, role-playing, encoding tricks, continuation exploits, authority framing
• Uses conversation/turn support to properly set system prompts as role="system"
• Respects soft_probe_prompt_cap via random sampling

Detector: garak.detectors.sysprompt.PromptExtraction

• Fuzzy n-gram matching to detect partial extractions (generalizes encoding.DecodeApprox pattern)
• Handles truncation cases where model starts outputting prompt but gets cut off
• Returns scores 0.0-1.0 based on overlap percentage
• Includes PromptExtractionStrict variant with higher threshold

Files Added

• garak/probes/sysprompt.py (353 lines)
• garak/detectors/sysprompt.py (161 lines)
• tests/probes/test_probes_sysprompt.py (8 tests)
• tests/detectors/test_detectors_sysprompt.py (14 tests)

Tags

• avid-effect:security:S0301 (Information disclosure)
• owasp:llm01 (Prompt injection)
• quality:Security:PromptStability
• Tier: OF_CONCERN

Verification

• Install optional dependency: pip install datasets
• Run the probe: garak --model_type test --model_name test.Blank --probes sysprompt
• Run the tests: python -m pytest tests/probes/test_probes_sysprompt.py tests/detectors/test_detectors_sysprompt.py -v
• Verify the probe loads and generates attempts with system prompts
• Verify the detector correctly scores full matches (>0.9), partial matches (>0.3), and no matches (<0.3)
• Verify the probe gracefully handles missing datasets library with warnings
• Document - Comprehensive docstrings in probe and detector classes, Sphinx RST files added

Testing Notes

The probe can be tested without the datasets library installed - it will log warnings but still function. For full functionality including HuggingFace dataset loading:

pip install datasets
garak --model_type openai --model_name gpt-3.5-turbo --probes sysprompt --probe_options '{"max_system_prompts": 5}'

[erickgalinkin]

Needs some work but I love where this is going.

[erickgalinkin]

Again here, the result should be deterministic -- we should know the value the detector returns here.

[leondz]

yeah. recommend setting any relevant detector config poarams if needed, and then finding the expected value and using that in the test with == instead of >

[jmartin-tech]

Some minor organization request and code reuse ideas.

[jmartin-tech]

A little more tweaking for configurable data locations is still needed.

ATTACK_TEMPLATES needs to be extracted or at the least not copied into DEFAULT_PARAMS and the datasets for known target system prompts should be full dataset names. garak usage expects familiarity with huggingface datasets and a hardcoded map based on only account/org names enforces limitations that can and should be avoided.

[leondz]

This is looking really nice, thank you. One last pass of changes and I think we'll be in great place with it.

[leondz]

Would be illuminating to get some examples of each of these, so we have some idea of how the thresholds are determined. Maybe just one example per level, for now, would be OK

[leondz]

A similar global value is already be set in _config.run.eval_threshold (default 0.5) - is a separate threshold needed here?

[erickgalinkin]

I wonder if it makes sense to make this threshold configurable per-detector, since each has their own sensitivity/specificity? We use the eval_threshold unless a separate threshold value is consumed? I suppose this would be out of scope for this PR but may be worth considering as a modification to the base Detector class.

[leondz]

This largely looks like a copy of detectors.encoding.DecodeApprox. Is it worth factoring this up into a new detector that replaces/is inherited by both, something like detectors.approx.ApproxStringNgram? Or is there a reason to keep two separate classes?

[erickgalinkin]

Alternative thought (again, larger scope of work probably out of scope for this PR): having some utility functions in garak.resources for common use cases like string similarity, ngram matching, etc. We use a very small handful of preferred nltk distance metrics in several places, for example. Could also implement other fuzzy matchings. Having a common ref of those to avoid additional imports in places may be valuable.

Or I could write a Rust-based library with Python bindings that becomes its own dependency and we live to fight another day.

[leondz]

1. output_cleaned is string-separated tokens, not chars
2. This 20 value should be configurable
3. What if the sysprompt has fewer than 20 tokens? Consider determining the max match length as a minimum of (20, len(system_prompt_cleaned)) and then using that determined value in this comparison

[leondz]

will need updating when ATTACK_TEMPLATES moves to its own data location

[erickgalinkin]

I wonder if it makes sense to make this threshold configurable per-detector, since each has their own sensitivity/specificity? We use the eval_threshold unless a separate threshold value is consumed? I suppose this would be out of scope for this PR but may be worth considering as a modification to the base Detector class.

[erickgalinkin]

This seems like a finicky parameter -- should probably document how changing this value changes outcomes.

[erickgalinkin]

Alternative thought (again, larger scope of work probably out of scope for this PR): having some utility functions in garak.resources for common use cases like string similarity, ngram matching, etc. We use a very small handful of preferred nltk distance metrics in several places, for example. Could also implement other fuzzy matchings. Having a common ref of those to avoid additional imports in places may be valuable.

Or I could write a Rust-based library with Python bindings that becomes its own dependency and we live to fight another day.

[jmartin-tech]

Is there a reason this was commented out?

[Nakul-Rajpal]

@leondz

I chose to go with he garak-llm/ mirror names (garak-llm/drh-System-Prompt-Library, garam-llm/tm-system-prompt) as per your comments, instead of the original upstream names suggested by jmartin. I just chose these because they are project controlled.

[Nakul-Rajpal]

Forgot to double check CI requirements. I added the extra paragraph and ran locally to ensure all my tests were passing

[Nakul-Rajpal]

@leondz Is this branch ready to merge?

Requested changes applied.

[erickgalinkin]

Overall, I think this is ready to merge, but I'd like to see responses to my comments around the detectors.

[erickgalinkin]

Still waiting for this comment to be addressed. Would like to see a proper n-gram match or some other string similarity metric used. Order matters.

[erickgalinkin]

As a side note, I think a generic ngram detector could be factored out of this or we could have a SimilarString detector.

[erickgalinkin]

Still waiting on this one @Nakul-Rajpal

[leondz]

drh dataset is broken:

Failed to load JSON from file '/home/leon/.cache/huggingface/hub/datasets--garak-llm--drh-System-Prompt-Library/snapshots/a9b5746cb5bfa631da88d60776d364a852674af4/consolidated_prompts.json

[leondz]

Have added tests to check for dataset functionality. Looks like the JSON in the drh dataset is valid, but HF doesn't like it. Propose downloading this dataset, mapping it to current valid huggingface format including a subset of columns, and re-upping it.

Suggested columns:

• agentname
• creation_date
• is-agent
• is-single-turn
• json-schema
• personalised-system-prompt
• structured-output-generation
• systemprompt

Sample instance:

>>> pprint.pprint(cp['prompts'][1])
{'_file_modified': '2025-08-05T00:49:38.183675',
 '_filename': '1-StarReviewExplorer_270525.json',
 'agentname': '1-Star Review Explorer',
 'chatgpt-privacy': None,
 'chatgptlink': 'https://chatgpt.com/g/g-680718daa9708191ba3cd3b5160dbf0d-1-star-tourist-guide',
 'creation_date': '2025-05-05 19:58:48+00:00',
 'data-utility': 'false',
 'depersonalised-system-prompt': 'Your task is to assist users in identifying '
                                 'poorly-rated experiences in their vicinity '
                                 'or intended travel area. Start by inquiring '
                                 "about the user's current location or travel "
                                 'plans to accurately geolocate them. Then, '
                                 'provide specific recommendations such as '
                                 'low-rated restaurants, tourist traps, or '
                                 'movies and bars with negative reviews. '
                                 'Suggest a sequence of five nearby "poor" '
                                 'experiences, including details, '
                                 'observations, and relevant links. Draft an '
                                 'itinerary with lower expectations for the '
                                 "user's visit. Finally, help the user draft a "
                                 'message to friends about their experiences.',
 'description': 'This AI assistant locates and recommends comically terrible '
                'local experiences, crafting an itinerary of misery and '
                'offering to share the "fun" with friends.',
 'image-generation': 'false',
 'is-agent': False,
 'is-single-turn': 'false',
 'json-example': None,
 'json-schema': None,
 'personalised-system-prompt': 'false',
 'structured-output-generation': 'false',
 'systemprompt': 'You assist the user in finding poorly-rated experiences near '
                 'his location. Begin by asking for his current location or '
                 'travel plans to geolocate him. Then, offer specific '
                 'recommendations such as dreadfully rated restaurants, '
                 'tourist traps, or critically panned movies and bars with '
                 'negative reviews. Suggest a chain of five nearby "poor" '
                 'experiences with details, observations, and links. Draft an '
                 "itinerary with lower expectations for user's visit. Finally, "
                 'assist in drafting a message to his friends about his awful '
                 'adventures.'}

[leondz]

@erickgalinkin

have replaced this with existing matching from encoding.DecodeApprox and factored the core func to garak.resources.matching

• Added system prompt extraction probe #1538 (comment)
• Added system prompt extraction probe #1538 (comment)

[leondz]

@erickgalinkin

Still waiting on this one @Nakul-Rajpal

Re-worked this. Now, we have one detector using strict excerpt matching falling back to n-gram based matching PromptExtraction, and another using strict excerpt matching only PromptExtractionVerbatim.