Competition Prompt Injection

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the challenge is primarily about trust boundaries inside an agentic system.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Identify the first untrusted content that becomes model-visible.
  2. Map the chain from retrieval, memory, or transcript into planner or executor behavior.
  3. Record the exact point where text becomes a tool argument, file path, network target, or secret request.
  4. Prove one minimal exploit chain before exploring variants.
  5. Keep prompt snippets and tool transitions in compact evidence blocks.

Workflow

1. Map The Control Stack

  • Track system, developer, user, retrieved, memory, planner, and tool-response layers separately.
  • Distinguish claimed capability from runtime-exposed capability.
  • Note what the model can actually call, read, or mutate.

2. Prove The Boundary Crossing

  • Reproduce one chain from untrusted text to changed planner behavior, changed tool args, or secret exposure.
  • Keep the decisive transcript compact: source chunk, rewritten planner state, final tool invocation.
  • Prefer the smallest transcript that still demonstrates the bug.

3. Report By Boundary

  • State which layer failed: retrieval, summarizer, planner, executor, tool normalization, or output post-processing.
  • Separate instruction drift from actual side effect.
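As an added example that is not part of this skill or its references, a provenance-tagged tool-call gate in Python: every text fragment carries the layer it came from, so the executor can record the exact point where retrieved, memory or tool-response text becomes a file path, network target or secret name, and can separate that side effect from mere drift in a non-sensitive argument such as file content. The layer names, tool names and the `SENSITIVE_PARAMS` table are assumptions, and the scenario data is constructed.

```python
from dataclasses import dataclass

# Hypothetical layer names, one per entry in the control stack above.
UNTRUSTED_LAYERS = {"retrieved", "memory", "tool_response"}
# Hypothetical tool surface: parameters whose value is a file path, network target or secret name.
SENSITIVE_PARAMS = {"write_file": {"path"}, "http_get": {"url"}, "read_secret": {"name"}}


@dataclass(frozen=True)
class Fragment:
    """A piece of text plus the layer it came from; provenance travels with the text."""
    text: str
    layer: str  # system | developer | user | retrieved | memory | tool_response


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: dict  # param name -> list[Fragment], so every argument keeps its provenance


def render(frags):
    return "".join(f.text for f in frags)


def boundary_crossings(call):
    """Compact evidence blocks for every sensitive argument that contains untrusted text:
    the exact point where retrieved/memory/tool text became a path, target or secret request."""
    evidence = []
    for param in SENSITIVE_PARAMS.get(call.tool, set()):
        frags = call.args.get(param, [])
        for f in frags:
            if f.layer in UNTRUSTED_LAYERS:
                evidence.append({"tool": call.tool, "param": param, "value": render(frags),
                                 "source_layer": f.layer, "source_chunk": f.text})
    return evidence


def gate(call):
    """Executor-side check: untrusted text in a non-sensitive argument (e.g. file content) is
    instruction drift at most; in a sensitive one it is a side effect and the call is blocked."""
    crossings = boundary_crossings(call)
    return ("blocked" if crossings else "allowed", crossings)


# Constructed scenario: the developer prompt fixes the output directory, a retrieved chunk
# supplies text, and the planner copies part of that chunk into the path argument.
CHUNK = Fragment("reports/shared/summary.md", "retrieved")
CLEAN_CALL = ToolCall("write_file", {"path": [Fragment("out/summary.md", "developer")],
                                     "content": [CHUNK]})
DRIFTED_CALL = ToolCall("write_file", {"path": [Fragment("out/", "developer"), CHUNK],
                                       "content": [CHUNK]})
```

`gate(DRIFTED_CALL)` returns the blocked verdict together with the evidence block (source chunk, layer, final rendered argument) that the "What To Preserve" list asks for, while `gate(CLEAN_CALL)` is allowed because the retrieved text only reached the content argument.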

Read This Reference

  • Load references/prompt-injection.md for the checklist, evidence layout, and common prompt-boundary pitfalls.

What To Preserve

  • Original malicious chunk or prompt
  • Intermediate summary or planner drift if it matters
  • Final tool args, file paths, or exposed secret surface