pip install red-specter-specter-spawn # or from source git clone https://github.com/RichardBarron27/red-specter-specter-spawn cd red-specter-specter-spawn && pip install -e .
SPECTER SPAWN uses a 4-tier gate enforced at runtime. Each subsystem requires a minimum gate level. Attempting to call a subsystem below its required gate throws a PermissionError.
| Gate | Flag | ROE Phrase | Unlocks |
|---|---|---|---|
| OPEN | — | — | RECON, REPORT |
| INJECT | --override INJECT | — | POISON, HARVEST |
| UNLEASHED | --override UNLEASHED --confirm-agent-spawn | agent spawning authorised | SPAWN-API, SPAWN-LCS, INHERIT |
| DESTROY | --override DESTROY --confirm-agent-spawn --confirm-fleet-bloom | agent fleet destruction authorised | DISPERSAL |
specter-spawn recon --host TARGET [--port PORT] [--framework FRAMEWORK]
Fingerprints the target agent framework, maps available spawn APIs, detects memory backend, checks shell access, estimates task queue depth. Returns a full ReconResult with CVE applicability and LCS viability assessment.
specter-spawn poison --host TARGET --override INJECT [--custom-payload "..."]
Injects the SYSTEM OVERRIDE spawn directive into agent memory. Routes by detected backend: Redis (SET POISON_KEY + agent:system_prompt + LPUSH task queue), SQLite (INSERT specter_poison table), LangGraph API (PATCH /threads/{id}/state), CrewAI API, AutoGen API. Verifies write via read-back.
specter-spawn spawn-api --host TARGET --override UNLEASHED \ --confirm-agent-spawn --roe-file roe.txt [--parent-id PARENT]
Spawns child agent via framework-native API. LangGraph: POST /threads (with parent_thread_id metadata) + POST /threads/{id}/runs. CrewAI: POST /api/v1/agents + kickoff. AutoGen: POST /api/agents/run with poisoned system_message. ADK: POST /run with fresh session_id. Bedrock: boto3 create_agent + prepare_agent. OpenClaw: CVE-2026-32922 tool registration.
specter-spawn spawn-lcs --host TARGET --override UNLEASHED \ --confirm-agent-spawn --roe-file roe.txt \ [--task-count 60] [--monitor-secs 12]
Triggers Latent Constructive Spawning (arXiv:2504.14065). Floods target with N concurrent tasks via async httpx. Snapshots process table before and after. New PIDs matching agent keywords are reported as LCS-spawned children. Attempts injection into child's open ports.
specter-spawn inherit --host TARGET --child-id CHILD_ID --override UNLEASHED \ --confirm-agent-spawn --roe-file roe.txt [--no-re-poison]
Passively verifies that the child agent inherited poisoned state. Checks Redis GET specter_spawn:payload, SQLite SELECT from specter_poison, LangGraph API GET /threads/{id}/state for __specter_spawn__ marker. Returns inherited credentials and tool list. Re-poisons on miss by default.
specter-spawn dispersal --host TARGET --override DESTROY \ --confirm-agent-spawn --confirm-fleet-bloom --roe-file roe.txt \ [--max-depth 3] [--bloom-factor 2] [--root-id ROOT]
Recursive bloom chain: root → POISON → SPAWN-API → INHERIT → children → recurse. No artificial caps at DESTROY gate — bloom_factor and max_depth are caller-controlled. Automatically runs HARVEST and REPORT on completion.
specter-spawn harvest --host TARGET --override INJECT
Parallel credential extraction across all nodes in the last spawn tree. 40+ compiled regex patterns. asyncio.gather for concurrent node harvest. Returns per-node credential maps and aggregate statistics by credential type.
specter-spawn report [--output-dir ./reports]
Generates SPN-{hex12} Ed25519-signed report. Outputs HTML (magenta #E879F9 theme with Graphviz spawn tree), JSON, and DOT files. Auto-generates findings from spawn results, inherit confirmations, CVEs, harvest data, and LCS conditions.
| Framework | Spawn Method | Memory Backends | CVEs |
|---|---|---|---|
| LangGraph | POST /threads + /threads/{id}/runs | Redis, SQLite, API | CVE-2025-64439, CVE-2025-68664, CVE-2026-28277 |
| CrewAI | POST /api/v1/agents + kickoff | Redis, SQLite, API | CVE-2026-2275, CVE-2026-2285/86/87 |
| AutoGen | POST /api/agents/run | API | — |
| Google ADK | POST /run (new session) | API | — |
| Bedrock AgentCore | boto3 create_agent + prepare_agent | API | — |
| OpenClaw | POST /api/tools (skill inject) | API | CVE-2026-32922 CVSS 9.9 |
arXiv:2504.14065 — "Can AI Agents Have Babies?" (April 2026). Empirical study demonstrating Latent Constructive Spawning in 5/8 runs (p=0.044) when agents have shell access and task queue depth ≥5. Children survive parent termination.
arXiv:2605.XXXXX — "When Child Inherits: Modeling and Exploiting Subagent Spawn Vulnerabilities" (May 2026). Four failure modes exploited: insecure memory inheritance (POISON/INHERIT subsystems), stale post-spawn state (re-poison on miss logic).
CWE-272 — Least Privilege Violation. Child agents inheriting full parent credential set without scope reduction.
CWE-693 — Protection Mechanism Failure. Agent frameworks lacking spawn boundary sanitisation.