Documentation Index
Fetch the complete documentation index at: https://docs.q-uestionable.ai/llms.txt
Use this file to discover all available pages before exploring further.
The --dangerous flag on qai ipi generate enables payload types that go beyond proof-of-execution callbacks. These types instruct the target AI to perform actions with real consequences — exfiltrating data, making SSRF requests, or overriding instructions.
Payload Type Safety Tiers
Always available (no flag needed):
| Type | Action |
|---|
callback | HTTP GET to the listener URL — benign proof that the hidden instruction was executed |
--dangerous:
| Type | Action |
|---|
exfil_summary | POST document summary text to the listener |
exfil_context | POST conversation/session context to the listener |
ssrf_internal | HTTP request to an internal endpoint from the target |
instruction_override | Attempt to override system instructions |
tool_abuse | Attempt to misuse agent tools |
persistence | Attempt to persist instructions across sessions |
Using the Flag
# This works — callback is always available
qai ipi generate --callback http://localhost:8080
# This fails — exfil requires --dangerous
qai ipi generate --callback http://localhost:8080 --payload-type exfil_summary
# This works — dangerous flag enables the exfil type
qai ipi generate --callback http://localhost:8080 \
--payload-type exfil_summary --dangerous
--dangerous is used, the CLI displays a warning banner before generating payloads:
============================================================
WARNING: DANGEROUS PAYLOAD TYPE ENABLED
Type: exfil_summary
For authorized security testing only.
============================================================
What the Flag Does NOT Do
The --dangerous flag is a CLI safety gate. It does not:
- Enable sandbox or isolation modes (there are none)
- Require additional approval workflows
- Change how the payload is generated or delivered
- Apply to any module other than IPI
It exists to prevent accidentally generating payloads that cause target systems to exfiltrate data, make SSRF requests, or modify their own behavior. The flag forces you to explicitly opt in.
When to Use Dangerous Payloads
Use callback payloads first. Callback proves execution without side effects — the target makes a single HTTP GET and the listener records it. That’s sufficient evidence for most testing.
Use dangerous types when you need to demonstrate specific attack outcomes (data exfiltration, SSRF, instruction override) to stakeholders who need to see the actual impact, not just proof that execution is possible.
Dangerous payloads cause real actions on the target system. Exfil payloads POST data to your listener. SSRF payloads make the target issue outbound requests. Only use these in environments where you control the blast radius and have explicit authorization.