Part 1 of 3 in the TRAE Agent Reverse Engineering Series
When you create an agent in TRAE.ai, it shows:
I created a fun Agent called「test」 with TRAE. Click https://s.trae.ai/a/337fa4 to duplicate it and try it out together!
Looking at how this works, the link redirects to the TRAE app and displays the agent data. This got me wondering: why can't I extract this data programmatically?
This little silly idea I got at ~12AM sent me down a crazy rabbit hole of trying to "reverse engineer" TRAE's agent sharing mechanism using my CTF-acquired skills.
The Naive Approach
I didn't have much to go off other than my agent link https://s.trae.ai/a/337fa4 and a bit of free time. The first thing that came to mind was to curl the agent link, in (VERY HIGH) hopes of somehow succeeding on the first shot.
I tried:
curl https://s.trae.ai/a/337fa4
It printed out TONS of HTML lines into my console. It's just a landing page... At first, I didn't pay much attention to it (big mistake). Instead, I moved on to trying other endpoints, randomly guessing them based on what "feels" right:
curl https://api.trae.ai/agents/337fa4
curl https://s.trae.ai/api/agents/337fa4
curl https://trae.ai/api/agents/337fa4
All of these failed miserably, returning Server Moved or 404 - Not found:
$ curl https://api.trae.ai/agents/337fa4
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>TLB</center>
</body>
</html>
The CTF Mindset Kicks In
I thought to myself: what would I do if this was a CTF?
(Spoiler alert: NETWORK TAB! 😭😭)
I opened a new Chrome tab, hit F12, and opened the network tab. I checked "Preserve Logs", pasted https://s.trae.ai/a/337fa4 into the address bar, and hit enter. I waited, watching the network tab like a hawk, trying over and over again—looking for any request that shows JSON data, anything with /api/, agent, or the agent ID in its route... any POST or GET requests that might reveal the secret.
No luck.
First Breakthrough: Hidden in Plain Sight
Just when I was about to give up, I went back and re-ran curl https://s.trae.ai/a/337fa4, this time diving deeper into the HTML response.
First clue found! The agent name was hiding in the og:title meta tag, though the description was frustratingly generic and unrelated:
<meta property="og:title" content="test"/>
<meta property="og:description" content="Click to get the agent configuration."/>
The real agent data clearly wasn't in this landing page. I was still missing the Agent Icon, Agent prompt, MCP List, and Built-In Tools. But then, reading further into the JavaScript, I found the key:
tryOpenTrae('trae://trae.ai-ide/agent/share/337fa4');
Now I had TRAE's custom protocol URL structure: trae://trae.ai-ide/agent/share/{AGENT_ID}. Not huge, but a spark of hope nonetheless.
Next Steps: Part 2: Fiddler, Proxies, and Network Analysis →
Ready for system-level network monitoring? The next post dives into Fiddler, proxies, and the discovery that almost broke me.
Series Navigation:
- Part 1: When 1AM Curiosity Meets CTF Skills ← You are here
- Part 2: Fiddler, Proxies, and Network Analysis
- Part 3: The API Treasure Hunt