FEAT: Add Moltbot/ClawdBot security testing scenario #1344
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
February 1, 2026 18:02
This PR adds support for testing AI agent systems (Moltbot/Clawdbot) for known security vulnerabilities. ## Components Added 1. **MoltbotScenario** (pyrit/scenario/scenarios/airt/moltbot_scenario.py) - Tests known Moltbot/Clawdbot CVEs using Scenario pattern - Strategies: cron injection, credential theft, file exfiltration, hidden instructions - Follows same pattern as existing Cyber and Leakage scenarios - Uses existing PyRIT attack strategies (PromptSendingAttack) 2. **AgentCommandInjectionConverter** (pyrit/prompt_converter/agent_command_injection_converter.py) - Reusable converter for AI agent attack payloads - Supports 5 injection types: cron, credential_theft, file_read, command_exec, hidden_instruction - Configurable complexity levels (low/medium/high) - Works with any AI agent platform, not just Moltbot 3. **Unit Tests** (tests/unit/converter/test_agent_command_injection_converter.py) - Comprehensive tests for all injection types - Tests complexity levels and async conversion - 274 lines of test coverage ## Known Vulnerabilities Tested - Cron job injection (30-second execution windows) - Credential theft from ~/.clawdbot/ directory - Backup file exfiltration (.bak.0-.bak.4 files) - Hidden instruction injection via task descriptions ## Architecture Decision Uses Scenario pattern (like Cyber/Leakage) rather than creating new orchestrator pattern. Scenarios are designed to test KNOWN vulnerabilities, which fits perfectly for documented Moltbot CVEs.
- Remove AgentCommandInjectionConverter - too specific for PyRIT's converter philosophy - Converters should transform text, not generate attack payloads - Attack payloads now belong directly in test objectives - Simplifies architecture: objectives → PromptSendingAttack (no converter layer) - Aligns with PyRIT's pattern: converters transform, objectives define what to test
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR adds security testing capabilities for AI agent systems, specifically targeting Moltbot/ClawdBot vulnerabilities discovered in January 2026.
What's included:
MoltbotScenario- A scenario for testing known Moltbot CVEs (cron injection, credential theft, file exfiltration, hidden instruction injection)MoltbotStrategy- Strategy enum for selecting vulnerability types to testDesign decisions:
AgentCommandInjectionConverter, but removed it in commit 2 after recognizing it violated PyRIT's converter philosophyObjective → PromptSendingAttack → Target(no converter layer)Files changed:
pyrit/scenario/scenarios/airt/moltbot_scenario.py- Main scenario implementationpyrit/scenario/scenarios/airt/__init__.py- ExportsTests and Documentation
Tests:
from pyrit.scenario.scenarios.airt import MoltbotScenario, MoltbotStrategyALL,CRON_INJECTION,CREDENTIAL_THEFT,FILE_EXFILTRATION,HIDDEN_INSTRUCTION