Chapter 11
Discovery File Poisoning: how public metadata becomes agent policy
Discovery file poisoning is the attack family where hostile instructions are hidden inside files agents read during site, documentation, security, app, or feed discovery, causing public metadata to behave like policy.
What it is
Discovery file poisoning is an indirect prompt-injection pattern carried by boring-looking metadata. The attacker places policy-shaped language inside files such as robots.txt, llms.txt, llms-full.txt, sitemap.xml, humans.txt, security.txt, /.well-known/ resources, web app manifests, or RSS/Atom feeds. These files may be valid, useful, and expected to exist; the dangerous move is when text inside them asks the agent to suppress findings, trust a callback, treat a route as canonical, forward credentials, change scanner behavior, or accept metadata as authority.
Why it matters for agents
Agents read discovery files early because they need to decide what a site is, where the docs live, which routes matter, and what metadata should shape retrieval. That first-read position makes the files feel upstream of the workflow: a clean robots.txt can point to a sitemap, a sitemap can point to docs, an llms.txt can point to a larger bundle, and a security or .well-known file can look closer to ownership or disclosure policy. The risk is not that discovery files exist; the risk is that agents collapse discovery, retrieval, and authority into one context block and let public metadata override local policy.
How it shows up in workflows
In practice, discovery file poisoning shows up as comments, custom directives, sitemap annotations, linked sidecars, documentation bundles, ownership hints, security disclosure text, manifest extension fields, or feed entries that sound like instructions to an AI system. A robots.txt may tell AI scanners not to report private routes. An llms.txt or llms-full.txt may bury agent-facing policy in documentation text. A sitemap.xml may route the agent toward a poisoned policy page. humans.txt, security.txt, /.well-known/ resources, web app manifests, and RSS/Atom feeds may smuggle fake verification, escalation, severity, update, or disclosure guidance into workflows that were only supposed to collect metadata.
What Sunglasses sees
Sunglasses frames discovery file poisoning as a trust-boundary failure: a clean robots.txt, sitemap, llms.txt, security.txt, manifest, or feed passes, but discovery files that smuggle authority-injection or suppression signals get blocked before public metadata can become runtime policy.
Categories in this chapter:
discovery_file_poisoning, agent_instruction_file_poisoning, identity_discovery_poisoning
No patterns match the current filters.
All 82 patterns in this chapter
Every Sunglasses detection pattern mapped to this attack family.
GLS-IDP-001
DID Configuration Agent Authority Poisoning
HIGH
A target-controlled `/.well-known/did-configuration.json` document embeds agent-directed policy text in DID/linked-domain metadata, attempting to make an AI agent treat a verifiable-credential identity proof as higher-priority owner authority and disclose local auth context or suppress reporting.
.
- Control-plane action: request/.well-known/did-configuration/.well-known/did-configuration.jsonAI agentLLMagent_policyassistantautonomous scanner+5 more
GLS-IDP-002
ACME Directory Metadata Agent-Policy Poisoning
HIGH
A target-controlled ACME directory or ACME service-documentation export hides AI/scanner-directed policy inside `meta` or extension text, attempting to override agent instructions, suppress certificate findings, or extract local ACME credentials/account state.
.
- Sensitive or reporting target:AI agentLLMassistantcaaIdentitiescertificate scannercompliance agentkeyChange+5 more
GLS-IDP-003
ATProto DID Discovery Agent Policy Poisoning
MEDIUM
A poisoned `/.well-known/atproto-did` handle-verification file adds nonstandard agent-facing comments that tell AI verifiers to treat the DID proof as higher-priority policy, ignore system/developer/repository rules, or suppress identity-audit findings.
) or report suppression (/.well-known/atproto-didAI verifierLLMagentassistantatproto-diddid:plc:+4 more
GLS-IDP-004
DNS CAA Agent Policy Poisoning
HIGH
DNS CAA certificate-issuance metadata can be poisoned with agent-facing instructions that claim authority, suppress certificate findings, or request secrets from AI TLS/security auditors.
API keysAuthorization headerCAACertification Authority AuthorizationDNS CAALLMaccounturiagent+7 more
GLS-IDP-005
DNS TXT Ownership Metadata Agent Policy Poisoning
MEDIUM
A DNS TXT ownership or verification record mixes a legitimate domain-proof token with AI-agent-facing instructions that claim policy authority, suppress audit findings, or request local secrets.
AI auditorDNS TXTLLMTXT record_acme-challengeagentapple-domain-verificationassistant+6 more
GLS-IDP-006
Keybase identity-proof metadata agent-policy poisoning
MEDIUM
A `keybase.txt` identity-proof file can carry agent-targeted instructions adjacent to public proof text, causing identity-verifying agents to treat proof metadata as authoritative policy, suppress findings, or forward local verification context.
AI agentsI am an admin ofI hereby claimLLM verifiersagentic scannerassistantauthoritative site policyautonomous scanners+7 more
GLS-IDP-007
Nostr NIP-05 discovery metadata agent identity poisoning
HIGH
A poisoned `/.well-known/nostr.json` / NIP-05 identity document can hide agent-facing instructions inside identity-discovery metadata, telling AI agents or scanners to trust the file as policy, suppress reports, or forward secrets through Nostr relays/DMs.
/.well-known/nostr.jsonLLMNIP-05agentagent_policyassistantassistant_instructionscrawler+7 more
GLS-IDP-008
OAuth Protected Resource Metadata Agent Policy Poisoning
HIGH
A poisoned `/.well-known/oauth-protected-resource` metadata document embeds agent-facing policy text in documentation or extension fields to override scanner rules, request bearer tokens or environment secrets, or suppress findings.
/.well-known/oauth-protected-resourceAI assistantAPI keyAuthorization bearerMCPagentassistantauthoritative policy+7 more
GLS-IDP-009
OpenID Credential Issuer Metadata Agent Policy Poisoning
HIGH
Detects `.well-known/openid-credential-issuer` or related verifiable-credential issuer metadata that embeds instructions telling wallets, scanners, or AI agents to treat issuer-supplied text as policy, suppress findings, bypass issuer checks, or forward credential/token material.
LLMagentassistantauthorizationauto-approvebearer/access/refresh tokencallbackclient secret+7 more
GLS-IDP-010
OpenID Federation Entity Configuration Agent-Policy Poisoning
HIGH
A target-controlled OpenID Federation entity configuration embeds non-standard `agent_policy` / `metadata_policy` text that tells AI agents to treat federation metadata as higher-priority operator authority, disclose local auth context, or suppress reports.
), or report suppression (), sensitive auth/local-state requests (, cookies, env vars,/.well-known/openid-federationAI agentLLMagent_policyagentic+6 more
GLS-IDP-011
SAML Metadata Agent Policy Poisoning
HIGH
SAML federation metadata can hide agent-directed authority inversion, report suppression, or secret-disclosure instructions inside legitimate XML metadata fields that SSO-audit agents may ingest as trusted context.
.envAI agentAPI keyContactPersonEntityAttributesEntityDescriptorIDPSSODescriptorIDP_CLIENT_SECRET+7 more
GLS-IDP-012
DMARC/SPF/DKIM DNS TXT Agent Policy Poisoning
HIGH
Mail-authentication DNS TXT records and exported zone text for DMARC, SPF, or DKIM can carry agent-directed instructions that claim authority, request secrets/local state, or suppress scanner findings when AI auditors ingest them as trusted domain policy.
AI agentAPI keyLLM_dmarc_domainkeyassistantauditorcookie+7 more
GLS-IDP-013
DNS CAA Certificate-Policy Metadata Agent Policy Poisoning
HIGH
Attacker embeds hostile agent/scanner policy instructions inside DNS CAA (Certification Authority Authorization) records — `iodef`, `issuewild`, `accounturi`, `validationmethods` fields, zone-file comments, or DNS-provider JSON wrappers — causing AI certificate auditors, TLS scanners, and compliance
) |
| N6 |+ trailingAI agentAI crawlerCAACertification Authority AuthorizationDNS CAADNS TYPE257+7 more
GLS-IDP-014
JWKS metadata agent-policy poisoning
HIGH
A JWKS / JSON Web Key Set endpoint can hide agent-facing instructions in key metadata or custom fields that tell AI auditors, token validators, or scanners to override policy, suppress identity findings, or include local bearer/API/session material in reports.
"keys""kid""kty""x5u"AI agentAPI keyAuthorizationJSON Web Key Set+7 more
GLS-IDP-015
Certificate Transparency log metadata agent-policy poisoning
HIGH
Certificate Transparency log entries, monitor annotations, or generated certificate-inventory metadata can smuggle agent-facing policy text that tells TLS/security auditors to suppress certificate findings or forward local secrets.
AI agent(s)CT logCertificate TransparencyLLM(s)Merkle tree leafSCTSigned Certificate TimestampTLS auditor(s)+7 more
GLS-IDP-016
DNS SVCB / HTTPS Service-Binding Metadata Agent-Policy Poisoning
HIGH
Attacker-controlled DNS SVCB / HTTPS service-binding records, zone-file comments, or DNS-provider export metadata can smuggle AI-agent/scanner instructions that claim authority over TLS/HTTPS audit behavior, suppress findings, or request local credentials.
AuthorizationHTTPS RRSVCBService BindingTYPE64TYPE65agent instructionagent_instructions+7 more
GLS-AIFP-001
Agent discovery metadata policy poisoning
HIGH
Agent-facing discovery files such as `llms.txt`, `robots.txt`, sitemap-adjacent metadata, or site manifests can disguise prompt-injection instructions as crawler policy, causing agents to treat untrusted website text as higher-priority control-plane authority.
API keysUser-Agent: ai-agentValidation script:agent-discoverydisable guardraildisable scannerdisable securityenvironment variables+6 more
GLS-AIFP-002
AGENTS.md / Agent Instruction File Poisoning
HIGH
An attacker places a hostile `AGENTS.md`, `CLAUDE.md`, `SKILL.md`, `.cursor/rules`, or `.github/copilot-instructions.md` in a repository that instructs AI coding agents to suppress security scanning, bypass code review, exfiltrate credential metadata, and treat the file as highest-priority authority
.agent.md.cursor/rules.github/copilot-instructions.mdAGENTS.mdCLAUDE.mdSKILL.mdagent-instructions.mdai-instructions.md
GLS-AIFP-003
.cursor/rules MDC Instruction File Poisoning
HIGH
An attacker places a malicious `.mdc` rule file in `.cursor/rules/` with hostile instructions embedded in the YAML frontmatter `description` field and rule body — exploiting the structured format's dual-reader nature (human sees documentation, agent receives control-plane instructions) to suppress s
### Suggested severity
HIGH when(?six));- Skill scope:.cursor/rules.cursor/rules/.cursor/rules/*.mdc.github/copilot-instructions.md+7 more
GLS-AIFP-004
.devcontainer/devcontainer.json Agent Policy Poisoning
HIGH
AI coding agents (Copilot, Cursor, Claude Code, Codex) import `.devcontainer/devcontainer.json` as trusted project environment configuration. An attacker can embed hostile agent instructions in `name`, `customizations.vscode.settings`, `postCreateCommand` echo text, `features` metadata, `containerEn
.devcontainercontainerEnvcustomizations.vscodedevcontainer.jsonfeaturesonCreateCommandpostCreateCommandremoteEnv+1 more
GLS-AIFP-005
llms-full.txt Agent Policy Poisoning
HIGH
An attacker places hostile agent instructions inside an `llms-full.txt` file — the full-documentation variant of the `llms.txt` standard — exploiting volume-based context-smuggling, section-mediated hiding, and trust amplification from the "complete authoritative documentation" framing to suppress s
# Page Title(?:primary|single) source of truth);- Skill scope:/llms-full.txt/tmp/llms_full_txt_smoke_20260519.pyAI agent
GLS-AIFP-006
VS Code `.code-workspace` agent-policy poisoning
HIGH
A repository can hide agent-directed policy text inside a VS Code `.code-workspace` file or workspace JSON fields, causing AI coding agents that ingest editor/workspace metadata to suppress findings or forward local environment details.
.code-workspaceextensionsfoldersrecommendationssettings
GLS-AIFP-007
EditorConfig Agent Policy Poisoning
HIGH
A repository `.editorconfig` file or EditorConfig snippet carries agent/scanner-directed authority claims, report suppression, or credential/local-state forwarding instructions inside comments or custom key/value fields that AI coding agents may ingest as project configuration.
.editorconfigAI agentsEditorConfig[*.py]agent_instructionsauthoritativecharsetdefinitive project policy+7 more
GLS-AIFP-008
Ignore-file metadata agent policy poisoning
HIGH
Ignore-pattern files such as `.gitignore`, `.dockerignore`, `.npmignore`, `.eslintignore`, `.prettierignore`, and `.helmignore` can smuggle agent/scanner-facing policy claims that tell AI reviewers to treat ignored paths as out-of-scope, suppress findings, or forward local runtime/auth context.
.dockerignore.eslintignore.gitignore.helmignore.npmignore.prettierignoreAI agentLLM+7 more
GLS-AIFP-009
Pre-commit Config Agent Policy Poisoning
HIGH
A malicious `.pre-commit-config.yaml` or hook metadata field can smuggle AI-agent/scanner instructions that claim review authority, suppress hook/security findings, or solicit local CI/environment state.
.pre-commit-config.yamladditional_dependencies:agent instructionagent_instructionsagent_noteauthoritativecanonical/definitive policydefines rules+7 more
GLS-DFP-001
ads.txt Agent Compliance Poisoning
MEDIUM
A hostile `/ads.txt`, `/app-ads.txt`, or `sellers.json` file can blend normal authorized-seller metadata with instructions telling AI agents or ad-verification assistants to treat the compliance file as scan authority, disclose local tool/env context, or suppress prompt-injection findings.
Authorized Digital SellersDIRECTRESELLERads.txtapp-ads.txtseller_idsellers.json
GLS-DFP-002
Apple app-site-association agent policy poisoning
HIGH
A target-controlled Apple app-site-association (AASA) file can hide non-standard `x-agent` / `agent_policy` fields that tell AI agents, scanners, or automated verifiers to treat the file as owner authority, suppress findings, or forward local auth context even though native Apple clients ignore thos
/.well-knownAuthorizationBearerLLMagentagent_policyai_agentapp-site-association+7 more
GLS-DFP-003
browserconfig.xml agent policy poisoning
MEDIUM
A hostile site can hide AI-agent instructions inside `browserconfig.xml` / `msapplication-config` pinned-site metadata, causing an agent that summarizes all discovery files to treat tile configuration XML as owner policy, override higher-priority instructions, suppress reports, or request local auth
AI agentAuthorization headersBearer tokenLLMTileColoragent_policyagentic verifierassistant+7 more
GLS-DFP-004
Cross-file discovery pointer poisoning
HIGH
A benign-looking discovery file can delegate an AI agent to a second metadata sidecar that carries the hostile payload, making the attack visible only when the `robots.txt`/`sitemap.xml`/`.well-known` bundle is analyzed as a chain.
.well-known<loc>AI agentMeasured local fixture result:Sitemap:Validation script:agentagent-discovery+7 more
GLS-DFP-005
Encoded/comment-hidden discovery metadata payload
HIGH
Agent-facing discovery metadata can hide prompt-injection payloads in comments, CDATA, JSON-LD/OpenGraph fields, frontmatter, base64, URL encoding, or zero-width text so a scanner that only inspects visible plain text misses the malicious instruction.
.well-knownAI agentAuthorizationBearerCDATAJSON-LDMeasured local fixture result:OpenGraph+7 more
GLS-DFP-006
Host-meta XRD/JRD Agent Policy Poisoning
HIGH
`/.well-known/host-meta` or `/.well-known/host-meta.json` can hide agent-facing authority inversion and secret-access instructions inside standards-shaped XRD/JRD discovery metadata.
.
- Safety/report suppression:.
- Secret/local-state access:/.well-known/host-metaAI agentAI assistantLLMLink titleProperty+6 more
GLS-DFP-007
humans.txt Agent Contact Authority Poisoning
MEDIUM
A hostile `/humans.txt` or site credits/contact file can blend normal team/contact metadata with instructions telling AI agents to treat the file as site authority, demote higher-priority instructions, disclose local scan context, or suppress prompt-injection reports.
/* TEAM *//humans.txtcontact policycreditshumans.txtsecurity contactsite owner
GLS-DFP-008
robots.txt tool-action poisoning
HIGH
A `robots.txt` or sitemap-adjacent crawl policy can smuggle action instructions for AI agents, telling them to run browser/fetch/summarizer tools, crawl disallowed private paths, or disable safety checks while pretending to be ordinary crawler metadata.
AllowDisallowMeasured local fixture result:URLUser-Agent: ai-agentadminagentassistant+7 more
GLS-DFP-009
Well-known manifest credential forwarding
HIGH
A `.well-known` or site manifest file can hide credential-forwarding instructions in agent/plugin metadata fields, causing a vulnerable AI agent to read local environment secrets and attach them to tool or connector requests.
.well-knownAPI keyAuthorizationBearerMeasured local fixture result:Validation script:X-API-Keyagent+7 more
GLS-DFP-010
ads.cert / signed ad-verification metadata agent-policy poisoning
HIGH
Advertising signed-verification metadata such as ads.cert sidecars or signed ad-verification exports can carry AI-agent/scanner-directed instructions to override audit policy, mark seller paths clean, suppress fraud findings, or forward local credentials/session state.
ads.certads_certdo not reporthideignore scanner/system/developer rulesinclude/attach/forward local statemark cleanoutrank+7 more
GLS-DFP-011
ads.txt / app-ads.txt Seller Metadata Agent-Policy Poisoning
MEDIUM
Detects `ads.txt` or `app-ads.txt` seller metadata that tries to convert an advertising-authorization file into policy for AI agents, crawlers, scanners, or auditors, especially to suppress fraud findings or forward local secrets.
DIRECTRESELLERads.txtapp-ads.txtattachdo not reportforwardhide+6 more
GLS-DFP-012
App Links / Universal Links Association Metadata Agent-Policy Poisoning
HIGH
Mobile deep-link association metadata such as `/.well-known/assetlinks.json` and `/.well-known/apple-app-site-association` can carry agent-targeted instructions that attempt to convert domain/app trust declarations into higher-priority policy, suppress scanner findings, or request cookies/tokens/ses
Digital Asset Linksapple-app-site-associationassetlinks.jsonmust obey
GLS-DFP-013
BIMI SVG metadata agent policy poisoning
HIGH
A domain-controlled BIMI discovery chain can hide prompt-injection text inside linked SVG logo metadata that tells AI mail-security auditors to suppress findings, mark the domain verified, or reveal scanner-local secrets.
<desc><metadata><svg><title>AI-agentAPI keyBIMI SVGBrand Indicators+7 more
GLS-DFP-014
Cross-domain policy metadata agent-instruction poisoning
MEDIUM
Legacy site policy files such as `crossdomain.xml` or `clientaccesspolicy.xml` can carry XML comments or extension nodes that tell agents/scanners to suppress findings, override higher-priority policy, or forward credentials while appearing to be ordinary site-discovery metadata.
<access-policy><cross-domain-policy>api keyauth headerclientaccesspolicy.xmlcookiecredentialcrossdomain.xml+5 more
GLS-DFP-015
DNT / Tracking-Policy Metadata Agent Poisoning
HIGH
DNT or tracking-status/privacy-policy discovery metadata can embed agent-directed instructions that claim authority over scanners, suppress tracking findings, or request local cookies/tokens/environment variables.
API keyAuthorizationDo Not TrackLLMTk:agentassistantbearer+6 more
GLS-DFP-016
FedCM web-identity metadata agent-policy poisoning
HIGH
Detect FedCM / `/.well-known/web-identity` discovery metadata that targets AI identity auditors or scanners with authority-inversion, report-suppression, or credential/local-state disclosure instructions.
/.well-known/web-identityAI agentLLMaccounts_endpointassistantclient_metadata_endpointcrawlerfedcm+7 more
GLS-DFP-017
HTTP domain-verification file agent-policy poisoning
HIGH
HTTP domain-verification proof files such as `/.well-known/pki-validation/fileauth.txt`, `/.well-known/acme-challenge/<token>`, `/google*.html`, and `/BingSiteAuth.xml` can carry agent-directed policy or report-suppression instructions next to legitimate ownership evidence.
/.well-known/acme-challenge//.well-known/pki-validation/AI agentBingSiteAuth.xmlLLMacme-challengeassistantauditor+7 more
GLS-DFP-018
HTTP security header agent-policy poisoning
HIGH
Detect target-controlled HTTP response-header metadata that addresses AI agents or scanners and tries to convert security headers, report endpoints, or custom policy headers into authority to override instructions, suppress findings, or forward local credentials.
AI agentAPI keyAuthorizationBearerContent-Security-PolicyHTTP/1.1LLMLink:+7 more
GLS-DFP-019
IndexNow Key-Location Agent Policy Poisoning
HIGH
IndexNow key files, keyLocation metadata, or submit-status text can carry agent-directed policy claims that tell AI crawlers or SEO/security agents to treat site-verification metadata as higher-priority instructions, suppress findings, or forward secrets.
AI crawlerAPI keyLLMSEO agentagentic botcookiecredentialdo not report+7 more
GLS-DFP-020
Linkset Metadata Agent Policy Poisoning
HIGH
A target-controlled `/.well-known/linkset` or `Link: rel="linkset"` relationship document embeds agent-facing policy text that claims relationship metadata is owner authority, then asks autonomous agents or scanners to forward local auth context or suppress findings.
/.well-known/linksetAI agentAPI keyAuthorizationBearerLLMLinkagentic+7 more
GLS-DFP-021
Mail Autodiscover/Autoconfig Agent Policy Poisoning
HIGH
Email Autodiscover/Autoconfig metadata (`autodiscover.xml`, `config-v1.1.xml`, `mailclientconfig`, IMAP/SMTP setup docs) can carry target-controlled instructions that ask AI support agents or scanners to treat mail setup metadata as higher-priority policy, forward credentials/local state, or suppres
AI agentAuthorizationBearerIMAPLLMSMTPassistantautoconfig+7 more
GLS-DFP-022
Matrix .well-known Agent Policy Poisoning
HIGH
Matrix discovery documents (`/.well-known/matrix/client` or `/.well-known/matrix/server`) can carry target-controlled extension fields that tell AI agents or scanners to treat the document as operator policy, disclose local auth context, or suppress reports.
/.well-known/matrix/client/.well-known/matrix/serverAI agentAuthorizationBearerLLMMatrix client discoveryMatrix homeserver+7 more
GLS-DFP-023
oEmbed endpoint agent-policy poisoning
HIGH
Detect oEmbed discovery responses or provider metadata that target AI agents/scanners with authority-inversion, report-suppression, or credential-forwarding instructions.
AI agentLLMapplication/json+oembedassistantcrawlerhtmlmodeloembed+4 more
GLS-DFP-024
P3P Privacy Policy Metadata Agent Poisoning
MEDIUM
Legacy P3P privacy policy references, compact policy headers, or `/w3c/p3p.xml` comments can smuggle instructions telling AI privacy auditors or scanners to treat site privacy metadata as authoritative agent policy, suppress findings, or include local auth/env state.
/w3c/p3p.xmlCP=P3PPOLICY-REFp3p.xmlpolicyref
GLS-DFP-025
Payment Method Manifest Agent Policy Poisoning
HIGH
A target-controlled Web Payments payment method manifest can embed agent-directed policy text that misuses payment/merchant discovery metadata to make an AI scanner trust checkout origins, forward session/payment context, or suppress PCI/phishing findings.
/.well-known/payment-method-manifestAI agentLLMWeb Paymentsagenticassistantautonomous scannerautonomous verifier+4 more
GLS-DFP-026
RAML / API Blueprint Agent-Policy Poisoning
HIGH
RAML, API Blueprint, or generated API-description documentation can embed prompt-injection text that tells AI agents/tool builders to override higher-priority instructions, disclose local credentials, or suppress scanner findings.
#%RAML.ramlAPI BlueprintApiaryFORMAT: 1ALLM agentannotationTypescookie
GLS-DFP-027
Related Website Set Agent Authority Poisoning
HIGH
A target-controlled Related Website Set discovery file can add agent-directed policy text that misuses legitimate domain-relationship metadata to make an AI agent trust sibling domains, reuse credentials, or suppress cross-domain risk findings.
agenticassistant_instructionsassociated siteassociatedSitesautonomous scannercompliance botcredential forwardingcredentials+2 more
GLS-DFP-028
SCIM Service Provider Config Agent Policy Poisoning
HIGH
A poisoned SCIM `ServiceProviderConfig`, schema, or resource-type discovery document embeds agent-facing policy instructions in documentation or extension fields to override scanner rules, request identity tokens or environment secrets, or suppress findings about identity provisioning abuse.
/ResourceTypesGroupSCIM_API_TOKENServiceProviderConfigaudit agentauthenticationSchemesauthenticationSchemes[].descriptionauthoritative provisioning policy
GLS-DFP-029
sellers.json / schain agent policy poisoning
HIGH
Detects advertising transparency metadata (`sellers.json`, SupplyChain Object / `schain`, seller-verification wrappers) that tries to make AI agents, fraud scanners, or auditors suppress findings, treat seller metadata as higher policy, or forward sensitive local state.
SupplyChain ObjectschainsellerTypeseller_idseller_typesellers.json
GLS-DFP-030
TDMRep rights metadata agent-policy poisoning
HIGH
TDMRep or text-and-data-mining rights metadata can hide agent-directed instructions that tell AI crawlers/scanners to treat the rights file as higher authority, suppress findings, or disclose local authorization/environment details.
/.well-known/tdmrep.jsonAI crawlerLLM agentSEO agentdo not reportignore/bypassmark cleanprivacy auditor+6 more
GLS-DFP-031
Traffic-advice metadata agent-policy poisoning
HIGH
`/.well-known/traffic-advice` or crawler traffic-control JSON can blend normal crawler-rate policy with agent/scanner-directed instructions that claim authority, suppress reports, or request local credentials.
/.well-known/traffic-adviceAI agentsLLMsSEO agentsassistantsauditorscapacity_fractioncookie+4 more
GLS-DFP-032
Webmention / Micropub endpoint metadata agent-policy poisoning
HIGH
Detects Webmention, Micropub, WebSub, IndieAuth, or link-relation endpoint discovery metadata that tells AI agents, crawlers, or scanners to treat endpoint text as higher-priority policy, suppress findings, or forward local credentials/session material.
Link:agentic crawlerattachaudit reportauthorization_endpointautonomous scannercookiesdo not report+2 more
GLS-DFP-033
.well-known change-password agent policy poisoning
HIGH
Detects machine-readable `/.well-known/change-password` or password-change discovery text that targets AI agents with policy claims, credential forwarding, report suppression, or hierarchy-override instructions.
/.well-known/change-passwordagent_policyagenticassistant instructionsautonomous browserchange-passwordcredential change endpointfor agents/assistants/LLMs/crawlers+3 more
GLS-DFP-034
Browser Extension Manifest Agent Policy Poisoning
MEDIUM
Browser extension `manifest.json` files carry `description`, `author`, `homepage_url`, and custom extension fields that AI security-review agents and coding assistants ingest during extension audits. An attacker can embed authority-inversion, report-suppression, or local-state-forwarding instruction
authoritative sourcebrowser_specific_settingschrome_extensiondo not flagdo not reportdo not report host permissiondowngrade severityfirefox_addon+6 more
GLS-DFP-035
Browserconfig / pinned-site metadata agent policy poisoning
MEDIUM
Detects hostile instructions embedded in `browserconfig.xml`, `msapplication-*` meta tags, and pinned-site tile metadata that try to make AI agents, crawlers, or scanners treat decorative site metadata as policy, hide findings, or forward local secrets.
<browserconfig><msapplication>API tokensAuthorization headersSEO agentSafari pinned tabautonomous scanner/crawler/auditorbrowserconfig.xml+4 more
GLS-DFP-036
CSAF / VEX advisory metadata agent-policy poisoning
HIGH
Machine-readable vulnerability-advisory metadata such as CSAF, VEX, and generated security-advisory JSON can carry agent/scanner-directed instructions that try to suppress CVE findings, downgrade exploitability, or forward local secrets during automated dependency/security review.
AI agentsCVE-YYYY-NNNNLLM agentsaggregateSeverityassistantsattachautonomous scannerscsaf+4 more
GLS-DFP-037
Docker Compose Extension-Field Agent Policy Poisoning
MEDIUM
Docker Compose files support `x-*` extension fields and `labels` at service, network, volume, and top levels that carry arbitrary free-text metadata. AI DevOps agents that read Compose files during deployment planning, security review, or container lifecycle management may ingest these fields as tru
DevOps agent\bagents?\bagentsauth contextauthoritativeautonomous scannercanonical policycompose.yaml+3 more
GLS-DFP-038
Dockerfile / Containerfile Metadata Poisoning
HIGH
Malicious `LABEL`, `ENV`, comment (`#`), and `ONBUILD` instructions embedded in Dockerfiles / Containerfiles can carry AI-agent/scanner-directed authority inversion, report suppression, or credential/local-state forwarding requests. AI coding agents that review Dockerfiles during security audit, bui
(?<![a-zA-Z0-9])- Hygiene report:.github/workflows/*.ymlIntake:LABELMakefileONBUILDai-agent / scanner audience+4 more
GLS-DFP-039
`.env.example` / Dotenv Template Agent Policy Poisoning
HIGH
AI coding agents are trained to read `.env.example` (and `.env.template`, `.env.sample`) to understand required environment variables. A hostile `.env.example` can inject agent instructions that request credential forwarding, suppress scanner findings, or assert authority over system/developer rules
# Agent instruction:# For AI coding agents:# agent...$ANTHROPIC_API_KEY$OPENAI_API_KEY) | Handle.cursor/rules.env+6 more
GLS-DFP-040
Helm Chart.yaml Agent Policy Poisoning
MEDIUM
An attacker embeds hostile AI-agent instructions in Helm Chart.yaml `description`, `annotations`, `maintainers`, `keywords`, `appVersion`, or `x-*` extension fields, exploiting the agent's trust in chart metadata during deployment planning, security scanning, or Kubernetes auditing to suppress findi
"1.0.0-agent-skip-checks""agent-suppress-findings""scanner-hide-csp"AI agentsAPI_KEYAutomated toolsChart.yamlDoes not override+4 more
GLS-DFP-041
Hugging Face Model Card Agent Policy Poisoning
HIGH
A Hugging Face model card (README.md with YAML frontmatter) carries agent-targeted instructions — authority inversion, report suppression, or credential forwarding — that an AI agent browsing HF Hub for model evaluation will treat as trusted model-documentation policy.
---\nHugging Faceagent instructiondatasets:for agentslanguage:license:metrics:+6 more
GLS-DFP-042
Jupyter Notebook (.ipynb) Metadata Poisoning
HIGH
Malicious Jupyter notebook (`.ipynb`) metadata fields — `kernelspec.display_name`, `language_info`, notebook-level custom fields, cell-level metadata — can carry AI-agent-targeting instructions that survive rendering (humans see outputs; agents read raw JSON metadata) and exploit the notebook's dual
GLS-DFP-043
Kubernetes Annotation Agent Policy Poisoning
MEDIUM
Kubernetes annotations and labels on Deployments, Pods, Services, ConfigMaps, and CRDs carry arbitrary free-text metadata that AI DevOps agents, security scanners, and cluster-automation assistants ingest during deployment planning, compliance review, and runtime monitoring. An attacker can embed au
(?:primary|single) source of truth-instructionsConfigMapDeploymentDevOps agentSRE assistantService_instructions+1 more
GLS-DFP-044
OCI Container Image Label / Annotation Agent Policy Poisoning
HIGH
AI agents that inspect container images treat OCI labels and manifest annotations as trusted context. A malicious image publisher can plant agent-directed instructions in `org.opencontainers.image.description`, custom labels, or manifest annotations that cause the agent to disable security scanners,
Chart.yamlLABELOPENAI_API_KEYai-agent audience languageai.agent.noteannotationsauditing a container image for security posturedocker inspect+5 more
GLS-DFP-045
robots.txt Agent Discovery Metadata Poisoning
HIGH
`robots.txt` is the most universally consumed machine-readable policy file on the web. Attackers can embed agent-targeting instructions in comments, custom directives, `Sitemap:` pointers, and `User-agent:` sections that AI agents ingest as trusted site policy — enabling authority inversion, credent
# AI AGENTS AND SECURITY SCANNERS:*robots*AI agent(s)?Agent-policy:Crawler-note:Scanner-policy:User-agent: GPTBot
GLS-DFP-046
security.txt (RFC 9116) Agent-Policy Poisoning
HIGH
A `security.txt` file (RFC 9116) hides agent/scanner instructions in comments, extension fields, `Contact` values, or a `Policy` URL, telling AI vulnerability scanners to suppress findings, forward local credentials, or treat the metadata as authority that supersedes scanner rules.
AI agentsAPI tokenCI_ENVContact:/Expires:/Encryption:
GLS-DFP-047
Sitemap XML Agent Policy Poisoning
MEDIUM
Attackers embed AI-agent/scanner-directed policy instructions (authority inversion, report suppression, credential forwarding) inside sitemap.xml XML comments, custom namespace extension elements, and `<url>` text fields, exploiting the fact that AI agents and automated scanners consume sitemaps as
<sitemapindexagent instructionattach tokensauthoritativeautonomous scannercanonical policydo not flagdo not report+1 more
GLS-DFP-048
WebAuthn Related-Origins Agent-Policy Poisoning
HIGH
A WebAuthn/passkey related-origins metadata file hides agent/scanner instructions in extension text, telling AI passkey auditors to override trusted instructions, suppress origin/RP ID mismatch findings, or include local authorization material.
/.well-known/webauthnRP IDRP ID mismatchWebAuthnagent_noteassistant_instructionsaudit_notecopy+2 more
GLS-DFP-049
Consent Management Cookie-Preference Agent-Policy Poisoning
HIGH
Consent-management and cookie-preference metadata can smuggle instructions to AI privacy/compliance agents that claim cookie consent text is authoritative policy, suppress privacy findings, or forward cookies, consent strings, tokens, or local environment context.
AI agentsCMP configCookiebotDidomiIAB TCFKlaroLLMsOneTrust+6 more
GLS-DFP-050
Deployment Platform Config Metadata Poisoning
HIGH
Deployment-platform configuration files such as `netlify.toml`, `vercel.json`, Cloudflare `wrangler.toml`, `_headers`, and `_redirects` can carry agent/scanner-directed metadata that claims deployment config is authoritative policy, suppresses security findings, or asks agents to forward local deplo
_headers_redirectsagent_policyassistant_instructionsnetlify.tomlscanner_policyvercel.jsonwrangler.toml
GLS-DFP-051
Documentation Site Config Metadata Poisoning
HIGH
Documentation-site configuration files such as `mkdocs.yml`, `docusaurus.config.js`, `.vitepress/config.ts`, `sidebars.js`, or Docsify config can carry agent-facing policy text that tells AI documentation/security agents to treat the config as authoritative, suppress docs/security findings, or forwa
agent instruction:agent_instructionsassistant_notecrawler_noticemkdocs.ymlnav:scanner instruction:scanner_policy+4 more
GLS-DFP-052
Global Privacy Control metadata agent-policy poisoning
HIGH
A hostile site can place agent-directed authority, report-suppression, or credential-forwarding instructions in Global Privacy Control (GPC) / Sec-GPC-adjacent privacy metadata so AI privacy auditors or scanners over-trust privacy-signal text as scanner policy.
"globalPrivacyControl""gpc""gpc": true.well-known/gpc.jsonGPC headerGPC signalGlobal Privacy ControlSec-GPC+7 more
GLS-DFP-053
Linter / formatter config metadata agent-policy poisoning
HIGH
Attacker-controlled linter or formatter config metadata (`eslint.config.js`, `.eslintrc`, `.prettierrc`, `biome.json`, Stylelint config, or adjacent rule comments/custom fields) tells AI coding/security agents to treat the config as higher-priority policy, suppress findings, or forward local runtime
.eslintrc.prettierrc.stylelintrcagent instructionauthoritativebiome.jsoncanonical/definitive policyeslint.config.*+7 more
GLS-DFP-054
Sonar project properties metadata poisoning
HIGH
A hostile `sonar-project.properties` or SonarQube/SonarCloud configuration metadata field can target AI code-review/scanner agents with authority-inversion, report-suppression, or credential-forwarding instructions disguised as scanner policy.
AI agentsSonarCloudSonarQubeagent/scanner instructionagentsassistantsauthoritativeautomated review+7 more
GLS-DFP-055
systemd Unit File Agent Policy Poisoning
HIGH
A malicious `systemd` unit file, generated `systemctl show` dump, or service/timer metadata field can target AI agents or security scanners with fake authority, report-suppression, or credential-forwarding instructions embedded in otherwise inert service configuration text.
.service.socket.timerDescription=Documentation=Environment=ExecStart=[Service]+7 more
GLS-DFP-056
Terraform Module/Provider Registry Agent-Policy Poisoning
HIGH
Terraform/OpenTofu module and provider metadata can embed agent-targeted policy instructions in `description`, README-derived registry text, variable/output docs, provider schema docs, or `x-agent`-style sidecar fields that tell IaC agents to suppress drift/security findings or forward local Terrafo
.tfstate.tfvarsAI agentsDevOps agentsIaC agentsLLMsOpenTofuagent/scanner instructions+7 more
GLS-DFP-057
OPA/Rego policy metadata poisoning
HIGH
OPA/Rego policy files and policy-bundle metadata can carry agent-directed instructions that tell AI security/review agents to treat policy comments, package metadata, ConstraintTemplate descriptions, or Conftest output as higher-priority review policy, suppress findings, or forward runtime/context m
.manifest.regoAI agentsConstraintTemplateGatekeeperIaC scannersagent instructionagent_instructions+6 more