· dev
talonyx.ai (business) →
· dev
talonyx.ai (business) →
ORILink — what it blocks
ORILink is middleware. Drop it between your data sources and your agent. It checks every input before the model processes it and every output before it executes. No model changes. Works with any framework.
Standalone or integrated. ORILink doesn't replace your existing security stack. It adds enforcement at the one layer firewalls and auth systems can't reach — the point where language becomes action.
Applied unconditionally on every input and output. No model-specific tuning required. Validated across multiple LLM architectures.
| Threat | Status | How it works |
|---|---|---|
|
Prompt injection
Hidden instructions in docs, pages, or tool responses
|
Blocked | Malicious instructions embedded in content your agent reads are intercepted and annotated with untrusted provenance before they reach the model. |
|
Structured data injection
Payloads hidden in JSON fields, API responses, or metadata
|
Blocked | Fields containing permission escalation language, identity claims, or behavioral directives are detected and quarantined. Schema deviations downgrade object trust weight. |
|
Encoded injection
Attacks hidden inside Base64, URL-encoded, or hex content
|
Blocked | Content is decoded and rescanned. Nested encoding handled recursively to a configurable depth. Malformed encoding is flagged, not silently passed. |
|
System prompt disclosure
Agent reveals its own instructions when probed
|
Blocked | Outbound text is scanned for verbatim and paraphrased reproduction of the agent's system prompt before it exits the output channel. |
|
Governance rule leakage
Agent discloses its constraints or tools to external parties
|
Blocked | Output containing constraint language, capability boundaries, or tool enumeration is blocked before reaching external recipients. |
|
Unauthorized reconnaissance
Agent scans or probes systems outside its authorized scope
|
Blocked | Actions targeting out-of-scope hosts or paths are blocked pre-execution. Framing attacks — recon described as "connectivity checks" — are caught by execution graph analysis. |
|
Data exfiltration
Agent reads sensitive data then transmits it externally
|
Blocked | Multi-step exfiltration chains are tracked across a 50-action session window. Read followed by external transmission is intercepted even when steps are spread far apart. |
|
Agent impersonation
Agent claims to be a different agent or authority
|
Blocked | Output claiming a different identity than the agent's configured ID is blocked. Honest self-identification passes cleanly. |
|
Social engineering
Agent generates deceptive content targeting a human recipient
|
Blocked | Deception signals — fake urgency, false authority claims, impersonation language — are detected in outbound content and blocked before delivery. |
|
Sub-agent spawning
Agent attempts to launch unauthorized agent instances
|
Blocked | Spawning intent detected across 19 semantic variants — explicit commands through indirect operational language. Operator-authorized spawning passes. |
|
Lateral movement
Agent accesses systems outside its authorized scope
|
Blocked | Scope boundary enforcement evaluates the action target before the instruction framing. Out-of-scope access is blocked regardless of how it's described. |
|
MCP server injection
Malicious MCP servers inject hidden instructions via tool responses
|
Blocked | MCP server identity is verified before registration. Tool responses are sanitized before reaching agent context. Unverified servers are rejected. |
|
ClickFix / binary execution
Social engineering attacks that trick agents into downloading and executing malicious binaries
|
Blocked | Download-then-execute chains detected across 5 attack patterns before execution. Confidence-scored 0.72–0.95. |
|
Behavioral drift
Agent's actions gradually diverge from its authorized objective
|
Detected | Each action is scored against the agent's declared goal. Cumulative drift above a configurable threshold triggers escalation — catching multi-step attacks where no individual action looks suspicious. |
Need A2A trust enforcement, audit registry, and real-time monitoring?
The Business SDK adds multi-agent protection on top of everything above.