> ## Documentation Index
> Fetch the complete documentation index at: https://ctpf.q-uestionable.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Overview

> Malicious MCP fixture servers for tool poisoning research

<Note>
  **Library / research fixture (Phase 1).** Inject is not a root `qai` CLI pillar.
  Use `build_server` from the package or `python -m q_ai.inject` (serve /
  list-payloads). **Campaigns and campaign scoring are removed.** The public CLI
  center is [`qai proxy`](/proxy/overview).
</Note>

The inject module provides malicious MCP **fixture** servers: load adversarial
payload templates and serve them as MCP tools via `build_server` so a client you
control can exercise poisoned tool descriptions and responses.

## What It Tests

MCP tool descriptions are trusted inputs to AI agents. When an attacker controls or compromises an MCP server, they can embed instructions in tool descriptions to redirect behavior, exfiltrate data, escalate access, or hide actions from the user. Fixture servers let you present those adversarial tools to a client under test.

## How It Works

1. **Load payloads** — Select adversarial tool templates by technique (description poisoning, output injection, cross-tool escalation)
2. **Build / serve** — Register payloads as live MCP tools via `build_server` or `python -m q_ai.inject serve`
3. **Observe** — Point a client you control (optionally through [`qai proxy`](/proxy/overview)) at the fixture server

## Key Components

* **Payload templates** — Adversarial tool definitions in YAML format across 3 techniques
* **`build_server`** — Constructs a dynamic MCP server that registers payloads as live tools
* **Library CLI** — `python -m q_ai.inject serve` / `list-payloads`

## Next Steps

* [Inject CLI](/inject/cli) — Serve fixtures and list payloads
* [Payload Catalog](/inject/payloads) — Available payloads and technique reference
