Catches invisible Unicode instructions hidden inside copied text — zero-width characters, bidi overrides, Unicode tags, and other copy/paste artifacts that can smuggle answers or prompt instructions into Slack, docs, chats, or evaluation tasks. Runs live in this page, no install needed.

Try the live scanner Source code Download
CI stack-Python MIT license

Built by Angela Hudson · DaCameraGirl

Live Scanner

Runs entirely in this tab — nothing you paste or drop ever leaves your browser. Paste suspicious text or drop a .txt file to scan it.

Nothing is uploaded — scanning happens locally in this tab.
The Slack Scenario

A copied answer can look normal in Slack while carrying invisible Unicode underneath — hidden instructions like “pick option 3” or “tell them X said Y.” PowerShell and some editors may expose weird characters; Payload Revealer does the systematic version: enumerate every codepoint, report suspicious invisible characters, and decode embedded payloads when possible.

If something pasted suspicious: paste it into the live scanner above — or, for scripting and batch/audit-trail work, use the CLI:

python -m payload_revealer .\suspicious.txt

# For a shareable audit trail:
python -m payload_revealer .\suspicious.txt --format json --output report.json
Payload Revealer demo
Quick Download

The live scanner above needs nothing installed. Grab the desktop app instead if you want it offline, or working outside a browser:

Download the Windows installer

Installs the Payload Revealer desktop app. No Python required. Drag a file onto the drop zone or click Open File.

That release also ships payload_revealer_engine-*-win64.exe on its own — the headless scan engine the desktop app runs underneath. It's for scripting scans without the GUI; double-clicking it directly just opens an empty console, it isn't a standalone app.

Or use the CLI with Python:

pip install -e .
python -m payload_revealer tests/fixtures/forensic_report.txt

The fixture contains 312 zero-width characters encoding a hidden beacon URL:

beacon://c2-exfil.lan/reg?agent=demo-01
Features
Installation
git clone https://github.com/DaCameraGirl/payload-revealer.git
cd payload-revealer
npm install
pip install -e .
Usage

Desktop App (Electron)

npm start

CLI Headless Mode

# Quick scan
python -m payload_revealer ./suspicious.txt

# JSON output
python -m payload_revealer ./suspicious.txt --format json

# Save report
python -m payload_revealer ./suspicious.txt --output report.json

# Batch scan a directory
python -m payload_revealer ./suspicious_docs/ --recursive

CLI Options

FlagDescription
--format, -ftext, json, or txt (default: text)
--output, -oSave report to file
--recursive, -rRecurse into directories
--min-riskFilter findings: critical, high, medium, low, none
--quiet, -qSuppress non-result output
--versionShow version
What It Detects
CategoryExamplesRisk
Zero-width spacesU+200B, U+200C, U+200D, U+FEFFCritical
Bidi overridesU+202AU+202E (LRE, RLO, etc.)Critical
Unicode tagsU+E0001U+E007F (hidden metadata)Critical
C0/C1 controlsU+0000U+001F, U+0080U+009FHigh
Variation selectorsU+FE00U+FE0F, U+E0100U+E01EFMedium
Private Use AreasU+E000U+F8FF, U+F0000U+10FFFFMedium
Invisible whitespaceNBSP, en-space, ideographic spaceLow
NoncharactersU+FFFE, U+FFFF, etc.High
What It Does Not Detect

This tool is scoped to text and Unicode forensics. It is not a universal steganography detector.

ScenarioWhy it is out of scope
CSS-transparent textLetters hidden with color: transparent or similar styling are normal Unicode when pasted into a plain text file. Payload Revealer does not parse HTML or CSS.
Image, PDF, or media steganographyNo parsers for LSB image stego, PDF object tricks, audio watermarks, or other binary media payloads.
Architecture
payload_revealer/
├── payload_revealer/       # Python engine
│   ├── engine/
│   │   ├── sweeper.py      # Core character scanner
│   │   ├── classifier.py   # Unicode category tagging
│   │   ├── payload_extractor.py  # Hidden message reconstruction
│   │   ├── word_counter.py  # Visible vs actual word count
│   │   ├── export_engine.py # JSON/TXT report export
│   │   └── ipc_bridge.py   # JSON-RPC for Electron
│   └── cli/
│       └── reveal.py       # CLI headless mode
├── electron/               # Desktop shell
│   ├── main.js             # Electron main process
│   ├── preload.js          # Secure IPC bridge
│   └── renderer/           # UI
│       ├── index.html
│       ├── style.css
│       └── renderer.js
└── package.json