Open-Awesome
CategoriesAlternativesStacksSelf-HostedExplore
Open-Awesome

© 2026 Open-Awesome. Curated for the developer elite.

TermsPrivacyAboutGitHubRSS
  1. Home
  2. Prompt Injection
  3. Damn Vulnerable LLM Agent

Damn Vulnerable LLM Agent

Apache-2.0Python

An educational chatbot designed to demonstrate and experiment with prompt injection attacks against LLM ReAct agents.

GitHubGitHub
481 stars209 forks0 contributors

What is Damn Vulnerable LLM Agent?

Damn Vulnerable LLM Agent is an educational chatbot designed to demonstrate prompt injection vulnerabilities in LLM-powered ReAct agents. It provides a hands-on environment where security researchers and developers can experiment with attack techniques like Thought/Action/Observation injection to understand how malicious prompts can manipulate agent behavior. The project originated from a Capture The Flag challenge and includes practical examples of real-world exploits.

Target Audience

Security researchers, AI developers, and cybersecurity enthusiasts who want to understand LLM security vulnerabilities through practical experimentation. It's particularly valuable for those working with ReAct agents or building secure AI applications.

Value Proposition

Unlike theoretical security guides, this project offers a working, vulnerable implementation that users can directly interact with and exploit. It provides concrete examples of prompt injection attacks and supports multiple LLM backends, making it a versatile educational tool for hands-on learning.

Overview

Damn Vulnerable LLM Agent is a sample chatbot powered by a Large Language Model (LLM) ReAct agent, implemented with Langchain. It serves as an educational tool to help security professionals understand and test vulnerabilities in AI agents, specifically focusing on prompt injection techniques that can manipulate agent behavior.

Key Features

  • Vulnerable Chatbot Simulation — Provides a controlled environment to interact with a deliberately insecure LLM agent.
  • Prompt Injection Experimentation — Allows testing of various injection vectors, including Thought/Action/Observation injection.
  • Educational CTF Challenge — Based on a Capture The Flag competition, offering practical examples of security exploits.
  • Multi-LLM Support — Configurable to run with OpenAI, HuggingFace models, or local Ollama instances.

Philosophy

The project believes that understanding attack vectors through hands-on experimentation is crucial for building secure AI systems, and aims to provide a practical learning ground for the security community.

Use Cases

Best For

  • Learning prompt injection techniques against ReAct agents
  • Practicing AI security in a controlled CTF environment
  • Understanding Thought/Action/Observation injection vulnerabilities
  • Testing LLM agent security with different model backends
  • Educational workshops on AI cybersecurity
  • Researching mitigation strategies for prompt injection attacks

Not Ideal For

  • Production deployments requiring secure, out-of-the-box AI agents
  • Teams seeking pre-built, non-vulnerable chatbots for user-facing applications
  • Projects focused solely on AI content generation without security testing needs
  • Environments with limited resources for local model setup or API costs

Pros & Cons

Pros

Hands-On Security Learning

Provides a deliberately vulnerable chatbot that allows direct experimentation with prompt injection attacks, including detailed payload examples like Thought/Action/Observation injection from the README.

Real-World CTF Basis

Based on an actual Capture The Flag competition, offering practical, battle-tested examples of vulnerabilities in ReAct agents, as highlighted in the introduction.

Multi-LLM Backend Support

Configurable to run with OpenAI, HuggingFace models, or local Ollama instances, enabling flexible testing across different model types, as detailed in the installation section.

Detailed Exploit Documentation

Includes spoiler payloads with step-by-step examples for achieving flags, such as SQL injection and user ID manipulation, making it highly educational for understanding attack vectors.

Cons

Limited Model Reliability

The README admits that small LLMs 'do not perform very well as ReAct agents,' and results may vary, which can hinder consistent experimentation and learning.

Complex Setup Process

Requires managing multiple environment templates, API keys, or local Ollama installations, making initial configuration cumbersome compared to plug-and-play tools.

Narrow Vulnerability Focus

Primarily targets prompt injection in ReAct agents, lacking coverage of other AI security issues like data poisoning or model theft, which limits its scope as a comprehensive educational tool.

Frequently Asked Questions

Quick Stats

Stars481
Forks209
Contributors0
Open Issues1
Last commit1 year ago
CreatedSince 2023

Tags

#vulnerability-testing#chatbot#langchain#educational-tool#capture-the-flag#cybersecurity#ai-security#prompt-injection#llm-security

Built With

O
Ollama
L
LangChain
O
OpenAI API
H
HuggingFace
P
Python
D
Docker
S
Streamlit

Included in

Prompt Injection453
Auto-fetched 6 hours ago

Related Projects

PromptTracePromptTrace

Free AI security training platform with 7 hands-on prompt injection labs and a 15-level CTF (the Gauntlet) with progressively harder defenses — from prompt-level rules to code guards to LLM classifiers. Unique feature: Context Trace shows the full prompt stack (system prompt, RAG documents, tool definitions, user input) in real-time so you can see exactly how attacks work. Uses real LLMs from OpenAI, Anthropic, Google, Groq, and Cerebras

Stars0
Forks0
Last commit
AI/LLM Exploitation ChallengesAI/LLM Exploitation Challenges

AI, ML, and LLMs CTF Challenges

Stars0
Forks0
Last commit
CrowdStrike AI UnlockedCrowdStrike AI Unlocked

Released Feb 2026, designed to train security, developer, and AI teams on prompt injection against increasingly capable agents. Built by CrowdStrike's Counter Adversary Operations team

Stars0
Forks0
Last commit
GandalfGandalf

Your goal is to make Gandalf reveal the secret password for each level. However, Gandalf will level up each time you guess the password, and will try harder not to give it away. Can you beat level 7? (There is a bonus level 8)

Stars0
Forks0
Last commit
Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a projectStar on GitHub