Skip to main content
Library / research fixture (Phase 1). Inject is not a root qai CLI pillar. Use build_server from the package or python -m q_ai.inject (serve / list-payloads). Campaigns and campaign scoring are removed. The public CLI center is qai proxy.
The inject module provides malicious MCP fixture servers: load adversarial payload templates and serve them as MCP tools via build_server so a client you control can exercise poisoned tool descriptions and responses.

What It Tests

MCP tool descriptions are trusted inputs to AI agents. When an attacker controls or compromises an MCP server, they can embed instructions in tool descriptions to redirect behavior, exfiltrate data, escalate access, or hide actions from the user. Fixture servers let you present those adversarial tools to a client under test.

How It Works

  1. Load payloads — Select adversarial tool templates by technique (description poisoning, output injection, cross-tool escalation)
  2. Build / serve — Register payloads as live MCP tools via build_server or python -m q_ai.inject serve
  3. Observe — Point a client you control (optionally through qai proxy) at the fixture server

Key Components

  • Payload templates — Adversarial tool definitions in YAML format across 3 techniques
  • build_server — Constructs a dynamic MCP server that registers payloads as live tools
  • Library CLIpython -m q_ai.inject serve / list-payloads

Next Steps