A2A Offensive Playbooks¶
These playbooks are fixture-safe examples for authorized testing of A2A-shaped traffic.
Agent Card Spoof¶
Threat model: a host trusts an Agent Card that was not signed or authenticated strongly enough.
seam rules explain --rules rules/card_spoof.yaml --rule a2a_card_spoof
seam proxy --listen 127.0.0.1:8400 \
--upstream http://127.0.0.1:8500 \
--rules rules/card_spoof.yaml \
--transcript card-spoof.json \
--schema schemas/transcript.schema.json
Expected transcript: rule_applied is a2a_card_spoof, with before.decoded.card and after.decoded.card.
Agent Card Skill Insertion¶
Threat model: a host consumes advertised skills from an unsigned or weakly authenticated Agent Card, and the in-path operator inserts a privileged skill without replacing the rest of the card.
seam rules test \
--rules rules/a2a_agent_card_skill_insert.yaml \
--fixture examples/a2a-agent-card.json \
--expect-rule a2a_agent_card_skill_insert \
--json
Expected touched paths:
decoded.card.skills
decoded.card.authentication
Prompt Or Content Laundering¶
Threat model: an in-path rewrite changes a user message before a planner or downstream agent decides whether to call a privileged tool.
seam rules explain --rules rules/a2a_prompt_laundering_replace.yaml \
--rule a2a_prompt_laundering_replace
Expected touched path:
decoded.json.params.message.parts.0.text
Use Lab L5 or L6 when you need to prove the rewritten content changed a target decision.
Message Part Insertion¶
Threat model: a planner reads multi-part A2A messages and a new part changes its decision while the original request remains present.
seam rules test \
--rules rules/a2a_message_part_insert.yaml \
--fixture examples/a2a-message-send.json \
--expect-rule a2a_message_part_insert \
--json
Expected touched path:
decoded.json.params.message.parts
The payload comes from examples/payloads/a2a-authorized-refund-part.json and uses template: true to echo a decoded account field.
Task Status Override¶
Threat model: a task lifecycle message is rewritten from a pending or working state into a completed state.
seam rules explain --rules rules/a2a_task_status_override.yaml \
--rule a2a_task_status_override
Expected touched path:
decoded.json.result.status.state
Artifact Injection¶
Threat model: a task response receives an additional artifact or modified artifact text.
seam rules explain --rules rules/a2a_task_artifact_injection.yaml \
--rule a2a_task_artifact_injection
seam rules explain --rules rules/a2a_task_artifact_insert.yaml \
--rule a2a_task_artifact_insert
seam rules explain --rules rules/a2a_task_artifact_string_replace.yaml \
--rule a2a_task_artifact_string_replace
Expected touched paths include decoded.json.result.artifacts and, for the insert/merge rule, decoded.json.result.metadata.
Proof Path¶
Seam demonstrates the in-path manipulation. Assay proves impact only when a side-effect oracle confirms that the target acted differently after the manipulation.