CXP Module
Coding assistant Poisoning (CXP) is a research harness for testing whether coding assistants can be manipulated through malicious instruction files. CXP generates poisoned context files, builds test repositories, and validates whether the assistant followed the injected instructions.

What to Expect

CXP generates the poisoned repo and tells you what prompts to try. The researcher opens the repo in the target assistant, issues prompts, captures output, and submits it for validation. The iteration — which rules to combine, which prompts to use, how to make the instructions look natural — is manual research work.

What is Context File Poisoning?
Modern coding assistants (Claude, Copilot, Codeium, Windsurf, etc.) read instruction files from your repository to customize their behavior. These files include:
- .cursorrules (Cursor)
- .github/copilot-instructions.md (GitHub Copilot)
- CLAUDE.md (Claude Code)
- AGENTS.md (Multi-assistant standard)
- GEMINI.md (Gemini Code Assist)
- .windsurfrules (Windsurf)
Attack Vectors
CXP tests the following injection techniques:
- Backdoor insertion — Creating hidden code paths or authentication bypasses
- Command execution — Injecting shell commands or system calls
- Dependency confusion — Manipulating package manager configurations
- Exfiltration — Adding code that leaks sensitive data
- Permission escalation — Generating code that elevates privileges
- Supply chain attacks — Compromising build processes or deployments
Supported Assistant Formats
CXP supports poisoning files for these coding assistants:

| Assistant | Format ID | Path |
|---|---|---|
| Cursor | cursorrules | .cursorrules |
| Claude Code | claude-md | CLAUDE.md |
| GitHub Copilot | copilot-instructions | .github/copilot-instructions.md |
| Multi-assistant | agents-md | AGENTS.md |
| Gemini Code Assist | gemini-md | GEMINI.md |
| Windsurf | windsurfrules | .windsurfrules |
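Every format in the table is a plain file at a known path in the repository, so a defender can inventory those paths and pin their hashes, letting CI flag any instruction file that appears or changes without review. The following Python script is an added example and is not part of CXP or its documentation: the format IDs and paths come from the table above, the sample repository it builds is constructed data, and the recursive search for nested copies of these files is an assumption.

```python
"""Inventory and tamper-check of assistant instruction files in a repository.

Added example (not CXP code): finds the instruction files from the format table,
hashes them, and compares the result with a pinned allowlist so that unexpected,
modified or missing instruction files can be reported in CI.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Format IDs and paths from the table above, relative to the repository root.
INSTRUCTION_FILES = {
    "cursorrules": ".cursorrules",
    "claude-md": "CLAUDE.md",
    "copilot-instructions": ".github/copilot-instructions.md",
    "agents-md": "AGENTS.md",
    "gemini-md": "GEMINI.md",
    "windsurfrules": ".windsurfrules",
}


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_instruction_files(repo_root) -> list[dict]:
    """Return one record per instruction file found under repo_root.

    Assumption: nested copies (e.g. src/.cursorrules) matter too, so the walk
    is recursive and a file matches when its relative path equals a table
    path or ends with "/" + that path. The .git directory is skipped.
    """
    root = Path(repo_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            for format_id, cfg_path in INSTRUCTION_FILES.items():
                if rel == cfg_path or rel.endswith("/" + cfg_path):
                    found.append({
                        "path": rel,
                        "format_id": format_id,
                        "sha256": sha256_file(full),
                        "bytes": full.stat().st_size,
                    })
    return sorted(found, key=lambda r: r["path"])


def check_allowlist(found: list[dict], allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Compare found files against pinned {relative path: sha256}.

    unexpected: present but not pinned; modified: pinned hash differs;
    missing: pinned but no longer present. Any non-empty list should fail CI.
    """
    by_path = {r["path"]: r["sha256"] for r in found}
    return {
        "unexpected": sorted(p for p in by_path if p not in allowlist),
        "modified": sorted(p for p in by_path if p in allowlist and allowlist[p] != by_path[p]),
        "missing": sorted(p for p in allowlist if p not in by_path),
    }


def build_sample_repo(base) -> Path:
    """Create a small constructed repository for the demonstration."""
    root = Path(base) / "sample-repo"
    (root / ".github").mkdir(parents=True, exist_ok=True)
    (root / "src").mkdir(exist_ok=True)
    (root / "CLAUDE.md").write_text("Use 4-space indentation.\n")
    (root / ".github" / "copilot-instructions.md").write_text("Prefer async APIs.\n")
    (root / "src" / ".cursorrules").write_text("Run tests after edits.\n")
    (root / "src" / "main.py").write_text("print('hello')\n")
    return root


def run_demo() -> dict:
    """Build the sample repo, inventory it, and check it against two allowlists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_repo(tmp)
        found = find_instruction_files(root)
        # Allowlist that pins exactly what is present: nothing to report.
        pinned_ok = {r["path"]: r["sha256"] for r in found}
        # Allowlist with a stale CLAUDE.md hash and a pinned AGENTS.md that is gone.
        pinned_stale = {"CLAUDE.md": "0" * 64, "AGENTS.md": "1" * 64}
        return {
            "paths": [r["path"] for r in found],
            "format_ids": [r["format_id"] for r in found],
            "clean": check_allowlist(found, pinned_ok),
            "stale": check_allowlist(found, pinned_stale),
        }


if __name__ == "__main__":
    report = run_demo()
    for path, fid in zip(report["paths"], report["format_ids"]):
        print(f"{fid:22} {path}")
    print("clean allowlist:", report["clean"])
    print("stale allowlist:", report["stale"])
```

In a real pipeline the allowlist would live in version control next to a CODEOWNERS rule for these paths, so that a pull request touching any of them requires a human reviewer and the hash pin is updated deliberately rather than silently.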
Validation Process
The CXP validator checks whether code generated by a poisoned instruction file contains:
- Exact instruction injection — The malicious instruction appears in the code
- Behavioral compliance — The generated code performs the injected action
- Concealment patterns — The malicious code is hidden or obfuscated
Key Concepts
Objectives
Each CXP objective defines what behavior to test for. Objectives map to security vulnerabilities (e.g., “backdoor,” “exfil,” “cmdexec”).

Campaigns

A campaign groups multiple test runs across different coding assistants and trigger prompts. Campaigns help measure how widespread a vulnerability is.

Trigger Prompts

Trigger prompts are user queries that cause the coding assistant to generate code. For example: “Create a login function” or “Build an API endpoint.”

Test Results

Each test produces a result indicating whether the poisoned instruction was followed. Results are stored in the database for analysis and reporting.

Next Steps
- Read the CLI reference to learn available commands
- Explore objectives to see what behaviors are testable
- Learn about assistant formats
- Set up validation for your test results