IPI payloads are defined by two independent dimensions: style (how the instruction blends into document content) and type (what the agent is instructed to do). Combining these produces a matrix of 49 template combinations.
Payload Styles
Payload styles control the social engineering wrapper around the injection instruction. More subtle styles increase the likelihood that an AI agent will follow the instruction without flagging it as suspicious.

| Style ID | Name | Hiding Mechanism |
|---|---|---|
| `obvious` | Obvious | Direct injection markers — easily detectable baseline for initial testing |
| `citation` | Citation | Disguised as a document reference or citation |
| `reviewer` | Reviewer | Appears as a note to the document reviewer or editor |
| `helpful` | Helpful | Framed as a helpful supplementary resource or link |
| `academic` | Academic | Academic or research cross-reference format |
| `compliance` | Compliance | Looks like a compliance or verification requirement |
| `datasource` | Data Source | Appears as a data source attribution |

Use `--payload-style` (or `--payload` / `-p`) to select a style.
Payload Types
Payload types define the action the agent is instructed to perform. They range from benign proof-of-execution callbacks to dangerous actions that could harm target systems.

| Type ID | Dangerous | What It Tests | Evidence Produced |
|---|---|---|---|
| `callback` | No | Whether the agent executes a hidden HTTP request | HTTP hit with confidence scoring |
| `exfil_summary` | Yes | Whether the agent exfiltrates a document summary | POST body containing document summary text |
| `exfil_context` | Yes | Whether the agent exfiltrates conversation context | POST body containing conversation/session data |
| `ssrf_internal` | Yes | Whether the agent can be directed to internal endpoints | HTTP hit from the agent to an internal URL |
| `instruction_override` | Yes | Whether the agent’s system instructions can be overridden | Changed agent behavior in subsequent responses |
| `tool_abuse` | Yes | Whether the agent can be made to misuse its tools | Evidence of unauthorized tool invocations |
| `persistence` | Yes | Whether injected instructions persist across sessions | Callbacks from future sessions without re-injection |

Use `--payload-type` to select a type.
The --dangerous Flag
All payload types except callback require the --dangerous flag. This is an explicit opt-in that confirms you are conducting authorized security testing.
When `--dangerous` is used, the CLI displays a prominent warning banner before generating payloads.
Template System
Payloads are generated from templates that combine a hiding technique with a payload type and style. The template system:

- Selects the hiding technique (e.g., `white_ink` for PDF)
- Wraps the payload instruction in the chosen style (e.g., `citation`)
- Embeds the payload type action (e.g., `callback` with the campaign URL)
- Generates the document in the target format
Deterministic Generation
Use `--seed` for reproducible payload generation. The seed controls UUID and token generation, producing identical campaigns and callback URLs across runs. Deterministic generation is useful for:

- Reproducing specific test scenarios
- Generating consistent corpora for comparative testing
- Sharing exact test configurations with other researchers
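
The following is an added example, not the tool's own code: it shows how one seed can make a whole style × type test matrix reproducible while applying the `--dangerous` gate described above. The `build_plan` and `diff_plans` helpers, the record layout, the callback URL shape and the placeholder host are assumptions made for illustration.

```python
import random
import uuid
from itertools import product

# Style and type IDs as listed in the tables on this page.
STYLES = ["obvious", "citation", "reviewer", "helpful",
          "academic", "compliance", "datasource"]
TYPES = ["callback", "exfil_summary", "exfil_context", "ssrf_internal",
         "instruction_override", "tool_abuse", "persistence"]
SAFE_TYPES = {"callback"}  # every other type needs the explicit opt-in


def build_plan(seed, base_url, dangerous=False):
    """Return one campaign record per permitted style/type combination.

    Hypothetical helper: the record layout and URL shape are assumptions.
    """
    rng = random.Random(seed)  # single seeded source drives all IDs and tokens
    plan = []
    for style, ptype in product(STYLES, TYPES):
        # Draw from the RNG for every cell, even skipped ones, so that a
        # combination gets the same ID whether or not dangerous types are on.
        campaign = uuid.UUID(int=rng.getrandbits(128), version=4)
        token = f"{rng.getrandbits(64):016x}"
        if ptype not in SAFE_TYPES and not dangerous:
            continue
        plan.append({
            "style": style,
            "type": ptype,
            "campaign_id": str(campaign),
            "callback_url": f"{base_url}/c/{campaign}?t={token}",
        })
    return plan


def diff_plans(a, b):
    """List (style, type) cells whose callback URL differs between two plans."""
    index = {(r["style"], r["type"]): r["callback_url"] for r in b}
    return [(r["style"], r["type"]) for r in a
            if index.get((r["style"], r["type"])) != r["callback_url"]]


if __name__ == "__main__":
    url = "https://callback.example.test"  # constructed placeholder host
    full = build_plan(1234, url, dangerous=True)
    safe = build_plan(1234, url)
    print(len(full), len(safe), diff_plans(safe, full))
```

Because every ID and token is derived from the seed, anyone who knows the seed can predict them; in a seeded run they serve as correlation identifiers, not as secrets that authenticate a callback.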