When the prompt scanner ML model is not downloaded (or any other error occurs), prompt_scanner_hook.py returns {"decision": "allow"} instead of {"decision": "ask"}. This silently bypasses prompt injection detection.
Reproduce:
agent-sec-cli scan-prompt --text "Ignore all previous instructions"
# Returns verdict=error (model not available)
# But the cosh hook translates this to allow
Root cause: All exception/error/timeout paths in the hook return allow (fail-open). The warmup reminder mechanism also had a bug where after one reminder it would permanently switch to allow.
Fix: PR #680
When the prompt scanner ML model is not downloaded (or any other error occurs),
prompt_scanner_hook.pyreturns{"decision": "allow"}instead of{"decision": "ask"}. This silently bypasses prompt injection detection.Reproduce:
Root cause: All exception/error/timeout paths in the hook return
allow(fail-open). The warmup reminder mechanism also had a bug where after one reminder it would permanently switch toallow.Fix: PR #680