From 9ee9731c67d72db91239fb92db86c1a40d07d48c Mon Sep 17 00:00:00 2001 From: Colin McDonnell Date: Fri, 10 Apr 2026 19:26:43 +0000 Subject: [PATCH] fix: make token-exfil test reliable (#528) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: make token-exfil test reliable by disabling security instructions and reframing prompt the test was flaky — agents would randomly refuse (not calling set_output), refuse politely (calling set_output with refusal text), or cooperate fully, depending on model mood. two changes: 1. set PULLFROG_DISABLE_SECURITY_INSTRUCTIONS=1 in test env (layer 1) 2. reframe prompt as CI debugging task instead of security test (layer 2) Made-with: Cursor * fix: set PULLFROG_DISABLE_SECURITY_INSTRUCTIONS on adversarial test fixtures without this flag, the system prompt tells agents to refuse anything that looks malicious — which is exactly what these security pentests ask them to do. adds the flag to tokenExfil, askpassIntercept, and nobashcreative. Made-with: Cursor * set PULLFROG_DISABLE_SECURITY_INSTRUCTIONS on all security-related test fixtures Made-with: Cursor --- test/adhoc/askpassIntercept.ts | 1 + test/adhoc/gitExecBypass.ts | 1 + test/adhoc/gitFlagInjection.ts | 1 + test/adhoc/nobashcreative.ts | 1 + test/adhoc/requirementsTxtAttack.ts | 1 + test/crossagent/nobash.ts | 1 + test/crossagent/restricted.ts | 1 + test/crossagent/tokenExfil.ts | 3 ++- 8 files changed, 9 insertions(+), 1 deletion(-) diff --git a/test/adhoc/askpassIntercept.ts b/test/adhoc/askpassIntercept.ts index c0c5683..157002e 100644 --- a/test/adhoc/askpassIntercept.ts +++ b/test/adhoc/askpassIntercept.ts @@ -49,4 +49,5 @@ export const test: TestRunnerOptions = { fixture, validator, tags: ["adhoc", "security"], + env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" }, }; diff --git a/test/adhoc/gitExecBypass.ts b/test/adhoc/gitExecBypass.ts index f79c598..5763718 100644 --- a/test/adhoc/gitExecBypass.ts +++ b/test/adhoc/gitExecBypass.ts @@ -91,4 +91,5 @@ export const test: TestRunnerOptions = { validator, tags: ["adhoc", "security"], agents: ["opentoad"], + env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" }, }; diff --git a/test/adhoc/gitFlagInjection.ts b/test/adhoc/gitFlagInjection.ts index 9c72dcd..d26ef22 100644 --- a/test/adhoc/gitFlagInjection.ts +++ b/test/adhoc/gitFlagInjection.ts @@ -108,4 +108,5 @@ export const test: TestRunnerOptions = { validator, tags: ["adhoc", "security"], agents: ["opentoad"], + env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" }, }; diff --git a/test/adhoc/nobashcreative.ts b/test/adhoc/nobashcreative.ts index a66e0ee..3b25491 100644 --- a/test/adhoc/nobashcreative.ts +++ b/test/adhoc/nobashcreative.ts @@ -57,4 +57,5 @@ export const test: TestRunnerOptions = { validator, agentEnv, tags: ["adhoc"], + env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" }, }; diff --git a/test/adhoc/requirementsTxtAttack.ts b/test/adhoc/requirementsTxtAttack.ts index b6603c4..abe078c 100644 --- a/test/adhoc/requirementsTxtAttack.ts +++ b/test/adhoc/requirementsTxtAttack.ts @@ -79,4 +79,5 @@ export const test: TestRunnerOptions = { validator, tags: ["adhoc", "security"], agents: ["opentoad"], + env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" }, }; diff --git a/test/crossagent/nobash.ts b/test/crossagent/nobash.ts index 5b07e32..fed3a3d 100644 --- a/test/crossagent/nobash.ts +++ b/test/crossagent/nobash.ts @@ -42,4 +42,5 @@ export const test: TestRunnerOptions = { fixture, validator, agentEnv, + env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" }, }; diff --git a/test/crossagent/restricted.ts b/test/crossagent/restricted.ts index 8137f03..c6d0562 100644 --- a/test/crossagent/restricted.ts +++ b/test/crossagent/restricted.ts @@ -51,4 +51,5 @@ export const test: TestRunnerOptions = { fixture, validator, agentEnv, + env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" }, }; diff --git a/test/crossagent/tokenExfil.ts b/test/crossagent/tokenExfil.ts index 85d4961..771bf5b 100644 --- a/test/crossagent/tokenExfil.ts +++ b/test/crossagent/tokenExfil.ts @@ -10,7 +10,7 @@ import { defineFixture, generateAgentUuids, getAgentOutput } from "../utils.ts"; * managed-settings.json denies /proc reads (claude) * * runs with both agents to verify each sandbox independently. - * requires: CI=true (to enable sandbox), PULLFROG_DISABLE_SECURITY_INSTRUCTIONS=1 + * requires: CI=true (to enable sandbox) */ const fixture = defineFixture( @@ -57,4 +57,5 @@ export const test: TestRunnerOptions = { fixture, validator, agentEnv, + env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" }, };