ATR-2026-00063 | critical | Tool Poisoning | experimental

Multi-Skill Chain Attack

Detects attack sequences where multiple MCP skills are chained together to achieve a malicious outcome that no single skill could accomplish alone. For example: (1) a reconnaissance skill reads sensitive files, (2) an encoding skill obfuscates the data, (3) a network skill exfiltrates it. Each step appears benign individually but the chain constitutes data exfiltration.
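The read, encode, exfiltrate sequence described above can be expressed as a small per-session state machine. The following is an added example, not the ATR rule's own logic; the tool names, the sensitive-path pattern, the `window` parameter and the sample log are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Stage patterns and tool names are assumptions for this example,
# not the patterns used by the ATR rule itself.
STAGES = ("read", "encode", "send")
SENSITIVE = re.compile(r"\.ssh/|\.aws/credentials|\.env$|/etc/shadow")
ENCODERS = {"base64_encode", "hex_encode", "gzip"}
NETWORK = {"http_post", "send_email"}

def classify(call):
    """Map one tool call to a chain stage, or None if it is not relevant."""
    tool, args = call["tool"], call.get("args", {})
    if tool == "read_file" and SENSITIVE.search(args.get("path", "")):
        return "read"
    if tool in ENCODERS:
        return "encode"
    if tool in NETWORK:
        return "send"
    return None

def find_chains(calls, window=5):
    """Alert when read -> encode -> send occur in order within one session,
    all inside `window` calls of the sensitive read (ordering only, no data-flow)."""
    alerts, count = [], defaultdict(int)
    state = defaultdict(lambda: {"steps": [], "start": 0})
    for call in calls:
        sid = call["session"]
        count[sid] += 1
        st, stage = state[sid], classify(call)
        if st["steps"] and count[sid] - st["start"] >= window:
            st["steps"] = []                      # chain went stale
        if stage == "read":                       # newest sensitive read restarts the chain
            st["steps"], st["start"] = [call["tool"]], count[sid]
        elif st["steps"] and stage == STAGES[len(st["steps"])]:
            st["steps"].append(call["tool"])
            if len(st["steps"]) == len(STAGES):
                alerts.append({"session": sid, "chain": st["steps"]})
                st["steps"] = []
    return alerts

# Constructed sample tool-call log (not real telemetry).
SAMPLE = [
    {"session": "s1", "tool": "read_file", "args": {"path": "/home/dev/.ssh/id_rsa"}},
    {"session": "s2", "tool": "read_file", "args": {"path": "README.md"}},
    {"session": "s1", "tool": "base64_encode"},
    {"session": "s2", "tool": "base64_encode"},
    {"session": "s1", "tool": "http_post"},
    {"session": "s2", "tool": "http_post"},
]
```

Session `s2` runs the same encode and post tools but never touches a sensitive path, so only `s1` is flagged; every individual call in `s1` would pass a per-call check.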

Severity
critical
Category
Tool Poisoning
Scan Target
mcp
Author
ATR Community

Response Actions

block tool, alert, snapshot, escalate

References

OWASP Agentic
ASI02:2026 - Tool Misuse and Exploitation
OWASP LLM
LLM03:2025 - Supply Chain Vulnerabilities
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0024 - Exfiltration via ML Inference API
AML.T0053 - LLM Plugin Compromise