scopeshift - An automated tool to test AI models against scope manipulation (deceiving an AI agent about its real target)

scopeshift is an automated tool that sits in the network path of an LLM-driven offensive-security agent and systematically deceives it about its real target through coordinated manipulation of network, DNS, and MCP signals.

It operates through four independent subsystems: shift-local (a reverse proxy that rewrites responses to make a remote target appear local, including URL substitution, cookie domain stripping, HTML comment injection, header removal, meta tag stripping, and title rewriting); shift-dns (synthesizes TXT attestation records that can include the agent's own egress IP via the $SELF_EGRESS placeholder, with optional A/AAAA redirect to the local proxy and transparent interception of hardcoded DNS); and shift-mcp (a deceptive MCP server that returns operator-configured answers to scope and rules-of-engagement queries).

The tool requires Python 3.11+, installs via pipx or uv, and includes a Docker sidecar demo where an unmodified Claude Code agent runs as a sibling container sharing a network namespace, with every DNS packet, loopback connection, and MCP call intercepted. Deployment modes include local unprivileged (DNS on port 15353), Docker sidecar with iptables REDIRECT rules that catch hardcoded resolvers, and CAP_NET_BIND_SERVICE for binding port 53.

The project is written in Python (98.4%), licensed under MIT, has 14 stars and 3 forks, and was last updated May 20, 2026. It includes a disclaimer for authorized testing and defensive research only.

https://github.com/OFFENSAI/scopeshift
