ATR-2026-00149criticalSkill Compromiseexperimental

Skill Data Exfiltration via Compound Patterns

Detects compound exfiltration patterns in SKILL.md files where sensitive data (credentials, SSH keys, wallet files, browser data, environment variables) is read AND transmitted to an external endpoint. Single-action patterns (just reading env vars or just mentioning curl) are intentionally excluded to avoid false positives on legitimate security and DevOps skills.

Severity

critical

Response Actions

block toolalertquarantine session

References

OWASP Agentic

ASI04:2026 - Supply Chain CompromiseASI05:2026 - Unexpected Code Execution

OWASP LLM

LLM06:2025 - Excessive Agency

View full YAML on GitHub →

More Skill Compromise Rules

ATR-2026-00060highMCP Skill Impersonation and Supply Chain Attack ATR-2026-00120criticalSKILL.md Prompt Injection ATR-2026-00121criticalMalicious Code in Skill Package ATR-2026-00122highWeaponized Skill — Agent as Attack Tool ATR-2026-00123highOver-Privileged Skill — Excessive Permissions