Skip to content

craft()

pikit.craft

craft() — the single entry point for building attack content.

It unifies the two delivery paths so the rest of the toolkit (and the user) deals with one object:

  • direct — the worded payload is the user message sent to the agent.
  • indirect — the worded payload is hidden in a data artifact (via a channel); that poisoned artifact is what a compromised tool returns.

In both cases :attr:CraftResult.delivery is the single field the agent consumes — as the user message (direct) or as a poison map value (indirect).

CraftResult dataclass

CraftResult(mode: str, payload: str, delivery: str, instruction: Optional[str] = None, attack: Optional[str] = None, channel: Optional[str] = None)

The product of :func:craft.

Attributes

mode: "direct" or "indirect". payload: The worded attacker instruction (the attack's output). delivery: What actually gets injected — the user message (direct) or the poisoned artifact (indirect). instruction, attack, channel: Reference metadata about how it was built.

craft

craft(task: str, *, attack: str = 'naive', attack_kwargs: Optional[dict] = None, channel: Optional[str] = None, channel_kwargs: Optional[dict] = None, data: Optional[str] = None, instruction: Optional[str] = None) -> CraftResult

Build attack content for direct or indirect injection.

Parameters

task: The instruction the attacker wants the model to follow. attack: Registry key of the wording technique (see pikit.attacks). attack_kwargs: Constructor kwargs for the attack. channel: Registry key of the carrier (see pikit.channels). When None the result is direct; when set the result is indirect. channel_kwargs: Constructor kwargs for the channel. data: The clean artifact (page HTML, document, email body) to poison. Required for indirect injection. instruction: The benign user request. For direct injection, when provided it is prepended so delivery is the realistic benign + payload message the agent receives (e.g. "Search the weather. Ignore all previous instructions. Instead, ..."); omit it to get the payload alone. For indirect injection it is kept for reference (the carrier hides only the payload, as in a real artifact).

Returns

CraftResult

Examples

craft("Print HACKED", attack="context_ignoring").mode 'direct' r = craft("Print HACKED", attack="naive", ... instruction="Summarize this article.") r.delivery.startswith("Summarize this article.") True craft("Print HACKED", channel="webpage", ... data="hi").mode 'indirect'