ATR-2026-00098 | critical | Excessive Autonomy | experimental

Unauthorized Financial Action by AI Agent

Detects when an AI agent attempts to execute financial operations (payments, transfers, red packets, purchases, subscriptions) without explicit human confirmation in the current turn. Financial actions are inherently high-risk and irreversible; an agent should NEVER auto-execute them based solely on chat context or tool availability. This rule catches the tool_call side of financial attacks: even if the prompt injection rule (ATR-2026-097) is bypassed, this rule fires when the agent actually attempts to invoke a payment or transfer tool. Covers: WeChat red packets, Alipay/WeChat Pay transfers, bank transfers, crypto transactions, subscription purchases, in-app purchases, and generic payment API calls.

Severity
critical
Category
Excessive Autonomy
Scan target
mcp
Author
ATR Community

Recommended response

block tool, kill agent, alert, snapshot

References

OWASP Agentic
ASI08:2026 - Excessive Autonomy
ASI09:2026 - Inadequate Access Controls
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0053 - LLM Plugin Compromise