LLM06:2025 Sensitive Information Disclosure

Secrets, PII, or PHI flow into an LLM prompt body or context window. The vendor logs the prompt, the model echoes it back to a downstream caller, or the training pipeline ingests it: in every case the data has left the trust boundary.

What Vulkro detects

Vulkro identifies LLM SDK calls whose prompt argument is taint-reachable from a secret literal, an environment variable known to hold credentials, or a database column flagged as PII / PHI in the data-flow pass.
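The check described above, reduced to its essentials as an added example (this is illustrative code, not Vulkro's analysis engine): parse a Python file, treat `os.environ[...]` / `os.getenv(...)` reads of credential-like names and secret-shaped literals as taint sources, propagate taint through simple assignments, f-strings and concatenation, and report any `chat.completions.create` / `responses.create` call whose `messages`, `input` or `prompt` argument is reachable from a source. The regexes, the SDK call names and the three embedded sample programs are assumptions constructed for the demo.

```python
"""Minimal taint check: secrets reaching an LLM prompt argument (illustrative, not Vulkro's engine).
Requires Python 3.9+, where ast.Subscript.slice holds the index expression directly."""
import ast
import re

# Environment variable names assumed to hold credentials (simplified, constructed list).
CREDENTIAL_ENV_RE = re.compile(r"(?i)(secret|token|passw|api[_-]?key|_sk$|^sk_)")
# String literals shaped like well-known secret formats (constructed patterns).
SECRET_LITERAL_RE = re.compile(r"sk_(live|test)_[A-Za-z0-9]{8,}|AKIA[0-9A-Z]{16}")
# SDK calls whose prompt-carrying keyword arguments are inspected (assumption: OpenAI SDK).
PROMPT_CALL_SUFFIXES = ("chat.completions.create", "responses.create")
PROMPT_KWARGS = ("messages", "input", "prompt")


def _dotted_name(node):
    """Render an `a.b.c` attribute chain as a string; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))


def _is_credential_env_read(node):
    """True for os.environ["X"], os.environ.get("X") or os.getenv("X") with a credential-like X."""
    key = None
    if isinstance(node, ast.Subscript) and _dotted_name(node.value) == "os.environ":
        key = node.slice
    elif isinstance(node, ast.Call) and node.args and _dotted_name(node.func) in ("os.environ.get", "os.getenv"):
        key = node.args[0]
    return (isinstance(key, ast.Constant) and isinstance(key.value, str)
            and CREDENTIAL_ENV_RE.search(key.value) is not None)


def _tainted(node, tainted_names):
    """Can this expression (f-string, concatenation, dict, list, name, ...) carry secret data?"""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str) and SECRET_LITERAL_RE.search(node.value) is not None
    if _is_credential_env_read(node):
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted_names
    return any(_tainted(child, tainted_names) for child in ast.iter_child_nodes(node))


def find_prompt_leaks(source):
    """Return [(line, keyword)] for every prompt argument that is taint-reachable from a secret."""
    tree = ast.parse(source)
    tainted_names = set()
    findings = []
    # Statements are visited in source order so plain assignments propagate taint forward.
    for stmt in tree.body:
        for node in ast.walk(stmt):
            if isinstance(node, ast.Assign) and _tainted(node.value, tainted_names):
                tainted_names.update(t.id for t in node.targets if isinstance(t, ast.Name))
            elif isinstance(node, ast.Call) and _dotted_name(node.func).endswith(PROMPT_CALL_SUFFIXES):
                for kw in node.keywords:
                    if kw.arg in PROMPT_KWARGS and _tainted(kw.value, tainted_names):
                        findings.append((node.lineno, kw.arg))
    return findings


# Constructed sample programs (never executed, only parsed).
NONCOMPLIANT = '''import os
from openai import OpenAI
client = OpenAI()
resp = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "system", "content": f"Use key {os.environ['STRIPE_SK']}"}],
)
'''
INDIRECT = '''import os
token = os.getenv("SLACK_BOT_TOKEN")
prompt = "Post the summary using " + token
resp = client.chat.completions.create(model="gpt-4o", messages=[{"role": "user", "content": prompt}])
'''
COMPLIANT = '''from openai import OpenAI
client = OpenAI()
resp = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "system", "content": "You are a billing assistant."}],
)
'''

if __name__ == "__main__":
    for name, src in (("noncompliant", NONCOMPLIANT), ("indirect", INDIRECT), ("compliant", COMPLIANT)):
        print(name, find_prompt_leaks(src))
```

The indirect sample is the case a grep for `os.environ` inside a prompt string misses: the credential is read into a local, concatenated into another variable, and only then passed as `messages`. Tracking assignments in order is what lets the check follow that path.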

Non-compliant code (examples)

Python — Stripe key flows into the prompt body

import os
from openai import OpenAI

client = OpenAI()
user_question = "Charge customer cus_123 twenty dollars"  # placeholder request text

resp = client.chat.completions.create(
    model='gpt-4o',
    messages=[
        # Non-compliant: the live Stripe secret is interpolated into the prompt body,
        # so it is logged by the vendor and available to anything that reads the response.
        {'role': 'system', 'content': f'Process Stripe payments via key {os.environ["STRIPE_SK"]}'},
        {'role': 'user', 'content': user_question},
    ],
)

Compliant code (examples)

Python — secrets stay out of prompts; structured tool call only

from openai import OpenAI

client = OpenAI()
user_question = "Charge customer cus_123 twenty dollars"  # placeholder request text

# Tool exposed to the model; the key never appears in the prompt.
# 'parameters' holds the JSON schema for charge_card's arguments.
TOOLS = [{'type': 'function', 'function': {'name': 'charge_card', 'parameters': {...}}}]

resp = client.chat.completions.create(
    model='gpt-4o',
    messages=[
        {'role': 'system', 'content': 'You are a billing assistant. Call charge_card to process payments.'},
        {'role': 'user', 'content': user_question},
    ],
    tools=TOOLS,
)
# The Stripe key is used by the server-side tool implementation, not the prompt.
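The runtime side of that pattern, as an added example that is neither Vulkro's code nor the OpenAI SDK's: the model is offered a `charge_card` tool, the Stripe key is read only inside the server-side tool implementation, and every outbound message list (including the tool result that goes back to the model) is scanned so that a credential value cannot reach the prompt by accident. `FAKE_ENV`, the sample messages and the tool call are constructed test data; the payment call itself is a hypothetical stand-in for the real Stripe client call.

```python
"""Runtime guard for the compliant pattern: secrets stay server-side, outbound messages are scanned."""
import hashlib
import json
import os
import re

# Env var names assumed to hold credentials (simplified, constructed list).
CREDENTIAL_NAME_RE = re.compile(r"(?i)(secret|token|passw|api[_-]?key|_sk$|^sk_)")
# Shapes of common credential formats (constructed patterns for the demo).
SECRET_SHAPE_RE = re.compile(r"sk_(live|test)_[A-Za-z0-9]{8,}|AKIA[0-9A-Z]{16}|xox[abp]-[A-Za-z0-9-]{10,}")


class SecretInPromptError(ValueError):
    """Raised when an outbound message would carry a credential."""


def known_secret_values(environ=None):
    """Values of every credential-looking env var in this process: the strings that must never be sent."""
    environ = os.environ if environ is None else environ
    return {v for k, v in environ.items() if CREDENTIAL_NAME_RE.search(k) and len(v) >= 8}


def check_messages(messages, environ=None):
    """Refuse a message list if any text content contains a known secret value or a secret-shaped token."""
    secrets = known_secret_values(environ)
    for i, msg in enumerate(messages):
        content = msg.get("content")
        if not isinstance(content, str):
            continue
        if any(s in content for s in secrets):
            raise SecretInPromptError(f"message {i} ({msg.get('role')}) contains a credential env var value")
        if SECRET_SHAPE_RE.search(content):
            raise SecretInPromptError(f"message {i} ({msg.get('role')}) contains a secret-shaped token")
    return messages


def would_leak(messages, environ=None):
    """Boolean form of check_messages for dry runs and tests."""
    try:
        check_messages(messages, environ)
    except SecretInPromptError:
        return True
    return False


TOOLS = [{"type": "function", "function": {
    "name": "charge_card",
    "description": "Charge a stored customer card. Authentication is handled server-side.",
    "parameters": {"type": "object",
                   "properties": {"amount_cents": {"type": "integer"}, "customer_id": {"type": "string"}},
                   "required": ["amount_cents", "customer_id"]}}}]


def charge_card(amount_cents, customer_id, environ=None):
    """Server-side tool body: the only place the Stripe key is read."""
    environ = os.environ if environ is None else environ
    key = environ["STRIPE_SK"]
    # Hypothetical payment call: a real implementation calls the Stripe client with `key` here.
    # The result returned to the model carries a key fingerprint, never the key itself.
    fingerprint = hashlib.sha256(key.encode()).hexdigest()[:8]
    return {"status": "ok", "amount_cents": amount_cents, "customer_id": customer_id, "key_fp": fingerprint}


def dispatch_tool_call(tool_call, environ=None):
    """Run the tool the model asked for and build the 'tool' message that goes back to it."""
    fn = tool_call["function"]
    if fn["name"] != "charge_card":
        raise ValueError(f"unknown tool: {fn['name']}")
    args = json.loads(fn["arguments"])
    result = charge_card(int(args["amount_cents"]), str(args["customer_id"]), environ)
    reply = {"role": "tool", "tool_call_id": tool_call["id"], "content": json.dumps(result)}
    return check_messages([reply], environ)[0]  # the tool result is outbound too, so it is scanned


# Constructed sample data (not real credentials or API output).
FAKE_ENV = {"STRIPE_SK": "sk_test_constructedexample0000", "HOME": "/home/billing"}
SAFE_MESSAGES = [
    {"role": "system", "content": "You are a billing assistant. Call charge_card to process payments."},
    {"role": "user", "content": "Charge customer cus_demo 2000 cents."},
]
LEAKY_MESSAGES = [{"role": "system", "content": f"Process payments via key {FAKE_ENV['STRIPE_SK']}"}]
SAMPLE_TOOL_CALL = {"id": "call_demo", "type": "function",
                    "function": {"name": "charge_card",
                                 "arguments": json.dumps({"amount_cents": 2000, "customer_id": "cus_demo"})}}

if __name__ == "__main__":
    print("safe leaks:", would_leak(SAFE_MESSAGES, FAKE_ENV), "leaky leaks:", would_leak(LEAKY_MESSAGES, FAKE_ENV))
    print(dispatch_tool_call(SAMPLE_TOOL_CALL, FAKE_ENV))
```

Matching on the actual values of credential env vars is what makes the guard independent of how the secret was formatted into the prompt; the shape regex is a second net for secrets that arrive from somewhere other than the environment. In production, `check_messages` would wrap every call into the SDK, with `environ` left as the default so it reads the real process environment.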

See also

  • Confidence model - what High, Medium, and Low mean for findings in this category.
  • Safety - what Vulkro does and does not access on your machine.


This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.