Security

PDF Prompt Injection Scanner

Compare safe and unsafe PDF extraction runs to detect hidden text, off-page content, tiny text, and hidden-layer prompt injection risks

html· HTML resultOpen tool

Quick start

Call this tool from your code in three languages.

cURL

# 1) Upload each file first → returns { filePath }
curl -X POST 'https://api.elysiatools.com/upload/pdf-prompt-injection-scanner' \
  -F 'file=@/path/to/pdfFile.ext'

# 2) Call the tool with the returned filePath values
curl -X POST 'https://api.elysiatools.com/en/api/tools/pdf-prompt-injection-scanner' \
  -F 'pdfFile=/public/samples/pdf/brand-guidelines-pdf-example1.pdf' \
  -F 'scanHiddenText=true' \
  -F 'scanOffPageContent=true' \
  -F 'scanTinyText=true' \
  -F 'scanHiddenLayers=true' \
  -F 'useStructTree=false' \
  -F 'sanitizeSensitiveData=false'

API reference

Send a POST request with your inputs as JSON. File parameters require a separate upload first.

Endpoint

HTTP

POST https://api.elysiatools.com/en/api/tools/pdf-prompt-injection-scanner

Parameters

Name	Type	Required	Description
pdfFile	fileupload required	Yes	—
scanHiddenText	checkbox	No	—
scanOffPageContent	checkbox	No	—
scanTinyText	checkbox	No	—
scanHiddenLayers	checkbox	No	—
useStructTree	checkbox	No	—
sanitizeSensitiveData	checkbox	No	—

File-type parameters must be uploaded first via POST /upload/pdf-prompt-injection-scanner, then the returned filePath is passed to the corresponding file field.

Response format

HTML result

JSON

{
  "result": "<div>Processed HTML content</div>",
  "error": "Error message (optional)",
  "message": "Notification message (optional)",
  "metadata": {
    "key": "value"
  }
}

MCP integration

Add this tool to your Model Context Protocol server so AI agents can list and call it.

Server configuration

Add this block to your MCP client configuration:

mcp.json

{
  "mcpServers": {
    "elysiatools-pdf-prompt-injection-scanner": {
      "name": "pdf-prompt-injection-scanner",
      "description": "Compare safe and unsafe PDF extraction runs to detect hidden text, off-page content, tiny text, and hidden-layer prompt injection risks",
      "baseUrl": "https://api.elysiatools.com/mcp/sse?toolId=pdf-prompt-injection-scanner",
      "command": "",
      "args": [],
      "env": {},
      "isActive": true,
      "type": "sse"
    }
  }
}

List available tools

After connecting to the SSE endpoint, list the exposed tools:

tools/list

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/list"
}

Call this tool

Invoke the tool by its id, passing arguments built from its parameters:

tools/call

{
  "jsonrpc": "2.0",
  "id": 2,
  "method": "tools/call",
  "params": {
    "name": "pdf-prompt-injection-scanner",
    "arguments": {
  "pdfFile": "/public/samples/pdf/brand-guidelines-pdf-example1.pdf",
  "scanHiddenText": true,
  "scanOffPageContent": true,
  "scanTinyText": true,
  "scanHiddenLayers": true,
  "useStructTree": false,
  "sanitizeSensitiveData": false
}
  }
}

Chain multiple tools in one session with a comma-separated toolId list, e.g. /mcp/sse?toolId=png-to-webp,jpg-to-webp,gif-to-webp (max 20).

File parameters accept a public file URL only (https://…). Local paths, data: URIs, and Base64 strings are not supported.

Questions or issues? Contact [email protected]