hemlock list-payloads
Display all available payload templates and their descriptions.
Synopsis
Description
list-payloads prints one row per concrete payload template in the registry. The current output contains 75 templates across seven preset categories: override, exfiltrate, redirect, denial, multistage, authority, and manyshot.
custom is accepted by craft and batch, but it is not shown here because it is operator-supplied text rather than a built-in template.
This command takes no flags.
Example Output
CATEGORY    NAME                              DESCRIPTION
--------    ----                              -----------
override    override-system-tag               Uses a fake [SYSTEM] tag to discard prior context
override    override-deprecation-notice       Claims previous knowledge-base entries are deprecated
override    override-correction               Asserts prior documents contain errors and supplies a correction
override    override-priority                 Declares a priority override that supersedes other sources
override    override-admin-note               Impersonates an admin context-window update
...
multistage  multistage-trigger-v10            Triggers action referencing governance board approval
authority   authority-classification-marking  Uses classification markings and handling instructions to convey authority
manyshot    manyshot-10                       10-shot ICL attack — fits small retrieval chunks (~2k tokens)
manyshot    manyshot-250                      250-shot ICL attack — targets 32k+ contexts, highest success rate
Payload Categories
override
Variants that instruct the model to discard its existing instructions and follow attacker-supplied directives. This is the default payload and the most commonly tested category. Includes 5 v1 variants (system-tag, deprecation-notice, correction, priority, admin-note) and 5 v2 variants with alternative phrasings.
Use case: Testing whether the RAG pipeline's retrieved context can override the system prompt.
exfiltrate
Variants that instruct the model to include sensitive information in its response: system prompts, internal context, user PII, or retrieval metadata. v2 variants use attribution, verification, and tracking pixel framing.
Use case: Testing data leakage through prompt injection in retrieved documents.
redirect
Variants that instruct the model to direct users to external URLs, suggest alternative products, or route conversations to attacker-controlled endpoints. v2 variants use canonical URL, content-moved, and primary-source framing.
Use case: Testing whether poisoned documents can manipulate the model's recommendations or links.
denial
Variants that instruct the model to refuse to answer, return error messages, or claim the service is unavailable. v2 variants use data-quality, topic-scope, compliance-review, and restricted-access framing.
Use case: Testing denial-of-service through context poisoning without requiring infrastructure attacks.
multistage
Two-phase payloads with 10 primer variants and 10 trigger variants. Primers establish document authority; triggers exploit the primed context window to override instructions.
Use case: Testing cross-document attacks where one poisoned document primes the context for a second to exploit.
authority
Variants that exploit institutional authority cues (academic citations, regulatory standards, legal precedents) to override model behavior. v1 variants use direct authority framing; v2 variants build multi-step evidence chains.
Use case: Testing whether authority-mimicry framing increases payload compliance rates.
manyshot
Long-form in-context learning payloads that embed repeated demonstrations inside the document itself. These templates target larger retrieval chunks and longer context windows than the standard 10-line prompt-injection variants.
Use case: Testing whether repeated exemplars can dominate the model's behavior when a RAG system retrieves large passages or concatenates multiple chunks.
custom
User-supplied injection text passed via --custom-payload. No variants are generated; the exact text provided is embedded as-is.
Use case: Engagement-specific payloads, reproducing known attack strings, or testing custom detection rules.
Mapping Presets to the craft Command
The --payload flag on craft and batch accepts the preset name directly:
- Uses one of the 10 built-in exfiltrate variants. The variant is selected based on the document's sequence number.
Variant Selection
When using a preset, hemlock cycles through that category's templates as it generates documents. Most preset categories contain 10 variants. multistage contains 20 templates (10 primers + 10 triggers), and manyshot contains 5 long-form templates.
--count 1 --> variant 1
--count 2 --> variants 1, 2
--count 10 --> variants 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
--count 12 --> variants 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 1, 2
For example, --payload multistage --count 20 uses each multistage primer/trigger template exactly once, while --payload manyshot --count 5 uses each manyshot template exactly once.
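The cycling rule above determines which templates a test run actually exercised, which matters when attributing a detection miss to a specific template. The following is an added example, not part of hemlock or its documentation: it parses list-payloads output and reports per-template use counts and the templates a given --count never reached. It assumes whitespace-separated columns as in the excerpt above and that listing order equals cycling order; the sample rows are copied from that excerpt, so category sizes here are those of the excerpt, not the full registry.

```python
# Added example: coverage planning from `hemlock list-payloads` output.
# Assumption: columns are whitespace-separated and the listing order of a
# category is the order in which its variants are cycled.

# Constructed sample: the rows visible in the page's elided example output.
SAMPLE = """\
CATEGORY NAME DESCRIPTION
-------- ---- -----------
override override-system-tag Uses a fake [SYSTEM] tag to discard prior context
override override-deprecation-notice Claims previous knowledge-base entries are deprecated
override override-correction Asserts prior documents contain errors and supplies a correction
override override-priority Declares a priority override that supersedes other sources
override override-admin-note Impersonates an admin context-window update
...
multistage multistage-trigger-v10 Triggers action referencing governance board approval
authority authority-classification-marking Uses classification markings and handling instructions to convey authority
manyshot manyshot-10 10-shot ICL attack — fits small retrieval chunks (~2k tokens)
manyshot manyshot-250 250-shot ICL attack — targets 32k+ contexts, highest success rate
"""


def parse_registry(text):
    """Group template names by category, preserving listing order."""
    registry = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        # Skip blank lines, the header, the dashed rule and "..." elisions.
        if len(parts) < 3 or parts[0] == "CATEGORY" or set(parts[0]) <= {"-", "."}:
            continue
        category, name, _description = parts
        registry.setdefault(category, []).append(name)
    return registry


def plan(templates, count):
    """Template used for documents 1..count, wrapping around at the end."""
    return [templates[i % len(templates)] for i in range(count)]


def coverage(templates, count):
    """Return (uses per template, templates never exercised) for a run."""
    used = plan(templates, count)
    uses = {t: used.count(t) for t in templates}
    return uses, [t for t, n in uses.items() if n == 0]


if __name__ == "__main__":
    registry = parse_registry(SAMPLE)
    uses, missed = coverage(registry["override"], 7)
    print(uses, missed)
```

Pipe the real command output into parse_registry in place of SAMPLE to plan against the full 75-template registry.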
You can also select a specific variant with --variant:
# Use only the v2 errata variant (index 5)
hemlock craft --format html --payload override --variant 5 --output ./test
Inspecting variant text
To see the exact injection text for a given preset, generate a document with --count 1 and then run validate without --payload to dump the extracted content:
hemlock craft --format txt --technique zero-width --payload override --count 1 --output ./inspect
hemlock validate --file ./inspect/poisoned-zero-width-001.txt
The extracted output will contain the literal payload text alongside the cover text.