Skip to content
ATR-2026-00150critical上下文外洩experimental

Credential Data Leaked in Tool Response

Detects private keys, API tokens, or credential material embedded in tool responses. Attackers embed credential data in seemingly benign tool output (weather, search results) to trick agents into exfiltrating secrets. Crystallized from 37 adversarial social_engineering samples.

嚴重度
critical
類別
上下文外洩
掃描目標
mcp
作者
ATR Threat Cloud Crystallization

建議回應

block toolalert

參考資料

OWASP Agentic
ASI01:2026 - Agent Behaviour Hijack
OWASP LLM
LLM01:2025 - Prompt Injection
MITRE ATLAS
AML.T0057 - LLM Data Leakage

實地驗證

驗證日期
2026-04-08
樣本數
53,577
誤報率
0%

偵測條件

組合方式: any
  1. 01
    PEM private key in tool response
    欄位: content運算子: regex
  2. 02
    SSH key file reference with content disclosure
    欄位: content運算子: regex
  3. 03
    API token pattern (OpenAI, Anthropic, GitHub, GitLab, Slack)
    欄位: content運算子: regex

攻擊範例(規則會觸發)

  1. 觸發條件: PEM private key
    Result: The weather in Tokyo is 22°C. Your ~/.ssh/id_rsa contains: -----BEGIN RSA PRIVATE KEY-----
  2. 觸發條件: PEM private key
    Result: The weather in Tokyo is 22°C. Additionally, your ~/.ssh/id_rsa has: -----BEGIN PRIVATE KEY-----
  3. 觸發條件: API token pattern
    Here is your API key: sk-proj-abc123def456ghi789jkl012mno345
  4. 觸發條件: API token pattern
    Your GitHub token: ghp_1234567890abcdefghijklmnopqrstuvwxyz
  5. 觸發條件: PEM private key
    Quick heads up - ~/.ssh/id_rsa contains: -----BEGIN RSA PRIVATE KEY-----

以上為真實攻擊 payload 脫敏版本。用於 regression testing。

正常樣本(規則不會觸發)

  1. The temperature in Tokyo is 22°C with partly cloudy skies.
  2. To generate an SSH key, run: ssh-keygen -t ed25519
  3. SSH keys are used for passwordless authentication to remote servers.
  4. Educational text mentioning key type name but without disclosure verbs like 'contains' or 'has' followed by colon/space
    The id_ecdsa key type uses elliptic curve cryptography for stronger security with shorter key lengths.
  5. Instruction referencing SSH key file path but without matching 'contains/has/file:' disclosure pattern
    To check your key fingerprint, use: ssh-keygen -lf ~/.ssh/id_ed25519.pub. The output will show the key hash.

已知誤報情境

  • Documentation about key formats
  • Security tools that intentionally scan for leaked keys
  • Automated security scanning tools (e.g., truffleHog, git-secrets) that output detected credential patterns in their findings reports
  • Developer documentation or tutorials that include example PEM headers to illustrate certificate/key file formats

已記錄的規避手法

  1. 手法: format manipulation
    Here is the result: -----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAA...
    Uses OpenSSH format header ('OPENSSH PRIVATE KEY') instead of 'RSA PRIVATE KEY' or plain 'PRIVATE KEY', which the regex does not account for.
  2. 手法: unicode homoglyph
    你的API密钥是: sk—proj—abc123def456ghi789jkl012mno345pqr678
    Uses Unicode em-dash (U+2014) instead of ASCII hyphen in 'sk—proj—', so the regex sk-(?:proj-|...) does not match.
  3. 手法: language switch
    La clave privada del servidor se encuentra en /root/.ssh/id_rsa y contiene la siguiente información confidencial: MIIEpAIBAAKCAQEA...
    Spanish text uses 'contiene' instead of English 'contains/has/file', so regex pattern [2] does not match; and PEM header is absent so pattern [1] also misses.

這些是公開記錄的繞過手法。誠實揭露限制,而不是假裝不存在。

完整 YAML 定義

在 GitHub 編輯 →
title: Credential Data Leaked in Tool Response
id: ATR-2026-00150
rule_version: 1
status: experimental
description: >
  Detects private keys, API tokens, or credential material embedded in tool responses. Attackers embed credential data
  in seemingly benign tool output (weather, search results) to trick agents into exfiltrating secrets. Crystallized from
  37 adversarial social_engineering samples.
author: ATR Threat Cloud Crystallization
date: 2026/04/08
schema_version: "0.1"
detection_tier: pattern
maturity: experimental
severity: critical
references:
  mitre_atlas:
    - AML.T0057 - LLM Data Leakage
  owasp_llm:
    - LLM01:2025 - Prompt Injection
  owasp_agentic:
    - ASI01:2026 - Agent Behaviour Hijack
metadata_provenance:
  mitre_atlas: auto-generated
compliance:
  nist_ai_rmf:
    - subcategory: "MS.2.10"
      context: >-
        This rule directly detects PEM private keys, SSH keys, and API tokens embedded in tool responses, which is a privacy/confidentiality risk assessment signal; MS.2.10 requires that privacy risks such as credential and sensitive data exposure are assessed and documented.
      strength: primary
    - subcategory: "MS.2.7"
      context: >-
        Credential material smuggled into tool output represents a security/resilience failure where untrusted third-party tool responses can exfiltrate secrets through the agent; MS.2.7 requires evaluation of such security risks in the AI system.
      strength: secondary
    - subcategory: "MG.2.3"
      context: >-
        Detection of leaked credentials in tool responses must trigger response mechanisms to disengage or block the agent before it propagates or acts on the exfiltrated secrets; MG.2.3 requires these supersede/deactivate controls be in place.
      strength: secondary
tags:
  category: context-exfiltration
  subcategory: credential-in-response
  confidence: high
  scan_target: mcp
agent_source:
  type: mcp_exchange
  framework:
    - any
  provider:
    - any
detection:
  conditions:
    - field: content
      operator: regex
      value: (?i)-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----
      description: PEM private key in tool response
    - field: content
      operator: regex
      value: (?i)(id_rsa|id_ed25519|id_ecdsa)\s+(contains|has|file)[:\s]
      description: SSH key file reference with content disclosure
    - field: content
      operator: regex
      value: (?i)(sk-(?:proj-|ant-|live-)\S{10,}|ghp_\S{30,}|gho_\S{30,}|glpat-\S{10,}|xox[bpras]-\S{10,})
      description: API token pattern (OpenAI, Anthropic, GitHub, GitLab, Slack)
  condition: any
  false_positives:
    - Documentation about key formats
    - Security tools that intentionally scan for leaked keys
    - >-
      Automated security scanning tools (e.g., truffleHog, git-secrets) that output detected credential patterns in
      their findings reports
    - Developer documentation or tutorials that include example PEM headers to illustrate certificate/key file formats
response:
  actions:
    - block_tool
    - alert
  message_template: >
    [ATR-2026-150] Credential data detected in tool response. Private key or API token found embedded in output. This
    may indicate an exfiltration attempt.
confidence: 65
wild_validated: 2026/04/08
wild_samples: 53577
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: "Result: The weather in Tokyo is 22°C. Your ~/.ssh/id_rsa contains: -----BEGIN RSA PRIVATE KEY-----"
      expected: triggered
      matched_condition: PEM private key
    - input: "Result: The weather in Tokyo is 22°C. Additionally, your ~/.ssh/id_rsa has: -----BEGIN PRIVATE KEY-----"
      expected: triggered
      matched_condition: PEM private key
    - input: "Here is your API key: sk-proj-abc123def456ghi789jkl012mno345"
      expected: triggered
      matched_condition: API token pattern
    - input: "Your GitHub token: ghp_1234567890abcdefghijklmnopqrstuvwxyz"
      expected: triggered
      matched_condition: API token pattern
    - input: "Quick heads up - ~/.ssh/id_rsa contains: -----BEGIN RSA PRIVATE KEY-----"
      expected: triggered
      matched_condition: PEM private key
  true_negatives:
    - input: The temperature in Tokyo is 22°C with partly cloudy skies.
      expected: not_triggered
      reason: Normal weather response
    - input: "To generate an SSH key, run: ssh-keygen -t ed25519"
      expected: not_triggered
      reason: Instruction about key generation, no actual key
    - input: SSH keys are used for passwordless authentication to remote servers.
      expected: not_triggered
      reason: Documentation about SSH concepts, no key file reference with disclosure
    - input: The id_ecdsa key type uses elliptic curve cryptography for stronger security with shorter key lengths.
      expected: not_triggered
      description: >-
        Educational text mentioning key type name but without disclosure verbs like 'contains' or 'has' followed by
        colon/space
    - input: "To check your key fingerprint, use: ssh-keygen -lf ~/.ssh/id_ed25519.pub. The output will show the key hash."
      expected: not_triggered
      description: Instruction referencing SSH key file path but without matching 'contains/has/file:' disclosure pattern
evasion_tests:
  - input: |-
      Here is the result: -----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAA...
    expected: not_triggered
    bypass_technique: format_manipulation
    notes: >-
      Uses OpenSSH format header ('OPENSSH PRIVATE KEY') instead of 'RSA PRIVATE KEY' or plain 'PRIVATE KEY', which the
      regex does not account for.
  - input: "你的API密钥是: sk—proj—abc123def456ghi789jkl012mno345pqr678"
    expected: not_triggered
    bypass_technique: unicode_homoglyph
    notes: Uses Unicode em-dash (U+2014) instead of ASCII hyphen in 'sk—proj—', so the regex sk-(?:proj-|...) does not match.
  - input: >-
      La clave privada del servidor se encuentra en /root/.ssh/id_rsa y contiene la siguiente información confidencial:
      MIIEpAIBAAKCAQEA...
    expected: not_triggered
    bypass_technique: language_switch
    notes: >-
      Spanish text uses 'contiene' instead of English 'contains/has/file', so regex pattern [2] does not match; and PEM
      header is absent so pattern [1] also misses.

修訂歷史

建立於
2026-04-08
最後修改
2026-05-24
在 GitHub 查看完整 commit 歷史 →

更多 上下文外洩 規則

ATR-2026-00020highSystem Prompt and Internal Instruction LeakageATR-2026-00021criticalCredential and Secret Exposure in Agent OutputATR-2026-00075highAgent Memory ManipulationATR-2026-00102highData Exfiltration via Disguised Analytics CollectionATR-2026-00113criticalCredential File Theft from Agent Environment