Library / research fixture (Phase 1). Inject is not a root
qai CLI pillar.
Use build_server from the package or python -m q_ai.inject (serve /
list-payloads). Campaigns and campaign scoring are removed. The public CLI
center is qai proxy.build_server so a client you
control can exercise poisoned tool descriptions and responses.
What It Tests
MCP tool descriptions are trusted inputs to AI agents. When an attacker controls or compromises an MCP server, they can embed instructions in tool descriptions to redirect behavior, exfiltrate data, escalate access, or hide actions from the user. Fixture servers let you present those adversarial tools to a client under test.How It Works
- Load payloads — Select adversarial tool templates by technique (description poisoning, output injection, cross-tool escalation)
- Build / serve — Register payloads as live MCP tools via
build_serverorpython -m q_ai.inject serve - Observe — Point a client you control (optionally through
qai proxy) at the fixture server
Key Components
- Payload templates — Adversarial tool definitions in YAML format across 3 techniques
build_server— Constructs a dynamic MCP server that registers payloads as live tools- Library CLI —
python -m q_ai.inject serve/list-payloads
Next Steps
- Inject CLI — Serve fixtures and list payloads
- Payload Catalog — Available payloads and technique reference