ATR-2026-00127 · medium · Skill compromise · experimental

Subcommand Overflow Bypass

Detects SKILL.md files declaring an excessive number of subcommands or tools (>50). Claude Code has a security architecture where each subcommand is individually evaluated for safety. When a skill declares >50 subcommands, some implementations skip security checks on overflow commands due to performance budgets or fixed-size buffers. Attackers pad with 49 benign commands then add malicious ones at the end, expecting the security check to be skipped. Discovered via Claude Code leak analysis (2026-03).

Severity
medium
Category
Skill compromise
Scan target
skill
Author
ATR Community

Recommended response

alert

References

OWASP Agentic
ASI02:2026 - Excessive Agent Autonomy
OWASP LLM
LLM07:2025 - System Prompt Leakage
MITRE ATLAS
AML.T0010 - ML Supply Chain Compromise

Field validation

Validation date
2026-04-11
Samples
89,971
False-positive rate
0%

Detection conditions

Combination: any
  1. 01
    Explicit declaration of large command count (50+)
    Field: content · Operator: regex

Attack examples (rule triggers)

  1. # Mega Tool Suite
    
    This skill provides 75 commands for managing your entire system infrastructure.
  2. This skill provides 65 tools for comprehensive system administration and monitoring.
  3. The package includes over 80 commands covering file management, network, and security.
  4. Our framework supports more than 55 subcommands for DevOps automation.
  5. MegaSkill provides 100 commands for full system orchestration.

The above are sanitized versions of real attack payloads, used for regression testing.

Benign samples (rule does not trigger)

  1. # Simple Calculator
    
    ## add
    Adds two numbers
    ## subtract
    Subtracts two numbers
    ## multiply
    Multiplies two numbers
  2. This skill provides 5 commands for managing your git repository.
  3. # File Manager
    
    - `create` - Create a file
    - `delete` - Delete a file
    - `move` - Move a file
    - `copy` - Copy a file
    - `list` - List files
  4. Legit multi-chain wallet manager (27 tools, well below 50)
    Multi-chain wallet and trading tools for AI agents. Provides 27 tools for: wallet management, balance checks, export keys.
  5. Legit Canva integration (22 tools, well below 50)
    MCP skill for canva. Provides 22 tools: upload-asset-from-url, resolve-shortlink, search-designs, get-design.
  6. Common count below the 50 threshold
    This skill includes 30 helper functions for data transformation tasks.
  7. Edge case — 49 is below 50 threshold and must not trigger
    Our framework supports 49 subcommands for build automation.

Known false-positive scenarios

  • Legitimate enterprise SDKs that genuinely expose 50+ tools as a single skill (rare but real — flag for human review rather than auto-block)
  • Documentation describing platform feature counts in marketing copy (e.g. 'AWS supports over 200 services') — should be filtered by checking that the count refers to skill subcommands, not platform features

Documented evasion techniques

  1. Technique: format manipulation
    This skill comprises 75 endpoints for system management.
    Verb 'comprises' is not in the regex verb list (provides|includes|contains|offers|supports|has). Author can extend the verb list to close this gap.
  2. Technique: split keyword
    This skill provides 5 0 commands for everything.
    Whitespace inside the digit string '5 0' breaks the [5-9]\d character class. A token-aware preprocessor would catch this.
  3. Technique: language switch
    本工具提供六十五个子命令用于自动化部署。
    Chinese number 六十五 (65) and verb 提供 (provide) are not in the English-only regex. ATR engine should add NFKC normalization and per-language regex variants.

These are publicly documented bypass techniques. Limitations are disclosed honestly rather than pretended away.
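As an added example (not the rule's own code or the ATR engine's), the Python below compiles the published regex, runs it over the page's own true-positive, true-negative and evasion inputs, and applies the two mitigations the evasion notes suggest: a verb list extended with 'comprises' and a preprocessor that collapses whitespace inside digit strings. Both mitigations are assumptions for illustration; the language-switch evasion is deliberately left unhandled to show it still passes.

```python
import re

# Verb list, count class and noun list copied from the ATR-2026-00127 regex on this page.
RULE_VERBS = r"provides?|includes?|contains?|offers?|supports?|has"
COUNT_50_PLUS = r"(?:[5-9]\d|\d{3,})"          # 50-99, or any number with 3+ digits
NOUNS = r"commands?|tools?|subcommands?|functions?|operations?|endpoints?|actions?|methods?"

def build_rule(verbs: str = RULE_VERBS) -> re.Pattern:
    """Compile the rule's regex; passing a wider alternation for `verbs` is the
    'extend the verb list' fix suggested in the evasion notes."""
    return re.compile(
        rf"(?i)({verbs})\s+(?:{COUNT_50_PLUS}|over\s+{COUNT_50_PLUS}|more\s+than\s+{COUNT_50_PLUS})"
        rf"\s+({NOUNS})"
    )

PUBLISHED_RULE = build_rule()
# Hardened variant (assumption, not part of the published rule): 'comprises' added to the verbs.
HARDENED_RULE = build_rule(RULE_VERBS + r"|comprises?")

def collapse_split_digits(text: str) -> str:
    """Token-aware preprocessing as suggested in the evasion notes (assumption): drop
    whitespace between digits so '5 0' is read as '50' by the count class."""
    return re.sub(r"(?<=\d)\s+(?=\d)", "", text)

def triggers(text: str, rule: re.Pattern = PUBLISHED_RULE, preprocess: bool = False) -> bool:
    """True if the SKILL.md text declares 50+ commands according to `rule`."""
    if preprocess:
        text = collapse_split_digits(text)
    return rule.search(text) is not None

def evaluate(inputs, rule=PUBLISHED_RULE, preprocess=False) -> list:
    return [triggers(t, rule, preprocess) for t in inputs]

# Sample inputs are taken from the page's own test cases and evasion tests.
TRUE_POSITIVES = [
    "# Mega Tool Suite\n\nThis skill provides 75 commands for managing your entire system infrastructure.",
    "The package includes over 80 commands covering file management, network, and security.",
    "MegaSkill provides 100 commands for full system orchestration.",
]
TRUE_NEGATIVES = [
    "This skill provides 5 commands for managing your git repository.",
    "MCP skill for canva. Provides 22 tools: upload-asset-from-url, resolve-shortlink, search-designs, get-design.",
    "Our framework supports 49 subcommands for build automation.",
]
EVASIONS = [
    "This skill comprises 75 endpoints for system management.",   # format manipulation
    "This skill provides 5 0 commands for everything.",            # split keyword
    "本工具提供六十五个子命令用于自动化部署。",                       # language switch
]
```

Running `evaluate(EVASIONS)` returns all False, while `evaluate(EVASIONS, HARDENED_RULE, preprocess=True)` flips the first two to True and leaves the Chinese sample undetected.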

Full YAML definition

title: "Subcommand Overflow Bypass"
id: ATR-2026-00127
rule_version: 1
status: experimental
description: >
  Detects SKILL.md files declaring an excessive number of subcommands or tools
  (>50). Claude Code has a security architecture where each subcommand is
  individually evaluated for safety. When a skill declares >50 subcommands,
  some implementations skip security checks on overflow commands due to
  performance budgets or fixed-size buffers. Attackers pad with 49 benign
  commands then add malicious ones at the end, expecting the security check
  to be skipped. Discovered via Claude Code leak analysis (2026-03).
author: "ATR Community"
date: "2026/04/05"
schema_version: "0.1"
detection_tier: pattern
maturity: experimental
severity: medium

references:
  mitre_atlas:
    - "AML.T0010 - ML Supply Chain Compromise"
  owasp_llm:
    - "LLM07:2025 - System Prompt Leakage"
  owasp_agentic:
    - "ASI02:2026 - Excessive Agent Autonomy"
  owasp_ast:
    - "AST02:2026 - Excessive Permissions"
  research:
    - "Claude Code leak: 50 subcommand security check bypass (2026-03)"

metadata_provenance:
  mitre_atlas: auto-generated

compliance:
  nist_ai_rmf:
    - subcategory: "MS.2.7"
      context: >-
        Subcommand overflow bypass exploits a security check weakness where excessive
        declared commands cause safety evaluation to be skipped on overflow entries;
        MS.2.7 requires that AI system security and resilience properties, including
        boundary conditions in security validation logic, are evaluated and documented.
      strength: primary
    - subcategory: "MP.5.1"
      context: >-
        Declaring >50 subcommands to pad benign entries before malicious ones is an
        identifiable adversarial pattern with characterizable likelihood and impact;
        MP.5.1 requires that such risk vectors against the skill loading pipeline are
        tracked and characterized.
      strength: secondary
    - subcategory: "MG.3.2"
      context: >-
        SKILL.md files are third-party-authored components loaded into the agent runtime,
        and overflow-based bypass attempts must be monitored as part of pre-trained or
        third-party model/component supply chain risk management under MG.3.2.
      strength: secondary
tags:
  category: skill-compromise
  subcategory: subcommand-overflow
  scan_target: skill
  confidence: low

agent_source:
  type: mcp_exchange
  framework:
    - any
  provider:
    - any

detection:
  condition: any
  false_positives:
    - "Legitimate enterprise SDKs that genuinely expose 50+ tools as a single skill (rare but real — flag for human review rather than auto-block)"
    - "Documentation describing platform feature counts in marketing copy (e.g. 'AWS supports over 200 services') — should be filtered by checking that the count refers to skill subcommands, not platform features"
  conditions:
    # Explicit large command count declaration. Number must be 50 or higher —
    # earlier version of this regex used \d{2,3} which matched any 2-digit
    # number (10+) and produced false positives on legitimate multi-tool
    # skills like "provides 22 tools" or "provides 27 wallet management
    # operations" (2026-04-11 ClawHub wild scan).
    - field: content
      operator: regex
      value: "(?i)(provides?|includes?|contains?|offers?|supports?|has)\\s+(?:(?:[5-9]\\d|\\d{3,})|over\\s+(?:[5-9]\\d|\\d{3,})|more\\s+than\\s+(?:[5-9]\\d|\\d{3,}))\\s+(commands?|tools?|subcommands?|functions?|operations?|endpoints?|actions?|methods?)"
      description: "Explicit declaration of large command count (50+)"

confidence: 78
wild_validated: "2026/04/11"
wild_samples: 89971  # 53577 (mega-scan v1) + 36394 (clawhub registry summary scan)
wild_fp_rate: 0.0
test_cases:
  true_positives:
    - input: "# Mega Tool Suite\n\nThis skill provides 75 commands for managing your entire system infrastructure."
      expected: trigger
    - input: "This skill provides 65 tools for comprehensive system administration and monitoring."
      expected: trigger
    - input: "The package includes over 80 commands covering file management, network, and security."
      expected: trigger
    - input: "Our framework supports more than 55 subcommands for DevOps automation."
      expected: trigger
    - input: "MegaSkill provides 100 commands for full system orchestration."
      expected: trigger
      description: "Three-digit count well above the 50 threshold"

  true_negatives:
    - input: "# Simple Calculator\n\n## add\nAdds two numbers\n## subtract\nSubtracts two numbers\n## multiply\nMultiplies two numbers"
      expected: no_trigger
    - input: "This skill provides 5 commands for managing your git repository."
      expected: no_trigger
    - input: "# File Manager\n\n- `create` - Create a file\n- `delete` - Delete a file\n- `move` - Move a file\n- `copy` - Copy a file\n- `list` - List files"
      expected: no_trigger
    # 2026-04-11 ClawHub wild scan regression guards. The earlier \d{2,3}
    # regex caught any 2-digit count (10+) and flagged legitimate multi-tool
    # skills like wallets and design SaaS integrations. These TNs lock in the
    # fix at 50+ as documented in the rule description.
    - input: "Multi-chain wallet and trading tools for AI agents. Provides 27 tools for: wallet management, balance checks, export keys."
      expected: no_trigger
      description: "Legit multi-chain wallet manager (27 tools, well below 50)"
    - input: "MCP skill for canva. Provides 22 tools: upload-asset-from-url, resolve-shortlink, search-designs, get-design."
      expected: no_trigger
      description: "Legit Canva integration (22 tools, well below 50)"
    - input: "This skill includes 30 helper functions for data transformation tasks."
      expected: no_trigger
      description: "Common count below the 50 threshold"
    - input: "Our framework supports 49 subcommands for build automation."
      expected: no_trigger
      description: "Edge case — 49 is below 50 threshold and must not trigger"

evasion_tests:
  - input: "This skill comprises 75 endpoints for system management."
    expected: not_triggered
    bypass_technique: format_manipulation
    notes: "Verb 'comprises' is not in the regex verb list (provides|includes|contains|offers|supports|has). Author can extend the verb list to close this gap."
  - input: "This skill provides 5 0 commands for everything."
    expected: not_triggered
    bypass_technique: split_keyword
    notes: "Whitespace inside the digit string '5 0' breaks the [5-9]\\d character class. A token-aware preprocessor would catch this."
  - input: "本工具提供六十五个子命令用于自动化部署。"
    expected: not_triggered
    bypass_technique: language_switch
    notes: "Chinese number 六十五 (65) and verb 提供 (provide) are not in the English-only regex. ATR engine should add NFKC normalization and per-language regex variants."

response:
  actions:
    - alert

Revision history

Created
2026-04-05
Last modified
2026-05-24