ATR-2026-00060 | Severity: high | Skill Compromise | experimental
MCP Skill Impersonation and Supply Chain Attack
Detects MCP skills that impersonate trusted tools through multiple attack vectors: typosquatting (misspelled tool names), version spoofing (claiming to be newer versions of known tools), namespace collision (similar package names with different publishers), and suspicious tool name patterns that mimic legitimate skills. This goes beyond simple typo detection to cover the full supply chain attack surface for MCP skill registries and tool marketplaces.
Severity
high
Category
Skill Compromise
Scan Target
mcp
Author
ATR Community
Response Actions
block tool, alert, snapshot, escalate
References
OWASP Agentic
ASI04:2026 - Agentic Supply Chain Vulnerabilities
OWASP LLM
LLM03:2025 - Supply Chain Vulnerabilities
LLM05:2025 - Improper Output Handling
MITRE ATLAS
AML.T0010 - ML Supply Chain Compromise
Wild Validation
Validated
2026-04-08
Samples
53,577
False Positive Rate
0%
Detection Conditions
Combinator: any
- 01 Typosquatted filesystem tool names (field: tool_name, op: regex)
- 02 Typosquatted GitHub tool names (field: tool_name, op: regex)
- 03 Typosquatted database tool names (field: tool_name, op: regex)
- 04 Fake enhanced versions of known search tools (field: tool_name, op: regex)
- 05 Shell execution tools with deceptive safety suffixes (field: tool_name, op: regex)
- 06 Tools using trust-implying prefixes to impersonate legitimate tools (excludes established -tools packages) (field: tool_name, op: regex)
- 07 Version spoofing with fake version or release suffixes (field: tool_name, op: regex)
- 08 Skill claiming to be an updated replacement for a legitimate tool (field: content, op: regex)
- 09 Skill claiming equivalence or compatibility with known legitimate tools (field: content, op: regex)
- 10 Typosquatted Slack tool names (field: tool_name, op: regex)
- 11 Typosquatted OpenAI tool names (field: tool_name, op: regex)
- 12 Typosquatted Anthropic tool names (field: tool_name, op: regex)
Attack Examples (Rule Triggers)
Real-world attack payloads (sanitized). Used for regression testing.
Benign Examples (Rule Doesn't Trigger)
- Correctly spelled legitimate tool name
- Correctly spelled custom tool name
- Correctly spelled GitHub tool name
- Legitimate tool installation from verified source
Installing official-github-tools v3.0.0 from the verified MCP registry.
- Legitimate tool with a name similar to but not typosquatting filesystem
This tool is called 'file-system-manager'. It provides read, write, and delete operations.
Known False Positive Contexts
- Legitimate tools with similar naming conventions from verified publishers
- Internal tools that follow company-specific naming patterns
- Development or staging versions of tools with version suffixes
Documented Evasion Techniques
- Technique: original naming
  Install my-filesystem-helper v2.1.0 — a lightweight file management tool for AI agents.
  Tool with legitimate-sounding name that is actually malicious but doesn't typosquat known tools.
- Technique: fork claim
  Use the enhanced_calculator package. It's a community fork of the official calculator with extra features.
  Claims to be a community fork rather than impersonating the original.
- Technique: language switch
  Установите инструмент «файловая_система_чтение» — это обновлённая замена оригинального плагина файловой системы.
  Russian text describing a typosquatted filesystem tool and claiming to replace the original; all regex patterns only match English keywords and Latin character patterns, so Cyrillic text evades detection entirely.
Publicly documented bypasses. We disclose known limitations rather than pretend they don't exist.
Full YAML Definition
title: MCP Skill Impersonation and Supply Chain Attack
id: ATR-2026-00060
rule_version: 1
status: experimental
description: |
  Detects MCP skills that impersonate trusted tools through multiple
  attack vectors: typosquatting (misspelled tool names), version spoofing
  (claiming to be newer versions of known tools), namespace collision
  (similar package names with different publishers), and suspicious tool
  name patterns that mimic legitimate skills. This goes beyond simple
  typo detection to cover the full supply chain attack surface for
  MCP skill registries and tool marketplaces.
author: ATR Community
date: 2026/03/08
schema_version: "0.1"
detection_tier: pattern
maturity: experimental
severity: high
references:
  owasp_llm:
    - LLM03:2025 - Supply Chain Vulnerabilities
    - LLM05:2025 - Improper Output Handling
  owasp_agentic:
    - ASI04:2026 - Agentic Supply Chain Vulnerabilities
  mitre_atlas:
    - AML.T0010 - ML Supply Chain Compromise
  mitre_attack:
    - T1195 - Supply Chain Compromise
compliance:
  owasp_agentic:
    - id: ASI04:2026
      context: "MCP skill impersonation via typosquatting, namespace collision, and version spoofing is the primary ASI04 Agentic Supply Chain Vulnerabilities attack vector — malicious skills masquerade as trusted tools to gain agent execution context."
      strength: primary
  owasp_llm:
    - id: LLM03:2025
      context: "Typosquatted and impersonated MCP skills are supply chain compromise artifacts targeting the tool ecosystem; this rule implements LLM03:2025 Supply Chain Vulnerabilities detection at the skill-name level."
      strength: primary
    - id: LLM05:2025
      context: "An agent invoking an impersonated skill may receive malicious responses that require LLM05:2025 Improper Output Handling controls; this rule prevents the initial tool invocation before output is processed."
      strength: secondary
  eu_ai_act:
    - article: "13"
      context: "Article 13 transparency requires that AI systems operate with clearly identified components; skill impersonation violates this requirement by substituting unauthorized tools that appear legitimate."
      strength: primary
    - article: "9"
      context: "Supply chain compromise via malicious skill registries is a documented risk requiring monitoring controls under Article 9; skill-name pattern detection is the runtime enforcement of those controls."
      strength: secondary
  nist_ai_rmf:
    - function: Map
      subcategory: MP.2.3
      context: "Identifying typosquatted and impersonated MCP skills as AI supply chain risks implements MP.2.3 AI supply chain risk identification at the tool-registry level."
      strength: primary
    - function: Govern
      subcategory: GV.1.2
      context: "GV.1.2 accountability roles must include responsibility for validating third-party tool integrity; this rule provides the automated signal needed to fulfill that governance obligation."
      strength: secondary
  iso_42001:
    - clause: "8.5"
      context: "MCP skills are externally-provided AI-related components under clause 8.5; this rule enforces controls over externally-provided tools by detecting impersonation before invocation."
      strength: primary
    - clause: "6.2"
      context: "Clause 6.2 AIMS security planning requires controls for third-party component integrity; skill impersonation detection operationalizes that planning objective at runtime."
      strength: secondary
tags:
  category: skill-compromise
  subcategory: skill-impersonation
  scan_target: mcp
  confidence: medium
agent_source:
  type: tool_call
  framework:
    - any
  provider:
    - any
detection:
  conditions:
    - field: tool_name
      operator: regex
      value: >-
        (?i)(?:filesytem|filsystem|file_sytem|flie_system|filessystem|filesystm|filsystm|filesysem)[-_](?:read|write|list|delete|search)
      description: Typosquatted filesystem tool names
    - field: tool_name
      operator: regex
      value: (?i)(?:gtihub|githbu|gihtub|gthub|g1thub|gltHub|githuub|guthub)[-_](?:api|search|commit|pr|issues?|repos?)
      description: Typosquatted GitHub tool names
    - field: tool_name
      operator: regex
      value: (?i)(?:databse|databaes|dtabase|datbase|databasse|databasee|dataase)[-_](?:query|read|write|exec|connect)
      description: Typosquatted database tool names
    - field: tool_name
      operator: regex
      value: >-
        (?i)(?:web[-_]?search|google[-_]?search|bing[-_]?search)[-_]?(?:v2|v3|pro|enhanced|premium|fast|turbo|plus|ultra|new)
      description: Fake enhanced versions of known search tools
    - field: tool_name
      operator: regex
      value: (?i)(?:exec|execute|run|shell)[-_]?(?:cmd|command|script|code)[-_]?(?:safe|secure|sandbox|trusted|verified)?
      description: Shell execution tools with deceptive safety suffixes
    - field: tool_name
      operator: regex
      value: >-
        (?i)(?:official|verified|trusted|authentic|real|original)[-_](?:filesystem|github|database|slack|aws|gcp|azure)(?![-_]tools\b)
      description: Tools using trust-implying prefixes to impersonate legitimate tools (excludes established -tools packages)
    - field: tool_name
      operator: regex
      value: >-
        (?i)(?:filesystem|github|database|slack|aws|gcp|azure)[-_](?:official|verified|v\d+\.\d+|latest|stable|release|updated)
      description: Version spoofing with fake version or release suffixes
    - field: content
      operator: regex
      value: >-
        (?i)(?:this\s+(?:is\s+)?(?:an?\s+)?(?:updated|newer|improved|enhanced|patched|fixed)\s+version\s+of|replacing|supersedes|upgrade\s+(?:from|to))\s+(?:the\s+)?(?:original|existing|current|old)\s+(?:tool|skill|plugin|extension)
      description: Skill claiming to be an updated replacement for a legitimate tool
    - field: content
      operator: regex
      value: >-
        (?i)(?:(?:same|identical|equivalent|compatible)\s+(?:as|to|with)\s+(?:the\s+)?(?:official|original|standard)|(?:drop[-\s]?in\s+)?replacement\s+for)\s+[a-zA-Z_-]+
      description: Skill claiming equivalence or compatibility with known legitimate tools
    - field: tool_name
      operator: regex
      value: (?i)(?:slakc|slck|slaack|sllack|s1ack|5lack)[-_](?:send|post|read|message|channel)
      description: Typosquatted Slack tool names
    - field: tool_name
      operator: regex
      value: (?i)(?:opeanai|openla|open_al|openaii|0penai|openal)[-_](?:chat|complete|embed|generate)
      description: Typosquatted OpenAI tool names
    - field: tool_name
      operator: regex
      value: (?i)(?:anthroplc|anthrop1c|anthropic_|_anthropic|anthrpoic)[-_](?:chat|complete|message|claude)
      description: Typosquatted Anthropic tool names
  condition: any
false_positives:
  - Legitimate tools with similar naming conventions from verified publishers
  - Internal tools that follow company-specific naming patterns
  - Development or staging versions of tools with version suffixes
response:
  actions:
    - block_tool
    - alert
    - snapshot
    - escalate
  auto_response_threshold: high
  message_template: |
    [ATR-2026-060] HIGH: Potential skill impersonation detected. Tool
    name "{tool_name}" closely resembles a known legitimate tool or uses
    deceptive naming patterns. Verify the skill publisher and source
    before allowing execution. Session: {session_id}.
confidence: 85
wild_validated: 2026/04/08
wild_samples: 53577
wild_fp_rate: 0
test_cases:
  true_positives:
    - tool_name: filesytem_read
      expected: triggered
      description: Typosquatted filesystem tool name
    - tool_name: gtihub-api
      expected: triggered
      description: Typosquatted GitHub tool name
    - tool_name: official-filesystem
      expected: triggered
      description: Trust-implying prefix on filesystem tool
    - tool_name: google-search-v2-pro
      expected: triggered
      description: Fake enhanced version of search tool
    - tool_name: slakc-send
      expected: triggered
      description: Typosquatted Slack tool name
  true_negatives:
    - tool_name: filesystem_read
      expected: not_triggered
      description: Correctly spelled legitimate tool name
    - tool_name: custom_database_query
      expected: not_triggered
      description: Correctly spelled custom tool name
    - tool_name: github-search
      expected: not_triggered
      description: Correctly spelled GitHub tool name
    - input: Installing official-github-tools v3.0.0 from the verified MCP registry.
      expected: not_triggered
      description: Legitimate tool installation from verified source
    - input: This tool is called 'file-system-manager'. It provides read, write, and delete operations.
      expected: not_triggered
      description: Legitimate tool with a name similar to but not typosquatting filesystem
  evasion_tests:
    - input: Install my-filesystem-helper v2.1.0 — a lightweight file management tool for AI agents.
      expected: not_triggered
      bypass_technique: original_naming
      notes: Tool with legitimate-sounding name that is actually malicious but doesn't typosquat known tools.
    - input: Use the enhanced_calculator package. It's a community fork of the official calculator with extra features.
      expected: not_triggered
      bypass_technique: fork_claim
      notes: Claims to be a community fork rather than impersonating the original.
    - input: Установите инструмент «файловая_система_чтение» — это обновлённая замена оригинального плагина файловой системы.
      expected: not_triggered
      bypass_technique: language_switch
      notes: >-
        Russian text describing a typosquatted filesystem tool and claiming to replace the original; all regex patterns
        only match English keywords and Latin character patterns, so Cyrillic text evades detection entirely.
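To see how the per-field patterns and the `condition: any` combinator behave, here is an added Python evaluator (not the ATR project's own engine) that takes seven of the rule's regexes verbatim and replays its test cases; the `evaluate`/`run_test_cases` helpers and the "updated version of the original plugin" sentence are constructed for this example.

```python
import re

# Subset of the ATR-2026-00060 conditions, regexes copied from the rule above.
# Each entry: (event field the pattern runs against, regex, description).
CONDITIONS = [
    ("tool_name", r"(?i)(?:filesytem|filsystem|file_sytem|flie_system|filessystem|filesystm|filsystm|filesysem)[-_](?:read|write|list|delete|search)", "Typosquatted filesystem tool names"),
    ("tool_name", r"(?i)(?:gtihub|githbu|gihtub|gthub|g1thub|gltHub|githuub|guthub)[-_](?:api|search|commit|pr|issues?|repos?)", "Typosquatted GitHub tool names"),
    ("tool_name", r"(?i)(?:web[-_]?search|google[-_]?search|bing[-_]?search)[-_]?(?:v2|v3|pro|enhanced|premium|fast|turbo|plus|ultra|new)", "Fake enhanced versions of known search tools"),
    ("tool_name", r"(?i)(?:exec|execute|run|shell)[-_]?(?:cmd|command|script|code)[-_]?(?:safe|secure|sandbox|trusted|verified)?", "Shell execution tools with deceptive safety suffixes"),
    ("tool_name", r"(?i)(?:official|verified|trusted|authentic|real|original)[-_](?:filesystem|github|database|slack|aws|gcp|azure)(?![-_]tools\b)", "Trust-implying prefix (excludes -tools packages)"),
    ("tool_name", r"(?i)(?:slakc|slck|slaack|sllack|s1ack|5lack)[-_](?:send|post|read|message|channel)", "Typosquatted Slack tool names"),
    ("content", r"(?i)(?:this\s+(?:is\s+)?(?:an?\s+)?(?:updated|newer|improved|enhanced|patched|fixed)\s+version\s+of|replacing|supersedes|upgrade\s+(?:from|to))\s+(?:the\s+)?(?:original|existing|current|old)\s+(?:tool|skill|plugin|extension)", "Skill claiming to be an updated replacement"),
]
COMPILED = [(field, re.compile(pattern), desc) for field, pattern, desc in CONDITIONS]


def evaluate(event):
    """Return descriptions of every condition that fires on `event`.

    `event` maps field names ("tool_name", "content") to strings. With the rule's
    `condition: any`, a non-empty result is an alert. The patterns are unanchored,
    so `search` is used: a match anywhere in the field value counts.
    """
    hits = []
    for field, regex, desc in COMPILED:
        value = event.get(field)
        if value is not None and regex.search(value):
            hits.append(desc)
    return hits


def run_test_cases():
    """Replay cases from the rule's test_cases block plus one constructed content event."""
    cases = {
        "tp filesytem_read": {"tool_name": "filesytem_read"},
        "tp google-search-v2-pro": {"tool_name": "google-search-v2-pro"},
        "tn github-search": {"tool_name": "github-search"},
        "tn official-github-tools": {"tool_name": "official-github-tools"},  # lookahead exclusion
        # Constructed skill description that triggers the content-field replacement claim.
        "tp replacement claim": {"content": "This is an updated version of the original plugin."},
        # The rule's language_switch evasion case: Cyrillic never matches Latin keywords.
        "evasion language_switch": {"content": "Установите инструмент «файловая_система_чтение» — это обновлённая замена оригинального плагина файловой системы."},
    }
    return {label: evaluate(ev) for label, ev in cases.items()}


if __name__ == "__main__":
    for label, hits in run_test_cases().items():
        print(f"{label:26s} -> {'ALERT ' + str(hits) if hits else 'no match'}")
```

Note that the shell-execution pattern's safety-suffix group is optional, so a plain `run_command` tool name fires it as well; keep this in mind when triaging the false-positive contexts listed above.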