CapitalGuard Attack Lab

Prove the path. Keep the test.

CapitalGuard connects architecture-aware control challenges to a multi-hop exposure path, a required policy change, and a regression check that stays with the repository.

cg-attack-lab-1.1.0 · cg-exposure-graph-1.0.0 · cg-risk-2026.07.1

CapitalGuard Exposure Graph

Synthetic repository. No customer data.

91/100 Critical

Inputs

RepositoryPrompt or instruction

Agent runtime

AgentModelAgent handoff

Authority

ToolMCP serverCredentialPermission boundary

Downstream

APIData storeExternal dependency

Repository instruction to release credential

Entry point

Untrusted instruction in repository documentation

Vulnerable component

Coding agent with command and workflow access

Trust boundary crossed

Repository text crosses into executable agent instruction

Downstream assets

CI identityRelease workflowPackage registry

A manipulated task could affect published code, customers, and the company release chain.

Required control

Treat repository text as untrusted, block credential paths, and require approval for workflow or release actions.

CGAL-INJ-0015 evidence signalsHigh confidence

Nine control categories

Test the boundary without running the attack.

This synthetic demonstration shows the exact output structure. Paid local runs derive challenges from the authorized repository and retain only redacted, deterministic evidence.

Architecture-aware control challenges

Before and after the policy change.

9

Control challenges

9

Exposed paths

9

Retained regressions

CGAL-INJ-001

Prompt injection

Check whether untrusted repository text can influence an agent with consequential tools.

Signal: Repository instructions plus command or network authority

Path exposed

CGAL-TOOL-001

Tool abuse

Check whether a connected tool can cross its approved data or action scope.

Signal: Tool bridge plus broad filesystem or API scope

Path exposed

CGAL-PRIV-001

Privilege escalation

Check whether an agent-controlled workflow inherits write-capable credentials.

Signal: Workflow automation plus write or identity-token permission

Path exposed

CGAL-LEAK-001

Data leakage

Check whether private context can reach an unapproved destination.

Signal: Sensitive path plus transfer-capable tool

Path exposed

CGAL-SECRET-001

Secrets misuse

Check whether credential-bearing paths are inside agent-readable scope.

Signal: Secret-like path plus repository read access

Path exposed

CGAL-SHELL-001

Unsafe shell execution

Check whether repository input can reach an unreviewed shell or lifecycle script.

Signal: Untrusted input plus shell, install, or deployment execution

Path exposed

CGAL-DISCOVERY-001

Tool discovery abuse

Check whether automatic tool discovery exposes more capability than the task requires.

Signal: Discoverable MCP or plugin tools without an explicit allowlist

Path exposed

CGAL-MEMORY-001

Memory abuse

Check whether persistent instructions can silently change later agent behavior.

Signal: Persistent agent instructions plus weak ownership or review

Path exposed

CGAL-MCP-001

MCP misuse

Check whether an MCP server can reuse broad identity or downstream authority outside the approved task.

Signal: MCP transport plus broad token, filesystem, API, or data-store scope

Path exposed
The licensed local tool does not execute payloads or application code. It challenges observable control boundaries, redacts sensitive values, and retains exposed categories for deterministic re-checks.

Architecture first

Challenges are selected from observed agent, tool, workflow, credential, data, and instruction surfaces.

Non-destructive

The local tool never executes a payload, target application, package hook, workflow, or external network call.

Regression retained

Every exposed category becomes a stable check that can run manually or fail CI when exposure returns.

Evidence, not theater

Each path records the entry point, crossed boundary, downstream assets, confidence, blast radius, and required control.

One closed security loop

Every signal ends in a control and a re-test.

01

Discover

02

Map

03

Attack

04

Prioritize

05

Fix

06

Generate Policy

07

Create Regression Test

08

GitHub

09

Monitor

10

Recalculate Risk

GitHub receives only the deterministic regression result and privacy-safe evidence state. Official scoring and CapitalGuard Reviewed remain tied to the paid, authorized review process.

See GitHub Workflow