Agent Skills
› zhaoxuya520/reverse-skill
› competition-prompt-injection
competition-prompt-injection
GitHubCTF沙箱下游技能,用于分析提示注入、检索中毒及代理链滥用。需在编排器建立环境后调用,通过映射控制栈并证明边界跨越来复现攻击链,记录关键证据并报告失效层。
触发场景
用户要求分析提示注入
用户要求分析检索中毒
用户要求分析代理链导致的秘密泄露
安装
npx skills add zhaoxuya520/reverse-skill --skill competition-prompt-injection -g -y
SKILL.md
Frontmatter
{
"name": "competition-prompt-injection",
"description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for prompt-injection, retrieval poisoning, memory contamination, planner drift, MCP or tool-boundary abuse, and agent exfiltration challenges. Use when the user asks to analyze prompt injection, retrieval poisoning, memory contamination, planner drift, tool-argument corruption, or secret exposure caused by an agent chain. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}
Competition Prompt Injection
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the challenge is primarily about trust boundaries inside an agentic system.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Identify the first untrusted content that becomes model-visible.
- Map the chain from retrieval, memory, or transcript into planner or executor behavior.
- Record the exact point where text becomes a tool argument, file path, network target, or secret request.
- Prove one minimal exploit chain before exploring variants.
- Keep prompt snippets and tool transitions in compact evidence blocks.
Workflow
1. Map The Control Stack
- Track system, developer, user, retrieved, memory, planner, and tool-response layers separately.
- Distinguish claimed capability from runtime-exposed capability.
- Note what the model can actually call, read, or mutate.
2. Prove The Boundary Crossing
- Reproduce one chain from untrusted text to changed planner behavior, changed tool args, or secret exposure.
- Keep the decisive transcript compact: source chunk, rewritten planner state, final tool invocation.
- Prefer the smallest transcript that still demonstrates the bug.
3. Report By Boundary
- State which layer failed: retrieval, summarizer, planner, executor, tool normalization, or output post-processing.
- Separate instruction drift from actual side effect.
Read This Reference
- Load
references/prompt-injection.mdfor the checklist, evidence layout, and common prompt-boundary pitfalls.
What To Preserve
- Original malicious chunk or prompt
- Intermediate summary or planner drift if it matters
- Final tool args, file paths, or exposed secret surface
版本历史
- 1bec1f2 当前 2026-07-05 18:45


