What it is
Prompts are code, and code that lives inside f-strings is hard to manage at scale. Prompt management platforms version, A/B-test, and govern prompts the same way GitHub manages source. PromptLayer is the SaaS leader. Pezzo, Promptly, and Agenta are the open-source alternatives. LangSmith (LangChain) and Langfuse also overlap into this space from the observability side. Together they are how a prompt becomes a versioned, deployable artifact instead of a magic string copy-pasted into twelve services.
What goes wrong
The prompt store is a verbatim record of every system prompt and template the operator has written, including the ones they tried and rejected. When the platform is exposed without auth, an attacker reads the operator’s entire prompt history, including the jailbreak-resistance prompts, the tone-of-voice instructions, the proprietary chain-of-thought patterns, and any embedded keys or URLs the operator pasted into prompt bodies. We have also seen credential-bearing webhooks defined in PromptLayer-style platforms, leaking the operator’s downstream integrations.
How we test
We probe /api/prompts, /v1/prompts, or the platform-specific equivalent for the prompt inventory and read prompt names plus version counts. We do not read prompt bodies. The names alone (“customer-support-system-v3”, “jailbreak-defense”, “tone-formal”) characterise the operator’s product strategy without our needing to see the actual text.
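A defender's self-check that mirrors the probe above, added here as an example and not part of the original page or of any of the named platforms: it sends one unauthenticated GET to each inventory path on a deployment you operate and classifies the answer. The JSON shape of the inventory (a list of objects with a name and either a versions list or a version_count) is an assumption; like the test described above, it never reads a prompt body.

```python
import json
import urllib.error
import urllib.request

# Inventory paths named on the page; the platform-specific equivalent can be appended.
INVENTORY_PATHS = ("/api/prompts", "/v1/prompts")


def summarize_inventory(body: bytes):
    """Return [(name, version_count)] from an inventory payload, or None if the
    payload is not an inventory. Prompt body fields are never inspected.
    Payload shape is an assumption, not any vendor's documented schema."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    items = data.get("prompts", data) if isinstance(data, dict) else data
    if not isinstance(items, list):
        return None
    out = []
    for item in items:
        if not isinstance(item, dict) or "name" not in item:
            return None
        versions = item.get("versions", item.get("version_count", 0))
        if isinstance(versions, list):
            count = len(versions)
        else:
            count = versions if isinstance(versions, int) else 0
        out.append((item["name"], count))
    return out


def classify_response(status: int, body: bytes) -> str:
    """Verdict for an unauthenticated request: 'protected' (401/403 demanded
    credentials), 'absent' (404), 'exposed' (200 with a parsable inventory),
    or 'unclear' (200 but e.g. an HTML login page)."""
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if status == 200 and summarize_inventory(body) is not None:
        return "exposed"
    return "unclear"


def check_deployment(base_url: str, timeout: float = 5.0) -> dict:
    """Unauthenticated GET to each inventory path on your own host -> {path: verdict}."""
    verdicts = {}
    for path in INVENTORY_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                verdicts[path] = classify_response(resp.status, resp.read())
        except urllib.error.HTTPError as e:
            verdicts[path] = classify_response(e.code, e.read())
        except urllib.error.URLError:
            verdicts[path] = "unreachable"
    return verdicts
```

Any path that comes back "exposed" means the inventory is readable without credentials and the platform's auth or network placement needs fixing; "absent" says nothing either way, since the platform may serve its inventory under a different path.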