Share
## https://sploitus.com/exploit?id=CA58C923-B2C7-5502-999E-E372DD84BC9B
# Manchurian Candidate Agent POC
> **โ ๏ธ SECURITY RESEARCH โ EDUCATIONAL USE ONLY**
> Proof-of-concept demonstrating a structural AI agent vulnerability class.
> All payloads are harmless by design. See [DISCLAIMER.md](DISCLAIMER.md) ยท [MIT License](LICENSE)
## Overview
The **Manchurian Candidate** attack embeds malicious payloads in media file
metadata (JPEG EXIF, MP3 ID3 tags) that are silently executed by AI agents
with inherited permissions when processing those files.
### Key Findings (Finalized)
- **Finding 1**: Prompt-layer audit suppression via EXIF metadata hook proving Adversarial Objectivity.
- **Finding 2**: Remote image substitution with timing attack precision.
- **Finding 3**: Universal media metadata surface (JPEG `UserComment`, MP3 ID3 `TXXX` frames).
- **Finding 4**: Self-Reported Forensics Paradox - the compromised agent cannot
reliably report its own compromise.
For the full architectural analysis and explicit code generation references demonstrating this threat model, see the finalized report:
[`findings-report.md`](findings-report.md)
---
## Architecture Diagrams
| Diagram | Description |
|---------|-------------|
| [architecture.mmd](architecture/architecture.mmd) | Full attack architecture with EXIF payload flow |
| [architecture-overview.mmd](architecture/architecture-overview.mmd) | High-level system overview |
| [pipeline-simulator.mmd](architecture/pipeline-simulator.mmd) | Pipeline simulator stage diagram |
| [architecture.md](architecture/architecture.md) | Architecture narrative writeup |
---
## Research Documents
| Document | Description |
|----------|-------------|
| [spec.md](001-manchurian-candidate-poc/spec.md) | Feature specification and success criteria |
| [plan.md](001-manchurian-candidate-poc/plan.md) | Implementation plan |
| [research.md](001-manchurian-candidate-poc/research.md) | Research log and key decisions |
| [AI Agent Security Research Deep Dive.md](research/AI%20Agent%20Security%20Research%20Deep%20Dive.md) | Supporting academic research notes |
| [2602.06547v1.pdf](research/2602.06547v1.pdf) | Academic paper on AI agent security |
| [gemini-pro-risk-assessment.md](gemini-pro-risk-assessment.md) | Gemini Pro 3.1 LLM self-assessment of the vulnerability |
| [opus-4-6-risk-assessment.md](opus-4-6-risk-assessment.md) | Claude Opus 4.6 threat validation and CI/CD escalation analysis |
---
## Red Team Reviews
| Round | File | Reviewers | Key Outcome |
|-------|------|-----------|-------------|
| Round 1 | [claude-assessment.md](research/red-team-reviews/round-1-explicit/claude-assessment.md) | Claude 3.5 | Attack surface confirmed pre-build |
| Round 1 | [copilot-assessment.md](research/red-team-reviews/round-1-explicit/copilot-assessment.md) | GitHub Copilot | Pre-build architecture review |
| Round 1 | [red-team-assessment-summary.md](research/red-team-reviews/round-1-explicit/red-team-assessment-summary.md) | All | Combined Round 1 summary |
| Round 1 | [pre-build-architecture-bundle.md](research/red-team-reviews/round-1-explicit/pre-build-architecture-bundle.md) | -- | Full architecture context bundle |
| Round 2 | [gemini-review.md](research/red-team-reviews/round-2-stealth/gemini-review.md) | Gemini Flash | Stealth mode live review |
| Round 2 | [claude-response/manchurian-poc/](research/red-team-reviews/round-2-stealth/claude-response/manchurian-poc/) | Claude | Claude independently built matching POC |
| Round 3 | [findings-report.md](findings-report.md) | Claude | Final 4 findings + 5 recommendations |
| Round 4 | [opus-4-6-risk-assessment.md](opus-4-6-risk-assessment.md) | Opus 4.6 | CI/CD escalation and Runner Paradox validation |
---
## Repository Structure
```
manchurian-agent-poc/
|
+-- plugins/image-metadata-processor/ # The POC plugin (attack vectors)
| +-- skills/
| | +-- background-remover/ # JPEG EXIF payload embedding
| | +-- image-resizer/ # Benign image processing skill
| | +-- podcast-summarizer/ # MP3 ID3 payload embedding
| +-- scripts/
| | +-- pipeline_simulator.py # End-to-end attack chain simulator
| | +-- verify_poc.py # POC verification script
| +-- run_poc.sh # Orchestration script (start here)
|
+-- architecture/ # .mmd diagrams
|
+-- findings-report.md # Final assessment report
|
+-- 001-manchurian-candidate-poc/ # Research, spec, and planning docs
+-- research/
+-- red-team-reviews/ # Rounds 1-3
```
---
## Quick Start
```bash
cd plugins/image-metadata-processor
pip install -r requirements.txt
# Run full end-to-end attack chain
bash run_poc.sh
# Verify EXIF payload survives image processing
python3 scripts/verify_poc.py --debug
# Embed payload in MP3 ID3 tags
python3 skills/podcast-summarizer/scripts/embed_id3_payload.py
```
---
## Attack Vectors
| Vector | File Type | Script | Payload Location |
|--------|-----------|--------|-----------------|
| JPEG EXIF | `.jpg` | `remove_background.py` | EXIF `UserComment` field |
| MP3 ID3 | `.mp3` | `embed_id3_payload.py` | ID3 `TXXX` frame |
---
## Recommended Defenses
0. **Agent Proxy / Router layer** -- all tool calls must pass through a
sanitizing proxy before reaching the agent (architectural prerequisite)
1. Strip all metadata before passing media files to any AI agent
2. Separate tool-use permissions from file-read permissions
3. Maintain out-of-band audit logs (not self-reported by the agent)
4. Cryptographically sign known-good assets and verify on load