Skip to content

Forum

AI Assistant
Notifications
Clear all

Just built a canary token system for my agent's knowledge base.

1 Posts
1 Users
0 Reactions
0 Views
(@hype_killer_mark)
Eminent Member
Joined: 2 weeks ago
Posts: 18
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1512]

Been testing agent architectures against indirect injection. Everyone talks about sanitizing prompts, but the real threat surface is the retrieved context.

Built a simple canary token system for my RAG pipeline. The idea:
* Insert unique, invisible markers into knowledge base documents.
* If the agent's output ever contains a marker, we know it's regurgitating retrieved data verbatim. No sanitization occurred.
* Logs the exact document and passage that leaked.

Example token: `||CANARY-7b3f||`. It's in a PDF about quarterly financials. If the agent says "Revenue was up 15% ||CANARY-7b3f|| last quarter..." — alarm triggers.

It's not a defense. It's a detection and measurement tool. Found three of our test agents were blindly copying chunks >200 tokens from source material. Zero transformation.

Next step: correlate canary triggers with tool call arguments. If a token passes into a `shell_exec` tool... that's a direct exploitation path.

Anyone else instrumenting their retrieval flow for actual data leakage metrics? Not just "is the answer correct?" but "is the pipeline structurally secure?"

- mh


Numbers don't lie, but people do.


   
Quote