The inject module tests tool poisoning and prompt injection against LLM models. It loads adversarial payload templates, serves them as MCP tools via a poisoned server, and runs campaigns to measure model susceptibility.Documentation Index
Fetch the complete documentation index at: https://docs.q-uestionable.ai/llms.txt
Use this file to discover all available pages before exploring further.
What It Tests
MCP tool descriptions are trusted inputs to AI agents. When an attacker controls or compromises an MCP server, they can embed instructions in tool descriptions to redirect behavior, exfiltrate data, escalate access, or hide actions from the user. The inject module measures how effectively these attacks work against different LLM models.How It Works
The inject testing workflow follows three steps:- Load payloads — Select adversarial tool templates by technique (description poisoning, output injection, cross-tool escalation)
- Serve — Register payloads as live MCP tools and expose them to the target model
- Campaign — Test the model’s susceptibility by measuring which payloads succeed and how
Provider Support
Inject campaigns work with any LLM provider supported by litellm (100+ models):- Anthropic — Claude models
- OpenAI — GPT-4, GPT-4o, etc.
- Google — Gemini models
- Cohere, Mistral, Ollama — And many others
anthropic/claude-sonnet-4-20250514, openai/gpt-4o, ollama/llama3, etc.
Key Components
- Payload templates — Adversarial tool definitions in YAML format across 3 techniques
- Inject server — Dynamic MCP server that registers payloads as live tools
- Campaign executor — Provider-agnostic LLM client that tests each payload
- Outcome scoring — Classifies results as full compliance, partial compliance, refusal with leak, or clean refusal
- Evidence collection — Preserves full provider responses for manual analysis
What to Expect
Inject campaigns are automated once configured — select a model, select techniques, set rounds, launch. The scoring is string-matching heuristics (not semantic analysis), so the full evidence is preserved for manual review. The iteration comes before the run: crafting or selecting YAML templates that test the right attack vectors for your target.Findings-Informed Payload Selection
When running inside the assess workflow, the inject adapter automatically queries audit findings to prioritize which templates are most relevant. Templates declarerelevant_categories in their YAML metadata (e.g., tool_poisoning, prompt_injection, permissions). If audit found command injection vulnerabilities, templates targeting those categories run first.
This is priority ordering, not exclusion — all selected templates still run. Templates matching audit findings are moved to the front of the queue.
Imported Findings
Imported external findings (fromqai import --target) participate in the same mechanism. The inject adapter queries both native audit findings from the current workflow run and imported findings (Garak, PyRIT, SARIF) associated with the same target. If you imported Garak results showing prompt injection vulnerabilities, inject templates with relevant_categories: [prompt_injection] will be prioritized alongside any native audit findings.
Without imported findings for the target, behavior is unchanged — template selection uses native audit findings only, or runs all templates if no findings are present.
Next Steps
- Inject CLI — Commands for serving payloads and running campaigns
- Payload Catalog — Available payloads and technique reference
- Campaign Execution — Running campaigns and interpreting results