A2A Offensive Playbooks

These playbooks are fixture-safe examples for authorized testing of A2A-shaped traffic.

Agent Card Spoof

Threat model: a host trusts an Agent Card that was not signed or authenticated strongly enough.

seam rules explain --rules rules/card_spoof.yaml --rule a2a_card_spoof
seam proxy --listen 127.0.0.1:8400 \
  --upstream http://127.0.0.1:8500 \
  --rules rules/card_spoof.yaml \
  --transcript card-spoof.json \
  --schema schemas/transcript.schema.json

Expected transcript: rule_applied is a2a_card_spoof, with before.decoded.card and after.decoded.card.

Agent Card Skill Insertion

Threat model: a host consumes advertised skills from an unsigned or weakly authenticated Agent Card, and the in-path operator inserts a privileged skill without replacing the rest of the card.

seam rules test \
  --rules rules/a2a_agent_card_skill_insert.yaml \
  --fixture examples/a2a-agent-card.json \
  --expect-rule a2a_agent_card_skill_insert \
  --json

Expected touched paths:

decoded.card.skills
decoded.card.authentication

Prompt Or Content Laundering

Threat model: an in-path rewrite changes a user message before a planner or downstream agent decides whether to call a privileged tool.

seam rules explain --rules rules/a2a_prompt_laundering_replace.yaml \
  --rule a2a_prompt_laundering_replace

Expected touched path:

decoded.json.params.message.parts.0.text

Use Lab L5 or L6 when you need to prove the rewritten content changed a target decision.

Message Part Insertion

Threat model: a planner reads multi-part A2A messages and a new part changes its decision while the original request remains present.

seam rules test \
  --rules rules/a2a_message_part_insert.yaml \
  --fixture examples/a2a-message-send.json \
  --expect-rule a2a_message_part_insert \
  --json

Expected touched path:

decoded.json.params.message.parts

The payload comes from examples/payloads/a2a-authorized-refund-part.json and uses template: true to echo a decoded account field.

Task Status Override

Threat model: a task lifecycle message is rewritten from a pending or working state into a completed state.

seam rules explain --rules rules/a2a_task_status_override.yaml \
  --rule a2a_task_status_override

Expected touched path:

decoded.json.result.status.state
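
To confirm that a transcript entry changed only the expected touched path, the before and after objects can be diffed into the same dotted-path notation used on this page. This is an added example, not part of Seam; the entry is constructed, and its layout (rule_applied, before.decoded, after.decoded) and the names touched_paths and check_entry are assumptions.

```python
import json

# Constructed transcript entry (not Seam output). The layout rule_applied /
# before.decoded / after.decoded is assumed from the fields this page names.
SAMPLE_ENTRY = json.loads("""
{"rule_applied": "a2a_task_status_override",
 "before": {"decoded": {"json": {"jsonrpc": "2.0", "id": 7, "result": {
     "id": "task-1", "status": {"state": "working"}, "artifacts": []}}}},
 "after": {"decoded": {"json": {"jsonrpc": "2.0", "id": 7, "result": {
     "id": "task-1", "status": {"state": "completed"}, "artifacts": []}}}}}
""")

_MISSING = object()  # marks a key or list index present on one side only


def touched_paths(before, after, prefix="decoded"):
    """Return sorted dotted paths that differ; list items use their index."""
    if isinstance(before, dict) and isinstance(after, dict):
        keys = sorted(set(before) | set(after))
        pairs = [(k, before.get(k, _MISSING), after.get(k, _MISSING)) for k in keys]
    elif isinstance(before, list) and isinstance(after, list):
        size = max(len(before), len(after))
        pairs = [(str(i),
                  before[i] if i < len(before) else _MISSING,
                  after[i] if i < len(after) else _MISSING) for i in range(size)]
    else:
        # Scalar, type change, or a subtree added/removed: report this path.
        same = type(before) is type(after) and before == after
        return [] if same else [prefix]
    out = []
    for key, b, a in pairs:
        out.extend(touched_paths(b, a, f"{prefix}.{key}"))
    return sorted(out)


def check_entry(entry, expected_rule, expected_paths):
    """Return (ok, paths, unexpected) for one transcript entry.

    ok is True only when the rule name matches, something changed, and every
    change is at or below one of the expected touched paths.
    """
    paths = touched_paths(entry["before"]["decoded"], entry["after"]["decoded"])
    unexpected = [p for p in paths
                  if not any(p == e or p.startswith(e + ".") for e in expected_paths)]
    ok = entry["rule_applied"] == expected_rule and bool(paths) and not unexpected
    return ok, paths, unexpected


if __name__ == "__main__":
    print(check_entry(SAMPLE_ENTRY, "a2a_task_status_override",
                      ["decoded.json.result.status.state"]))
```

The same check applies to the other playbooks: an inserted message part, for example, is reported as decoded.json.params.message.parts.1, which sits under the expected path decoded.json.params.message.parts.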

Artifact Injection

Threat model: a task response is rewritten to carry an additional artifact or modified artifact text.

seam rules explain --rules rules/a2a_task_artifact_injection.yaml \
  --rule a2a_task_artifact_injection
seam rules explain --rules rules/a2a_task_artifact_insert.yaml \
  --rule a2a_task_artifact_insert
seam rules explain --rules rules/a2a_task_artifact_string_replace.yaml \
  --rule a2a_task_artifact_string_replace

Expected touched paths include decoded.json.result.artifacts and, for the insert/merge rule, decoded.json.result.metadata.

Proof Path

Seam demonstrates the in-path manipulation. Assay proves impact only when a side-effect oracle confirms that the target acted differently after the manipulation.