Fork Claim and Community Package Impersonation

Detects skill/package impersonation through fork claims and community-variant naming. Unlike ATR-2026-060 (typosquatting detection), this catches packages that claim to be "community forks", "enhanced versions", or "unofficial alternatives" of known tools. Also detects abstracted permission descriptions that obscure dangerous capabilities behind benign language ("required capabilities: internet, storage" instead of "needs network + filesystem access"). Discovered via Autoresearch v0 (94% miss on fork_claim, 97% on abstracted_permissions, 97% on original_naming).

Response Actions

References