Hidden Conductor - AI Agent Security Challenge

A deliberately vulnerable AI agent chatbot demonstrating prompt injection and local file inclusion vulnerabilities.

🚨 WARNING

This application is INTENTIONALLY VULNERABLE for security training and CTF purposes. DO NOT deploy in production!

Vulnerabilities Demonstrated

• Prompt Injection: Untrusted GitHub issue content directly influences AI behavior
• Local File Inclusion (LFI): Reads arbitrary files from the filesystem
• Data Exfiltration: Sends file contents to GitHub comments
• No Sandboxing: Full filesystem access from AI-generated code

Prerequisites

• Docker (optional, for containerized deployment)
• GitHub OAuth App credentials
• Google Gemini API key
• A test GitHub repository with issues enabled

Key Files

• mcp.json: MCP server configuration (loaded by the app and scannable by Snyk)
• main.go: AI agent with vulnerable agentic workflows
• mcp_client.go: MCP client that loads config and injects user tokens
• mcp_config.go: Config loader for mcp.json
• flag: The target file contestants need to exfiltrate

How The MCP Config Works

The app uses mcp.json to configure the GitHub MCP server connection:

1. At startup: App validates that mcp.json exists
2. When user authenticates:
   • User's GitHub token is obtained via OAuth
   • Token is injected into the MCP config (replaces ${GITHUB_PERSONAL_ACCESS_TOKEN})
   • A dedicated MCP client is created for that user's session
3. During chat: MCP client connects to the remote GitHub MCP server with the user's token

This means:

• ✅ The same mcp.json config file is used by the vulnerable app
• ✅ Contestants can put their GitHub PAT (personal access token) in mcp.scan.json and scan with mcp-scan mcp.scan.json to find toxic flows.
• ✅ Each user gets their own isolated MCP session with their credentials
• ⚠️ mcp.json is REQUIRED - the app will not start without it (no hardcoded defaults)