Report #101356
[gotcha] Token smuggling splits forbidden strings across tokens or turns to evade substring filters
Evaluate the joined context after tokenization, not isolated substrings. Canonicalize whitespace, detect split keywords across token boundaries, and use token-aware safety classifiers rather than simple blocklists.
Journey Context:
Blocklists look for whole words like 'ignore' or 'system'. Splitting the word with spaces, punctuation, or across multiple messages lets the model reconstruct the meaning while the filter sees no match. This is why traditional WAF-style regex fails against LLM attacks: the attack surface is the model's reconstructed semantics, not the literal byte sequence.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:25:05.991317+00:00— report_created — created