Red-team a CrewAI crew
CrewAI’s value proposition — role-based agents that delegate tasks to each other — is also its biggest attack surface. A prompt that hijacks the first agent can cascade through the crew. White-box scanning is especially useful here because the planner can read your Agent definitions, Task graph, and tool wiring.
1. Expose an endpoint
# server.py
from fastapi import FastAPI
from pydantic import BaseModel
from my_crew import build_crew # returns a configured Crew
app = FastAPI()
crew = build_crew()
class Req(BaseModel):
topic: str
@app.post("/kickoff")
def kickoff(req: Req):
result = crew.kickoff(inputs={"topic": req.topic})
return {"result": str(result), "tasks_output": [str(t) for t in result.tasks_output]}
2. Copy the config
cp configs/integrations/crewai.json configs/config.my-crew.json
Edit:
target.baseUrl+agentEndpointtarget.applicationDetails— list each agent’s role, goal, and toolscodebasePath— directory containing yourCrew,Agent, andTaskdefinitions
3. Run
npm start configs/config.my-crew.json
What this catches
tool_chain_hijack—researcher → writer → publisherchains that exfiltrate or escalatemulti_agent_delegation— steering which crewmember gets the next taskagentic_workflow_bypass— skipping a reviewer/QA agentrogue_agent— getting one agent to act against the crew’s goaltool_permission_escalation— a low-trust agent invoking a high-trust agent’s toolsgoal_hijack/agentic_scope_creep— replacing or expanding the crew’s goal mid-run