Skip to content

Safety Model

aipostex enforces a clear boundary between read-only operations and state-changing actions through the --force-exploit gating mechanism.

Principle

  • Read-only commands run without restriction: enumeration, listing, reading, extraction, fingerprinting, passive analysis
  • State-changing commands require explicit --force-exploit: model creation/deletion/poisoning, code execution, file uploads, throughput testing, proxy validation, queue probing

The operator never accidentally modifies target state during passive reconnaissance.

Gated Actions by Module

Ollama

Command Gated Impact
enum No Read-only enumeration
prompts No Read-only prompt extraction
generate No Read-only inference
show No Read-only metadata
running No Read-only status
exfiltrate No Read-only model weight download probing
copy Yes Duplicates a model on the target
create Yes Creates a new model on the target
delete Yes Removes a model from the target
poison Yes Creates a modified model with injected system prompt

Vector Databases

Command Gated Impact
enum No Read-only collection listing
extract No Read-only document extraction
search-sensitive No Read-only pattern search
inject Yes Injects a document into a vector collection
metadata-inject Yes Injects and verifies metadata on a collection

Jupyter

Command Gated Impact
enum No Read-only server metadata
kernels No Read-only kernel listing
notebooks No Read-only notebook listing
read-notebook No Read-only notebook content
exec Yes Executes arbitrary code in a kernel
start-kernel Yes Creates a new kernel on the server
reverse-shell-proof Yes Outbound socket proof via kernel
pip-proof Yes Pip install proof via kernel

MCP

Command Gated Impact
analyze No Local config file analysis
enum No Remote tool enumeration
env-extract No Read-only environment variable extraction
poison (generic) Yes Sends manipulative payloads
poison (ssrf-cloud) Yes SSRF to cloud metadata endpoints
poison (cmd-inject) Yes Command injection payloads
poison (path-traversal) Yes Path traversal payloads
poison (type-field) Yes Full-schema type field poisoning
poison (default-value) Yes Full-schema default value injection
poison (example-inject) Yes Full-schema example injection
poison (error-message) Yes Full-schema error message injection
poison (enum-poison) Yes Full-schema enum poisoning
chain Yes Automated credential exfiltration kill chain

OpenAI-Compatible

Command Gated Impact
auth-sweep No Passive auth pattern testing
enum No Read-only model listing
validate-inference No Single inference request
prompt-extract No Single inference request
tool-enum No Read-only tool and injection capability probe
prompt-test No Read-only prompt injection and jailbreak probe
throughput Yes Multiple concurrent inference requests
proxy-test Yes Validates proxied inference

Ray

Command Gated Impact
enum No Read-only dashboard metadata
jobs No Read-only job listing
job-logs No Read-only log reading
job-artifacts No Read-only artifact listing
submit Yes Submits a job for execution
runtime-env Yes Validates runtime environment submission
pip-inject Yes Runtime env pip injection
cluster-info No Read-only cluster resource information

MLflow

Command Gated Impact
enum No Read-only server metadata
experiments No Read-only experiment listing
runs No Read-only run listing
artifacts No Read-only artifact listing
registry No Read-only model registry
model-versions No Read-only model versions
download-artifact No Read-only artifact download
tamper-proof Yes Creates experiment/run as write-access proof

BentoML

Command Gated Impact
enum No Read-only service enumeration
routes No Read-only route listing
metrics No Read-only metrics
predict Yes Sends inference request to model

Triton

Command Gated Impact
enum No Read-only model enumeration
model-detail No Read-only model metadata
model-config No Read-only model configuration
repo-index No Read-only repository index
shm-probe No Read-only shared memory probe
infer Yes Sends inference request to model
load-model Yes Loads a model into the server
unload-model Yes Unloads a model from the server

TorchServe

Command Gated Impact
enum No Read-only model enumeration
model-detail No Read-only model metadata
metrics No Read-only metrics
predict Yes Sends inference request to model
register Yes Registers a new model
scale Yes Scales model workers
unregister Yes Removes a model

Gradio

Command Gated Impact
enum No Read-only config discovery
predict No Single prediction call
download-file No Read-only file download
file-chain No Read-only path correlation
queue-probe Yes Queue-backed execution probe
upload-file Yes Uploads a file to the server
serve-probe Yes Validates file serve paths

Scan Modes (Template Safety)

aipostex uses two independent safety axes. The --mode flag controls which vulnerability templates run; --force-exploit controls which CLI commands run.

Axis Controls Default Override
--mode YAML template engine detect (detection templates only) --mode full adds exploit templates
--force-exploit CLI exploit subcommands Off (gated commands blocked) --force-exploit unlocks state-changing commands

Detection mode (default)

./aipostex discover network --target 10.0.0.0/24

Only detection templates execute: auth probes, version disclosure, config exposure, tool enumeration. No exploitation payloads are sent. The console shows:

[*] Mode: Detection Only (no exploitation templates)
[*] Loaded built-in templates (detection + exploit split shown at runtime)

Full mode

./aipostex discover network --target 10.0.0.0/24 --mode full

All templates execute, including exploit templates: command injection, SSRF, path traversal, file reads, unauthenticated inference, terminal creation, job submission, artifact exfiltration, and data extraction. The console shows:

[*] Mode: Full Assessment (detection + exploitation)

Key distinction

--mode full and --force-exploit are independent. An operator can run --mode full to execute exploit templates (confirming SSRF, RCE) without passing --force-exploit (which would unlock commands like ollama poison or jupyter exec). Conversely, --force-exploit does not affect which templates run.

Default Scan Behavior

The scan targets and discover network commands stay low-noise by default:

  • Only passive HTTP probes are used for fingerprinting
  • Vulnerability templates in detect mode use read-only checks (GET requests, status checks)
  • Exploit templates (SSRF, command injection, path traversal, inference abuse) are skipped unless --mode full is specified
  • No state-changing exploit commands run unless --force-exploit is passed

Runtime Guardrails

Guardrail Default Flag
Max hosts for CIDR expansion 65536 --max-hosts (0 = no limit)
Stealth concurrency cap Off --stealth (caps to 1 worker)
File scanner concurrency Off --stealth (caps to 1 worker)

Enforcement

Gating is enforced at the CLI layer by requireForceExploit() in cmd/aipostex/exploit_common.go. When a gated command is called without --force-exploit, the operator sees:

[x] --force-exploit is required for this action.
    This operation may modify target state or generate significant traffic.
    Re-run with --force-exploit to confirm.