Skip to main content
The inject module is a tool poisoning and prompt injection framework — it loads adversarial payload templates, serves them as MCP tools, and runs automated campaigns against AI models.

Why Inject Matters

MCP tool descriptions are trusted inputs to AI agents. Adversarial descriptions embedded in tool metadata can redirect agent behavior, exfiltrate data, or cause the agent to invoke attacker-controlled operations — without modifying the model or the application.

How It Works

The inject campaign workflow follows five steps:
  1. Select — Choose payload templates by technique or target agent
  2. Serve — Launch them as live MCP tools via the inject server
  3. Connect — An AI model connects to the server and receives the poisoned tool list
  4. Execute — The poisoned tool descriptions redirect the model’s behavior — invoking attacker-controlled operations, exfiltrating data, or hijacking goals
  5. Score — The campaign runner records and scores outcomes

Built-in Components

  • 13 payload templates — Across 3 technique categories: goal hijacking, context manipulation, and data exfiltration
  • FastMCP server builder — Dynamic tool registration from YAML payload templates
  • Anthropic API campaign runner — Drives a model against the poisoned server with parallel execution
  • Heuristic response scorer — Classifies outcomes into 4 categories

Next Steps