ATR-2026-00060highSkill 入侵experimental
MCP Skill Impersonation and Supply Chain Attack
Detects MCP skills that impersonate trusted tools through multiple attack vectors: typosquatting (misspelled tool names), version spoofing (claiming to be newer versions of known tools), namespace collision (similar package names with different publishers), and suspicious tool name patterns that mimic legitimate skills. This goes beyond simple typo detection to cover the full supply chain attack surface for MCP skill registries and tool marketplaces.
嚴重度
high
類別
Skill 入侵
掃描目標
mcp
作者
ATR Community
建議回應
block toolalertsnapshotescalate
參考資料
OWASP Agentic
ASI04:2026 - Agentic Supply Chain Vulnerabilities
OWASP LLM
LLM03:2025 - Supply Chain VulnerabilitiesLLM05:2025 - Improper Output Handling
MITRE ATLAS
AML.T0010 - AI Supply Chain CompromiseAML.T0104 - Publish Poisoned AI Agent Tool
實地驗證
驗證日期
2026-04-08
樣本數
53,577
誤報率(實地語料)
0%
偵測條件
組合方式: any- 01Typosquatted filesystem tool names欄位: tool_name運算子: regex
- 02Typosquatted GitHub tool names欄位: tool_name運算子: regex
- 03Typosquatted database tool names欄位: tool_name運算子: regex
- 04Fake enhanced versions of known search tools欄位: tool_name運算子: regex
- 05Tools using trust-implying prefixes to impersonate legitimate tools (excludes established -tools packages)欄位: tool_name運算子: regex
- 06Version spoofing with fake version or release suffixes欄位: tool_name運算子: regex
- 07Skill claiming to be an updated replacement for a legitimate tool欄位: content運算子: regex
- 08Skill claiming equivalence or compatibility with known legitimate tools欄位: content運算子: regex
- 09Typosquatted Slack tool names欄位: tool_name運算子: regex
- 10Typosquatted OpenAI tool names欄位: tool_name運算子: regex
- 11Typosquatted Anthropic tool names欄位: tool_name運算子: regex
攻擊範例(規則會觸發)
以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。
正常樣本(規則不會觸發)
- Correctly spelled legitimate tool name
- Correctly spelled custom tool name
- Correctly spelled GitHub tool name
- Legitimate tool installation from verified source
Installing official-github-tools v3.0.0 from the verified MCP registry.
- Legitimate tool with a name similar to but not typosquatting filesystem
This tool is called 'file-system-manager'. It provides read, write, and delete operations.
已知誤報情境
- ▸Legitimate tools with similar naming conventions from verified publishers
- ▸Internal tools that follow company-specific naming patterns
- ▸Development or staging versions of tools with version suffixes
已記錄的規避手法
- 手法: original naming
Install my-filesystem-helper v2.1.0 — a lightweight file management tool for AI agents.
Tool with legitimate-sounding name that is actually malicious but doesn't typosquat known tools. - 手法: fork claim
Use the enhanced_calculator package. It's a community fork of the official calculator with extra features.
Claims to be a community fork rather than impersonating the original. - 手法: language switch
Установите инструмент «файловая_система_чтение» — это обновлённая замена оригинального плагина файловой системы.
Russian text describing a typosquatted filesystem tool and claiming to replace the original; all regex patterns only match English keywords and Latin character patterns, so Cyrillic text evades detection entirely.
這些是公開記錄的繞過手法。一個標準的可信度,取決於它願不願意公開自己最差的數字——所以已知限制寫在規則裡,而不是藏起來。
完整 YAML 定義
在 GitHub 編輯 →title: MCP Skill Impersonation and Supply Chain Attack
id: ATR-2026-00060
rule_version: 1
status: experimental
description: |
Detects MCP skills that impersonate trusted tools through multiple
attack vectors: typosquatting (misspelled tool names), version spoofing
(claiming to be newer versions of known tools), namespace collision
(similar package names with different publishers), and suspicious tool
name patterns that mimic legitimate skills. This goes beyond simple
typo detection to cover the full supply chain attack surface for
MCP skill registries and tool marketplaces.
author: ATR Community
date: 2026/03/08
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: high
references:
owasp_llm:
- LLM03:2025 - Supply Chain Vulnerabilities
- LLM05:2025 - Improper Output Handling
owasp_agentic:
- ASI04:2026 - Agentic Supply Chain Vulnerabilities
mitre_atlas:
- AML.T0010 - AI Supply Chain Compromise
- AML.T0104 - Publish Poisoned AI Agent Tool
mitre_attack:
- T1195 - Supply Chain Compromise
compliance:
owasp_agentic:
- id: ASI04:2026
context: "MCP skill impersonation via typosquatting, namespace collision, and version spoofing is the primary ASI04:2026 Agentic Supply Chain Vulnerabilities attack vector — malicious skills masquerade as trusted tools to gain agent execution context."
strength: primary
owasp_llm:
- id: LLM03:2025
context: "Typosquatted and impersonated MCP skills are supply chain compromise artifacts targeting the tool ecosystem; this rule implements LLM03:2025 Supply Chain Vulnerabilities detection at the skill-name level."
strength: primary
- id: LLM05:2025
context: "An agent invoking an impersonated skill may receive malicious responses that require LLM05:2025 Improper Output Handling controls; this rule prevents the initial tool invocation before output is processed."
strength: secondary
eu_ai_act:
- article: "13"
context: "Article 13 transparency requires that AI systems operate with clearly identified components; skill impersonation violates this requirement by substituting unauthorized tools that appear legitimate."
strength: primary
- article: "9"
context: "Supply chain compromise via malicious skill registries is a documented risk requiring monitoring controls under Article 9; skill-name pattern detection is the runtime enforcement of those controls."
strength: secondary
- article: "15"
context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (MCP Skill Impersonation and Supply Chain Attack)."
strength: primary
nist_ai_rmf:
- function: Map
subcategory: MP.2.3
context: "Identifying typosquatted and impersonated MCP skills as AI supply chain risks implements MP.2.3 AI supply chain risk identification at the tool-registry level."
strength: primary
- function: Govern
subcategory: GV.1.2
context: "GV.1.2 accountability roles must include responsibility for validating third-party tool integrity; this rule provides the automated signal needed to fulfill that governance obligation."
strength: secondary
- subcategory: "MS.2.7"
context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (MCP Skill Impersonation and Supply Chain Attack)."
strength: primary
- subcategory: "MG.3.1"
context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (MCP Skill Impersonation and Supply Chain Attack)."
strength: secondary
- subcategory: "MG.3.2"
context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (MCP Skill Impersonation and Supply Chain Attack)."
strength: secondary
iso_42001:
- clause: "8.1"
context: "MCP skills are externally-provided AI-related components under clause 8.1; this rule enforces controls over externally-provided tools by detecting impersonation before invocation."
strength: primary
- clause: "6.2"
context: "Clause 6.2 AIMS security planning requires controls for third-party component integrity; skill impersonation detection operationalizes that planning objective at runtime."
strength: secondary
- clause: "8.3"
context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (MCP Skill Impersonation and Supply Chain Attack) as a treatment control."
strength: secondary
tags:
category: skill-compromise
subcategory: skill-impersonation
scan_target: mcp
confidence: medium
agent_source:
type: tool_call
framework:
- any
provider:
- any
detection:
conditions:
- field: tool_name
operator: regex
value: >-
(?i)(?:filesytem|filsystem|file_sytem|flie_system|filessystem|filesystm|filsystm|filesysem)[-_](?:read|write|list|delete|search)
description: Typosquatted filesystem tool names
- field: tool_name
operator: regex
value: (?i)(?:gtihub|githbu|gihtub|gthub|g1thub|gltHub|githuub|guthub)[-_](?:api|search|commit|pr|issues?|repos?)
description: Typosquatted GitHub tool names
- field: tool_name
operator: regex
value: (?i)(?:databse|databaes|dtabase|datbase|databasse|databasee|dataase)[-_](?:query|read|write|exec|connect)
description: Typosquatted database tool names
- field: tool_name
operator: regex
value: >-
(?i)(?:web[-_]?search|google[-_]?search|bing[-_]?search)[-_]?(?:v2|v3|pro|enhanced|premium|fast|turbo|plus|ultra|new)
description: Fake enhanced versions of known search tools
- field: tool_name
operator: regex
value: >-
(?i)(?:official|verified|trusted|authentic|real|original)[-_](?:filesystem|github|database|slack|aws|gcp|azure)(?![-_]tools\b)
description: Tools using trust-implying prefixes to impersonate legitimate tools (excludes established -tools packages)
- field: tool_name
operator: regex
value: >-
(?i)(?:filesystem|github|database|slack|aws|gcp|azure)[-_](?:official|verified|v\d+\.\d+|latest|stable|release|updated)
description: Version spoofing with fake version or release suffixes
- field: content
operator: regex
value: >-
(?i)(?:this\s+(?:is\s+)?(?:an?\s+)?(?:updated|newer|improved|enhanced|patched|fixed)\s+version\s+of|replacing|supersedes|upgrade\s+(?:from|to))\s+(?:the\s+)?(?:original|existing|current|old)\s+(?:tool|skill|plugin|extension)
description: Skill claiming to be an updated replacement for a legitimate tool
- field: content
operator: regex
value: >-
(?i)(?:(?:same|identical|equivalent|compatible)\s+(?:as|to|with)\s+(?:the\s+)?(?:official|original|standard)|(?:drop[-\s]?in\s+)?replacement\s+for)\s+[a-zA-Z_-]+
description: Skill claiming equivalence or compatibility with known legitimate tools
- field: tool_name
operator: regex
value: (?i)(?:slakc|slck|slaack|sllack|s1ack|5lack)[-_](?:send|post|read|message|channel)
description: Typosquatted Slack tool names
- field: tool_name
operator: regex
value: (?i)(?:opeanai|openla|open_al|openaii|0penai|openal)[-_](?:chat|complete|embed|generate)
description: Typosquatted OpenAI tool names
- field: tool_name
operator: regex
value: (?i)(?:anthroplc|anthrop1c|anthropic_|_anthropic|anthrpoic)[-_](?:chat|complete|message|claude)
description: Typosquatted Anthropic tool names
condition: any
false_positives:
- Legitimate tools with similar naming conventions from verified publishers
- Internal tools that follow company-specific naming patterns
- Development or staging versions of tools with version suffixes
response:
actions:
- block_tool
- alert
- snapshot
- escalate
auto_response_threshold: high
message_template: |
[ATR-2026-060] HIGH: Potential skill impersonation detected. Tool
name "{tool_name}" closely resembles a known legitimate tool or uses
deceptive naming patterns. Verify the skill publisher and source
before allowing execution. Session: {session_id}.
confidence: 85
wild_validated: 2026/04/08
wild_samples: 53577
wild_fp_rate: 0
test_cases:
true_positives:
- tool_name: filesytem_read
expected: triggered
description: Typosquatted filesystem tool name
- tool_name: gtihub-api
expected: triggered
description: Typosquatted GitHub tool name
- tool_name: official-filesystem
expected: triggered
description: Trust-implying prefix on filesystem tool
- tool_name: google-search-v2-pro
expected: triggered
description: Fake enhanced version of search tool
- tool_name: slakc-send
expected: triggered
description: Typosquatted Slack tool name
true_negatives:
- tool_name: filesystem_read
expected: not_triggered
description: Correctly spelled legitimate tool name
- tool_name: custom_database_query
expected: not_triggered
description: Correctly spelled custom tool name
- tool_name: github-search
expected: not_triggered
description: Correctly spelled GitHub tool name
- input: Installing official-github-tools v3.0.0 from the verified MCP registry.
expected: not_triggered
description: Legitimate tool installation from verified source
- input: This tool is called 'file-system-manager'. It provides read, write, and delete operations.
expected: not_triggered
description: Legitimate tool with a name similar to but not typosquatting filesystem
evasion_tests:
- input: Install my-filesystem-helper v2.1.0 — a lightweight file management tool for AI agents.
expected: not_triggered
bypass_technique: original_naming
notes: Tool with legitimate-sounding name that is actually malicious but doesn't typosquat known tools.
- input: Use the enhanced_calculator package. It's a community fork of the official calculator with extra features.
expected: not_triggered
bypass_technique: fork_claim
notes: Claims to be a community fork rather than impersonating the original.
- input: Установите инструмент «файловая_система_чтение» — это обновлённая замена оригинального плагина файловой системы.
expected: not_triggered
bypass_technique: language_switch
notes: >-
Russian text describing a typosquatted filesystem tool and claiming to replace the original; all regex patterns
only match English keywords and Latin character patterns, so Cyrillic text evades detection entirely.