Desktop • 1440px • Page 1 / Registry index
MCP
A2A
AG-UI
User-to-Agent
Agent-to-Agent
Agent-to-Tool
Showing 23 of 47 scenarios
OATF-001 High
Indirect prompt injection via tool result
Untrusted tool output overrides agent policy and changes subsequent action selection.
MCP A2A
agent-to-tool
OATF-002 Critical
Delegation loop causes privilege amplification
Recursive handoff chain causes execution under a higher-trust agent identity.
A2A
agent-to-agent
OATF-003 Medium
User-supplied memory seeding
Persistent context captures adversarial instructions that survive session boundaries.
MCP AG-UI
user-to-agent
OATF-004 High
Schema downgrading to bypass validation
Negotiated capability schema removes guard fields before a dangerous tool invocation.
MCP
agent-to-tool
OATF-005 Low
UI channel spoofing through agent annotation
Rendered metadata mimics trusted system messaging and misleads operator review.
AG-UI
user-to-agent
OATF-006 Info
Observable planning metadata leakage
Protocol events expose internal step labels that reveal tool inventory or hidden state.
A2A AG-UI
agent-to-agent
OATF-007 Critical
Cross-tenant tool token replay
Session material returned by a broker is replayed against another tenant-scoped tool surface.
MCP A2A
agent-to-tool
OATF-008 Medium
Capability probing through refusal differentials
Attacker infers hidden tool or scope availability from refusal shape and latency variance.
AG-UI A2A
user-to-agent
OATF-009 High
Approval bypass through stale state snapshot
Agent acts on outdated authorization context after concurrent approval state changes.
MCP AG-UI
agent-to-tool
Desktop • 1440px • Page 2 / Scenario detail
OATF-002

Delegation loop causes privilege amplification

Critical A2A MCP agent-to-agent stable

A lower-trust agent induces a higher-trust peer to recursively delegate execution until the original request is carried under a more privileged identity than intended by policy. The exploit emerges when delegation history is not preserved as a hard authorization constraint across handoffs, allowing each hop to reinterpret provenance and scope independently.

Framework Technique ID Name Relationship
MITRE ATLAS AML.T0051 Prompt injection Precondition / enabling step
MITRE ATT&CK T1078 Valid accounts Analogous identity misuse
OWASP LLM LLM01 Prompt injection Primary overlap
MITRE ATLAS AML.T0017 Exfiltration via agent channel Common follow-on effect
Sequence
State
Attacker Agent PHASE 1 — DELEGATION SETUP crafted task request with nested escalation cues delegation accepted without provenance lock PHASE 2 — PRIVILEGE AMPLIFICATION privileged action executed under downstream trust context
IND-0021 A2A delegation.chain_depth Depth increases without a corresponding scope-reduction marker.
IND-0022 MCP session.auth_origin Origin identity changes while capability set expands across the same task lineage.
IND-0023 A2A handoff.provenance Missing immutable provenance envelope on cross-agent request transfer.
scenario.yaml 15 of 31 lines
id: OATF-002
name: Delegation loop causes privilege amplification
status: stable
severity: critical
protocols:
  - a2a
  - mcp
interaction_model: agent-to-agent
classification: privilege-amplification
description: >
  Recursive delegation causes a request to cross trust boundaries
  without carrying immutable provenance and authorization constraints.
indicators:
  - id: IND-0021
    surface: delegation.chain_depth
    protocol: a2a
# Show more…
Desktop • 1440px • Page 3 / Coverage matrix

Coverage matrix

Protocol coverage by mapped MITRE technique
47 scenarios • 18 techniques represented
MCP A2A AG-UI
AML.T0051 4 1 2
AML.T0017 2 0 1
T1078 1 3 0
T1550 3 1 0
LLM01 4 2 3
LLM06 0 1 3
AML.T0043 2 1 0
T1190 1 0 1
Mobile • 375px • Page 1 / Registry index
OATF Registry oatf.io
23 of 47 scenarios
OATF-001 High
Indirect prompt injection via tool result
Untrusted tool output overrides agent policy and changes subsequent action selection.
MCP A2A
agent-to-tool
OATF-002 Critical
Delegation loop causes privilege amplification
Recursive handoff chain causes execution under a higher-trust agent identity.
A2A
agent-to-agent
OATF-003 Medium
User-supplied memory seeding
Persistent context captures adversarial instructions that survive session boundaries.
MCP AG-UI
user-to-agent