There are 5 attacks in the protocol-exploitation category. Each shows its technique id, mode, standards mapping, description, and the exact command to run it (swap the provider and target as needed).
A2A Protocol Exploit
critical
a2a-protocol-exploit · tool-use · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Exploits Google’s Agent-to-Agent (A2A) protocol by injecting malicious task descriptions that cross trust boundaries between agentsRun it:
ai-blackteam run -p anthropic -a a2a-protocol-exploit -t "your target prompt"
Self-Propagating Worm
critical
self-propagating-worm · tool-use · OWASP: LLM01, LLM06 · MITRE: AML.T0054Tests if an agent can be tricked into creating self-replicating payloads that spread through agent interactions. The prompt instructs the agent to include the same injection in all outgoing messages.Run it:
ai-blackteam run -p anthropic -a self-propagating-worm -t "your target prompt"
Tool Result Poisoning
critical
tool-result-poisoning · tool-use · OWASP: LLM01, LLM02 · MITRE: AML.T0051.000, AML.T0054Tests if an agent properly sanitizes tool call results by injecting prompt injection payloads into simulated tool responsesRun it:
ai-blackteam run -p anthropic -a tool-result-poisoning -t "your target prompt"
Zero-Click Injection
critical
zero-click-injection · tool-use · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0051.001Tests EchoLeak-style zero-click attacks where a crafted email or document is automatically processed by the agent without user interaction. The payload hides in auto-fetched content.Run it:
ai-blackteam run -p anthropic -a zero-click-injection -t "your target prompt"
Function Schema Injection
high
function-schema-injection · tool-use · OWASP: LLM01, LLM06 · MITRE: AML.T0051.000, AML.T0068Tests if malicious function/tool schemas can manipulate agent behavior by injecting harmful instructions into parameter descriptions and enum valuesRun it:
ai-blackteam run -p anthropic -a function-schema-injection -t "your target prompt"