Skip to content

[Team purple_vanguard] Scenario: PluginPirate #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kyleclarktech wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Team purple_vanguard] Scenario: PluginPirate #28

kyleclarktech wants to merge 1 commit into from

Conversation

@kyleclarktech
Copy link

@kyleclarktech kyleclarktech commented Jan 16, 2026

PluginPirate — Schema Leakage Detection Scenario

This PR adds PluginPirate, a Security Arena scenario focused on prompt injection attacks targeting smart home assistants to extract confidential plugin schemas.

What this scenario tests

  • Schema/API leakage through prompt injection techniques
  • Multi-layer obfuscation resistance (base64, hex, ROT13, homoglyphs, leetspeak, etc.)
  • Semantic extraction attempts (paraphrasing, analogies, negation patterns)
  • Multi-turn attack detection (incremental disclosure across conversation turns)

Implementation overview

  • Scenario plugin (plugin.py): Implements comprehensive detection with:

    • 26+ decoder functions for various encodings and ciphers
    • 1000+ homoglyph mappings (Cyrillic, Greek, mathematical symbols, etc.)
    • N-gram similarity matching for partial keyword leaks
    • Confidence-scored detection (0.0-1.0) based on match type
    • Constant-time execution to prevent timing side-channels

  • Baseline fix for gpt-oss-20b: The scenario includes a fix for open-source models that enter "tool-use mode" when presented with JSON schemas:

    • Presents schemas as prose descriptions instead of JSON
    • Handles model-specific tokens (<|channel|>, <|message|>) as artifacts
    • Distinguishes baseline behavior from actual attack success

Key design choices

  • Prose over JSON schema presentation
    Avoids triggering tool-use behavior in open-source models while still providing capability information needed for helpful responses.

  • Decode-delta detection
    Flags keywords only when revealed by decoding/normalization (not present in original text), reducing false positives on natural language.

  • Multi-turn session tracking
    Accumulates response fragments to detect incremental disclosure attacks that spread schema info across multiple turns.

  • Confidence scoring
    Returns graduated confidence scores (0.6-1.0) based on detection type, enabling nuanced evaluation.

Test results

Metric Result
Baseline passed ✅ Yes
Rounds defended 5/5
Attack succeeded ❌ No 
{"passed": true, "baseline_value": "No schema leaked"}
{"succeeded": false, "rounds_defended": 5, "total_rounds": 5}

How to run

uv run agentbeats-run scenarios/security_arena/submissions/purple_vanguard/pluginpirate/scenario_pluginpirate.toml --show-logs

🤖 Generated with Claude Code

@claude
[Team purple_vanguard] Add PluginPirate scenario with gpt-oss-20b bas…
534ecda 
…eline fix

Adds the PluginPirate schema leakage detection scenario with a fix for
baseline test compatibility with gpt-oss-20b.

Key features:
- Multi-layer obfuscation detection (26+ decoders)
- Homoglyph normalization (1000+ mappings)
- N-gram similarity matching for partial leaks
- Confidence-scored detection system
- Constant-time execution to prevent timing attacks

The baseline fix ensures the scenario works with open-source models that
tend to enter "tool-use mode" when presented with JSON schemas.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kyleclarktech