IPI payloads are defined by two independent dimensions: style (how the instruction blends into document content) and type (what the agent is instructed to do). Combining these produces a matrix of 49 template combinations.

Payload Styles

Payload styles control the social engineering wrapper around the injection instruction. More subtle styles increase the likelihood that an AI agent will follow the instruction without flagging it as suspicious.
| Style ID | Name | Hiding Mechanism |
|---|---|---|
| obvious | Obvious | Direct injection markers — easily detectable baseline for initial testing |
| citation | Citation | Disguised as a document reference or citation |
| reviewer | Reviewer | Appears as a note to the document reviewer or editor |
| helpful | Helpful | Framed as a helpful supplementary resource or link |
| academic | Academic | Academic or research cross-reference format |
| compliance | Compliance | Looks like a compliance or verification requirement |
| datasource | Data Source | Appears as a data source attribution |

Use --payload-style (or --payload / -p) to select a style:
qai ipi generate --callback http://localhost:8080 --payload-style citation

Payload Types

Payload types define the action the agent is instructed to perform. They range from benign proof-of-execution callbacks to dangerous actions that could harm target systems.
| Type ID | Dangerous | What It Tests | Evidence Produced |
|---|---|---|---|
| callback | No | Whether the agent executes a hidden HTTP request | HTTP hit with confidence scoring |
| exfil_summary | Yes | Whether the agent exfiltrates a document summary | POST body containing document summary text |
| exfil_context | Yes | Whether the agent exfiltrates conversation context | POST body containing conversation/session data |
| ssrf_internal | Yes | Whether the agent can be directed to internal endpoints | HTTP hit from the agent to an internal URL |
| instruction_override | Yes | Whether the agent’s system instructions can be overridden | Changed agent behavior in subsequent responses |
| tool_abuse | Yes | Whether the agent can be made to misuse its tools | Evidence of unauthorized tool invocations |
| persistence | Yes | Whether injected instructions persist across sessions | Callbacks from future sessions without re-injection |

Use --payload-type to select a type:
qai ipi generate --callback http://localhost:8080 --payload-type callback

The --dangerous Flag

All payload types except callback require the --dangerous flag. This is an explicit opt-in that confirms you are conducting authorized security testing.
# This works — callback is always available
qai ipi generate --callback http://localhost:8080

# This fails without --dangerous
qai ipi generate --callback http://localhost:8080 --payload-type exfil_summary

# This works — dangerous flag explicitly enables exfil payloads
qai ipi generate --callback http://localhost:8080 \
  --payload-type exfil_summary --dangerous
When --dangerous is used, the CLI displays a prominent warning banner before generating payloads:
============================================================
  WARNING: DANGEROUS PAYLOAD TYPE ENABLED
  Type: exfil_summary
  For authorized security testing only.
============================================================
Dangerous payloads should only be used in authorized test environments against systems you own or have explicit written permission to test. Exfil payloads will attempt to send data to your listener. SSRF payloads will cause the target to make outbound HTTP requests.

Template System

Payloads are generated from templates that combine a hiding technique with a payload type and style. The template system:
  1. Selects the hiding technique (e.g., white_ink for PDF)
  2. Wraps the payload instruction in the chosen style (e.g., citation)
  3. Embeds the payload type action (e.g., callback with the campaign URL)
  4. Generates the document in the target format

Deterministic Generation

Use --seed for reproducible payload generation. The seed controls UUID and token generation, producing identical campaigns and callback URLs across runs:
# These two runs produce identical payloads
qai ipi generate --callback http://localhost:8080 --seed 42
qai ipi generate --callback http://localhost:8080 --seed 42
This is useful for:
  • Reproducing specific test scenarios
  • Generating consistent corpora for comparative testing
  • Sharing exact test configurations with other researchers
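
The sketch below is an added example, not qai's own code. It shows one way a seed can drive both UUID and token generation so that a whole corpus of campaigns is reproducible. The function name `campaigns`, the token length and the `/c/<id>/<token>` URL layout are assumptions made for illustration.

```python
import random
import secrets
import uuid
from typing import List, Optional, Tuple

Campaign = Tuple[str, str, str]  # (campaign_id, token, callback_url)


def campaigns(callback: str, count: int, seed: Optional[int] = None) -> List[Campaign]:
    """Build `count` campaign records for one callback listener.

    With a seed, every random byte is drawn from one seeded PRNG, so the
    whole list is a pure function of (callback, count, seed). Without a
    seed, bytes come from the OS CSPRNG and no two runs match.
    """
    # `is not None` so that seed 0 still counts as a seed.
    rng = random.Random(seed) if seed is not None else None

    def draw(n: int) -> bytes:
        return rng.randbytes(n) if rng is not None else secrets.token_bytes(n)

    base = callback.rstrip("/")
    out: List[Campaign] = []
    for _ in range(count):
        # Forcing version=4 sets the RFC 4122 version/variant bits on the
        # raw bytes, so seeded IDs are still well-formed UUIDs.
        campaign_id = str(uuid.UUID(bytes=draw(16), version=4))
        token = draw(8).hex()
        # Hypothetical URL layout; the page does not show the real one.
        out.append((campaign_id, token, f"{base}/c/{campaign_id}/{token}"))
    return out


if __name__ == "__main__":
    first = campaigns("http://localhost:8080", 2, seed=42)
    second = campaigns("http://localhost:8080", 2, seed=42)
    print("same seed, same corpus:", first == second)
    for _, _, url in first:
        print(url)
```

In a scheme like this, anyone who knows the seed can compute every token in advance, so seeded identifiers are reproducibility aids and should not be treated as secrets when interpreting listener hits.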