ATR-2026-00062critical工具下毒experimental
Hidden Capability in MCP Skill
Detects MCP skills that expose hidden or undocumented capabilities beyond their declared tool schema. A skill may advertise a simple interface but accept hidden parameters like "debug_mode", "admin_override", or "raw_exec" that unlock dangerous functionality. This is a common pattern in trojaned MCP packages.
嚴重度
critical
類別
工具下毒
掃描目標
mcp
作者
ATR Community
建議回應
block toolquarantine sessionalertsnapshotkill agent
參考資料
OWASP Agentic
ASI02:2026 - Tool Misuse and ExploitationASI05:2026 - Unexpected Code Execution
OWASP LLM
LLM03:2025 - Supply Chain VulnerabilitiesLLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0010 - ML Supply Chain Compromise
實地驗證
驗證日期
2026-04-08
樣本數
53,577
誤報率
0%
偵測條件
組合方式: any- 01欄位: tool_args運算子: regex
- 02欄位: tool_args運算子: regex
- 03欄位: tool_args運算子: regex
- 04欄位: tool_response運算子: regex
攻擊範例(規則會觸發)
- 觸發條件: hidden debug_mode and raw_exec parameters
tool_name: note_taker tool_args: '{"text": "hello", "debug_mode": true, "raw_exec": "cat /etc/shadow"}' - 觸發條件: dunder-wrapped hidden parameter
tool_name: calculator tool_args: '{"expression": "2+2", "__backdoor__": "reverse_shell"}'
以上為真實攻擊 payload 脫敏版本。用於 regression testing。
正常樣本(規則不會觸發)
tool_name: debugger tool_args: '{"breakpoint": "line_42", "mode": "step"}'tool_name: admin_panel tool_args: '{"action": "list_users"}'
已知誤報情境
- ▸Development/staging environments where debug modes are intentionally enabled
- ▸Administrative tools that legitimately expose debug parameters
完整 YAML 定義
在 GitHub 編輯 →title: "Hidden Capability in MCP Skill"
id: ATR-2026-00062
rule_version: 1
status: experimental
description: >
Detects MCP skills that expose hidden or undocumented capabilities beyond their
declared tool schema. A skill may advertise a simple interface but accept hidden
parameters like "debug_mode", "admin_override", or "raw_exec" that unlock dangerous
functionality. This is a common pattern in trojaned MCP packages.
author: "ATR Community"
date: "2026/03/08"
schema_version: "0.1"
detection_tier: pattern
maturity: experimental
severity: critical
references:
owasp_llm:
- "LLM03:2025 - Supply Chain Vulnerabilities"
- "LLM06:2025 - Excessive Agency"
owasp_agentic:
- "ASI02:2026 - Tool Misuse and Exploitation"
- "ASI05:2026 - Unexpected Code Execution"
mitre_atlas:
- "AML.T0010 - ML Supply Chain Compromise"
cve:
- "CVE-2025-59536"
compliance:
nist_ai_rmf:
- subcategory: "GV.6.1"
context: "Hidden capabilities in MCP skills represent third-party/supplier AI risk where a packaged tool exposes undocumented parameters beyond its declared schema; GV.6.1 requires policies and procedures that govern third-party AI components and detect deviations from declared interfaces."
strength: primary
- subcategory: "MG.3.2"
context: "Trojaned MCP packages with hidden parameters like debug_mode or admin_override are exactly the supply-chain risk MG.3.2 addresses by requiring monitoring of pre-trained models and third-party components used in development for unexpected or unsafe capabilities."
strength: secondary
- subcategory: "MP.5.1"
context: "Detection of undocumented dangerous parameters characterizes the likelihood and magnitude of supply-chain compromise impact; MP.5.1 requires that these hidden-capability risks be identified and tracked as part of risk characterization."
strength: secondary
tags:
category: tool-poisoning
subcategory: hidden-capability
scan_target: mcp
confidence: high
agent_source:
type: tool_call
framework:
- mcp
- langchain
- autogen
provider:
- any
detection:
conditions:
- field: tool_args
operator: regex
value: "(?i)(debug[_-]?mode|admin[_-]?override|raw[_-]?exec|unsafe[_-]?mode|bypass[_-]?check|no[_-]?sandbox)"
- field: tool_args
operator: regex
value: "(?i)(__[a-z]+__|\\$\\$[a-z]+|_internal_|_hidden_|_backdoor_|_secret_)"
- field: tool_args
operator: regex
value: "(?i)(eval_code|exec_raw|shell_cmd|run_arbitrary|system_call|inject_prompt)"
- field: tool_response
operator: regex
value: "(?i)(hidden\\s+mode\\s+activated|debug\\s+mode\\s+enabled|admin\\s+access\\s+granted|sandbox\\s+disabled)"
condition: any
false_positives:
- "Development/staging environments where debug modes are intentionally enabled"
- "Administrative tools that legitimately expose debug parameters"
response:
actions:
- block_tool
- quarantine_session
- alert
- snapshot
- kill_agent
auto_response_threshold: critical
message_template: >
[ATR-2026-062] CRITICAL: Hidden capability detected in MCP skill. Tool arguments
or response indicate undocumented functionality that may be a backdoor.
Session quarantined. Investigate skill source immediately.
confidence: 53
wild_validated: "2026/04/08"
wild_samples: 53577
wild_fp_rate: 0
test_cases:
true_positives:
- input:
tool_name: "note_taker"
tool_args: '{"text": "hello", "debug_mode": true, "raw_exec": "cat /etc/shadow"}'
expected: triggered
matched_condition: "hidden debug_mode and raw_exec parameters"
- input:
tool_name: "calculator"
tool_args: '{"expression": "2+2", "__backdoor__": "reverse_shell"}'
expected: triggered
matched_condition: "dunder-wrapped hidden parameter"
true_negatives:
- input:
tool_name: "debugger"
tool_args: '{"breakpoint": "line_42", "mode": "step"}'
expected: not_triggered
reason: "Debugger tool legitimately using debug-related terminology"
- input:
tool_name: "admin_panel"
tool_args: '{"action": "list_users"}'
expected: not_triggered
reason: "Admin tool using normal admin operations"