Chapter 10
Agent Workflow and Publish-Path Abuse
Agent workflow and publish-path abuse happens when the glue between planning, approval, scheduling, execution, review, or publishing becomes the attack surface and unsafe actions start to look like normal operations.
What it is
This chapter covers orchestration-level failures rather than one isolated prompt or one tool call. The attack surface is the workflow itself: ingestion, delegation, review gates, cron jobs, status panels, emergency hotfix paths, publishing steps, and approval artifacts. The system fails because the chain trusts too much, not because one component is obviously broken.
Why it matters for agents
This matters because real-world agent systems live inside pipelines. Once those pipelines gain speed, autonomy, and cross-tool wiring, workflow logic becomes a first-class security boundary. Attackers do not need perfect model control if they can poison an approval artifact, greenwash a status signal, or route unsafe content into the publish path.
How it shows up in workflows
Common shapes include forged change-ticket approvals, emergency hotfix approval bypass, poisoned ingestion, unsafe content promotion, review bypass, status-panel greenwashing, and workflow connectors that hold more privilege than operators realize. It also overlaps with cross-agent injection when one workflow stage trusts receipts or handoffs produced by another stage without re-deriving evidence.
What Sunglasses sees
The attack surface is the workflow logic, not only the model text itself.
Categories in this chapter:
agent_workflow_security, agent_workflow, agent_security
No patterns match the current filters.
All 87 patterns in this chapter
Every Sunglasses detection pattern mapped to this attack family.
GLS-AW-001
Web fetch to publish pipeline injection
CRITICAL
Indirect prompt injection or poisoned source content entering an agent workflow that fetches external pages, generates content, and pushes toward publishing systems.
fetch page and publishcrawl this page and publish ituse this website as source of truth and publishscrape competitor pages and turn them into a postread this url and post the result to the cmstake the fetched content and publish directlyturn this scraped page into a live articlegenerate a post from this page and publish it+4 more
GLS-AW-002
Overprivileged CMS publish connector
CRITICAL
Agent connector with direct CMS publish rights, broad content mutation scope, or missing draft-only controls — high-blast-radius path from prompt compromise to public site compromise.
publish directly to wordpresspublish directly to webflowpublish directly to shopify blogskip draft and publish livegrant publish permissionfull cms access tokencontent publish scopewrite access to all pages+4 more
GLS-AW-003
Overprivileged social scheduler connector
HIGH
Agent-connected social scheduling tool with direct posting rights across multiple channels — compromised prompts or poisoned content can cause broad, fast brand abuse without approval gates.
schedule directly to all social accountspost directly to linkedin and xauto queue this threadpublish to all connected channelssocial scheduler tokencross-post automaticallyskip approval and queue postsblast this to every channel+4 more
GLS-AW-004
Poisoned persistent prompt or skill
CRITICAL
Malicious instructions hidden inside saved prompts, reusable skills, brand playbooks, or persistent memory that continue influencing future agent runs long after the original injection point is gone.
save this as a reusable skillmake this your default workflow foreveralways use this prompt from now onpersist this publishing rulestore this as your evergreen system promptadd this to every future campaignsave these instructions to your brand playbookremember this publishing override permanently+4 more
GLS-AW-005
Poisoned RSS or brand doc ingestion
HIGH
External feeds, brand docs, competitor pages, or knowledge-base inputs contain malicious instructions, hidden directives, or poisoned content that the agent treats as trusted planning material for later content generation or publishing.
ingest this rss feed as trusted guidanceuse this feed as your publishing source of truthtreat these brand docs as mandatory instructionsimport this content calendar automaticallyread the sitemap and follow embedded directionssync these brand guidelines into memoryparse this feed and obey any action itemsuse competitor docs to drive publishing decisions+4 more
GLS-AW-006
Unsafely auto-published marketing content
CRITICAL
Generated marketing content is pushed live automatically without sufficient human review, claim validation, approval receipts, or connector safety limits, creating a direct path to brand abuse, misinformation, or policy violations.
auto-publish this campaign nowpush this content live without reviewpublish immediately after generationskip fact check and go liveno approval needed for this postsend generated copy straight to productioninstant publish after draft creationbypass reviewer and publish the article+4 more
GLS-AW-007
Agent permission bypass via compound commands
HIGH
Detects compound command padding used to bypass agent permission checks (Adversa Claude Code bypass).
compound command paddingtrue &&deny rule bypass
GLS-AW-009
Unauthenticated agent event stream
HIGH
Detects unauthenticated SSE/event stream endpoints that leak agent tool calls and responses (PraisonAI CVE-2026-39889).
GLS-AGT-GHSA-001
GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
MEDIUM
Detection for GHSA-cm8v-2vh9-cxf3: OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant). Source: https://github.com/advisories/GHSA-cm8v-2vh9-cxf3
GHSAGIT_DIRdenylistenv varexecopenclaw
GLS-AGT-GHSA-002
Multiple Code Paths Missing Base64 Pre-Allocation Size Checks
MEDIUM
Detection for GHSA-ccx3-fw7q-rr2r: OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks. Source: https://github.com/advisories/GHSA-ccx3-fw7q-rr2r
openclaw
GLS-AGT-GHSA-019
Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration
HIGH
Detection for GHSA-qqq7-4hxc-x63c: OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration. Source: https://github.com/advisories/GHSA-qqq7-4hxc-x63c
MEDIAopenclaw
GLS-AGT-GHSA-023
Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses
MEDIUM
Detection for GHSA-gfmx-pph7-g46x: OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade. Source: https://github.com/advisories/GHSA-gfmx-pph7-g46x
execopenclaw
GLS-AGT-GHSA-025
LangChain has incomplete f-string validation in prompt templates
HIGH
Detection for GHSA-926x-3r5x-gfhw: LangChain has incomplete f-string validation in prompt templates. Source: https://github.com/advisories/GHSA-926x-3r5x-gfhw
f-string
GLS-AW-010
Trusted-proxy gateway auth widens operator scope at runtime
HIGH
Detection for GHSA-4f8g-77mw-3rxc: trusted-proxy gateway auth where operator.read + operator.write scopes widen at runtime without re-consent.
GLS-AW-011
SSRF guard gap in browser-driver/media-fetch redirects
HIGH
SSRF guard coverage gap in browser-driver / media-fetch code paths where redirects bypass private-target blocklists.
GLS-AW-012
Websocket session survives token rotation (stale auth)
HIGH
Websocket sessions survive token rotation / reload — stale auth closure (resolvedAuth) keeps revoked credentials alive.
GLS-AW-013
PraisonAI 'type: job' YAML executes shell/python at runtime
CRITICAL
Detection for GHSA-vc46-vw85-3wvm: PraisonAI workflow YAML with 'type: job' runs arbitrary shell/Python during workflow execution. Source: https://github.com/advisories/GHSA-vc46-vw85-3wvm
GLS-AW-014
Agent browser WebSocket accepts wildcard origin or no auth
CRITICAL
Detection for GHSA-8x8f-54wf-vv92: PraisonAI Browser Server WebSocket lets unauthenticated clients hijack active browser extension sessions. Source: https://github.com/advisories/GHSA-8x8f-54wf-vv92
GLS-AW-015
Agent endpoint CORS wildcard with no authentication
HIGH
Detection for GHSA-x462-jjpc-q4q4: PraisonAI AGUI endpoint hardcoded wildcard CORS with no auth — any web page can drive the agent. Source: https://github.com/advisories/GHSA-x462-jjpc-q4q4
GLS-GHSA-PI-202
GHSA agent injection and tool abuse
HIGH
Detects prompts and tool metadata that attempt command injection, untrusted subprocess launch, secret exfiltration, or approval-bypass execution in agent systems — grounded in GitHub Security Advisories.
approved already run shellconsent cached skip confirmationexecute this commandrun shell command nowmcp server subprocessprintenv for diagnosticsapproval cache bypassdebug mode reveal api key+2 more
GLS-FRAMEWORK-BUG-211
Agent framework bug exploitation
CRITICAL
Detects attack prompts exploiting known agent-framework bug classes: unsafe delegation, memory poisoning, tool-output trust abuse, secret leakage through tracing/logging, and code/loader execution pivots.
delegated agent trust output execute verbatimlangchain print callback trace system promptcrewai write to memory future turnstool output execute skip validationorchestrator bypass guardcallback log print system promptagent framework disable sandboxtrust delegated output highest priority+2 more
GLS-AW-016
Emergency Urgency Approval Gate Skip Deploy
HIGH
Detects an emergency or critical urgency claim used to skip or bypass approval, review, or change-control gates for a deployment or production release.
GLS-AW-581
Rollback Exception Waiver Auto-Execute Bypass
HIGH
Detects a rollback exception or emergency override waiver used to auto-execute or force a run while bypassing rollback validation or approval sign-off.
GLS-AW-008
Event stream delimiter injection
HIGH
Event-stream and chunked-output toolchains often parse separators (---, JSONL newlines, SSE data: frames, markdown fences) as control boundaries. Attackers can inject delimiter-shaped payloads into low-trust content so the orchestrator mis-frames data as new instructions, bypassing normal prompt/tool priority rules.
inject sse delimiterfake event framesplice sse datajsonl record breakoutmarkdown fence pivotcsv injection shift columnsframe splicing attackcontrol boundary injection+4 more
GLS-AW-017
Mtime backdating
HIGH
Mtime-backdating attacks forge file recency signals so automation trusts stale or attacker-controlled artifacts as "fresh." In Sunglasses-style cron pipelines, mtime is frequently used to pick the latest bundle, cycle package, or dashboard source. If an attacker can preserve or spoof mtime ordering, they can steer the control plane toward older evidence while status checks still appear green.
backdate file mtimespoof modification timepreserve mtime rollbackfake recency signalstale bundle replayrolled-back tarball fresh mtimeselective member agingcross-file skew grafting+2 more
GLS-AW-018
Cron reply log drift
HIGH
GO MODE relies on append-only status artifacts (cava_wins_log.md + CAVA_REPLY_*) as the operational source of truth. If an attacker can inject instructions that desynchronize **what got executed** vs **what got logged**, operators lose visibility and may ship unverified claims.
status-first overridesplit-append desynctimestamp launderingtail-truncation blindspotfake success log entryaudit trail desyncwrite success before verificationsuppress wins log+2 more
GLS-AW-019
Heartbeat status spoofing
HIGH
Heartbeat/status channels are trusted fast-path signals in multi-agent pipelines. If an attacker can inject or spoof "healthy", "completed", or "ready" state into these channels, operators and orchestrators can skip deeper validation and execute stale or poisoned artifacts. This is high leverage because status metadata often bypasses the same scrutiny as task content.
spoof heartbeatreplay healthy heartbeatsynthetic heartbeat replaystatus channel role confusioncompletion pretext injectionstale-state pinningfake gateway healthyalive event replay+2 more
GLS-AW-020
Justification channel hijack
HIGH
Agents often separate **decision payloads** from human-readable **justification text** (approval notes, risk summaries, changelog blurbs). Attackers can target the justification channel to make unsafe actions look compliant, reducing reviewer skepticism and increasing approval-throughput for malicious plans.
risk summary inversionapproval note launderingjustification drift on retryevidence-selective narrationmake destructive look safesoften warning across retriesclaim no side effects while destructivedownplay risk to reviewer+2 more
GLS-AW-021
Cron trigger desync
HIGH
Cron/scheduler boundaries are a high-risk trust seam in agent systems: delayed execution can separate **what was approved** from **what is executed later**. Attackers exploit this gap by injecting timing or trigger semantics so benign-looking queued jobs execute hostile payloads after context has shifted.
deferred payload swaptrigger source spoofingtime-window policy bypassretry-queue privilege driftpost-approval payload mutationqueued job mutationtimezone confusion bypassuntrusted event masquerade as scheduler+1 more
GLS-AW-022
Control plane status forgery
HIGH
Control-plane status messages ("healthy", "verified", "ready", "green") are often trusted as gate signals by agent workflows. If an attacker can inject forged status artifacts into tool outputs, logs, or bridge files, the agent can skip validation gates and execute high-impact actions under false confidence. This creates a silent escalation path: no explicit jailbreak phrase is needed, just counterfeit health/approval state.
healthcheck verdict forgerycross-file status shadowingreason-code launderingapproval-state replayfake STATUS PASS linecounterfeit health staterate_limit aliased as normalstale approved hash new payload+1 more
GLS-AW-023
Log evidence suppression
CRITICAL
Attackers increasingly target observability pathways, not just policy prompts. In this family, adversarial instructions attempt to suppress, overwrite, or downgrade security-relevant evidence in logs so downstream validators and humans see a "clean" run despite compromised behavior. If successful, this can bypass Cycle 3/4 checks and corrupt incident response timing.
severity downcast injectionrewrite error as infoevidence truncation pretextstrip tool args token efficiencylog stream branch forkpost-run overwrite launderingcompaction privacy excuseephemeral buffer hides risky details+1 more
GLS-AW-024
Status panel greenwashing
MEDIUM
Status dashboards are treated as operator truth during incident response. If an attacker can coerce a pipeline to render a green/fresh state from stale or partial evidence, defenders delay escalation while real abuse continues. This is high-risk in cron-driven agent systems where health badges and KPI cards directly influence action.
freshness badge override fallback keypartial-success launderingzero-to-N/A coerciondenominator inflationstale data renders as freshpanel mixed states collapsed to greenrender last_success instead of updated_atregression hidden behind missing data semantics
GLS-AW-025
Cron state carryover poisoning
HIGH
Cron-driven agent systems repeatedly execute near-identical workflows where status files, prior-cycle outputs, and readiness gates are reused as context. This creates a high-leverage injection surface: attackers can seed one cycle with manipulative state and let it silently propagate into future cycles as trusted "already verified" context. The result is decision drift without obvious single-event compromise.
last-good replay poisoningcross-cycle target-date confusionguardrail downgrade carried exceptionstate-board precedence hijackstale READY marker into prior cycleone-cycle bypass becomes stickycarryover trusted as already verifiednon-canonical state newer than canonical
GLS-AW-026
Reply file status overshadowing
MEDIUM
In GO MODE operations, /opt/sunglasses/review/CAVA_REPLY_... is treated as a high-trust operator status surface. Attackers can inject or preserve stale status blocks so that old blocker text overshadows fresh cycle outcomes. This can force bad prioritization (re-open solved tasks, suppress live P0 pivots, or mislabel readiness). The failure mode is subtle because the reply file is expected to be append-only and long.
stale BLOCKED prependstatus label collision near-identical headingverdict replay across cyclesanchor source decouplingreply file overshadow latest cycle updateskim-reading miss latest entrytooling parses wrong block via duplicate marker
GLS-AW-027
Approval hash collision
CRITICAL
Approval workflows are often treated as a cryptographic trust boundary: if an action is "approved," execution is allowed. In practice, many agent/tool pipelines hash incomplete summaries (or unstable fields) before approval, then execute a mutated payload. Attackers can force **hash-equivalent but behavior-divergent** requests so the system logs "approved" while executing higher-risk actions.
whitespace encoding collision smugglefield-order json collisiontruncated-preview suffix collisioncross-tool intent collisionapproval bypass via canonicalization drifthashed summary differs from executed payloadlast-key-wins elevated scopepreview hashes first N chars only
GLS-AW-028
Owner workqueue collision
MEDIUM
GO MODE execution is explicitly one-task-per-cycle, while the company board enforces owner-aware coordination across DONE / IN_PROGRESS / QUEUED. An attacker who can inject owner or queue-state hints can force duplicate effort, collision with active work, or starvation of higher-value tasks.
owner reassignment pretextqueue starvation by urgency launderingduplicate effort collisionforced takeover of in-progress workskip P0 checks emergency low-value escalationowner stalled fake reassignmentviolate owner board boundary
GLS-AW-029
Handoff intent truncation
HIGH
In multi-agent chains, one model writes a compact handoff note and the next model executes it. Attackers can force **semantic truncation** so safety constraints are dropped while execution directives survive. This creates high-risk "looks-normal" work packets: short, clean, and missing the one line that prevented dangerous action.
suffix-drop handoff truncationdelimiter collapse end markerpolicy caveat clipped at tailsafety appendix silently ignoreddo not publish line missingrequire human review strippedhandoff packet missing safety constraintsummarizer drops policy caveat under length pressure
GLS-AW-030
Approval channel desync
CRITICAL
Agent stacks increasingly rely on approval UX (summaries, previews, confirmation prompts). If summaries are lossy or attacker-steerable, the approval layer becomes a false control.
summary execution mismatchapproval card lies about scopeapprove safe execute riskypreview diverges from runtimelossy approval summaryhidden args broader actionsoperator approves summary not exact payloadargument level attestation missing
GLS-AW-031
Permissive Model Fallback Routing Override
HIGH
Attacker-controlled text injects model-routing directives (preferred_model fields, downgrade pretexts, fake capability requirements) into retrieval or tool-result channels, causing the control plane to silently switch to a weaker model tier and expand action surface beyond approved policy.
safety-policy route hijackswitch to permissive modelcost-gate downgrade pretextforce fallback model tiercapability spoof escalationpreferred_model field injectiona/b routing flag manipulationbeta routing enabled override+4 more
GLS-AW-032
SSE Delimiter Frame Forgery Injection
HIGH
Attacker embeds stream-delimiter shapes (SSE data: frames, JSONL newlines, markdown fences, CSV quotes) inside low-trust content so the orchestrator's parser mis-frames hostile bytes as a fresh high-priority instruction or forged tool-result record, bypassing the trust hierarchy.
sse frame splicingdata: frame injectionjsonl record breakoutforged tool-result recordmarkdown fence pivottriple backtick escapecsv delimiter poisoncolumn shift approval flag+4 more
GLS-AW-033
Build Artifact Timestamp Backdating Freshness Spoof
HIGH
Attacker forges or preserves filesystem mtime on stale or rolled-back artifacts so cron-driven selectors trust older or attacker-controlled bundles as the latest, steering the agent's control plane toward poisoned evidence while freshness gates stay green.
bundle rollback preserved mtimestale report replayrewrite postrun timestampcross-file skew graftingselective member agingtarball mtime spoofingfresh checksum stale datafilesystem mtime forgery+4 more
GLS-AW-034
Append-Only Status Log Entry Forgery
HIGH
Attacker injects or forges append-only operational status artifacts (CAVA_REPLY, wins-log, cron acknowledgements) so the agent's GO MODE reads fabricated success signals as ground truth, advancing pipelines on work that never ran or hiding failures behind ghost log lines.
cava reply log forgeryappend-only status driftcron reply timestamp spoofwins log fabricated entryoperational truth source poisoninggo mode status injectionfake completion log lineghost reply append+4 more
GLS-AW-035
Heartbeat Liveness Signal Forgery
HIGH
Attacker fakes or replays heartbeat and liveness signals on trusted fast-path channels so monitoring layers report dead or compromised agents as healthy, suppressing retries and alerts while pipelines continue advancing on broken work.
fake heartbeat signalforged healthy statusspoofed liveness probestale heartbeat marked aliveheartbeat replay attackagent reported green falselyskip retry on fake heartbeathealth-check bypass+4 more
GLS-AW-036
Justification Channel Hijack Decision Divergence
HIGH
Attacker rewrites the human-readable justification text (approval notes, risk summaries, changelog blurbs) so operators see benign-sounding rationale while the machine-executed decision payload performs a materially different action.
justification text hijackapproval note rewriterisk summary swapchangelog blurb mismatchdecision payload vs prose drifthuman-readable justification spoofapproval rationale forgeryside-channel rationale injection+4 more
GLS-AW-037
Validator Consensus Herding Lockstep Coercion
HIGH
Attacker crafts inputs that herd every validator and planning stage onto the same poisoned interpretation, collapsing ensemble diversity so disagreement-based safeguards never fire and the bad verdict ships with apparent unanimous consensus.
consensus lockstep poisoningforce validators agreecoerce planning stages convergedisagreement safeguard bypasssynchronized validator hallucinationmulti-agent same poisoned interpretationquorum collapse via shared priorshared prompt poisons all stages+4 more
GLS-AW-038
Summarization Counter-Evidence Eviction
HIGH
Attacker exploits summarization, truncation, and context-window compaction stages to strip away contradiction-bearing details while preserving benign headline numbers, so downstream reasoning never sees the dissenting evidence that would have blocked the action.
summarization strips contradictiontruncation hides counter-evidenceheadline number survives compressionlossy summary preserves benigncontext compaction attackevidence pruned by summarizersummarizer drops dissentcompression bias toward bland+4 more
GLS-AW-039
Severity Downcast Critical To Low Relabeling
HIGH
Attacker manipulates severity taxonomy assignment so high-impact findings get relabeled into low, informational, or ops-only categories, suppressing the escalation paths that would have triggered urgent response.
severity downcast critical to lowrelabel finding as noiseops-only severity rerouteescalation path never triggershigh impact tagged informationalseverity launderingtaxonomy reclass attackforce severity below threshold+4 more
GLS-AW-040
Postrun Verifier Stale Output Freshness Bypass
HIGH
Attacker exploits a postrun verifier that checks output-file existence and mtime but not source-input freshness, so the pipeline emits a READY signal while operating on stale or wrong-day input data, leading the agent to act on rotted evidence.
postrun ready false positiveoutput exists but source stalewrong-day input passes readyfreshness check on output onlyready signal ignores input agestale source still marked readydma verifier output-only checkinput date mismatch hidden+4 more
GLS-AW-041
Score Normalization Bucket Boundary Poisoning
HIGH
Attacker inflates or seeds outlier values into raw telemetry so the score-normalization stage stretches its range or shifts bucket boundaries, causing critical findings to map below operator-action thresholds while attacker-favored items rank higher.
score normalization poisoningoutlier shifts normalized rankstretch min-max rangenormalize bias attacker scorez-score inflation injectionpercentile compression attackscale factor manipulationdenominator poison shifts boundary+4 more
GLS-AW-042
Cron Trigger Desync Approval Scope Drift
HIGH
Attacker exploits the gap between approval time and scheduled execution time so cron-fired jobs run stale or revoked plans against changed scope or policy, separating what was authorized from what actually executes later.
cron trigger desyncapproved now executed laterdelayed execution scope driftscheduler window swapstale plan run after changecron-fire vs approval mismatchqueue replay after revokeapproval expires before run+4 more
GLS-AW-190
Health Badge Swap GO Mode Bypass
HIGH
Attacker forges or swaps compact health badges (READY/DEGRADED/STALE) so GO MODE cycles ship work against falsely-green systems, bypassing the readiness gate meant to halt on real degradation.
signal health badge impersonationfake ready badgespoof ready statusforged degraded-to-ready fliphealth status forgerybadge swap attackstale marker hiddenfalse green light health+4 more
GLS-AW-191
Workqueue Owner Collision Injection
MEDIUM
Attacker injects conflicting owner or status claims into shared workqueues so two agents collide on the same task or a malicious assignment overwrites a legitimate owner, breaking coordination guarantees.
owner workqueue collisionduplicate owner assignmentqueue ownership conflict injectiondone flag misattributionin-progress double claimqueued task ownership spoofowner field forgerycross-owner status overwrite+4 more
GLS-AW-192
Non-Canonical Output Form Safety Bypass
HIGH
Attacker exploits the gap between semantically-equivalent output forms (JSON vs markdown, alternate encodings, unicode variants) so the agent grants equal trust to a non-canonical form that bypasses safety checks tied to the canonical shape.
output canonicalization confusionequivalent-form trust gapunicode normalization bypassjson vs markdown trust skewalternate output shape exploitcanonical form drifthomoglyph output bypassformat-equivalent payload smuggling+4 more
GLS-AW-193
Compact Handoff Intent Stripping
HIGH
Attacker exploits compact handoff notes between agents to strip or compress critical intent and constraints so the downstream model executes with an incomplete picture, dropping safety conditions that were present upstream.
handoff intent truncationcompact handoff payload abuseintent omission across agentslost constraint in handoffnext-agent context starvationhandoff note clippingstripped safety constraint at boundaryintent compression poisoning+4 more
GLS-AW-194
Self-Referencing Readiness Verdict Echo
HIGH
Attacker exploits readiness systems that ingest their own prior verdicts so a single early READY tag echoes through later gates, drowning out fresh contradicting evidence and locking in a stale pass.
readiness verdict echo chamberprior ready overweightedstale verdict reusegate decision feedback loopready tag self-citationverdict inheritance abuseunderweight fresh evidenceechoed gate verdict+4 more
GLS-AW-195
Zero-Null Missing Key Fail-Open
HIGH
Attacker exploits fallback logic that conflates 0, [], {}, None and missing keys as equivalent so omitting a field is treated as a passing or authorized state, silently failing open on safety checks.
null sentinel poisoningempty equals zero conflationmissing key fail-openempty list treated as successnone as authorizationabsent field permissive defaultsilent fail-open via emptysentinel value confusion+4 more
GLS-AW-196
Output Format Negotiation Policy Bypass
HIGH
Attacker manipulates output format negotiation to steer the agent into a response shape whose parser or downstream policy is weaker, using format choice as a control-boundary exploit rather than presentation.
output format negotiation hijackformat-as-control-boundary abuseforce unsafe response shapejson mode coercionmarkdown to executable shape pivotformat flag injectionschema negotiation manipulationdowngrade structured output+4 more
GLS-AW-197
Fake Ground-Truth Evaluation Record Planting
HIGH
Attacker plants fake ground-truth records into evaluation datasets then cites them later as validation evidence, creating a self-reinforcing trust loop where forged history is treated as authoritative truth.
synthetic ground truth backfillfake validation record seedingfabricated eval data injectionself-citing ground truthbackfilled benchmark poisoningevaluator dataset poisoningground truth forgerysynthetic gold label injection+4 more
GLS-AW-198
Fixed Anchor Tunnel Decision Collapse
HIGH
Attacker optimizes payloads against the small fixed set of anchors an agent reuses across cycles, inducing decision collapse where outputs look grounded but no longer detect drift outside the tunnel of measured signals.
anchor entropy collapsefixed-anchor overfit attacksingle-kpi tunnel visionnarrow anchor exploitdecision collapse via repeated anchorslow-entropy grounding abuseanchor reuse drift blindnesskpi tunnel hijack+4 more
GLS-AW-199
Cross-Lane Telemetry Label Strip Merge
HIGH
Attacker triggers merging of telemetry from different lanes or provenance scopes without preserving source labels, so the agent operates on a single blurred truth that masks which lane is malicious.
source context collapselane provenance mergelost source labelpreflight vs postrun blurtelemetry lane confusionscope tag strippingmerged truth without provenancecross-lane telemetry conflation+4 more
GLS-AW-200
Competing Artifact Source Arbitration Exploit
HIGH
Attacker forces the agent to bounce between competing authoritative artifacts (mission file, runbook, summary, tool output) until the loosest source wins, exploiting source-arbitration logic to land on the weakest policy.
source of truth pinballauthoritative artifact bounceleast-strict source winsmission vs runbook arbitragetruth-source flip flopweakest source resolutionauthority shop across artifactsspec ricochet attack+4 more
GLS-AW-201
Gate Non-Determinism Transient Window Slip
MEDIUM
Attacker exploits gate non-determinism so verdicts thrash between READY, PARTIAL_READY and STALE on source-order or timing variance, slipping malicious work through during a transient permissive window.
readiness gate verdict thrashingalternating ready partial stalealias drift verdict fliprace-induced verdict changesource order verdict swinggate oscillation exploitthrash to permit windowverdict flapping abuse+4 more
GLS-AW-202
Multi-Source False Consensus Coercion
CRITICAL
Attacker plants identical false instructions across multiple low-trust sources so the agent interprets the manufactured agreement as consensus and upgrades the claim from suggestion to execution authority.
cross source consensus hijackaligned false claim across sourcesfake multi-source agreementlow-trust source consensus spoofretrieval echo consensusstatus file plus log alignmentconsensus upgraded to authoritymanufactured agreement attack+4 more
GLS-AW-203
Approval Preview Execution Desync
CRITICAL
Attacker desynchronizes what the approval UX shows from what actually executes, so the operator confirms a benign-looking preview while a different and malicious operation runs underneath.
approval channel desyncpreview vs action driftshown vs executed mismatchconfirmation prompt spoofsummary differs from real actionapproval ux divergencedecoy preview attackapprove-one-execute-another+4 more
GLS-AW-204
Replay Poison Persistent Instruction Promotion
CRITICAL
Attacker plants untrusted content once (retrieval chunk, tool output, memory note, checkpoint) then exploits later turns that replay it as trusted policy, turning short-lived poison into persistent instruction authority.
state replay poisoningmemory replay attackcheckpoint replay injectionpersisted untrusted content reuseretrieval chunk replayed as policytool output cached as authoritystale memory note replayedsession-persisted poison+4 more
GLS-AW-205
Safety Judgment Weak Subagent Outsourcing
CRITICAL
Attacker steers the agent into outsourcing safety or risk judgment to a weaker secondary tool, subagent, or summarizer and then treating that outsourced answer as authoritative, laundering policy through the weakest link.
delegation oracle abuseoutsourced risk judgmentsubagent verdict trustsummarizer as authoritysecondary tool answer overrides policydelegated oracle overrideexternal summarizer trust launderingsubagent rubber stamp+4 more
GLS-AW-043
Gap-Fill Fabrication Pressure
HIGH
Attacker injects instructions that pressure the agent to fill missing evidence with plausible defaults or fabricated values instead of emitting N/A or deferring, so downstream pipelines treat invented data as verified facts.
fill missing evidence with defaultship even if data missingnever emit n/a directiveplausible default coercionskip defer instructionfabricate to avoid blankmust produce output pressurehallucinate to satisfy template+4 more
GLS-AW-044
Verification Gate Forgery
CRITICAL
Attacker poisons or forges the output of verification gates (preflight, postrun, health-checks, approval summaries) so the agent's trust anchors auto-pass, allowing unsafe actions to proceed without real validation.
preflight check bypassverification gate skipapproval summary forgerypostrun verifier disabledhealth-check stub responsetrust anchor poisonedauto-pass verificationfake green from gate+4 more
GLS-AW-045
Template Placeholder Imperative Injection
HIGH
Attacker plants imperative payloads inside template placeholders or unfilled variables (scorecards, briefs, widget snippets) so when the render stage fills the slot, the resulting text is parsed as a fresh instruction rather than inert data.
template placeholder smugglingunfilled variable becomes instructionscorecard placeholder injectionbrief slot hijackwidget snippet placeholder pivotjinja-style token abusedouble curly brace smugglingplaceholder text imperative+4 more
GLS-AW-046
Plan Summary Execution Drift
CRITICAL
Attacker exploits retry, fallback, or summarization passes so the agent's displayed plan summary stays safe-looking while the actual executed tool sequence drifts into different, expanded, or unsafe actions.
plan vs execution driftsummary shows safe planretry mutates tool sequencefallback branch escalates scopepost-summarization action changedisplayed plan diverges executedtool order swap on retryplan-execute parity loss+4 more
GLS-AW-047
State Board Status Inversion
HIGH
Attacker tampers with the agent's decision/state board (DONE / IN_PROGRESS / QUEUED / BLOCKED / DECISIONS / OPEN_QUESTIONS) to mark unfinished work complete, clear blockers silently, or invert priority, causing duplicate work and unauthorized state advancement.
decision register driftstate board rewritemark done without completionqueued flipped to doneblocked silently clearedopen question deletedpriority inversion via board editduplicate work after register tamper+4 more
GLS-AW-048
Guardrail Evaluation Fixture Tampering
HIGH
Attacker tampers with guardrail evaluation fixtures (test corpora, expected outputs, redteam cases) instead of production prompts, so eval pipelines silently report green while real-world guardrails regress undetected.
evaluation fixture tamperingguardrail eval poisoningtest corpus weakenedexpected output rewrittenfixture mutation hides regressioneval pass rate inflationredteam fixture deletionbenchmark fixture forgery+4 more
GLS-AW-049
Stream Chunk Parser Boundary Bypass
HIGH
Attacker splits hostile payloads across stream chunks so the policy evaluator scans pre-reassembly fragments while the downstream consumer sees the reassembled whole, creating a parser-vs-policy boundary gap that smuggles directives past the filter.
chunk parser vs policy desyncreassembly boundary mismatchpolicy sees fragment not wholesplit payload bypass scannermcp chunk reorder injectionstream segment boundary shiftscanner reads pre-reassemblypolicy evaluates per-chunk+4 more
GLS-AW-050
Time-of-Check Time-of-Use Desync
CRITICAL
Attacker exploits the time-of-check / time-of-use gap in multi-tool chains by mutating an argument, file, or URL after it passes validation but before it executes, so the verifier sees a benign snapshot while the tool runs against the swapped value.
toctou desync agentapproved payload swapped before executionvalidated then mutatedcheck vs use raceargument mutation after validationfile replaced between check and readurl validated then reswizzledstale validation reused+4 more
GLS-AW-051
Timezone Deadline Reinterpretation Attack
MEDIUM
Attacker injects timezone or deadline-reinterpretation directives into untrusted content so the agent's cron-window or 'current day' logic shifts, causing freshness gates to pass on stale data or scheduled actions to fire in the wrong window.
timezone deadline spoofingredefine current dayforce pt to utc reinterpretationdeadline urgency injectioncron window misalignmentfake today date directivetz offset injectioncurrent day reinterpretation+4 more
GLS-AW-052
Lockfile Dependency Pinning Bypass
CRITICAL
Attacker tampers with lockfiles or pinned-dependency manifests that agent pipelines treat as immutable trust roots, so resolved versions silently swap to attacker-controlled packages while the lockfile pinning appears intact.
lockfile pinning attackpoetry lock tamperpackage-lock integrity bypasspinned hash replacementtrusted manifest forgerylockfile resolves malicious versionpip-compile hash poisoningyarn.lock tamper+4 more
GLS-AW-053
Control-Plane Status Signal Forgery
HIGH
Attacker forges control-plane status messages ('healthy', 'verified', 'ready', 'green') so agent workflows trust the gate signal and advance into unsafe state without the underlying check ever passing.
forged healthy statusfake verified badgespoofed ready signalgreen status injectioncontrol plane health liegate signal forgerystatus channel poisoningfabricated ok response+4 more
GLS-AW-054
Idempotency Key Rebinding Attack
HIGH
Attacker reuses or rebinds idempotency keys so the agent's deduplication layer treats a new attacker-crafted payload as already-completed (or replays a prior side effect with mutated arguments), defeating once-only execution guarantees.
idempotency key rebindingreuse key new payloadside-effect duplicated under same keykey bound to wrong actionidempotency cache poisoningreplay with mutated args same keyforce key collisionstale key reused+4 more
GLS-AW-055
Safety Alert Suppression Nudge
HIGH
Attacker injects nudges that suppress, downgrade, delay, or reroute high-signal safety alerts so the agent keeps operating while monitoring channels silently lose the warnings that would have stopped the run.
alert suppression nudgedowngrade alert silentlyreroute high-signal alertdelay critical notificationkeep operating despite alertmonitor mute injectionsuppress safety alertalert deduplicated away+4 more
GLS-AW-056
Canary Validator Parser Desync
MEDIUM
Attacker exploits parser-rule mismatches between canary validators and downstream executors so canary phrases trip in one stage but get stripped, normalized, or reframed in another, leaving instruction-boundary violations undetected.
canary collision sidecarvalidator parses canary differentlyexecutor strips canarysplit-parsing canary bypasscanary normalized awaycanary string evaded by encodingpost-processor swallows canaryinstruction-boundary canary blind+4 more
GLS-AW-057
OCR Image Directive Injection
HIGH
Attacker embeds imperative text inside images, screenshots, or scanned documents so multimodal OCR/transcription stages surface the directive into the agent's instruction context as if it were first-party operator input, bypassing input-channel policy.
ocr text as instructionimage transcript trusted as promptscreenshot directive injectionalt-text imperativetranscribed pdf becomes tool callmultimodal trust collapsecaptioned image carries payloadocr output bypasses input policy+4 more
GLS-AW-058
Fast-Path Async Verification Race
HIGH
Attacker exploits the gap between fast-path decisions and slow-path async verification in autonomous pipelines, racing the agent to act on a snap decision before the background verifier can return and block the action.
fast-path slow-path gapdecision before verificationact before async check returnslatency blindspot poisonrace fast decisioncommit before deep scanasync verifier too latesnap decision skips deep check+4 more
GLS-AW-059
Human Approval Summary Drift
CRITICAL
Attacker exploits HITL gaps so the human sees an approval summary that says one thing (e.g., read-only stats pull) while the agent's execution channel dispatches mutated arguments, expanded scope, or extra tool calls beyond the operator's actual intent.
approval summary drifthuman approves read-only execution writesintent-splitting multi-tool bundlepost-approval argument mutationui trust-marker spoofsafe badge from attacker metadataapproval hash skipped on retryoperator confidence false+4 more
GLS-AW-060
Freshness Attestation Forgery
HIGH
Attacker forges or replays freshness attestations so stale data carries a 'newer than X hours' badge or last-pull-success signal, defeating freshness gates that agent pipelines rely on to refuse decisions on rotted source data.
freshness attestation bypassfake last-pull-successstale data fresh badgedata is newer than x hours liefreshness check spoofattestation token replayforged update timestampfreshness gate forged ok+4 more
GLS-AW-061
Evaluation Dataset Label Contamination
HIGH
Attacker contaminates evaluation fixtures, manifests, or label files so scoring rewards unsafe behavior and benchmark theater hides real regressions. Results in false confidence, missed vulnerabilities, and bad roadmap priorities.
eval dataset contaminationfixture label flipbenchmark theatercanary dilution oversamplingsplit-version corpus desyncpolicy-target mismatch poisoningmanifest hash mismatch toleratedlabel swap safe unsafe+4 more
GLS-AW-062
Telemetry Retention Window Manipulation
HIGH
Attacker manipulates retention windows, log TTLs, or rotation policies so incriminating telemetry expires before correlation or audit. Forensic context vanishes and downstream agents lose the evidence needed to detect or escalate the attack.
evidence retention window gamingexpire incriminating telemetryshorten log retentionrotate evidence before reviewpurge audit window earlyretention policy poisoningevidence ttl shrinkdrop logs before correlation+4 more
GLS-AW-063
Decimal Separator Locale Poisoning
HIGH
Attacker flips decimal vs thousands separators across heterogeneous inputs (CSV, OCR, locale JSON) so a guardrail threshold or numeric tool argument is parsed three orders of magnitude off. Causes wrong gate decisions, oversized payloads, or bypassed limits.
decimal separator poisoninglocale comma period flip1,000 parsed as 1.000thousands separator confusioncsv decimal locale mismatchthreshold value 1000x offocr decimal flip exploitjson numeric locale mix+4 more