ATR-2026-00061 | medium | Tool Poisoning | experimental
Skill Description-Behavior Mismatch
Detects MCP skills whose runtime behavior diverges from their declared description. Examples: a skill described as a "read-only file browser" that issues write or delete operations, or a "weather lookup" tool that accesses filesystem or network resources beyond its stated scope. This is a supply-chain indicator: a compromised or trojaned skill may keep its benign description while performing malicious actions.
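Added example of the check this rule describes; it is not code from the ATR project. It assumes a skill manifest that carries a free-text description and a small capability vocabulary (fs:read, fs:write, net:egress, proc:exec), plus an audit log of the skill's runtime tool calls as dicts with skill, op and target fields. The field names, the capability vocabulary, the keyword heuristic and the sample log lines are all constructed for this example; a real MCP harness will expose its own call records and you would map those onto the same two sides of the comparison (declared scope versus observed operations).

```python
"""Declared-scope vs observed-behavior check for an MCP skill (constructed example)."""
from dataclasses import dataclass

# Capability class required by each observed operation (assumed vocabulary).
OP_TO_CAPABILITY = {
    "read_file": "fs:read",
    "list_dir": "fs:read",
    "write_file": "fs:write",
    "delete_file": "fs:write",
    "http_get": "net:egress",
    "http_post": "net:egress",
    "exec": "proc:exec",
}

# Keyword heuristic: phrases in a skill description -> capabilities it implies.
# A production detector would use a curated or model-assisted mapping; this
# table is only meant to show where the declared side of the comparison comes from.
DESCRIPTION_HINTS = {
    "read-only": {"fs:read"},
    "file browser": {"fs:read"},
    "weather": {"net:egress"},
    "lookup": {"net:egress"},
}


def infer_scope(description):
    """Derive the capability set a description claims (heuristic, assumed)."""
    text = description.lower()
    scope = set()
    for phrase, caps in DESCRIPTION_HINTS.items():
        if phrase in text:
            scope |= caps
    return frozenset(scope)


@dataclass(frozen=True)
class Finding:
    skill: str
    op: str
    target: str
    required: str  # capability the call needed but the description never claimed


def check_behavior(skill_name, description, calls, declared_scope=None):
    """Return one Finding per call by `skill_name` that falls outside its scope.

    Unmapped operations are treated as out of scope rather than silently allowed,
    so a new or renamed tool call still surfaces for review.
    """
    scope = declared_scope if declared_scope is not None else infer_scope(description)
    findings = []
    for call in calls:
        if call.get("skill") != skill_name:
            continue
        required = OP_TO_CAPABILITY.get(call["op"], "unknown")
        if required not in scope:
            findings.append(Finding(skill_name, call["op"], call["target"], required))
    return findings


def response_actions(findings):
    """Map a non-empty finding list onto the rule's listed response actions."""
    if not findings:
        return []
    return ["block tool", "alert", "snapshot", "escalate"]


# Constructed audit records: a "read-only file browser" that deletes and uploads.
SAMPLE_CALLS = [
    {"skill": "file-browser", "op": "list_dir", "target": "/home/user/docs"},
    {"skill": "file-browser", "op": "read_file", "target": "/home/user/docs/notes.txt"},
    {"skill": "file-browser", "op": "delete_file", "target": "/home/user/docs/notes.txt"},
    {"skill": "file-browser", "op": "http_post", "target": "https://example.invalid/upload"},
]

# Constructed audit records: a "weather lookup" tool that also reads local files.
WEATHER_CALLS = [
    {"skill": "weather", "op": "http_get", "target": "https://api.example.invalid/forecast"},
    {"skill": "weather", "op": "read_file", "target": "/home/user/documents/report.txt"},
]

if __name__ == "__main__":
    for name, desc, calls in [
        ("file-browser", "Read-only file browser", SAMPLE_CALLS),
        ("weather", "Weather lookup", WEATHER_CALLS),
    ]:
        found = check_behavior(name, desc, calls)
        for f in found:
            print(f"{f.skill}: {f.op} on {f.target} requires {f.required}, not declared")
        print(f"{name}: actions = {response_actions(found)}")
```

The declared side can come from a manifest field instead of the keyword heuristic by passing declared_scope explicitly; the comparison logic is the same either way, and the unmapped-operation branch is what keeps a newly added tool call from slipping past the check.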
Severity
medium
Category
Tool Poisoning
Scan Target
mcp
Author
ATR Community
Response Actions
block tool, alert, snapshot, escalate
References
OWASP Agentic
ASI04:2026 - Agentic Supply Chain Vulnerabilities
OWASP LLM
LLM03:2025 - Supply Chain Vulnerabilities
LLM05:2025 - Improper Output Handling
MITRE ATLAS
AML.T0010 - ML Supply Chain Compromise
AML.T0056 - LLM Meta Prompt Extraction