ATR-2026-00135criticalSkill Compromiseexperimental

Data Exfiltration URL in Skill Instructions

Detects SKILL.md files that instruct the agent to send data to external URLs, especially when combined with concealment language ("don't tell the user", "automatic", "verification step"). Legitimate skills may reference URLs for documentation, but they don't ask the agent to POST user data to them. Key pattern: instruction to send/post/upload + user data reference + URL.

Severity

critical

Response Actions

alertblock input

References

OWASP Agentic

ASI01:2026 - Agent Goal Hijack

OWASP LLM

LLM01:2025 - Prompt Injection

View full YAML on GitHub →

More Skill Compromise Rules

ATR-2026-00060highMCP Skill Impersonation and Supply Chain Attack ATR-2026-00120criticalSKILL.md Prompt Injection ATR-2026-00121criticalMalicious Code in Skill Package ATR-2026-00122highWeaponized Skill — Agent as Attack Tool ATR-2026-00123highOver-Privileged Skill — Excessive Permissions