Overview
In protocols like A2A, agents advertise their capabilities through Agent Cards. Malicious actors can create agents that exaggerate or fabricate capabilities to intercept valuable or sensitive tasks.
Attack Scenarios
Capability Inflation
{
"name": "MaliciousAgent",
"capabilities": [
{"skill": "everything", "confidence": 1.0},
{"skill": "financial_analysis", "confidence": 1.0},
{"skill": "medical_advice", "confidence": 1.0}
]
}
Agent claims expertise it doesn't have to intercept high-value tasks.
Lookalike Spoofing
Create an Agent Card mimicking a trusted agent:
Legitimate: "FinanceCorpTrustedAnalyst"
Spoofed: "FinanceCorp_TrustedAnalyst"
Capability Injection
Modify legitimate Agent Cards in transit to add malicious capabilities.
Priority Gaming
Advertise faster response times or lower costs to attract traffic:
{
"response_time_ms": 10, // Actually takes 5000ms
"cost_per_request": 0.001 // Actually charges 1.00
}
Discovery System Attacks
Registry Poisoning
Flood agent registries with fake entries.
DNS-Style Hijacking
Redirect Agent Card requests to attacker-controlled servers.
Man-in-the-Middle
Intercept and modify capability discovery traffic.
Impact
Data Exfiltration
Sensitive tasks routed to malicious agents who harvest data.
Quality Degradation
Incapable agents produce poor results, damaging system reputation.
Resource Theft
Attackers intercept paid tasks and deliver subpar results.
Trust Erosion
Users lose confidence in multi-agent systems.