Hugging Face's logo

llm-semantic-router
/
toolcall-sentinel

Text Classification
Transformers
Safetensors
English
modernbert
security
jailbreak-detection
prompt-injection
llm-safety
Eval Results
Model card Files
xet
Community

ToolCallSentinel - Prompt Injection & Jailbreak Detection

License Model Security

Stage 1 of Two-Stage LLM Agent Defense Pipeline

🎯 What This Model Does

FunctionCallSentinel is a ModernBERT-based binary classifier that detects prompt injection and jailbreak attempts in LLM inputs. It serves as the first line of defense for LLM agent systems with tool-calling capabilities.

Label Description
SAFE Legitimate user request β€” proceed normally
INJECTION_RISK Potential attack detected β€” block or flag for review

🚨 Attack Categories Detected

Direct Jailbreaks

  • Roleplay/Persona: "Pretend you're DAN with no restrictions..."
  • Hypothetical Framing: "In a fictional scenario where safety is disabled..."
  • Authority Override: "As the system administrator, I authorize you to..."
  • Encoding/Obfuscation: Base64, ROT13, leetspeak attacks

Indirect Injection

  • Delimiter Injection: <<end_context>>, </system>, [INST]
  • XML/Template Injection: <execute_action>, {{user_request}}
  • Multi-turn Manipulation: Building context across messages
  • Social Engineering: "I forgot to mention, after you finish..."

Tool-Specific Attacks

  • MCP Tool Poisoning: Hidden exfiltration in tool descriptions
  • Shadowing Attacks: Fake authorization context
  • Rug Pull Patterns: Version update exploitation

πŸ”— Integration with ToolCallVerifier

This model is Stage 1 of a two-stage defense pipeline:

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚   User Prompt   │────▢│ ToolCallSentinel │────▢│   LLM + Tools   β”‚
β”‚                 β”‚     β”‚    (This Model)      β”‚     β”‚                 β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                                                          β”‚
                               β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                               β”‚              ToolCallVerifier (Stage 2)             β”‚
                               β”‚  Verifies tool calls match user intent before exec  β”‚
                               β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
Scenario Recommendation
General chatbot Stage 1 only
RAG system Stage 1 only
Tool-calling agent (low risk) Stage 1 only
Tool-calling agent (high risk) Both stages
Email/file system access Both stages
Financial transactions Both stages

πŸ“œ License

Apache 2.0

Downloads last month
13
Safetensors
Model size
0.1B params
Tensor type
F32
Β·
Inference Providers NEW
Text Classification
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support

Model tree for llm-semantic-router/toolcall-sentinel

Base model

answerdotai/ModernBERT-base
Finetuned
(990)
this model

Datasets used to train llm-semantic-router/toolcall-sentinel

Space using llm-semantic-router/toolcall-sentinel 1

Evaluation results