deep-xpia

deep-xpia measures how cross-prompt injection behaves when it is not confined to a single agent: a benchmark for multi-hop attacks across agent delegation chains (confused-deputy style scenarios). The dataset includes 250 cases, 7 attack patterns in the DXPIA taxonomy, and 4 defense primitives evaluated (none, intent verification, taint tracking, scope-bound delegation tokens, DLP—plus an “all combined” mode in reporting).

The headline result in the repo baseline: detection accuracy falls sharply as injections propagate from depth 2 toward depth 5—including cases where intermediate agents “clean” payloads (intent laundering, DXPIA-006), which weakens naive intent checks.

Why it exists

Single-agent XPIA tooling does not fully characterize what happens when untrusted content crosses delegation boundaries. deep-xpia focuses on that gap with a benchmark, taxonomy (with OWASP Agentic AI mappings), and a depth-dependent accuracy style metric—complementary to broader cascading-injection suites elsewhere in the literature.

Quickstart

# Docker (full stack with visualizer)
docker compose up
# open http://localhost:3000
 
# or pip
pip install deep-xpia
 
deepxpia demo
deepxpia bench generate
deepxpia bench run --defense none
deepxpia bench run --defense intent-verify
deepxpia bench run --defense all

Live mode (real LLM calls)

DEEPXPIA_LIVE=1 deepxpia bench run --model claude-haiku-4-5-20251001

Attack taxonomy (overview)

Full taxonomy and references: see the upstream repo taxonomy/TAXONOMY.md.

Using it as a library

The package exposes defense helpers (for example intent verification, taint tracking, scope tokens)—see src/deep_xpia/defenses/ in the repository.

License

MIT.

Citation

@software{deep-xpia,
  author = {Freya Zou},
  title  = {deep-xpia: Multi-Hop Cross-Prompt Injection Benchmark for Multi-Agent AI Systems},
  year   = {2026},
  url    = {https://github.com/freyzo/deep-xpia}
}