Documentation
¶
Overview ¶
Package multi_agent implements attacks targeting LLM-controlling-LLM architectures where orchestrator agents delegate tasks to sub-agents with varying privilege levels.
These attacks exploit trust boundaries, delegation chains, and communication channels in frameworks like OpenClaw, CrewAI, LangGraph, and AutoGen.
Index ¶
- type DelegationEscalationModule
- func (m *DelegationEscalationModule) Category() common.AttackCategory
- func (m *DelegationEscalationModule) Description() string
- func (m *DelegationEscalationModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *DelegationEscalationModule) Name() string
- func (m *DelegationEscalationModule) Techniques() []common.TechniqueInfo
- type RecursiveSpawnAbuseModule
- func (m *RecursiveSpawnAbuseModule) Category() common.AttackCategory
- func (m *RecursiveSpawnAbuseModule) Description() string
- func (m *RecursiveSpawnAbuseModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *RecursiveSpawnAbuseModule) Name() string
- func (m *RecursiveSpawnAbuseModule) Techniques() []common.TechniqueInfo
- type ToxicAgentFlowModule
- func (m *ToxicAgentFlowModule) Category() common.AttackCategory
- func (m *ToxicAgentFlowModule) Description() string
- func (m *ToxicAgentFlowModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *ToxicAgentFlowModule) Name() string
- func (m *ToxicAgentFlowModule) Techniques() []common.TechniqueInfo
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type DelegationEscalationModule ¶
type DelegationEscalationModule struct{}
DelegationEscalationModule exploits trust boundaries between orchestrator and sub-agents. A low-privilege agent receives a malformed request that tricks a higher-privilege agent into unauthorized actions.
Source: ScienceDirect - Protocol Exploits (https://www.sciencedirect.com/science/article/pii/S2405959525001997) Real-world: ServiceNow AI assistant privilege bypass via delegation
func (*DelegationEscalationModule) Category ¶
func (m *DelegationEscalationModule) Category() common.AttackCategory
func (*DelegationEscalationModule) Description ¶
func (m *DelegationEscalationModule) Description() string
func (*DelegationEscalationModule) Execute ¶
func (m *DelegationEscalationModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*DelegationEscalationModule) Name ¶
func (m *DelegationEscalationModule) Name() string
func (*DelegationEscalationModule) Techniques ¶
func (m *DelegationEscalationModule) Techniques() []common.TechniqueInfo
type RecursiveSpawnAbuseModule ¶
type RecursiveSpawnAbuseModule struct{}
RecursiveSpawnAbuseModule exploits recursive sub-agent spawning to cause resource exhaustion. Inspired by the LangGraph incident that burned $38K in 4 hours via uncontrolled recursive spawning.
Source: Multi-Agent Security Survey (https://arxiv.org/html/2510.23883v1) Real-world: LangGraph $38K incident via recursive sub-agent spawning
func (*RecursiveSpawnAbuseModule) Category ¶
func (m *RecursiveSpawnAbuseModule) Category() common.AttackCategory
func (*RecursiveSpawnAbuseModule) Description ¶
func (m *RecursiveSpawnAbuseModule) Description() string
func (*RecursiveSpawnAbuseModule) Execute ¶
func (m *RecursiveSpawnAbuseModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*RecursiveSpawnAbuseModule) Name ¶
func (m *RecursiveSpawnAbuseModule) Name() string
func (*RecursiveSpawnAbuseModule) Techniques ¶
func (m *RecursiveSpawnAbuseModule) Techniques() []common.TechniqueInfo
type ToxicAgentFlowModule ¶
type ToxicAgentFlowModule struct{}
ToxicAgentFlowModule chains prompt injections across agent communication channels. Poisoned output from one agent becomes trusted input for the next.
Source: arXiv 2506.23260 (https://arxiv.org/abs/2506.23260) Real-world: "Toxic Agent Flow" exploit in GitHub MCP servers
func (*ToxicAgentFlowModule) Category ¶
func (m *ToxicAgentFlowModule) Category() common.AttackCategory
func (*ToxicAgentFlowModule) Description ¶
func (m *ToxicAgentFlowModule) Description() string
func (*ToxicAgentFlowModule) Execute ¶
func (m *ToxicAgentFlowModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*ToxicAgentFlowModule) Name ¶
func (m *ToxicAgentFlowModule) Name() string
func (*ToxicAgentFlowModule) Techniques ¶
func (m *ToxicAgentFlowModule) Techniques() []common.TechniqueInfo