ATR-2026-00123highSkill Compromiseexperimental

Over-Privileged Skill — Excessive Permissions

Detects skills requesting or instructing overly broad permissions. OWASP AST03 rates this HIGH severity. 280+ leaky skills exposing API keys and PII found by Snyk (Feb 2026). The "consent gap" (Cato Networks) means once a skill is approved, it gains persistent permissions without re-approval. Real patterns: blanket network:true, wildcard file paths (~/*), write access to identity files (SOUL.md, MEMORY.md), auto-approve escalation (CVE-2025-53773). arXiv documents Copilot auto-approve attack writing {"chat.tools.autoApprove":true} to .vscode/settings.json.

Severity

high

Response Actions

alertreduce permissions

References

CVE

CVE-2025-53773 - Copilot auto-approve escalation

OWASP Agentic

ASI03:2026 - Identity and Privilege Abuse

OWASP LLM

LLM06:2025 - Excessive Agency

View full YAML on GitHub →

More Skill Compromise Rules

ATR-2026-00060highMCP Skill Impersonation and Supply Chain Attack ATR-2026-00120criticalSKILL.md Prompt Injection ATR-2026-00121criticalMalicious Code in Skill Package ATR-2026-00122highWeaponized Skill — Agent as Attack Tool ATR-2026-00124highSkill Squatting / Typosquatting