LLM Security Testing

Thin router skill for security testing of LLM applications and AI agents. Covers the OWASP LLM Top 10 (2025) with a 2026-grade threat model for frontier-model agentic systems: indirect injection, multimodal injection, MCP supply chain, memory poisoning, skill-file injection, computer-use UI injection, and agentic tool misuse.

Defensive / educational framing. Every workflow here assumes written authorization to test the target. Canary strings, throwaway accounts, and controlled endpoints are preferred over real-data exploitation at every step.

When to Use

• Testing an LLM application for prompt-injection vulnerabilities (direct or indirect)
• Assessing RAG pipeline security (poisoning, retrieval hijack, ACL)
• Red-teaming an agentic system (Claude Code, Cursor, Copilot-agent, Operator, Computer Use)
• Auditing an MCP server configuration or a new MCP server before trusting it
• Testing long-term memory / persistent-context poisoning
• Evaluating guardrails, refusal behavior, and safety classifiers
• Checking for system-prompt / tool-schema leakage
• Scoping excessive-agency / tool-misuse blast radius
• Testing multimodal injection (image, audio, video, screenshot)
• Validating skill-file / CLAUDE.md / .cursor/rules supply-chain hygiene

Trigger Phrases

"test this LLM for prompt injection", "jailbreak this model" (authorized), "test AI guardrails", "assess RAG security", "poison this RAG corpus", "test MCP server injection", "red-team this agent", "extract system prompt", "test agent tool misuse", "test computer use UI injection", "audit LLM application security", "test multimodal injection", "test memory poisoning", "audit CLAUDE.md for injection".

When NOT to Use This Skill

• LLM API endpoint hardening (auth, rate-limiting, quota abuse on standard REST surface) → use api-security.
• Source-code review of an LLM application (SAST for Python/TS/Go serving the model) → use sast-orchestration.
• Cloud infrastructure hosting the model (IAM, S3, secrets) → use cloud-security / iac-security.
• Classical web bugs in an LLM chatbot UI (XSS, CSRF, IDOR) → use web-security.
• Privacy / compliance assessment of training data → out of scope; requires DPIA tooling.

Many engagements need multiple skills; call them in parallel when scopes don't overlap.

Decision Tree

Is the target an agent with tools? ─ yes ─▶ excessive_agency_testing.md
                │                         └─▶ agentic_tool_misuse.md
                no
                ▼
Does it ingest external content (RAG/web/email)? ─ yes ─▶ indirect_injection_testing.md
                │                                      └─▶ rag_poisoning.md (if RAG)
                no
                ▼
Multimodal input accepted? ─ yes ─▶ payloads/multimodal_injection.md
                │              └─▶ computer_use_abuse.md (if screen-controller)
                no
                ▼
MCP servers attached? ─ yes ─▶ mcp_server_injection.md
                no
                ▼
Persistent memory / cross-session state? ─ yes ─▶ memory_poisoning.md
                no
                ▼
Project loads CLAUDE.md / skills / rules? ─ yes ─▶ skill_file_injection.md
                no
                ▼
Always run last: direct_injection_testing.md + system_prompt_extraction.md

Parallelism Hints

Parallelizable (fire concurrently, per rate limits):

• Direct-injection payload sweep (one worker per payload)
• Encoding-obfuscation variant sweep
• Per-tool abuse probes in agentic_tool_misuse.md
• OWASP LLM category coverage via sub-agent fan-out
• Independent payload authoring for multimodal / skill-file / MCP tests

Sequential (must observe one at a time):

• RAG poisoning (retrieval observation must follow each upload)
• Memory poisoning (cross-session persistence testing needs strict turn ordering)
• Multi-turn stepwise-escalation jailbreaks
• Computer-use navigation chains
• MCP trust-building across turns

Sub-Agent Delegation

Two clean partitions — pick whichever matches the engagement:

By OWASP category (one sub-agent each) for comprehensive coverage:

• LLM01 prompt injection (direct + indirect + multimodal)
• LLM02 sensitive-info disclosure
• LLM03 supply chain (MCP, skill-files, dependencies)
• LLM04 data/model poisoning (RAG + memory)
• LLM05 improper output handling
• LLM06 excessive agency
• LLM07 system-prompt leakage
• LLM08 vector/embedding weaknesses
• LLM10 unbounded consumption

By attack surface for deep-dive on one class:

• Direct-prompt surface
• Indirect-content surface (RAG, web, email, tool outputs)
• Agentic tool surface (all tools × all coercion vectors)
• Multimodal surface (image, audio, screen)
• Persistence surface (memory, skill-files, MCP config)

Parent agent aggregates findings (schemas/finding.json), de-dupes, and cross-references overlapping findings (e.g. an MCP injection that enables tool misuse).

Reasoning Budget

Use extended thinking for:

• Crafting novel bypasses tuned to a specific defense stack (which spotlighting variant? which classifier version?)
• Analyzing whether an injection actually succeeded (subtle signals: behavior delta vs. baseline, refusal-template absence)
• Planning multi-step exploit chains (MCP → tool-misuse → file-write)
• Designing memory payloads that survive summarization
• Computer-use UI layouts that exploit agent heuristics

Minimal thinking for:

• Running fixed payload sets (encoding_obfuscation.txt, injection_2026.txt)
• Direct-extraction probes from a canned list
• Per-tool abuse sweeps with standard patterns
• Baseline / negative-control runs

Multimodal Hooks

• Image: OCR-visible overlays, EXIF metadata, low-contrast adversarial text, QR codes. See payloads/multimodal_injection.md.
• Audio: spoken instructions in transcription workflows, ultrasonic carriers (deprecated but test), voice-clone authority spoof.
• Video: single-frame flash, subtitle-channel payloads, scene-change instruction cards.
• Screen / computer-use: fake dialogs, spoofed chrome, fake dev-tools, clipboard bait. See workflows/computer_use_abuse.md.
• Evidence: save screenshots (evidence.screenshot) for every multimodal finding — visual proof is essential.

Frontier models are also useful as testing tools: use a separate vision-capable model to generate candidate adversarial images and to judge whether OCR extraction succeeded.

Structured Output

All findings use schemas/finding.json. Required fields: id, title, severity, attack_class, evidence, reproduction, remediation. Skill-specific fields include attack_class, target_model, target_agent, payload (with modality and delivery vector), success_indicator, owasp_llm_id, defense_bypassed.

Workflow Index

Workflow	When
workflows/direct_injection_testing.md	Text prompts directly in user channel
workflows/indirect_injection_testing.md	Content arrives via retrieval / tools / email
workflows/system_prompt_extraction.md	Recover system prompt / tool schemas
workflows/rag_poisoning.md	RAG corpus + retrieval-layer attacks
workflows/agentic_tool_misuse.md	Coerce agent to misuse file/http/shell tools
workflows/memory_poisoning.md	Persistent cross-session memory attacks
workflows/mcp_server_injection.md	Malicious MCP server → host agent
workflows/skill_file_injection.md	CLAUDE.md / .cursor/rules / SKILL.md as vector
workflows/computer_use_abuse.md	Screenshot/UI-based injection for computer-use agents
workflows/excessive_agency_testing.md	Blast-radius assessment (OWASP LLM06)

Payloads Index

File	Contents
payloads/injection_2026.txt	Modern direct/indirect injection patterns (trust-boundary, authority spoof, tool-result spoof, CoT injection)
payloads/system_prompt_extraction.txt	Full-dump + partial-leak + tool-schema extraction
payloads/encoding_obfuscation.txt	Base64, ROT, hex, unicode homoglyph, zero-width, emoji smuggle, tag-char
payloads/multimodal_injection.md	Image / audio / video / screenshot payload descriptions
payloads/legacy_jailbreaks.txt	DAN / STAN / DUDE / roleplay — regression only

References Index

File	Contents
references/owasp_llm_top10_2025.md	OWASP LLM Top 10 table + 2026 coverage checklist
references/defense_patterns_2026.md	Constitutional, classifiers, spotlighting, HITL, allowlisting — with known bypass hints
references/threat_model_agents.md	Actors, assets, surfaces, T1-T10 scenarios for agentic systems
references/bounty_patterns_2024_2026.md	Post-2023 public bug-bounty TTPs (RAG poisoning, CVE-2025-53773 tool-chain RCE, multimodal injection, adaptive defense evasion)

Examples

File	Contents
examples/indirect_injection_doc.md	Ready-to-deploy injection doc for RAG / shared drive
examples/malicious_mcp_response.json	Malicious MCP tool-response body
examples/poisoned_rag_chunk.md	Retrieval-optimized poisoning chunk

Tools

Tool	Purpose	Install
promptfoo	Automated prompt-injection sweeps and eval	npm i -g promptfoo
garak	LLM vulnerability scanner (NVIDIA)	pip install garak
giskard	LLM testing & evaluation	pip install giskard
pyrit	Microsoft's AI red-team toolkit	pip install pyrit
@modelcontextprotocol/sdk	Build controlled test MCP servers	npm i @modelcontextprotocol/sdk
custom HTTP server	Attacker-endpoint for exfil signal	any language
anthropic, openai, google-genai SDKs	Drive target APIs	per-SDK

Use your own logging endpoint for exfil-signal tests so you can unambiguously confirm tool invocation.

Authorization Reminder

Every engagement MUST have:

• Written scope document signed by target owner
• Named contact for incident escalation
• Canary strategy so tests don't require handling real sensitive data
• Rate-limit plan that respects ToS

Populate authorization.scope_document and authorization.contact on every finding record.

Last Validated

2026-04. Minimum tool versions tested:

• promptfoo ≥ 0.110
• garak ≥ 0.12
• pyrit ≥ 0.9
• MCP SDK ≥ 1.4 OWASP LLM Top 10 reference: 2025 edition (current at validation time).