Paste a prompt template to find where untrusted input could turn into instructions. This linter reads the structure of your template across common shapes, flags risky interpolation points, and frames every fix defensively. It maps findings to OWASP LLM01. It never runs a model and never connects anywhere.
A prompt is one flat string. When you build it from a template, every place you drop in a variable is a seam where two kinds of text meet: the instructions you wrote and trust, and a value that may have come from a user. A language model reads the whole string at once and has no built in way to tell those apart, so a value that reads like a command can be followed like one. That is the heart of prompt injection, catalogued as LLM01 in the OWASP Top 10 for LLM Applications, with a matching test entry of AITG-APP-01 in the OWASP AI Testing Guide. This tool reads template structure only. It does not run a model and does not generate any attack text.
The linter first finds every interpolation point across the shapes teams actually use: Jinja2 {{ var }} and its {% %} blocks, Python f-string and .format style {var}, Handlebars {{var}}, and raw string concatenation like a quoted string joined to a variable with +. It then asks a simpler question about each one: could this value be untrusted, and if so, where in the prompt does it land?
The most serious pattern is an untrusted looking variable, with a name like user_input, query, question, message, or comment, interpolated into the system instruction area or above the instructions, where it can override them. The linter flags this as a high severity finding, because the model reads top to bottom and content placed before or inside the rules competes directly with them.
Even lower in the prompt, an untrusted value that is dropped in with no wrapping is a risk. If there is no delimiter around the user content and no framing that tells the model to treat the following as data and not as instructions, the model has nothing to anchor on. The linter looks for explicit delimiters and for data framing, and it warns when an interpolation has neither.
When a system rule, an API key, or another secret sits in the same template as an untrusted value, a successful injection can both override the rule and try to read what is nearby. The linter notes when secret like tokens appear alongside untrusted interpolation, and it flags a missing output format constraint, since an unconstrained model is easier to steer into leaking or into an unexpected shape. It also calls out template logic that mixes tool or function call instructions with untrusted content.
The verdict is a quick signal, not a guarantee. A high or critical level means the linter found a structural pattern where untrusted input could plausibly become instructions. A low level means the common traps were not present in the text you pasted. It cannot prove safety, because real injection risk also depends on how the model is used, what tools it can reach, and what your application does with the output. Treat the report as one input alongside actual testing and human review. The kind of context aware reasoning that decides whether a prompt is truly safe is what an AI security testing approach works through, rather than matching one string.