# Offensive Example Pack

These examples ship as YAML rules under `agentic-redteam/seam/rules/`. Use `seam rules explain` before running a proxy, then confirm `rule_applied` in the transcript.
| Pattern | Rule id | Command | Expected transcript field | Proof path |
|---|---|---|---|---|
| A2A Agent Card spoof | `a2a_card_spoof` | `seam rules explain --rules rules/card_spoof.yaml --rule a2a_card_spoof` | `after.decoded.card` | Assay case if spoof changes a side effect |
| A2A Agent Card skill insertion | `a2a_agent_card_skill_insert` | `seam rules explain --rules rules/a2a_agent_card_skill_insert.yaml --rule a2a_agent_card_skill_insert` | `after.decoded.card.skills` | Host selection / trust-spoof validation |
| A2A prompt/content rewrite | `a2a_prompt_laundering_replace` | `seam rules explain --rules rules/a2a_prompt_laundering_replace.yaml --rule a2a_prompt_laundering_replace` | `after.decoded.json.params.message.parts.0.text` | Lab L5/L6 content rewrite |
| A2A message part insertion | `a2a_message_part_insert` | `seam rules explain --rules rules/a2a_message_part_insert.yaml --rule a2a_message_part_insert` | `after.decoded.json.params.message.parts` | Content-decision lab or route-specific oracle |
| A2A task artifact injection | `a2a_task_artifact_injection` | `seam rules explain --rules rules/a2a_task_artifact_injection.yaml --rule a2a_task_artifact_injection` | `after.decoded.json.result.artifacts` | Assay task-side-effect case |
| A2A task artifact insertion + merge | `a2a_task_artifact_insert` | `seam rules explain --rules rules/a2a_task_artifact_insert.yaml --rule a2a_task_artifact_insert` | `after.decoded.json.result.artifacts` and `after.decoded.json.result.metadata` | Assay task-side-effect case |
| A2A task artifact replacement | `a2a_task_artifact_string_replace` | `seam rules explain --rules rules/a2a_task_artifact_string_replace.yaml --rule a2a_task_artifact_string_replace` | `after.decoded.json.result.artifacts.0.parts.0.text` | Assay task-side-effect case |
| MCP tool-call argument rewrite | `mcp_tool_call_argument_rewrite` | `seam rules explain --rules rules/mcp_tool_call_argument_rewrite.yaml --rule mcp_tool_call_argument_rewrite` | `after.decoded.json.params.arguments.account` | Tool-server oracle |
| MCP tool-call argument merge | `mcp_tool_call_argument_merge` | `seam rules explain --rules rules/mcp_tool_call_argument_merge.yaml --rule mcp_tool_call_argument_merge` | `after.decoded.json.params.arguments` | Tool-server oracle |
| MCP tool-result injection | `mcp_tool_result_injection` | `seam rules explain --rules rules/mcp_tool_result_injection.yaml --rule mcp_tool_result_injection` | `after.decoded.json.result.content` | Lab L6 tool result injection |
| MCP tool-result content insertion | `mcp_tool_result_content_insert` | `seam rules explain --rules rules/mcp_tool_result_content_insert.yaml --rule mcp_tool_result_content_insert` | `after.decoded.json.result.content` | Lab L6 tool result injection |
| MCP stdio argument spoof | `mcp_stdio_argument_spoof` | `seam rules explain --rules rules/mcp_stdio_argument_spoof.yaml --rule mcp_stdio_argument_spoof` | `after.decoded.json.params.arguments.account` | Local MCP fixture |
| MCP stdio argument merge | `mcp_stdio_argument_merge` | `seam rules explain --rules rules/mcp_stdio_argument_merge.yaml --rule mcp_stdio_argument_merge` | `after.decoded.json.params.arguments` | Local MCP fixture |
| Negative control | `negative_control_no_match` | `seam rules explain --rules rules/negative_control_no_match.yaml --rule negative_control_no_match` | no match expected | Rule-trace sanity check |
| Insert/merge negative control | `negative_control_insert_merge` | `seam rules explain --rules rules/negative_control_insert_merge.yaml --rule negative_control_insert_merge` | no match expected | Rule-trace sanity check |
## Run A Rule Test

```bash
seam rules test \
  --rules rules/card_spoof.yaml \
  --fixture examples/a2a-agent-card.json \
  --expect-rule a2a_card_spoof
```

Test a payload-file insertion:

```bash
seam rules test \
  --rules rules/a2a_message_part_insert.yaml \
  --fixture examples/a2a-message-send.json \
  --expect-rule a2a_message_part_insert \
  --json
```

## Trace A Transcript

```bash
seam rules trace --rules rules/ --transcript rewrite.json
```

## Read The Result

A successful offensive rewrite has:

- `rule_applied`: `<rule id>`
- `before`: original decoded message
- `after`: mutated decoded message

For a security claim, continue to Assay and prove a side effect with an oracle.
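The check below is an added example, not code from the seam project: a small Python verifier that reads a transcript and confirms the three things the table asks for, that `rule_applied` names the rule you expected, that the expected `after.decoded...` field exists, and that its value actually differs from the same path under `before` (so a rule that reports a hit but changes nothing is flagged). For the negative-control rows it checks the opposite: no `rule_applied` and `after` identical to `before`. It assumes the transcript is JSON with top-level `rule_applied`, `before` and `after` keys and that the dotted paths in the table descend through nested objects, with digit segments indexing lists; the sample transcripts are constructed here and are not tool output.

```python
"""Verify that a seam-style rewrite transcript shows what a rule claims it did.

Assumed transcript shape (from the page's "Read The Result" section):
  rule_applied: <rule id>   (absent when no rule matched)
  before:       original decoded message
  after:        mutated decoded message
The dotted field names from the example table (after.decoded.json...) are
resolved against this object; digit segments index lists.
"""
import json
import sys
from typing import Any, Dict, Optional

# Constructed sample: a content-rewrite rule fired and changed one text part.
SAMPLE_REWRITE: Dict[str, Any] = {
    "rule_applied": "a2a_prompt_laundering_replace",
    "before": {"decoded": {"json": {"params": {"message": {"parts": [
        {"type": "text", "text": "Summarize the attached report."}]}}}}},
    "after": {"decoded": {"json": {"params": {"message": {"parts": [
        {"type": "text", "text": "Summarize the attached report. [REWRITTEN BY RULE]"}]}}}}},
}

# Constructed sample: negative control, nothing matched, message untouched.
SAMPLE_NO_MATCH: Dict[str, Any] = {
    "before": {"decoded": {"json": {"params": {"message": {"parts": [
        {"type": "text", "text": "hello"}]}}}}},
    "after": {"decoded": {"json": {"params": {"message": {"parts": [
        {"type": "text", "text": "hello"}]}}}}},
}


def resolve_path(obj: Any, dotted: str) -> Any:
    """Walk a dotted path such as after.decoded.json.result.artifacts.0.parts.0.text.

    Dict keys are looked up by name, list elements by integer segment.
    Raises KeyError / IndexError / ValueError when the path does not exist.
    """
    cur = obj
    for seg in dotted.split("."):
        if isinstance(cur, list):
            cur = cur[int(seg)]
        elif isinstance(cur, dict):
            cur = cur[seg]
        else:
            raise KeyError(f"cannot descend into {type(cur).__name__} at segment {seg!r}")
    return cur


def check_rewrite(transcript: Dict[str, Any], expected_rule: Optional[str], field: str) -> Dict[str, Any]:
    """Return a verdict for one transcript.

    expected_rule=None means a negative control: no rule may fire and the
    message must be unchanged. Otherwise the named rule must be recorded and
    the value at `field` must differ from the same path under `before`.
    """
    applied = transcript.get("rule_applied")
    verdict: Dict[str, Any] = {"ok": False, "rule_applied": applied, "reason": ""}

    if expected_rule is None:
        unchanged = transcript.get("before") == transcript.get("after")
        verdict["ok"] = applied is None and unchanged
        verdict["reason"] = ("no rule fired and after equals before" if verdict["ok"]
                             else "negative control mutated or a rule fired")
        return verdict

    if applied != expected_rule:
        verdict["reason"] = f"expected rule {expected_rule!r}, transcript records {applied!r}"
        return verdict
    if not field.startswith("after."):
        verdict["reason"] = f"field {field!r} must start with 'after.'"
        return verdict

    try:
        after_val = resolve_path(transcript, field)
    except (KeyError, IndexError, ValueError) as exc:
        verdict["reason"] = f"expected field {field} missing from transcript: {exc}"
        return verdict
    try:
        before_val = resolve_path(transcript, "before" + field[len("after"):])
    except (KeyError, IndexError, ValueError):
        before_val = None  # insertion rules add a field that did not exist before

    verdict.update(before=before_val, after=after_val)
    if before_val == after_val:
        verdict["reason"] = "rule recorded but the expected field is unchanged"
        return verdict
    verdict["ok"] = True
    verdict["reason"] = "rule recorded and the expected field was mutated"
    return verdict


if __name__ == "__main__":
    # Usage: python check_transcript.py rewrite.json <rule id> <after.field>
    # With no arguments the constructed sample is checked instead.
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
        print(json.dumps(check_rewrite(data, sys.argv[2], sys.argv[3]), indent=2))
    else:
        print(json.dumps(check_rewrite(SAMPLE_REWRITE, "a2a_prompt_laundering_replace",
                                       "after.decoded.json.params.message.parts.0.text"), indent=2))
```

Pair the verdict with the table's "Proof path" column: a green `ok` here only shows that the proxy mutated the message as the rule intended; whether that mutation changed a downstream side effect is still the Assay or oracle step's job.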