I wrote this because the SOTA tools for prompt injection detection/mitigation are too coarse and compute intensive for broad application. Clean is designed to be transparent from a performance and usability standpoint. It performs span level redaction/tagging rather than binary classification, and can work with structured data.

It's important to note that there are many types of prompt injection, and many ways to make them hard to detect, so it's an impossible problem to fully solve just at this level. Clean and other prompt injection detectors should be viewed akin to an email filter to reduce the number of phishing attempts that make it to end users, rather than the entire basis of your security.