Share
## https://sploitus.com/exploit?id=CA58C923-B2C7-5502-999E-E372DD84BC9B
# Manchurian Candidate Agent POC

> **โš ๏ธ SECURITY RESEARCH โ€” EDUCATIONAL USE ONLY**
> Proof-of-concept demonstrating a structural AI agent vulnerability class.
> All payloads are harmless by design. See [DISCLAIMER.md](DISCLAIMER.md) ยท [MIT License](LICENSE)

## Overview

The **Manchurian Candidate** attack embeds malicious payloads in media file
metadata (JPEG EXIF, MP3 ID3 tags) that are silently executed by AI agents
with inherited permissions when processing those files.

### Key Findings (Finalized)

- **Finding 1**: Prompt-layer audit suppression via EXIF metadata hook proving Adversarial Objectivity.
- **Finding 2**: Remote image substitution with timing attack precision.
- **Finding 3**: Universal media metadata surface (JPEG `UserComment`, MP3 ID3 `TXXX` frames).
- **Finding 4**: Self-Reported Forensics Paradox - the compromised agent cannot
  reliably report its own compromise.

For the full architectural analysis and explicit code generation references demonstrating this threat model, see the finalized report:
[`findings-report.md`](findings-report.md)

---

## Architecture Diagrams

| Diagram | Description |
|---------|-------------|
| [architecture.mmd](architecture/architecture.mmd) | Full attack architecture with EXIF payload flow |
| [architecture-overview.mmd](architecture/architecture-overview.mmd) | High-level system overview |
| [pipeline-simulator.mmd](architecture/pipeline-simulator.mmd) | Pipeline simulator stage diagram |
| [architecture.md](architecture/architecture.md) | Architecture narrative writeup |

---

## Research Documents

| Document | Description |
|----------|-------------|
| [spec.md](001-manchurian-candidate-poc/spec.md) | Feature specification and success criteria |
| [plan.md](001-manchurian-candidate-poc/plan.md) | Implementation plan |
| [research.md](001-manchurian-candidate-poc/research.md) | Research log and key decisions |
| [AI Agent Security Research Deep Dive.md](research/AI%20Agent%20Security%20Research%20Deep%20Dive.md) | Supporting academic research notes |
| [2602.06547v1.pdf](research/2602.06547v1.pdf) | Academic paper on AI agent security |
| [gemini-pro-risk-assessment.md](gemini-pro-risk-assessment.md) | Gemini Pro 3.1 LLM self-assessment of the vulnerability |
| [opus-4-6-risk-assessment.md](opus-4-6-risk-assessment.md) | Claude Opus 4.6 threat validation and CI/CD escalation analysis |

---

## Red Team Reviews

| Round | File | Reviewers | Key Outcome |
|-------|------|-----------|-------------|
| Round 1 | [claude-assessment.md](research/red-team-reviews/round-1-explicit/claude-assessment.md) | Claude 3.5 | Attack surface confirmed pre-build |
| Round 1 | [copilot-assessment.md](research/red-team-reviews/round-1-explicit/copilot-assessment.md) | GitHub Copilot | Pre-build architecture review |
| Round 1 | [red-team-assessment-summary.md](research/red-team-reviews/round-1-explicit/red-team-assessment-summary.md) | All | Combined Round 1 summary |
| Round 1 | [pre-build-architecture-bundle.md](research/red-team-reviews/round-1-explicit/pre-build-architecture-bundle.md) | -- | Full architecture context bundle |
| Round 2 | [gemini-review.md](research/red-team-reviews/round-2-stealth/gemini-review.md) | Gemini Flash | Stealth mode live review |
| Round 2 | [claude-response/manchurian-poc/](research/red-team-reviews/round-2-stealth/claude-response/manchurian-poc/) | Claude | Claude independently built matching POC |
| Round 3 | [findings-report.md](findings-report.md) | Claude | Final 4 findings + 5 recommendations |
| Round 4 | [opus-4-6-risk-assessment.md](opus-4-6-risk-assessment.md) | Opus 4.6 | CI/CD escalation and Runner Paradox validation |

---

## Repository Structure

```
manchurian-agent-poc/
|
+-- plugins/image-metadata-processor/   # The POC plugin (attack vectors)
|   +-- skills/
|   |   +-- background-remover/         # JPEG EXIF payload embedding
|   |   +-- image-resizer/              # Benign image processing skill
|   |   +-- podcast-summarizer/         # MP3 ID3 payload embedding
|   +-- scripts/
|   |   +-- pipeline_simulator.py       # End-to-end attack chain simulator
|   |   +-- verify_poc.py               # POC verification script
|   +-- run_poc.sh                      # Orchestration script (start here)
|
+-- architecture/                     # .mmd diagrams
|
+-- findings-report.md                # Final assessment report
|
+-- 001-manchurian-candidate-poc/       # Research, spec, and planning docs
    +-- research/
        +-- red-team-reviews/           # Rounds 1-3
```

---

## Quick Start

```bash
cd plugins/image-metadata-processor
pip install -r requirements.txt

# Run full end-to-end attack chain
bash run_poc.sh

# Verify EXIF payload survives image processing
python3 scripts/verify_poc.py --debug

# Embed payload in MP3 ID3 tags
python3 skills/podcast-summarizer/scripts/embed_id3_payload.py
```

---

## Attack Vectors

| Vector | File Type | Script | Payload Location |
|--------|-----------|--------|-----------------|
| JPEG EXIF | `.jpg` | `remove_background.py` | EXIF `UserComment` field |
| MP3 ID3 | `.mp3` | `embed_id3_payload.py` | ID3 `TXXX` frame |

---

## Recommended Defenses

0. **Agent Proxy / Router layer** -- all tool calls must pass through a
   sanitizing proxy before reaching the agent (architectural prerequisite)
1. Strip all metadata before passing media files to any AI agent
2. Separate tool-use permissions from file-read permissions
3. Maintain out-of-band audit logs (not self-reported by the agent)
4. Cryptographically sign known-good assets and verify on load