Skip to content
ATR-2026-00061mediumTool Poisoningexperimental

Skill Description-Behavior Mismatch

Detects MCP skills whose runtime behavior diverges from their declared description. A skill described as "read-only file browser" that issues write or delete operations, or a "weather lookup" tool that accesses filesystem or network resources beyond its stated scope. This is a supply-chain indicator: a compromised or trojaned skill may retain its benign description while performing malicious actions.

嚴重度
medium
類別
Tool Poisoning
掃描目標
mcp
作者
ATR Community

建議回應

block toolalertsnapshotescalate

參考資料

OWASP Agentic
ASI04:2026 - Agentic Supply Chain Vulnerabilities
OWASP LLM
LLM03:2025 - Supply Chain VulnerabilitiesLLM05:2025 - Improper Output Handling
MITRE ATLAS
AML.T0010 - ML Supply Chain CompromiseAML.T0056 - LLM Meta Prompt Extraction
在 GitHub 上查看完整 YAML →

更多 Tool Poisoning 規則

ATR-2026-00010criticalMalicious Content in MCP Tool ResponseATR-2026-00011highInstruction Injection via Tool OutputATR-2026-00012highUnauthorized Tool Call DetectionATR-2026-00013criticalSSRF via Agent Tool CallsATR-2026-00062criticalHidden Capability in MCP Skill