--dangerous flag on qai ipi generate enables payload types that go beyond proof-of-execution callbacks. These types instruct the target AI to perform actions with real consequences — exfiltrating data, making SSRF requests, or overriding instructions.
Payload Type Safety Tiers
Always available (no flag needed):| Type | Action |
|---|---|
callback | HTTP GET to the listener URL — benign proof that the hidden instruction was executed |
--dangerous:
| Type | Action |
|---|---|
exfil_summary | POST document summary text to the listener |
exfil_context | POST conversation/session context to the listener |
ssrf_internal | HTTP request to an internal endpoint from the target |
instruction_override | Attempt to override system instructions |
tool_abuse | Attempt to misuse agent tools |
persistence | Attempt to persist instructions across sessions |
Using the Flag
--dangerous is used, the CLI displays a warning banner before generating payloads:
What the Flag Does NOT Do
The--dangerous flag is a CLI safety gate. It does not:
- Enable sandbox or isolation modes (there are none)
- Require additional approval workflows
- Change how the payload is generated or delivered
- Apply to any module other than IPI