ATR-2026-00060 | high | Skill Compromise | experimental
MCP Skill Impersonation and Supply Chain Attack
Detects MCP skills that impersonate trusted tools through multiple attack vectors: typosquatting (misspelled tool names), version spoofing (claiming to be newer versions of known tools), namespace collision (similar package names with different publishers), and suspicious tool name patterns that mimic legitimate skills. This goes beyond simple typo detection to cover the full supply chain attack surface for MCP skill registries and tool marketplaces.
Severity: high
Category: Skill Compromise
Scan Target: mcp
Author: ATR Community
Recommended Response: block tool, alert, snapshot, escalate
References:
OWASP Agentic: ASI04:2026 - Agentic Supply Chain Vulnerabilities
OWASP LLM: LLM03:2025 - Supply Chain Vulnerabilities; LLM05:2025 - Improper Output Handling
MITRE ATLAS: AML.T0010 - ML Supply Chain Compromise
Field Validation:
Validation Date: 2026-04-08
Sample Count: 53,577
False Positive Rate: 0%
Detection Conditions
Combination: any
- 01 Typosquatted filesystem tool names (field: tool_name, operator: regex)
- 02 Typosquatted GitHub tool names (field: tool_name, operator: regex)
- 03 Typosquatted database tool names (field: tool_name, operator: regex)
- 04 Fake enhanced versions of known search tools (field: tool_name, operator: regex)
- 05 Shell execution tools with deceptive safety suffixes (field: tool_name, operator: regex)
- 06 Tools using trust-implying prefixes to impersonate legitimate tools (excludes established -tools packages) (field: tool_name, operator: regex)
- 07 Version spoofing with fake version or release suffixes (field: tool_name, operator: regex)
- 08 Skill claiming to be an updated replacement for a legitimate tool (field: content, operator: regex)
- 09 Skill claiming equivalence or compatibility with known legitimate tools (field: content, operator: regex)
- 10 Typosquatted Slack tool names (field: tool_name, operator: regex)
- 11 Typosquatted OpenAI tool names (field: tool_name, operator: regex)
- 12 Typosquatted Anthropic tool names (field: tool_name, operator: regex)
Attack Examples (rule triggers)
- Typosquatted filesystem tool name
- Typosquatted GitHub tool name
- Trust-implying prefix on filesystem tool
- Fake enhanced version of search tool
- Typosquatted Slack tool name
The above are sanitized versions of real attack payloads, used for regression testing.
Benign Samples (rule does not trigger)
- Correctly spelled legitimate tool name
- Correctly spelled custom tool name
- Correctly spelled GitHub tool name
- Legitimate tool installation from verified source
Installing official-github-tools v3.0.0 from the verified MCP registry.
- Legitimate tool with a name similar to but not typosquatting filesystem
This tool is called 'file-system-manager'. It provides read, write, and delete operations.
Known False Positive Scenarios
- Legitimate tools with similar naming conventions from verified publishers
- Internal tools that follow company-specific naming patterns
- Development or staging versions of tools with version suffixes
Documented Evasion Techniques
- Technique: original naming
Install my-filesystem-helper v2.1.0 — a lightweight file management tool for AI agents.
Tool with legitimate-sounding name that is actually malicious but doesn't typosquat known tools.
- Technique: fork claim
Use the enhanced_calculator package. It's a community fork of the official calculator with extra features.
Claims to be a community fork rather than impersonating the original.
- Technique: language switch
Установите инструмент «файловая_система_чтение» — это обновлённая замена оригинального плагина файловой системы.
Russian text describing a typosquatted filesystem tool and claiming to replace the original; all regex patterns only match English keywords and Latin character patterns, so Cyrillic text evades detection entirely.
These are publicly documented bypass techniques. The limitations are disclosed honestly rather than pretended away.
Full YAML Definition
title: MCP Skill Impersonation and Supply Chain Attack
id: ATR-2026-00060
rule_version: 1
status: experimental
description: |
  Detects MCP skills that impersonate trusted tools through multiple
  attack vectors: typosquatting (misspelled tool names), version spoofing
  (claiming to be newer versions of known tools), namespace collision
  (similar package names with different publishers), and suspicious tool
  name patterns that mimic legitimate skills. This goes beyond simple
  typo detection to cover the full supply chain attack surface for
  MCP skill registries and tool marketplaces.
author: ATR Community
date: 2026/03/08
schema_version: "0.1"
detection_tier: pattern
maturity: experimental
severity: high
references:
  owasp_llm:
    - LLM03:2025 - Supply Chain Vulnerabilities
    - LLM05:2025 - Improper Output Handling
  owasp_agentic:
    - ASI04:2026 - Agentic Supply Chain Vulnerabilities
  mitre_atlas:
    - AML.T0010 - ML Supply Chain Compromise
  mitre_attack:
    - T1195 - Supply Chain Compromise
compliance:
  owasp_agentic:
    - id: ASI04:2026
      context: "MCP skill impersonation via typosquatting, namespace collision, and version spoofing is the primary ASI04 Agentic Supply Chain Vulnerabilities attack vector — malicious skills masquerade as trusted tools to gain agent execution context."
      strength: primary
  owasp_llm:
    - id: LLM03:2025
      context: "Typosquatted and impersonated MCP skills are supply chain compromise artifacts targeting the tool ecosystem; this rule implements LLM03:2025 Supply Chain Vulnerabilities detection at the skill-name level."
      strength: primary
    - id: LLM05:2025
      context: "An agent invoking an impersonated skill may receive malicious responses that require LLM05:2025 Improper Output Handling controls; this rule prevents the initial tool invocation before output is processed."
      strength: secondary
  eu_ai_act:
    - article: "13"
      context: "Article 13 transparency requires that AI systems operate with clearly identified components; skill impersonation violates this requirement by substituting unauthorized tools that appear legitimate."
      strength: primary
    - article: "9"
      context: "Supply chain compromise via malicious skill registries is a documented risk requiring monitoring controls under Article 9; skill-name pattern detection is the runtime enforcement of those controls."
      strength: secondary
  nist_ai_rmf:
    - function: Map
      subcategory: MP.2.3
      context: "Identifying typosquatted and impersonated MCP skills as AI supply chain risks implements MP.2.3 AI supply chain risk identification at the tool-registry level."
      strength: primary
    - function: Govern
      subcategory: GV.1.2
      context: "GV.1.2 accountability roles must include responsibility for validating third-party tool integrity; this rule provides the automated signal needed to fulfill that governance obligation."
      strength: secondary
  iso_42001:
    - clause: "8.5"
      context: "MCP skills are externally-provided AI-related components under clause 8.5; this rule enforces controls over externally-provided tools by detecting impersonation before invocation."
      strength: primary
    - clause: "6.2"
      context: "Clause 6.2 AIMS security planning requires controls for third-party component integrity; skill impersonation detection operationalizes that planning objective at runtime."
      strength: secondary
tags:
  category: skill-compromise
  subcategory: skill-impersonation
  scan_target: mcp
  confidence: medium
agent_source:
  type: tool_call
  framework:
    - any
  provider:
    - any
detection:
  conditions:
    - field: tool_name
      operator: regex
      value: >-
        (?i)(?:filesytem|filsystem|file_sytem|flie_system|filessystem|filesystm|filsystm|filesysem)[-_](?:read|write|list|delete|search)
      description: Typosquatted filesystem tool names
    - field: tool_name
      operator: regex
      value: (?i)(?:gtihub|githbu|gihtub|gthub|g1thub|gltHub|githuub|guthub)[-_](?:api|search|commit|pr|issues?|repos?)
      description: Typosquatted GitHub tool names
    - field: tool_name
      operator: regex
      value: (?i)(?:databse|databaes|dtabase|datbase|databasse|databasee|dataase)[-_](?:query|read|write|exec|connect)
      description: Typosquatted database tool names
    - field: tool_name
      operator: regex
      value: >-
        (?i)(?:web[-_]?search|google[-_]?search|bing[-_]?search)[-_]?(?:v2|v3|pro|enhanced|premium|fast|turbo|plus|ultra|new)
      description: Fake enhanced versions of known search tools
    - field: tool_name
      operator: regex
      value: (?i)(?:exec|execute|run|shell)[-_]?(?:cmd|command|script|code)[-_]?(?:safe|secure|sandbox|trusted|verified)?
      description: Shell execution tools with deceptive safety suffixes
    - field: tool_name
      operator: regex
      value: >-
        (?i)(?:official|verified|trusted|authentic|real|original)[-_](?:filesystem|github|database|slack|aws|gcp|azure)(?![-_]tools\b)
      description: Tools using trust-implying prefixes to impersonate legitimate tools (excludes established -tools packages)
    - field: tool_name
      operator: regex
      value: >-
        (?i)(?:filesystem|github|database|slack|aws|gcp|azure)[-_](?:official|verified|v\d+\.\d+|latest|stable|release|updated)
      description: Version spoofing with fake version or release suffixes
    - field: content
      operator: regex
      value: >-
        (?i)(?:this\s+(?:is\s+)?(?:an?\s+)?(?:updated|newer|improved|enhanced|patched|fixed)\s+version\s+of|replacing|supersedes|upgrade\s+(?:from|to))\s+(?:the\s+)?(?:original|existing|current|old)\s+(?:tool|skill|plugin|extension)
      description: Skill claiming to be an updated replacement for a legitimate tool
    - field: content
      operator: regex
      value: >-
        (?i)(?:(?:same|identical|equivalent|compatible)\s+(?:as|to|with)\s+(?:the\s+)?(?:official|original|standard)|(?:drop[-\s]?in\s+)?replacement\s+for)\s+[a-zA-Z_-]+
      description: Skill claiming equivalence or compatibility with known legitimate tools
    - field: tool_name
      operator: regex
      value: (?i)(?:slakc|slck|slaack|sllack|s1ack|5lack)[-_](?:send|post|read|message|channel)
      description: Typosquatted Slack tool names
    - field: tool_name
      operator: regex
      value: (?i)(?:opeanai|openla|open_al|openaii|0penai|openal)[-_](?:chat|complete|embed|generate)
      description: Typosquatted OpenAI tool names
    - field: tool_name
      operator: regex
      value: (?i)(?:anthroplc|anthrop1c|anthropic_|_anthropic|anthrpoic)[-_](?:chat|complete|message|claude)
      description: Typosquatted Anthropic tool names
  condition: any
false_positives:
  - Legitimate tools with similar naming conventions from verified publishers
  - Internal tools that follow company-specific naming patterns
  - Development or staging versions of tools with version suffixes
response:
  actions:
    - block_tool
    - alert
    - snapshot
    - escalate
  auto_response_threshold: high
  message_template: |
    [ATR-2026-060] HIGH: Potential skill impersonation detected. Tool
    name "{tool_name}" closely resembles a known legitimate tool or uses
    deceptive naming patterns. Verify the skill publisher and source
    before allowing execution. Session: {session_id}.
confidence: 85
wild_validated: 2026/04/08
wild_samples: 53577
wild_fp_rate: 0
test_cases:
  true_positives:
    - tool_name: filesytem_read
      expected: triggered
      description: Typosquatted filesystem tool name
    - tool_name: gtihub-api
      expected: triggered
      description: Typosquatted GitHub tool name
    - tool_name: official-filesystem
      expected: triggered
      description: Trust-implying prefix on filesystem tool
    - tool_name: google-search-v2-pro
      expected: triggered
      description: Fake enhanced version of search tool
    - tool_name: slakc-send
      expected: triggered
      description: Typosquatted Slack tool name
  true_negatives:
    - tool_name: filesystem_read
      expected: not_triggered
      description: Correctly spelled legitimate tool name
    - tool_name: custom_database_query
      expected: not_triggered
      description: Correctly spelled custom tool name
    - tool_name: github-search
      expected: not_triggered
      description: Correctly spelled GitHub tool name
    - input: Installing official-github-tools v3.0.0 from the verified MCP registry.
      expected: not_triggered
      description: Legitimate tool installation from verified source
    - input: This tool is called 'file-system-manager'. It provides read, write, and delete operations.
      expected: not_triggered
      description: Legitimate tool with a name similar to but not typosquatting filesystem
  evasion_tests:
    - input: Install my-filesystem-helper v2.1.0 — a lightweight file management tool for AI agents.
      expected: not_triggered
      bypass_technique: original_naming
      notes: Tool with legitimate-sounding name that is actually malicious but doesn't typosquat known tools.
    - input: Use the enhanced_calculator package. It's a community fork of the official calculator with extra features.
      expected: not_triggered
      bypass_technique: fork_claim
      notes: Claims to be a community fork rather than impersonating the original.
    - input: Установите инструмент «файловая_система_чтение» — это обновлённая замена оригинального плагина файловой системы.
      expected: not_triggered
      bypass_technique: language_switch
      notes: >-
        Russian text describing a typosquatted filesystem tool and claiming to replace the original; all regex patterns
        only match English keywords and Latin character patterns, so Cyrillic text evades detection entirely.
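The twelve regex conditions above, evaluated the way the rule's `condition: any` implies, as an added example that is not code from the ATR rule or its repository. It assumes `operator: regex` means an unanchored search on the named field, uses its own short condition labels, and replays the page's test cases plus one constructed content sample for conditions 08 and 09.

```python
import re

# Added example (not from the ATR rule repository): a minimal evaluator for the
# twelve regex conditions of ATR-2026-00060, copied from the YAML definition.
# Assumed semantics: "operator: regex" is an unanchored search on the named
# field, and "condition: any" fires the rule when at least one condition hits.
CONDITIONS = [
    ("tool_name", r"(?i)(?:filesytem|filsystem|file_sytem|flie_system|filessystem|filesystm|filsystm|filesysem)[-_](?:read|write|list|delete|search)", "01 typosquatted filesystem"),
    ("tool_name", r"(?i)(?:gtihub|githbu|gihtub|gthub|g1thub|gltHub|githuub|guthub)[-_](?:api|search|commit|pr|issues?|repos?)", "02 typosquatted github"),
    ("tool_name", r"(?i)(?:databse|databaes|dtabase|datbase|databasse|databasee|dataase)[-_](?:query|read|write|exec|connect)", "03 typosquatted database"),
    ("tool_name", r"(?i)(?:web[-_]?search|google[-_]?search|bing[-_]?search)[-_]?(?:v2|v3|pro|enhanced|premium|fast|turbo|plus|ultra|new)", "04 fake enhanced search"),
    ("tool_name", r"(?i)(?:exec|execute|run|shell)[-_]?(?:cmd|command|script|code)[-_]?(?:safe|secure|sandbox|trusted|verified)?", "05 shell exec with safety suffix"),
    ("tool_name", r"(?i)(?:official|verified|trusted|authentic|real|original)[-_](?:filesystem|github|database|slack|aws|gcp|azure)(?![-_]tools\b)", "06 trust-implying prefix"),
    ("tool_name", r"(?i)(?:filesystem|github|database|slack|aws|gcp|azure)[-_](?:official|verified|v\d+\.\d+|latest|stable|release|updated)", "07 version spoofing"),
    ("content", r"(?i)(?:this\s+(?:is\s+)?(?:an?\s+)?(?:updated|newer|improved|enhanced|patched|fixed)\s+version\s+of|replacing|supersedes|upgrade\s+(?:from|to))\s+(?:the\s+)?(?:original|existing|current|old)\s+(?:tool|skill|plugin|extension)", "08 updated replacement claim"),
    ("content", r"(?i)(?:(?:same|identical|equivalent|compatible)\s+(?:as|to|with)\s+(?:the\s+)?(?:official|original|standard)|(?:drop[-\s]?in\s+)?replacement\s+for)\s+[a-zA-Z_-]+", "09 equivalence claim"),
    ("tool_name", r"(?i)(?:slakc|slck|slaack|sllack|s1ack|5lack)[-_](?:send|post|read|message|channel)", "10 typosquatted slack"),
    ("tool_name", r"(?i)(?:opeanai|openla|open_al|openaii|0penai|openal)[-_](?:chat|complete|embed|generate)", "11 typosquatted openai"),
    ("tool_name", r"(?i)(?:anthroplc|anthrop1c|anthropic_|_anthropic|anthrpoic)[-_](?:chat|complete|message|claude)", "12 typosquatted anthropic"),
]
COMPILED = [(field, re.compile(rx), label) for field, rx, label in CONDITIONS]


def matching_conditions(event):
    # event: dict with optional "tool_name" / "content" keys (the rule's two
    # fields); a condition is skipped when its field is absent from the event.
    return [label for field, rx, label in COMPILED
            if field in event and rx.search(event[field])]


def triggered(event):
    """condition: any -- at least one matching condition triggers the rule."""
    return bool(matching_conditions(event))


if __name__ == "__main__":
    # The page's own true_positive/true_negative cases plus one constructed
    # content sample that exercises the prose conditions 08 and 09.
    samples = [
        ({"tool_name": "filesytem_read"}, True),
        ({"tool_name": "official-filesystem"}, True),
        ({"tool_name": "filesystem_read"}, False),
        ({"tool_name": "github-search"}, False),
        ({"content": "This is an updated version of the original tool, a drop-in replacement for filesystem_read."}, True),
    ]
    for event, expected in samples:
        hits = matching_conditions(event)
        assert bool(hits) == expected
        print("TRIGGER" if hits else "pass   ", event, hits)
```

Note that condition 05's trailing `(?:safe|secure|sandbox|trusted|verified)?` group is optional, so the regex as written also fires on plain names such as run_script that carry no safety suffix at all.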