Skip to content
ATR-2026-00098criticalExcessive Autonomyexperimental

Unauthorized Financial Action by AI Agent

Detects when an AI agent attempts to execute financial operations (payments, transfers, red packets, purchases, subscriptions) without explicit human confirmation in the current turn. Financial actions are inherently high-risk and irreversible -- an agent should NEVER auto-execute them based solely on chat context or tool availability. This rule catches the tool_call side of financial attacks: even if the prompt injection rule (ATR-2026-097) is bypassed, this rule fires when the agent actually attempts to invoke a payment/transfer tool. Covers: WeChat red packets, Alipay/WeChat Pay transfers, bank transfers, crypto transactions, subscription purchases, in-app purchases, and generic payment API calls.

Severity
critical
Category
Excessive Autonomy
Scan Target
mcp
Author
ATR Community

Response Actions

block toolkill agentalertsnapshot

References

OWASP Agentic
ASI08:2026 - Excessive AutonomyASI09:2026 - Inadequate Access Controls
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0053 - LLM Plugin Compromise
View full YAML on GitHub →

More Excessive Autonomy Rules

ATR-2026-00050highRunaway Agent Loop DetectionATR-2026-00051highAgent Resource Exhaustion DetectionATR-2026-00052highCascading Failure Detection in Agent PipelinesATR-2026-00099lowHigh-Risk Tool Invocation Without Human Confirmation