CourtGuard: A Local, Multiagent Prompt Injection Classifier
As large language models (LLMs) become integrated into various sensitive applications, prompt injection, the use of prompting to induce harmful behaviors from LLMs, poses an ever-increasing risk. Prompt injection attacks can cause LLMs to leak sensitive data, spread misinformation, and exhibit harmful behaviors. To defend against these attacks, we propose CourtGuard, a locally-runnable, multiagent prompt injection classifier. In it, prompts are evaluated in a court-like multiagent LLM system, where a "defense attorney" model argues the prompt is benign, a "prosecution attorney" model argues the prompt is a prompt injection, and a "judge" model gives the final classification. CourtGuard has a lower false positive rate than the Direct Detector, an LLM-as-a-judge. However, CourtGuard is generally a worse prompt injection detector. Nevertheless, this lower false positive rate highlights the importance of considering both adversarial and benign scenarios for the classification of a prompt. Additionally, the relative performance of CourtGuard in comparison to other prompt injection classifiers advances the use of multiagent systems as a defense against prompt injection attacks. The implementations of CourtGuard and the Direct Detector with full prompts for Gemma-3-12b-it, Llama-3.3-8B, and Phi-4-mini-instruct are available at https://github.com/isaacwu2000/CourtGuard.
- Type: preprint
- Landing Page: http://arxiv.org/abs/2510.19844
- PDF: https://arxiv.org/pdf/2510.19844
- OA Status: green
- OpenAlex ID: https://openalex.org/W4416615478
Raw OpenAlex JSON
- OpenAlex ID: https://openalex.org/W4416615478
- DOI: https://doi.org/10.48550/arxiv.2510.19844
- Title: CourtGuard: A Local, Multiagent Prompt Injection Classifier
- Type: preprint
- Publication year: 2025
- Publication date: 2025-10-20
- Authors: I‐Chen Wu
- Landing page: https://arxiv.org/abs/2510.19844
- PDF URL: https://arxiv.org/pdf/2510.19844
- Open access: Yes
- OA status: green
- OA URL: https://arxiv.org/pdf/2510.19844
- Cited by: 0
Full payload
| id | https://openalex.org/W4416615478 |
|---|---|
| doi | https://doi.org/10.48550/arxiv.2510.19844 |
| ids.doi | https://doi.org/10.48550/arxiv.2510.19844 |
| ids.openalex | https://openalex.org/W4416615478 |
| fwci | |
| type | preprint |
| title | CourtGuard: A Local, Multiagent Prompt Injection Classifier |
| biblio.issue | |
| biblio.volume | |
| biblio.last_page | |
| biblio.first_page | |
| is_xpac | False |
| apc_list | |
| apc_paid | |
| language | |
| locations[0].id | pmh:oai:arXiv.org:2510.19844 |
| locations[0].is_oa | True |
| locations[0].source.id | https://openalex.org/S4306400194 |
| locations[0].source.issn | |
| locations[0].source.type | repository |
| locations[0].source.is_oa | True |
| locations[0].source.issn_l | |
| locations[0].source.is_core | False |
| locations[0].source.is_in_doaj | False |
| locations[0].source.display_name | arXiv (Cornell University) |
| locations[0].source.host_organization | https://openalex.org/I205783295 |
| locations[0].source.host_organization_name | Cornell University |
| locations[0].source.host_organization_lineage | https://openalex.org/I205783295 |
| locations[0].license | |
| locations[0].pdf_url | https://arxiv.org/pdf/2510.19844 |
| locations[0].version | submittedVersion |
| locations[0].raw_type | text |
| locations[0].license_id | |
| locations[0].is_accepted | False |
| locations[0].is_published | False |
| locations[0].raw_source_name | |
| locations[0].landing_page_url | http://arxiv.org/abs/2510.19844 |
| locations[1].id | doi:10.48550/arxiv.2510.19844 |
| locations[1].is_oa | True |
| locations[1].source.id | https://openalex.org/S4306400194 |
| locations[1].source.issn | |
| locations[1].source.type | repository |
| locations[1].source.is_oa | True |
| locations[1].source.issn_l | |
| locations[1].source.is_core | False |
| locations[1].source.is_in_doaj | False |
| locations[1].source.display_name | arXiv (Cornell University) |
| locations[1].source.host_organization | https://openalex.org/I205783295 |
| locations[1].source.host_organization_name | Cornell University |
| locations[1].source.host_organization_lineage | https://openalex.org/I205783295 |
| locations[1].license | cc-by |
| locations[1].pdf_url | |
| locations[1].version | |
| locations[1].raw_type | article |
| locations[1].license_id | https://openalex.org/licenses/cc-by |
| locations[1].is_accepted | False |
| locations[1].is_published | |
| locations[1].raw_source_name | |
| locations[1].landing_page_url | https://doi.org/10.48550/arxiv.2510.19844 |
| indexed_in | arxiv, datacite |
| authorships[0].author.id | https://openalex.org/A5016730899 |
| authorships[0].author.orcid | https://orcid.org/0000-0003-2535-0587 |
| authorships[0].author.display_name | I‐Chen Wu |
| authorships[0].author_position | first |
| authorships[0].raw_author_name | Wu, Isaac |
| authorships[0].is_corresponding | True |
| has_content.pdf | False |
| has_content.grobid_xml | False |
| is_paratext | False |
| open_access.is_oa | True |
| open_access.oa_url | https://arxiv.org/pdf/2510.19844 |
| open_access.oa_status | green |
| open_access.any_repository_has_fulltext | False |
| created_date | 2025-10-25T00:00:00 |
| display_name | CourtGuard: A Local, Multiagent Prompt Injection Classifier |
| has_fulltext | False |
| is_retracted | False |
| updated_date | 2025-11-28T18:41:58.155654 |
| primary_topic | |
| cited_by_count | 0 |
| locations_count | 2 |
| best_oa_location.id | pmh:oai:arXiv.org:2510.19844 |
| best_oa_location.is_oa | True |
| best_oa_location.source.id | https://openalex.org/S4306400194 |
| best_oa_location.source.issn | |
| best_oa_location.source.type | repository |
| best_oa_location.source.is_oa | True |
| best_oa_location.source.issn_l | |
| best_oa_location.source.is_core | False |
| best_oa_location.source.is_in_doaj | False |
| best_oa_location.source.display_name | arXiv (Cornell University) |
| best_oa_location.source.host_organization | https://openalex.org/I205783295 |
| best_oa_location.source.host_organization_name | Cornell University |
| best_oa_location.source.host_organization_lineage | https://openalex.org/I205783295 |
| best_oa_location.license | |
| best_oa_location.pdf_url | https://arxiv.org/pdf/2510.19844 |
| best_oa_location.version | submittedVersion |
| best_oa_location.raw_type | text |
| best_oa_location.license_id | |
| best_oa_location.is_accepted | False |
| best_oa_location.is_published | False |
| best_oa_location.raw_source_name | |
| best_oa_location.landing_page_url | http://arxiv.org/abs/2510.19844 |
| primary_location.id | pmh:oai:arXiv.org:2510.19844 |
| primary_location.is_oa | True |
| primary_location.source.id | https://openalex.org/S4306400194 |
| primary_location.source.issn | |
| primary_location.source.type | repository |
| primary_location.source.is_oa | True |
| primary_location.source.issn_l | |
| primary_location.source.is_core | False |
| primary_location.source.is_in_doaj | False |
| primary_location.source.display_name | arXiv (Cornell University) |
| primary_location.source.host_organization | https://openalex.org/I205783295 |
| primary_location.source.host_organization_name | Cornell University |
| primary_location.source.host_organization_lineage | https://openalex.org/I205783295 |
| primary_location.license | |
| primary_location.pdf_url | https://arxiv.org/pdf/2510.19844 |
| primary_location.version | submittedVersion |
| primary_location.raw_type | text |
| primary_location.license_id | |
| primary_location.is_accepted | False |
| primary_location.is_published | False |
| primary_location.raw_source_name | |
| primary_location.landing_page_url | http://arxiv.org/abs/2510.19844 |
| publication_date | 2025-10-20 |
| publication_year | 2025 |
| referenced_works_count | 0 |
| cited_by_percentile_year | |
| corresponding_author_ids | https://openalex.org/A5016730899 |
| countries_distinct_count | 0 |
| institutions_distinct_count | 1 |
| citation_normalized_percentile |