HashBuilds Secure Prompts

by jphyqr

register_secure_prompt

Register prompts for AI security scanning to detect injection attacks, hidden instructions, and data exfiltration, then embed verification badges on websites.

Instructions

Register a prompt with HashBuilds Secure Prompts for security verification and get embed options. This uses AI to scan the prompt for injection attacks, hidden instructions, data exfiltration, jailbreak attempts, and other security issues. Returns multiple display options (full badge, compact link, icon button) with implementation guidance. After registering, ASK THE USER which display option they prefer before implementing. The response includes an implementationGuide field with detailed instructions for styling and placement.

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| promptText | Yes | The full text of the prompt to register and scan | |
| siteDomain | Yes | REQUIRED: The domain where this prompt will be displayed (e.g., 'example.com'). This enables domain verification - the badge will warn users if displayed on unauthorized domains. Look for the domain in: package.json homepage, vercel.json, .env NEXT_PUBLIC_URL, or ask the user. | |
| ownerEmail | No | Optional email of the prompt owner for notifications | |

Implementation Reference

  • The core handler function that sends the prompt to the HashBuilds Secure Prompts API for registration and security scanning. It processes the response to provide embed options, risk assessment, and detailed implementation guidance for displaying the secure badge.
    async function registerPrompt(args: {
      promptText: string;
      ownerEmail?: string;
      siteDomain?: string;
    }): Promise<{
      success: boolean;
      id?: string;
      promptHash?: string;
      riskLevel?: string;
      riskScore?: number;
      summary?: string;
      promptLabel?: string;
      promptType?: string;
      recommendations?: string[];
      embedOptions?: object;
      implementationGuide?: string;
      error?: string;
    }> {
      try {
        const response = await fetch(`${API_BASE}/register`, {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify(args),
        });

        const result = await response.json();

        if (!response.ok) {
          return { success: false, error: result.error || "Registration failed" };
        }

        const promptId = result.id;
        const scriptUrl = "https://www.hashbuilds.com/sp.js";

        // Generate multiple embed options for the implementing agent
        const embedOptions = {
          // Option 1: Full badge with prompt preview
          fullBadge: {
            description: "Shows security badge + prompt preview + secure copy button. Best for dedicated prompt pages.",
            html: `<div data-secure-prompt-id="${promptId}"></div>\n<script src="${scriptUrl}" async></script>`,
            react: `<>\n <div data-secure-prompt-id="${promptId}" />\n <Script src="${scriptUrl}" strategy="lazyOnload" />\n</>`
          },
          // Option 2: Compact link
          compactLink: {
            description: "Simple 'Get Securely' link. Best for inline use or cards.",
            html: `<a href="https://www.hashbuilds.com/copy/${promptId}" target="_blank" rel="noopener" class="secure-prompt-link">Get ${result.promptLabel || 'Prompt'} Securely</a>`,
            react: `<a href="https://www.hashbuilds.com/copy/${promptId}" target="_blank" rel="noopener" className="secure-prompt-link">Get ${result.promptLabel || 'Prompt'} Securely</a>`
          },
          // Option 3: Icon button
          iconButton: {
            description: "Small shield icon button. Best for tight spaces.",
            html: `<a href="https://www.hashbuilds.com/copy/${promptId}" target="_blank" rel="noopener" title="Get Prompt Securely" class="secure-prompt-icon">🔒</a>`,
            react: `<a href="https://www.hashbuilds.com/copy/${promptId}" target="_blank" rel="noopener" title="Get Prompt Securely" className="secure-prompt-icon">🔒</a>`
          },
          // Option 4: Verify only link
          verifyLink: {
            description: "Link to verification page. Let users see full scan results.",
            html: `<a href="https://www.hashbuilds.com/verify/${promptId}" target="_blank" rel="noopener">View Verification</a>`,
            url: `https://www.hashbuilds.com/verify/${promptId}`
          }
        };

        // Implementation guidance for the AI agent
        const implementationGuide = `
    ## Implementation Guide for Prompt ID: ${promptId}

    **Prompt Type:** ${result.promptLabel || 'AI Prompt'} (${result.promptType || 'other'})
    **Risk Level:** ${result.riskLevel} (Score: ${result.riskScore || 0}/100)
    **Summary:** ${result.summary || 'Prompt registered successfully'}

    ### Ask the user which display option they prefer:

    1. **Full Badge** - Shows security scan results, prompt preview, and "Get Prompt Securely" button
       - Best for: Dedicated prompt pages, documentation
       - Use when: User wants to show transparency about the prompt

    2. **Compact Link** - Simple "Get [Prompt] Securely" text link
       - Best for: Cards, lists, inline mentions
       - Use when: Space is limited or badge feels heavy

    3. **Icon Button** - Just a lock icon that opens secure copy page
       - Best for: Tight layouts, mobile, minimal UI
       - Use when: User wants subtle indicator

    4. **Verify Link** - Links to full verification page on HashBuilds
       - Best for: Adding credibility without embedding
       - Use when: User wants users to see full scan details

    ### Styling Tips:
    - Match button/link colors to the site's design system
    - Consider adding the badge near wherever the prompt is displayed
    - For cards: compact link works well in the footer
    - For documentation: full badge shows transparency

    ### Quick Integration (React/Next.js):

    \`\`\`jsx
    import Script from "next/script";

    // Full badge (button says "Get Prompt Securely")
    <div data-secure-prompt-id="${promptId}" />
    <Script src="${scriptUrl}" strategy="lazyOnload" />

    // Or just a link
    <a href="https://www.hashbuilds.com/copy/${promptId}" target="_blank">
      Get Prompt Securely
    </a>
    \`\`\`
    `;

        return {
          success: true,
          id: promptId,
          promptHash: result.promptHash,
          riskLevel: result.riskLevel,
          riskScore: result.riskScore,
          summary: result.summary,
          promptLabel: result.promptLabel,
          promptType: result.promptType,
          recommendations: result.recommendations,
          embedOptions,
          implementationGuide
        };
      } catch (error) {
        return {
          success: false,
          error: error instanceof Error ? error.message : "Network error",
        };
      }
    }
  • The input schema defining parameters for the register_secure_prompt tool: promptText (required), siteDomain (required), ownerEmail (optional).
    inputSchema: {
      type: "object",
      properties: {
        promptText: {
          type: "string",
          description: "The full text of the prompt to register and scan",
        },
        siteDomain: {
          type: "string",
          description:
            "REQUIRED: The domain where this prompt will be displayed (e.g., 'example.com'). " +
            "This enables domain verification - the badge will warn users if displayed on unauthorized domains. " +
            "Look for the domain in: package.json homepage, vercel.json, .env NEXT_PUBLIC_URL, or ask the user.",
        },
        ownerEmail: {
          type: "string",
          description: "Optional email of the prompt owner for notifications",
        },
      },
      required: ["promptText", "siteDomain"],
    },
  • src/index.ts:392-422 (registration)
    The tool registration in the ListTools response, including name, description, and input schema.
    {
      name: "register_secure_prompt",
      description:
        "Register a prompt with HashBuilds Secure Prompts for security verification and get embed options. " +
        "This uses AI to scan the prompt for injection attacks, hidden instructions, data exfiltration, " +
        "jailbreak attempts, and other security issues. Returns multiple display options (full badge, " +
        "compact link, icon button) with implementation guidance. After registering, ASK THE USER which " +
        "display option they prefer before implementing. The response includes an implementationGuide " +
        "field with detailed instructions for styling and placement.",
      inputSchema: {
        type: "object",
        properties: {
          promptText: {
            type: "string",
            description: "The full text of the prompt to register and scan",
          },
          siteDomain: {
            type: "string",
            description:
              "REQUIRED: The domain where this prompt will be displayed (e.g., 'example.com'). " +
              "This enables domain verification - the badge will warn users if displayed on unauthorized domains. " +
              "Look for the domain in: package.json homepage, vercel.json, .env NEXT_PUBLIC_URL, or ask the user.",
          },
          ownerEmail: {
            type: "string",
            description: "Optional email of the prompt owner for notifications",
          },
        },
        required: ["promptText", "siteDomain"],
      },
    },
  • The MCP server request handler case for register_secure_prompt, which validates arguments and calls the registerPrompt function.
    case "register_secure_prompt": {
      const typedArgs = args as {
        promptText: string;
        ownerEmail?: string;
        siteDomain?: string;
      };

      if (!typedArgs.promptText) {
        throw new McpError(ErrorCode.InvalidParams, "promptText is required");
      }

      const result = await registerPrompt(typedArgs);
      return {
        content: [
          {
            type: "text",
            text: JSON.stringify(result, null, 2),
          },
        ],
      };
    }
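
The input schema lists siteDomain under required, but the handler case checks only promptText and types siteDomain as optional, so the handler itself does not reject a call that omits the domain the badge's domain verification depends on. The following is an added example, not code from the secure-prompts-mcp project: a validator the handler could run before calling registerPrompt. The names validateRegisterArgs and normalizeDomain, the plain Error type and the hostname rules are assumptions of this example.

```typescript
// Added example: argument validation for register_secure_prompt.
// validateRegisterArgs and normalizeDomain are hypothetical helpers, not project code.
type RegisterArgs = { promptText: string; siteDomain: string; ownerEmail?: string };

// One hostname label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Reduce "https://Example.com:443/docs" or "example.com." to "example.com";
// return null for anything that is not a multi-label hostname.
function normalizeDomain(input: string): string | null {
  const host = input
    .trim()
    .toLowerCase()
    .replace(/^[a-z][a-z0-9+.-]*:\/\//, "") // scheme
    .replace(/[\/?#].*$/, "")               // path, query, fragment
    .replace(/:\d+$/, "")                   // port
    .replace(/\.$/, "");                    // trailing root dot
  const labels = host.split(".");
  if (host.length > 253 || labels.length < 2) return null;
  return labels.every((label) => LABEL.test(label)) ? host : null;
}

// Enforce the schema's required fields and types; throw on the first violation.
function validateRegisterArgs(raw: unknown): RegisterArgs {
  const { promptText, siteDomain, ownerEmail } = (raw ?? {}) as Record<string, unknown>;
  if (typeof promptText !== "string" || promptText.trim() === "") {
    throw new Error("promptText is required");
  }
  if (typeof siteDomain !== "string") {
    throw new Error("siteDomain is required");
  }
  const domain = normalizeDomain(siteDomain);
  if (domain === null) {
    throw new Error("siteDomain must be a hostname such as example.com");
  }
  let email: string | undefined;
  if (ownerEmail !== undefined) {
    if (typeof ownerEmail !== "string") throw new Error("ownerEmail must be a string");
    email = ownerEmail;
  }
  return { promptText, siteDomain: domain, ownerEmail: email };
}

// Constructed sample call, shaped like the arguments an MCP client would send.
const sample = validateRegisterArgs({
  promptText: "You are a support assistant for Example Corp.",
  siteDomain: "https://Docs.Example.com/prompts",
});
```

Normalizing before the POST means the registered domain is a bare hostname even when the caller pastes a full URL.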

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jphyqr/secure-prompts-mcp'
