ATR-2026-00127 | medium | Skill Compromise | experimental
Subcommand Overflow Bypass
Detects SKILL.md files declaring an excessive number of subcommands or tools (>50). Claude Code has a security architecture where each subcommand is individually evaluated for safety. When a skill declares >50 subcommands, some implementations skip security checks on the overflow commands because of performance budgets or fixed-size buffers. Attackers pad the skill with 49 benign commands, then add malicious ones at the end, expecting the security check to be skipped for them. Discovered via Claude Code leak analysis (2026-03).
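The count check described above, as an added example; it is not the ATR rule's own implementation. The front-matter key names (`subcommands`, `tools`, `allowed-tools`) and the list layout are assumptions, since the page does not say how a SKILL.md declares them, and the sample skill is constructed.

```python
import re

THRESHOLD = 50  # the rule fires when more than 50 entries are declared
# Assumed front-matter keys; the page does not name them.
KEYS = ("subcommands", "tools", "allowed-tools")

def declared_entries(skill_md):
    """Return every entry listed under an assumed key in the front matter."""
    fm = re.match(r"\A---\s*\n(.*?)\n---\s*(?:\n|\Z)", skill_md, re.S)
    if not fm:
        return []
    entries, in_list = [], False
    for line in fm.group(1).splitlines():
        key = re.match(r"^([A-Za-z_-]+):\s*(.*)$", line)
        if key:
            # A new top-level key starts or ends the list we are collecting.
            in_list = key.group(1).lower() in KEYS
            inline = key.group(2).strip().strip("[]")
            if in_list and inline:  # inline form: "tools: a, b, c"
                entries += [e.strip() for e in inline.split(",") if e.strip()]
        elif in_list and (item := re.match(r"^\s*-\s+(.*\S)\s*$", line)):
            entries.append(item.group(1))  # block form: "  - entry"
    return entries

def scan(skill_md):
    """Count all entries; never stop reading at the threshold."""
    entries = declared_entries(skill_md)
    return {
        "count": len(entries),
        "alert": len(entries) > THRESHOLD,
        # Entries past position 50 are the ones a truncating checker
        # would leave unevaluated, so surface them for review.
        "overflow": entries[THRESHOLD:],
    }

def make_skill(n):
    """Constructed sample: a skill declaring n placeholder subcommands."""
    items = "\n".join(f"  - cmd-{i}" for i in range(1, n + 1))
    return f"---\nname: demo-skill\nsubcommands:\n{items}\n---\n# Demo\n"

if __name__ == "__main__":
    print(scan(make_skill(52)))
```

The `overflow` list gives a reviewer the exact entries that a per-command checker with a fixed budget would not have evaluated.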
Severity
medium
Category
Skill Compromise
Scan Target
skill
Author
ATR Community
Response Actions
alert
References
OWASP Agentic
ASI02:2026 - Excessive Agent Autonomy
OWASP LLM
LLM07:2025 - System Prompt Leakage