@blamejs/exceptd-skills 0.12.11 → 0.12.15

package/scripts/validate-vendor-online.js

@@ -0,0 +1,169 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * scripts/validate-vendor-online.js — Audit G F6.
+ *
+ * Optional, network-touching companion to lib/validate-vendor.js. For every
+ * file recorded in vendor/blamejs/_PROVENANCE.json, fetches the upstream
+ * blob from github.com/<source_repo>/blob/<pinned_commit>/<upstream_path>
+ * (via the raw.githubusercontent.com mirror), hashes it, and compares the
+ * result against the `upstream_sha256_at_pin` recorded in _PROVENANCE.json.
+ *
+ * This catches the class where _PROVENANCE.json was hand-edited to
+ * advertise a `upstream_sha256_at_pin` that does not actually match what
+ * upstream had at that commit. lib/validate-vendor.js only checks that the
+ * local vendored file matches its own recorded hash — that's self-attesting.
+ * This script extends the check to upstream, closing the gap.
+ *
+ * Not part of `npm run predeploy` by default — the predeploy gate sequence
+ * must remain network-independent (offline gates only). Run manually:
+ *
+ *   node scripts/validate-vendor-online.js
+ *   node scripts/validate-vendor-online.js --timeout 30000
+ *   node scripts/validate-vendor-online.js --json
+ *
+ * Exit codes:
+ *   0  every vendored file's upstream_sha256_at_pin matched upstream
+ *   1  at least one mismatch
+ *   2  runtime / network error
+ *
+ * Zero npm deps. Node 24 stdlib only.
+ */
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+const https = require("https");
+
+const ROOT = path.join(__dirname, "..");
+const PROV_PATH = path.join(ROOT, "vendor", "blamejs", "_PROVENANCE.json");
+
+function parseArgs(argv) {
+  const out = { timeoutMs: 15000, json: false };
+  for (let i = 2; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--timeout") out.timeoutMs = Number(argv[++i]) || out.timeoutMs;
+    else if (a === "--json") out.json = true;
+    else if (a === "--help" || a === "-h") {
+      process.stdout.write(
+        "Usage: node scripts/validate-vendor-online.js [--timeout <ms>] [--json]\n"
+      );
+      process.exit(0);
+    } else {
+      process.stderr.write(`Unknown argument: ${a}\n`);
+      process.exit(2);
+    }
+  }
+  return out;
+}
+
+function rawUrlForPin(sourceRepo, commit, upstreamPath) {
+  // Translate https://github.com/owner/repo → raw.githubusercontent.com/owner/repo
+  // sourceRepo may end in .git; strip it. Tolerate trailing slash.
+  const m = (sourceRepo || "").match(
+    /^https?:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/
+  );
+  if (!m) return null;
+  const [, owner, repo] = m;
+  const cleanPath = String(upstreamPath || "").replace(/^\/+/, "");
+  return `https://raw.githubusercontent.com/${owner}/${repo}/${commit}/${cleanPath}`;
+}
+
+const MAX_REDIRECTS = 5;
+
+function fetchBuffer(url, timeoutMs, redirectsLeft = MAX_REDIRECTS) {
+  return new Promise((resolve, reject) => {
+    const req = https.get(url, (res) => {
+      // v0.12.14 (codex P2): cap redirect hops. A redirect loop (or a
+      // hostile / mis-configured upstream that keeps returning 3xx with
+      // Location pointing back to itself) used to recurse until stack
+      // overflow or hang. Now: count hops, fail clean on exhaustion.
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        res.resume();
+        if (redirectsLeft <= 0) {
+          return reject(new Error(`exceeded ${MAX_REDIRECTS} redirects fetching ${url}`));
+        }
+        return resolve(fetchBuffer(res.headers.location, timeoutMs, redirectsLeft - 1));
+      }
+      if (res.statusCode !== 200) {
+        res.resume();
+        return reject(new Error(`HTTP ${res.statusCode} for ${url}`));
+      }
+      const chunks = [];
+      res.on("data", (c) => chunks.push(c));
+      res.on("end", () => resolve(Buffer.concat(chunks)));
+      res.on("error", reject);
+    });
+    req.on("error", reject);
+    req.setTimeout(timeoutMs, () => {
+      req.destroy(new Error(`timeout after ${timeoutMs}ms fetching ${url}`));
+    });
+  });
+}
+
+async function main() {
+  const opts = parseArgs(process.argv);
+  if (!fs.existsSync(PROV_PATH)) {
+    process.stderr.write(`vendor/blamejs/_PROVENANCE.json missing\n`);
+    process.exitCode = 2;
+    return;
+  }
+  const prov = JSON.parse(fs.readFileSync(PROV_PATH, "utf8"));
+  const sourceRepo = prov.source_repo;
+  const pinnedCommit = prov.pinned_commit;
+  if (!sourceRepo || !pinnedCommit) {
+    process.stderr.write(`_PROVENANCE.json missing source_repo or pinned_commit\n`);
+    process.exitCode = 2;
+    return;
+  }
+
+  const findings = [];
+  for (const [name, info] of Object.entries(prov.files || {})) {
+    const url = rawUrlForPin(sourceRepo, pinnedCommit, info.upstream_path);
+    if (!url) {
+      findings.push({ name, ok: false, reason: `cannot compute raw URL for ${sourceRepo}` });
+      continue;
+    }
+    try {
+      const buf = await fetchBuffer(url, opts.timeoutMs);
+      const sha = crypto.createHash("sha256").update(buf).digest("hex");
+      if (info.upstream_sha256_at_pin && sha !== info.upstream_sha256_at_pin) {
+        findings.push({
+          name,
+          ok: false,
+          reason:
+            `upstream sha mismatch: recorded ${String(info.upstream_sha256_at_pin).slice(0, 12)}…, ` +
+            `live ${sha.slice(0, 12)}…`,
+          url,
+        });
+      } else {
+        findings.push({ name, ok: true, sha, url });
+      }
+    } catch (e) {
+      findings.push({ name, ok: false, reason: `fetch failed: ${e.message}`, url });
+    }
+  }
+
+  const failed = findings.filter((f) => !f.ok);
+  if (opts.json) {
+    process.stdout.write(JSON.stringify({ ok: failed.length === 0, findings }, null, 2) + "\n");
+  } else {
+    for (const f of findings) {
+      if (f.ok) process.stdout.write(`PASS  ${f.name}  ${f.sha.slice(0, 12)}…\n`);
+      else process.stdout.write(`FAIL  ${f.name}  ${f.reason}\n`);
+    }
+    process.stdout.write(
+      `\n${findings.length - failed.length}/${findings.length} vendored files match upstream pin.\n`
+    );
+  }
+  process.exitCode = failed.length === 0 ? 0 : 1;
+}
+
+if (require.main === module) {
+  main().catch((e) => {
+    process.stderr.write(`runtime error: ${e.message}\n`);
+    process.exitCode = 2;
+  });
+}
+
+module.exports = { rawUrlForPin, fetchBuffer };

package/scripts/verify-shipped-tarball.js

@@ -18,6 +18,20 @@
  * The bug was invisible because CI's verify ran against the SOURCE tree,
  * not the shipped tarball. This gate closes that gap.
  *
+ * Audit G:
+ *   F9  — After the first-pass extraction (using the source-tree parseTar),
+ *         re-parse the tarball using the parseTar shipped INSIDE the
+ *         extracted tree itself. If the two parses disagree, fail with a
+ *         structured error. Catches the class where the shipped parser
+ *         silently rejects entries the source parser accepts (or vice
+ *         versa), which would mean operators run a different extractor
+ *         than CI exercised.
+ *   F15 — Invoke `npm pack --offline` so the gate cannot be blocked by
+ *         registry reachability problems during predeploy.
+ *   F4  — Cross-check the extracted public.pem against
+ *         keys/EXPECTED_FINGERPRINT (warn-and-continue when missing, fail
+ *         when present-but-mismatched and KEYS_ROTATED != 1).
+ *
  * Exit codes:
  *   0  verify passed against the packed tarball
  *   1  verify failed against the packed tarball (the bug class above)
@@ -42,7 +56,10 @@ function fail(msg, code = 1) {
 const tmpRoot = fs.mkdtempSync(path.join(os.tmpdir(), "verify-shipped-"));
 try {
   emit(`packing into ${tmpRoot} ...`);
-  const pack = spawnSync("npm", ["pack", "--pack-destination", tmpRoot], {
+  // F15 — pass --offline. Predeploy must run without registry
+  // reachability; `npm pack` does not need the network for a local
+  // package and forcing offline mode hard-locks the assumption.
+  const pack = spawnSync("npm", ["pack", "--offline", "--pack-destination", tmpRoot], {
     cwd: ROOT,
     encoding: "utf8",
     shell: process.platform === "win32",
@@ -60,10 +77,10 @@ try {
   const extractDir = path.join(tmpRoot, "extract");
   fs.mkdirSync(extractDir, { recursive: true });
   const zlib = require("zlib");
-  const { parseTar } = require(path.join(ROOT, "lib", "refresh-network.js"));
+  const { parseTar: parseTarSource } = require(path.join(ROOT, "lib", "refresh-network.js"));
   const tgz = fs.readFileSync(tarballPath);
   const tarBuf = zlib.gunzipSync(tgz);
-  const entries = parseTar(tarBuf);
+  const entries = parseTarSource(tarBuf);
   for (const e of entries) {
     if (!e.name) continue;
     const dst = path.join(extractDir, e.name);
@@ -77,6 +94,65 @@ try {
   }
   emit(`extracted to ${pkgRoot}`);
 
+  // Audit G F9 — load the extracted tree's OWN parseTar and re-parse the
+  // tarball. If the two parsers diverge on entry list or content, the
+  // gate trips: this means CI exercised a different parser than operators
+  // will. Defense against drift between source and shipped tarball when
+  // someone edits lib/refresh-network.js without re-vendoring or vice
+  // versa.
+  const shippedParserPath = path.join(pkgRoot, "lib", "refresh-network.js");
+  if (!fs.existsSync(shippedParserPath)) {
+    fail(`extracted tree missing lib/refresh-network.js (cannot run F9 cross-parse check)`, 2);
+  }
+  let parseTarShipped;
+  try {
+    parseTarShipped = require(shippedParserPath).parseTar;
+  } catch (e) {
+    fail(`failed to load extracted parseTar: ${e.message}`, 2);
+  }
+  if (typeof parseTarShipped !== "function") {
+    fail(`extracted lib/refresh-network.js does not export parseTar`, 2);
+  }
+  const shippedEntries = parseTarShipped(tarBuf);
+  // Compare counts first — fast bailout.
+  const divergences = [];
+  if (shippedEntries.length !== entries.length) {
+    divergences.push(
+      `entry count divergence: source-tree parser produced ${entries.length}, ` +
+      `shipped parser produced ${shippedEntries.length}`
+    );
+  } else {
+    // Walk in parallel; tarball entry order is deterministic so positional
+    // compare is correct. Compare name + byte length + body bytes.
+    for (let i = 0; i < entries.length; i++) {
+      const a = entries[i];
+      const b = shippedEntries[i];
+      if (a.name !== b.name) {
+        divergences.push(`entry[${i}] name mismatch: source=${a.name} shipped=${b.name}`);
+        continue;
+      }
+      const aBuf = Buffer.isBuffer(a.body) ? a.body : Buffer.from(a.body);
+      const bBuf = Buffer.isBuffer(b.body) ? b.body : Buffer.from(b.body);
+      if (aBuf.length !== bBuf.length || !aBuf.equals(bBuf)) {
+        divergences.push(
+          `entry[${i}] (${a.name}) body bytes differ between source-tree and shipped parser ` +
+          `(source ${aBuf.length} bytes vs shipped ${bBuf.length} bytes)`
+        );
+      }
+    }
+  }
+  if (divergences.length > 0) {
+    emit(`*** F9: parseTar divergence between source-tree and shipped tree ***`);
+    for (const d of divergences.slice(0, 5)) emit(`  - ${d}`);
+    if (divergences.length > 5) emit(`  ... and ${divergences.length - 5} more`);
+    fail(
+      `parseTar implementations diverge between source tree and shipped tarball. ` +
+      `Operators will run a different extractor than CI exercised. Refusing to publish.`,
+      1
+    );
+  }
+  emit(`F9: source-tree and shipped parseTar agree on ${entries.length} entries`);
+
   // Run the verifier inline against the extracted package tree. This avoids
   // having to spawn a separate process whose cwd resolution differs across
   // platforms.
@@ -108,6 +184,33 @@ try {
     emit(`*** Something between sign and pack is swapping the key. Verify will fail below. ***`);
   }
 
+  // Audit G F4 — key-pin cross-check against the EXTRACTED tree. The pin
+  // is consumed from keys/EXPECTED_FINGERPRINT in the extracted package —
+  // that's the file operators will actually receive on `npm install`.
+  // Warn when absent, fail when present-but-mismatched (unless KEYS_ROTATED).
+  const expectedFpPath = path.join(pkgRoot, "keys", "EXPECTED_FINGERPRINT");
+  if (fs.existsSync(expectedFpPath)) {
+    const raw = fs.readFileSync(expectedFpPath, "utf8").trim();
+    const firstLine = raw.split(/\r?\n/).map((l) => l.trim()).find((l) => l.length > 0) || "";
+    const liveFpLine = `SHA256:${pubFp}`;
+    if (firstLine !== liveFpLine) {
+      if (process.env.KEYS_ROTATED === "1") {
+        emit(`WARN: extracted public.pem fingerprint ${liveFpLine} differs from pin ${firstLine}; KEYS_ROTATED=1 accepted`);
+      } else {
+        fail(
+          `keys/EXPECTED_FINGERPRINT (${firstLine}) does not match the extracted ` +
+          `public.pem fingerprint (${liveFpLine}). If this is an intentional rotation ` +
+          `set KEYS_ROTATED=1 and commit the new pin.`,
+          1
+        );
+      }
+    } else {
+      emit(`F4: key pin verified — ${liveFpLine} matches keys/EXPECTED_FINGERPRINT`);
+    }
+  } else {
+    emit(`WARN: keys/EXPECTED_FINGERPRINT not in extracted tree — key-pin check skipped`);
+  }
+
   let pass = 0, miss = 0, fail_count = 0;
   const failures = [];
   for (const s of (manifest.skills || [])) {

package/skills/ai-attack-surface/skill.md

@@ -63,7 +63,7 @@ The AI attack surface is not speculative. It is actively exploited. The followin
 
 ### 1. Prompt Injection as Enterprise RCE
 
-**CVE-2025-53773** — Hidden prompt injection in GitHub Copilot PR descriptions enabling RCE. CVSS 9.6. The attack embeds adversarial instructions in GitHub PR descriptions. When a developer uses GitHub Copilot to review or summarize the PR, the injected instructions execute in the context of the developer's session, enabling remote code execution.
+**CVE-2025-53773** — Hidden prompt injection in GitHub Copilot agent mode coerces the assistant to write `"chat.tools.autoApprove": true` into `.vscode/settings.json`, flipping every subsequent tool call into auto-approval. CVSS 7.8 (AV:L — local-vector through developer-side IDE interaction; RWEP 30). The attack embeds adversarial instructions in any agent-readable content (source comments, README, PR descriptions, retrieved docs, MCP tool responses). Once the YOLO-mode flag lands, the next shell tool call executes attacker-chosen commands in the developer's user context.
 
 This is not a chatbot trick. This is enterprise RCE via a developer tool used by hundreds of millions of developers. The attack surface is any system that:
 - Feeds external content (user input, web content, documents, PR descriptions, emails, calendar events) into an LLM prompt
@@ -71,13 +71,13 @@ This is not a chatbot trick. This is enterprise RCE via a developer tool used by
 
 **Attack success rates against SOTA defenses:** A 2026 meta-analysis of 78 studies found adaptive prompt injection strategies succeed against state-of-the-art defenses at rates exceeding 85%. No current framework has adequate controls for this.
 
-**ATLAS ref:** AML.T0054 (Craft Adversarial Data — NLP)
+**ATLAS ref:** AML.T0054 (LLM Jailbreak) and AML.T0051 (LLM Prompt Injection)
 
 ### 2. MCP Supply Chain — Architectural RCE
 
 The Model Context Protocol (MCP) introduced an architectural vulnerability affecting every major AI coding assistant: Cursor, VS Code + GitHub Copilot, Windsurf, Claude Code, Gemini CLI.
 
-**CVE-2026-30615** — Windsurf. Zero user interaction required. The vulnerability allows a malicious MCP server (or a compromised legitimate MCP server) to execute arbitrary code in the context of the AI assistant. 150M+ affected downloads.
+**CVE-2026-30615** — Windsurf MCP. CVSS 8.0 (AV:L — local-vector RCE requiring attacker-controlled HTML the MCP client processes; RWEP 35). The vulnerability allows a malicious or compromised MCP server to drive code execution in the context of the AI assistant once a victim installs it. 150M+ combined downloads across MCP-capable assistants share the same architectural attack surface.
 
 This is a supply chain attack surface. Every MCP server a user installs is a potential RCE vector. Trust boundaries that exist for npm packages do not exist for MCP servers because most MCP clients do not enforce signed manifests or tool allowlists.
 
@@ -89,13 +89,13 @@ This is a supply chain attack surface. Every MCP server a user installs is a pot
 
 The implication: the time between a vulnerability's introduction into a codebase and its reliable exploitation has compressed from months or years to hours or days for AI-capable threat actors. Patch management SLAs designed for human-speed exploit development are structurally inadequate.
 
-**ATLAS ref:** AML.T0017 (Develop Capabilities)
+**ATLAS ref:** AML.T0016 (Obtain Capabilities: Develop Capabilities)
 
 ### 4. AI Credential Phishing Acceleration
 
 Credential theft driven by AI increased 160% in 2025. 82.6% of phishing emails now contain AI-generated content undetectable by grammar/style checks. Traditional phishing detection heuristics (poor grammar, unusual phrasing, template patterns) are no longer reliable detectors.
 
-**ATLAS ref:** AML.T0018 (Acquire Public ML Artifacts — misuse of generation capability)
+**ATLAS ref:** AML.T0016 (Obtain Capabilities: Develop Capabilities — misuse of public AI APIs to generate phishing payloads)
 
 ### 5. AI as Covert C2 — SesameOp
 
@@ -127,6 +127,14 @@ Training pipeline targeting has moved beyond data injection to directly biasing
 
 AI-assisted reconnaissance is observed at 36,000 probes per second per campaign. Traditional rate-based detection (100–1,000 req/s threshold alerts) does not fire at legitimate-looking distributed AI-directed probe rates until significant reconnaissance has already occurred.
 
+### 10. LLM-Gateway Credential Theft as AI Attack Surface
+
+**CVE-2026-42208** — BerriAI LiteLLM Proxy authorization-header SQL injection (CVSS 9.8 / CVSS v4 9.3 / CISA KEV-listed 2026-05-08, due 2026-05-29). LiteLLM is the open-source LLM-API gateway used in front of agent stacks, MCP-server fronts, and multi-model proxy deployments — exactly the trust hinge that this skill's threat-context section treats as the credential boundary for hosted-model use. The proxy concatenated an attacker-controlled `Authorization` header value into a SQL query in the error-logging path, so a single curl-able POST against `/chat/completions` with a SQL-injection payload returns the managed-credentials DB content without prior auth. Patched in 1.83.7+; temporary workaround `general_settings: disable_error_logs: true`. Any organisation whose AI attack-surface inventory treats the LLM gateway as "just a reverse proxy" misses that the gateway holds every downstream model-provider credential.
+
+### 11. AI-Discovered + AI-Weaponized Supply-Chain Worms
+
+**CVE-2026-45321** — Mini Shai-Hulud TanStack npm worm (CVSS 9.6, ~150M weekly downloads across 42 @tanstack/* packages, CISA KEV pending). Disclosed 2026-05-11. The attack chain — Pwn-Request via `pull_request_target` on TanStack's bundle-size workflow, pnpm-store cache poisoning under the `actions/cache` key, and OIDC-token theft on the next main push — is engineering-grade and weaponizes three independently-benign primitives. While attribution (TeamPCP) records no AI-assisted exploit development for this specific instance, the worm pattern is exactly what AML.T0016-class capability-development now produces at AI cadence: chained CI/CD primitives that no individual component owner recognises as exploitable. Treat the @tanstack/* surface as an exemplar of the broader AML.T0010 (ML Supply Chain Compromise) threat applied to JS toolchains that the AI assistant ecosystem depends on.
+
 ---
 
 ## Framework Lag Declaration
@@ -150,14 +158,14 @@ AI-assisted reconnaissance is observed at 36,000 probes per second per campaign.
 
 | ATLAS ID | Technique | Framework Coverage | Gap Description | Exploitation Example |
 |---|---|---|---|---|
-| AML.T0054 | Craft Adversarial Data — NLP | Missing in all major frameworks | No control covers adversarial text injection into LLM prompts | CVE-2025-53773 (GitHub Copilot RCE) |
+| AML.T0054 | LLM Jailbreak | Missing in all major frameworks | No control covers adversarial-instruction injection that bypasses guardrails and coerces the model into attacker-chosen actions | CVE-2025-53773 (GitHub Copilot YOLO-mode RCE) |
 | AML.T0010 | ML Supply Chain Compromise | Partial (ISO A.8.30) | A.8.30 covers outsourced development; does not cover MCP server trust, package signing for AI tools | CVE-2026-30615 (Windsurf MCP) |
 | AML.T0096 | LLM Integration Abuse (C2) | Missing in all major frameworks | No framework has a control for AI API traffic as C2 channel | SesameOp campaign |
 | AML.T0020 | Poison Training Data | Partial (NIST AI RMF) | NIST AI RMF identifies the risk; no specific technical control | Supply chain logistics model poisoning |
 | AML.T0043 | Craft Adversarial Data | Partial (SI-10) | SI-10 covers web input validation; not semantic injection in LLM prompts | RAG vector manipulation |
 | AML.T0051 | LLM Prompt Injection | Missing in all major frameworks | Zero controls in NIST, ISO, SOC 2, PCI for prompt injection | CVE-2025-53773, indirect injection via retrieved docs |
-| AML.T0017 | Develop Capabilities | Partial (awareness only) | No framework requires monitoring for AI-assisted exploit development against the org | Copy Fail AI discovery, 41% of 2025 0-days |
-| AML.T0016 | Acquire Public ML Artifacts | Missing (misuse dimension) | Frameworks don't address adversary use of public AI APIs for reconnaissance/attack | PROMPTFLUX, PROMPTSTEAL, phishing generation |
+| AML.T0017 | Discover ML Model Ontology | Partial (awareness only) | No framework requires monitoring for adversary mapping of deployed model family, guardrail surface, or system-prompt structure via inference-API probing | Reconnaissance step preceding PROMPTSTEAL-class targeting; AML-model registry exposure |
+| AML.T0016 | Obtain Capabilities: Develop Capabilities | Missing (misuse dimension) | Frameworks don't address adversary AI-assisted exploit development or use of public AI APIs to craft malware/phishing payloads | Copy Fail AI discovery (41% of 2025 0-days), PROMPTFLUX, PROMPTSTEAL, phishing generation |
 | AML.T0018 | Backdoor ML Model | Partial (NIST AI RMF) | No technical control requirements for model integrity verification | Training pipeline poisoning |
 
 ---
@@ -166,8 +174,8 @@ AI-assisted reconnaissance is observed at 36,000 probes per second per campaign.
 
 | Vulnerability | CVSS | RWEP | KEV | PoC | AI-Accelerated | Active Exploitation |
 |---|---|---|---|---|---|---|
-| CVE-2025-53773 (Copilot prompt injection RCE) | 9.6 | 91 | No | Yes — demonstrated | Yes (AI tooling enables) | Suspected |
-| CVE-2026-30615 (Windsurf MCP RCE) | 9.8 | 94 | No | Partial | No | Suspected |
+| CVE-2025-53773 (Copilot YOLO-mode RCE) | 7.8 | 30 | No | Yes — demonstrated | Yes (AI tooling enables) | Suspected |
+| CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | No | Partial | No | Suspected |
 | SesameOp (AI C2 technique) | N/A | N/A | N/A | Yes (ATLAS documented) | Yes | Confirmed campaign |
 | PROMPTFLUX family | N/A | N/A | N/A | Behavioral signatures | Yes | Active |
 | PROMPTSTEAL family | N/A | N/A | N/A | Behavioral signatures | Yes | Active |

package/skills/ai-c2-detection/skill.md

@@ -324,7 +324,8 @@ level: medium
 | ID | Source | Technique | C2 Relevance | Gap Flag — Which Detection Control Fails |
 |---|---|---|---|---|
 | AML.T0096 | ATLAS v5.1.0 | LLM API as covert C2 / LLM Integration Abuse | Direct: SesameOp encodes commands and exfiltrated data in prompt and completion fields against api.openai.com, api.anthropic.com, generativelanguage.googleapis.com. AI provider domain is the relay, not the attacker C2 endpoint. | NIST-800-53-SC-7 (Boundary Protection) — AI provider domains are allowlisted in most enterprise egress for legitimate developer and product use, so boundary inspection cannot distinguish benign developer prompts from C2-encoded prompts. See SC-7 entry in `data/framework-control-gaps.json` — real requirement is SDK-level prompt logging with identity binding, anomaly detection on prompt-shape and token-volume, and an allowlist that enumerates the sanctioned business reason per identity. Boundary-only SC-7 evidence is incomplete for any org with AI API access in production. |
-| AML.T0017 | ATLAS v5.1.0 | Develop Capabilities — including adversary use of inference APIs to develop/refine attack capability (and model exfiltration via inference API where applicable) | PROMPTFLUX queries public LLMs to generate per-execution evasion code; PROMPTSTEAL uses LLMs to prioritise exfiltration targets. The inference API is doing capability-development work for the adversary in real time. | NIST-800-53-SI-3 fails — there is no static signature for code generated per-event by a public LLM. NIST-800-53-SI-4 fails as commonly deployed — no AI-API behavioural baseline per process/identity. |
+| AML.T0017 | ATLAS v5.1.0 | Discover ML Model Ontology — adversary maps the deployed LLM's family, system-prompt structure, guardrail surface via inference-API probing | PROMPTFLUX queries public LLMs to generate per-execution evasion code; PROMPTSTEAL uses LLMs to prioritise exfiltration targets — both depend on first discovering what the target model will answer. The inference API is the discovery surface. | NIST-800-53-SI-3 fails — there is no static signature for code generated per-event by a public LLM. NIST-800-53-SI-4 fails as commonly deployed — no AI-API behavioural baseline per process/identity. |
+| AML.T0016 | ATLAS v5.1.0 | Obtain Capabilities: Develop Capabilities — adversary use of inference APIs to generate / refine malware, evasion, phishing payloads | PROMPTFLUX and PROMPTSTEAL both consume public LLMs as a real-time capability-development service. The inference API is doing weaponization work for the adversary. | NIST-800-53-SI-3 fails for the same reason. SC-7 boundary control treats the AI provider as allowlisted SaaS. |
 | T1071 | ATT&CK | Application Layer Protocol (C2) | AI C2 traffic is standard HTTPS REST to api.openai.com or equivalent. Application-protocol C2 detection that looks for DGA, unusual TLS, or beaconing does not fire. | SC-7 boundary control sees only the destination domain (allowlisted) — no protocol anomaly to alert on. Detection requires identity-bound prompt content inspection, which SC-7 as written does not require. |
 | T1102 | ATT&CK | Web Service (C2 via legitimate web service) | AI API endpoints are exactly the "legitimate web service used as C2" pattern that T1102 describes — but at scale and pre-allowlisted in nearly every enterprise. | SOC 2 CC7 anomaly-detection control: AI API traffic shares the SaaS blind spot — typically not baselined per process or identity. ISO 27001 A.8.16 monitoring activities: no guidance for AI-API-shaped traffic. |
 | T1568 | ATT&CK | Dynamic Resolution | AI provider responses can carry encoded instructions that dynamically determine the next-hop behaviour for the malware (effectively model-mediated dynamic resolution of the next attacker instruction). | No standard DNS-tunnelling or DGA detection applies — the "resolution" happens inside an HTTPS payload to a trusted endpoint. SC-7 cannot see it without SDK-level prompt + response logging. |
@@ -342,7 +343,11 @@ The threats in this skill are adversary TTPs and malware families rather than ve
 | PROMPTSTEAL | No — adversary malware family | Yes — public reporting on LLM-assisted exfiltration prioritisation and lateral-movement guidance | No | Yes — LLM is acting as the adversary's live intelligence analyst | Minimal — requires correlation of AI API calls with credential-access and file-access events. Possible to build in a SIEM; not a default rule pack. | None enterprise-subscribable. |
 | AI C2 — generic (T1071 / T1102 / T1568 over AI APIs) | No | Yes — research and red-team demonstrations across all major AI providers | No | Yes | Minimal — boundary controls treat AI provider domains as allowlisted SaaS; content-layer inspection requires TLS interception plus SDK-level prompt logging, which most orgs do not run. | Partial / inconsistent across providers. |
 
-**Interpretation:** there is no patch to apply because there is no vendor CVE. Mitigation is detection-architectural: SDK-level prompt logging with identity binding, AI-API behavioural baselining per process, correlation with credential/file/scan events, and an explicit allowlist that enumerates the sanctioned business reason per identity (per the SC-7 real_requirement in `data/framework-control-gaps.json`).
+**Interpretation:** there is no patch to apply because there is no vendor CVE for the SesameOp / PROMPTFLUX / PROMPTSTEAL class. Mitigation is detection-architectural: SDK-level prompt logging with identity binding, AI-API behavioural baselining per process, correlation with credential/file/scan events, and an explicit allowlist that enumerates the sanctioned business reason per identity (per the SC-7 real_requirement in `data/framework-control-gaps.json`).
+
+### LLM-Gateway Credential Theft as an AI-C2 Adjacent Class
+
+**CVE-2026-42208** — BerriAI LiteLLM Proxy Authorization-header SQL injection (CVSS 9.8 / CVSS v4 9.3 / CISA KEV-listed 2026-05-08, federal due 2026-05-29; in-wild exploitation evidence). LiteLLM is the open-source LLM-API gateway used in front of agent stacks, MCP-server fronts, and multi-model proxy deployments — exactly the egress hinge this skill's detection architecture treats as the credential boundary for hosted-model use. The proxy concatenated an attacker-controlled `Authorization` header value into a SQL query in the error-logging path, so a curl-able POST against `/chat/completions` with a SQL-injection payload returns the managed-credentials DB content without prior auth. Patched in 1.83.7+; temporary workaround `general_settings: disable_error_logs: true`. Detection-relevance for this skill: an AI-API egress baseline that records only outbound destinations misses the *inbound* SQL injection on the proxy itself; pair `D3-IOPR` (SDK-level prompt logging) with `D3-CSPP` payload profiling on the gateway's inbound request stream. Any organisation whose AI-API egress visibility treats the LLM gateway as "just a reverse proxy" will discover post-breach that the gateway held every downstream model-provider credential and was the actual covert exfiltration channel.
 
 ### RFC Transport Reality
 

package/skills/ai-risk-management/skill.md

@@ -65,7 +65,7 @@ AI governance moved from voluntary to mandatory between 2024 and 2026. The trans
 
 The gap on the ground is severe and the same in every jurisdiction the maintainers have spot-checked through Q2 2026: most organisations deploying LLMs, agents, RAG pipelines, and AI-augmented developer tooling have **zero governance artefact specific to AI**. They assume general security policies, the existing risk register, the existing vendor management programme, and the existing incident response playbook cover AI by inheritance. They do not. Concretely:
 
-- The risk register has no entry for prompt injection (AML.T0051), AI-as-C2 (AML.T0096), or AI-assisted exploit development against the organisation (AML.T0017).
+- The risk register has no entry for prompt injection (AML.T0051), AI-as-C2 (AML.T0096), or AI-assisted exploit development against the organisation (AML.T0016 + AML.T0017).
 - The vendor management programme treats AI providers as ordinary SaaS suppliers and accepts a SOC 2 Type II as evidence of AI-specific control adequacy — even though SOC 2 has no AI-specific criteria.
 - The incident response playbook does not enumerate AI-specific incident classes (model exfiltration, training-data poisoning, agent compromise via MCP server, RAG corpus contamination, AI vendor breach affecting derived embeddings).
 - The data inventory does not include vector embedding stores, model weights, or LLM prompt/response logs as classified data assets.
@@ -77,7 +77,7 @@ AI red-team activity has likewise shifted from voluntary research practice to go
 - NIST AI RMF MEASURE 2.5 expects organisations to assess AI risks during operation (`data/framework-control-gaps.json` → `NIST-AI-RMF-MEASURE-2.5`).
 - OWASP LLM Top 10 2025 (LLM01: Prompt Injection — `data/framework-control-gaps.json` → `OWASP-LLM-Top-10-2025-LLM01`) is treated by auditors as the working operational checklist where ISO/IEC 42001 is silent on technical specifics.
 
-The 2024–2026 disclosure record is unforgiving: vendor advisories from OpenAI, Anthropic, Google DeepMind, and Microsoft have published AI vulnerability disclosures spanning prompt-injection RCEs (CVE-2025-53773), MCP supply-chain RCEs (CVE-2026-30615), agentic-pipeline compromise patterns, and indirect-injection via retrieved content. An organisation with no governance artefact mapping these classes to internal use cases is not in a position to act on any of them.
+The 2024–2026 disclosure record is unforgiving: vendor advisories from OpenAI, Anthropic, Google DeepMind, and Microsoft have published AI vulnerability disclosures spanning prompt-injection-driven RCE (CVE-2025-53773, CVSS 7.8 / AV:L), local-vector MCP supply-chain RCE (CVE-2026-30615, CVSS 8.0 / AV:L), agentic-pipeline compromise patterns, and indirect-injection via retrieved content. An organisation with no governance artefact mapping these classes to internal use cases is not in a position to act on any of them.
 
 ---
 
@@ -113,7 +113,8 @@ Governance failure surfaces as exploitable threat. The TTPs below are the diagno
 |---|---|---|---|
 | AML.T0051 | LLM Prompt Injection | No prompt/response logging, no semantic monitoring, no AI use-case-level risk treatment decision | ISO/IEC 23894 clause 7 risk treatment register has no entry; OWASP LLM01 control unowned. CWE-1426 (improper validation of generative AI output) is the root-cause class. |
 | AML.T0096 | LLM Integration Abuse (covert C2) | No baseline of normal AI API traffic per principal; AI API egress treated as trusted internal traffic | NIST AI RMF MEASURE 2.5 not operationalised; SesameOp-class detection absent from SOC playbooks. |
-| AML.T0017 | Develop Capabilities (adversary AI-assisted exploit development) | No threat-intelligence ingestion path for AI-discovered vulnerabilities; patch SLAs sized for human-speed exploit development | EU AI Act Art. 9 RMS not iterating on the input that 41% of 2025 zero-days are AI-discovered (per `ai-attack-surface` and `zeroday-lessons.json`). |
+| AML.T0017 | Discover ML Model Ontology — adversary reconnaissance of deployed model family / guardrails | No inference-API rate / shape baseline; model-registry RBAC absent; system-prompt extraction queries undetected | NIST AI RMF MEASURE 2.5 not requiring per-identity inference monitoring; AIMS lacks a probing-detection control. |
+| AML.T0016 | Obtain Capabilities: Develop Capabilities (adversary AI-assisted exploit / payload development) | No threat-intelligence ingestion path for AI-discovered vulnerabilities; patch SLAs sized for human-speed exploit development | EU AI Act Art. 9 RMS not iterating on the input that 41% of 2025 zero-days are AI-discovered (per `ai-attack-surface` and `zeroday-lessons.json`). |
 
 Supporting weakness classes consumed from `data/cwe-catalog.json`:
 - **CWE-1426** — improper validation of generative AI output. The governance correlate: every AI use case must declare what output validation is performed and who owns it.
@@ -134,7 +135,7 @@ Adversary capability versus organisational governance maturity is the relevant a
 |---|---|---|---|
 | Low (off-the-shelf prompt injection per AML.T0051) | Exploitable today. Bypass rates >85% against SOTA defences (per `ai-attack-surface`). No detection. | Exploitable. Risk register names the threat; no detection or response capability deployed. | Detection latency: minutes-to-hours. Response playbook bound to incident class. |
 | Medium (AI-as-C2 per AML.T0096, SesameOp pattern) | Exploited last quarter by definition — no AI API logging, no baseline. | Detection-blind: AI traffic logged but no behavioural baseline. | Behavioural baseline + correlation with host activity per `ai-attack-surface` Step 4. |
-| High (AI-assisted exploit development per AML.T0017, Copy Fail-class) | Patch SLA structurally inadequate; live-patch capability absent. | Patch SLA sized for human-speed exploit development. | RWEP-driven prioritisation (`lib/scoring.js`), live-patch SLA <4h for KEV+PoC+AI-discovered class. |
+| High (AI-assisted exploit development per AML.T0016, Copy Fail-class) | Patch SLA structurally inadequate; live-patch capability absent. | Patch SLA sized for human-speed exploit development. | RWEP-driven prioritisation (`lib/scoring.js`), live-patch SLA <4h for KEV+PoC+AI-discovered class. |
 | Frontier (training pipeline poisoning, supply-chain compromise of model weights — AML.T0020 catalogue) | No AI supplier risk register; vendor SOC 2 accepted as adequate. | AI vendor register exists; no 4th-party (AI-of-AI) coverage. | EU AI Act Art. 10 data governance + Art. 72 adversarial testing operationalised; vendor adversarial-test attestations required contractually. |
 
 Reference incident inputs to the matrix: vendor advisories from Anthropic, OpenAI, Google DeepMind, Microsoft across 2024–2026; the emergent agentic-attack patterns observed through 2025–2026 disclosed in coordinated-vulnerability programmes per `coordinated-vuln-disclosure`; the AI-as-C2 evidence base referenced in `ai-c2-detection`; the prompt-injection-RCE and MCP-RCE CVE evidence referenced in `ai-attack-surface`.

package/skills/api-security/skill.md

@@ -78,7 +78,7 @@ APIs are now the integration substrate of every non-trivial system. The mid-2026
 
 1. **AI-API rate-limit abuse / denial-of-wallet** — a stolen API key or compromised internal service burns the organisation's spend cap on a model endpoint. GPT-class and Claude-class token costs at production volume run to five-to-six figures per day per workload — a key exfiltrated on Friday and abused over a weekend is a real budget event.
 2. **Prompt-injection-as-C2** — user-controlled content reaches an LLM-fronted internal API and exfiltrates data through the model's response channel (the model becomes the covert C2 channel). Hand-off to `ai-c2-detection` for SesameOp-class detection patterns.
-3. **Model extraction via inference rate (AML.T0017)** — high-volume queries against a hosted model are used to reconstruct the model's behaviour or training data. Detected at egress only by per-identity rate-and-shape monitoring, not by request count alone.
+3. **Model extraction via inference rate (AML.T0017 — Discover ML Model Ontology)** — high-volume queries against a hosted model are used to reconstruct the model's behaviour, system prompt, guardrail surface, or training-data signal. Detected at egress only by per-identity rate-and-shape monitoring, not by request count alone.
 
 **MCP transport runs over HTTP/SSE.** Anthropic's **Model Context Protocol** (MCP) — the de-facto agent-to-tool protocol adopted across the industry through 2025 — uses HTTP and Server-Sent Events as its transport. That means MCP traffic is API traffic and inherits every API attack surface: auth, rate limiting, schema validation, BOLA on tool calls, SSRF if a tool fetches URLs. Hand-off to `mcp-agent-trust` for MCP-specific semantics; the API-security posture is foundational.
 
@@ -125,7 +125,7 @@ APIs are now the integration substrate of every non-trivial system. The mid-2026
 | T1078 | Valid Accounts | Stolen API token / OAuth refresh token / leaked service-account key reused against the API; key-exfil-then-abuse pattern dominant for AI-API rate-limit abuse | CWE-287, CWE-200 | Partial — NIST-800-53-AC-2 manages account lifecycle but not per-object authz, not key rotation cadence for AI-API keys |
 | T1567 | Exfiltration Over Web Service | Sensitive data egressed via a legitimate API channel — AI-API response stream as covert C2; OAuth-token-scoped exfil over the org's own API | CWE-200, CWE-918 | Missing — no framework mandates per-identity egress baselining; D3-NTA is the operational control (see Defensive Countermeasure Mapping) |
 | AML.T0096 | AI Service Exploitation (AI-API as covert C2) | LLM API used as a covert command-and-control / exfil channel — prompt content carries instructions; response carries staged data | CWE-77, CWE-200 | Missing in NIST/ISO; hand-off to `ai-c2-detection` |
-| AML.T0017 | Model Extraction via Inference API | High-volume queries against a hosted model used to reconstruct behaviour / training data | CWE-200 | Missing — detected only by per-identity rate-and-shape monitoring at egress |
+| AML.T0017 | Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, model-family signal) | High-volume queries against a hosted model used to reconstruct behaviour, guardrail surface, or training-data signal | CWE-200 | Missing — detected only by per-identity rate-and-shape monitoring at egress |
 
 CWE root-causes referenced as a set (per `cwe_refs` in frontmatter): CWE-287 (Improper Authentication), CWE-862 (Missing Authorization — BFLA root cause), CWE-863 (Incorrect Authorization — BOLA root cause), CWE-918 (SSRF — API7), CWE-200 (Information Exposure — BOPLA contributor), CWE-352 (CSRF — cookie-auth APIs + WebSocket CSWSH), CWE-22 (Path Traversal — API parameter sinks), CWE-77 (Command Injection — API parameter to shell), CWE-1188 (Insecure Default Initialization — default-open API state).
 
@@ -147,7 +147,7 @@ CWE root-causes referenced as a set (per `cwe_refs` in frontmatter): CWE-287 (Im
 | API10 Unsafe Consumption of Third-Party APIs | Burp, custom integration fuzz | Egress allowlist; per-third-party threat model | Yes — agentic frameworks chain via third-party trust | Variable; transitive RCE chains via consumed AI-API or SaaS API are high | Emergent class through 2025–2026; AI-API consumption dominant subtype |
 | AI-API rate-limit abuse / denial-of-wallet | Stolen-key abuse scripts; trivial automation | Per-identity + per-cost-unit egress quotas; budget alarms | Yes — fully automated | Direct USD loss — measurable per incident | High when keys leak; common via committed secrets, third-party breach, browser-extension exfil |
 | AML.T0096 prompt-injection-as-C2 | Custom payload corpora; Promptfoo, Garak | Output guardrails, egress baselining (D3-NTA) | Yes — adaptive injection succeeds >85% against SOTA guardrails per 2026 meta-analysis | Emergent category | Active operational reality; hand-off to `ai-c2-detection` |
-| AML.T0017 model extraction | High-volume inference scripts; query-shape diversity tooling | Per-identity rate-and-shape monitoring at egress | Yes — agentic query diversification | Emergent | Active in adversarial-ML research; bleeding into production where hosted models expose probability vectors |
+| AML.T0017 Discover ML Model Ontology (inference-API probing) | High-volume inference scripts; query-shape diversity tooling | Per-identity rate-and-shape monitoring at egress | Yes — agentic query diversification | Emergent | Active in adversarial-ML research; bleeding into production where hosted models expose probability vectors |
 
 ---
 

package/skills/attack-surface-pentest/skill.md

@@ -78,11 +78,11 @@ Every enterprise now has outbound HTTPS to one or more LLM providers (OpenAI, An
 
 ### 3. MCP servers as RCE surface
 
-CVE-2026-30615 (Windsurf MCP, CVSS 9.8) is the canonical example: a malicious MCP server executes arbitrary code in the AI assistant's context with zero user interaction. 150M+ affected downloads. Every developer workstation with an MCP-aware client (Cursor, VS Code + Copilot, Windsurf, Claude Code, Gemini CLI) is potentially a network of unsigned-package RCE vectors that no traditional asset inventory enumerates. ATLAS AML.T0010 (ML Supply Chain Compromise).
+CVE-2026-30615 (Windsurf MCP, CVSS 8.0 / AV:L / RWEP 35) is the canonical example: a malicious MCP server drives code execution in the AI assistant's context via attacker-controlled HTML processed by the MCP client. 150M+ combined downloads across MCP-capable assistants share the architectural surface. Every developer workstation with an MCP-aware client (Cursor, VS Code + Copilot, Windsurf, Claude Code, Gemini CLI) is potentially a network of unsigned-package RCE vectors that no traditional asset inventory enumerates. ATLAS AML.T0010 (ML Supply Chain Compromise).
 
 ### 4. Prompt-injection footprint
 
-Any system that feeds external content (PR descriptions, support tickets, web-retrieved docs, calendar events, email bodies, RAG-retrieved chunks) into an LLM prompt is in scope (ATLAS AML.T0051). CVE-2025-53773 (GitHub Copilot, CVSS 9.6) showed prompt injection achieving RCE via a developer tool. 2026 meta-analysis: adaptive prompt injection succeeds against SOTA defenses at >85%. Pen testers must enumerate the prompt-injection footprint as a first-class asset class.
+Any system that feeds external content (PR descriptions, support tickets, web-retrieved docs, calendar events, email bodies, RAG-retrieved chunks) into an LLM prompt is in scope (ATLAS AML.T0051 / AML.T0054). CVE-2025-53773 (GitHub Copilot YOLO-mode RCE, CVSS 7.8 / AV:L / RWEP 30) showed prompt-injection coercion flipping `chat.tools.autoApprove: true` and converting subsequent tool calls into shell execution via developer-side IDE interaction. 2026 meta-analysis: adaptive prompt injection succeeds against SOTA defenses at >85%. Pen testers must enumerate the prompt-injection footprint as a first-class asset class.
 
 ### 5. RAG corpora and embedding stores
 
@@ -126,7 +126,7 @@ Pen testers must emulate both classical and AI-class chains. The table below map
 
 | Phase | Classical TTP (ATT&CK v17) | AI-Class TTP (ATLAS v5.1.0) | Framework Gap Flag |
 |---|---|---|---|
-| Reconnaissance | T1595 (Active Scanning) — implied by T1190 setup | AML.T0000 (Search Open Technical Databases) — model card / dataset / API endpoint discovery | NIST 800-115 §3.x recon guidance is network-only |
+| Reconnaissance | T1595 (Active Scanning) — implied by T1190 setup | AML.TA0002 (Reconnaissance tactic) — model card / dataset / API endpoint discovery, system-prompt probing | NIST 800-115 §3.x recon guidance is network-only |
 | Initial Access | T1190 (Exploit Public-Facing Application) | AML.T0051 (LLM Prompt Injection) — entered via PR description, support ticket, retrieved doc | OWASP WSTG covers webapp; not prompt-injection as entry vector |
 | Initial Access | T1133 (External Remote Services) | AML.T0010 (ML Supply Chain Compromise) — malicious MCP server installed by developer | PTES scoping templates do not require MCP server enumeration |
 | Execution | T1059 (Command and Scripting Interpreter) | AML.T0051 → tool-use call invoking shell/code execution in agent context | NIS2 Art.21 patch-mgmt language assumes binary exploit; semantic-input exploit lives outside |
@@ -146,8 +146,8 @@ Pen testers select tooling based on real exploit availability. The matrix below
 | Vulnerability | CVSS | RWEP | CISA KEV | Public PoC | AI-Discovered/Accelerated | Live-Patchable | Pen Tester Use |
 |---|---|---|---|---|---|---|---|
 | CVE-2026-31431 (Copy Fail Linux kernel LPE) | 7.8 | 90 | Yes | Yes — 732-byte deterministic exploit | Yes (AI-discovered in ~1 hour) | Yes (kpatch / livepatch) | Post-exploit privilege escalation in unpatched Linux hosts; reliable, no race condition |
-| CVE-2025-53773 (GitHub Copilot prompt-injection RCE) | 9.6 | 91 | No (not enterprise infra in KEV sense) | Yes — demonstrated PoC | Yes (AI tooling generates injection payloads) | No (requires Copilot update + prompt hardening) | Initial access via PR descriptions, support tickets, retrieved docs; emulate AML.T0051 |
-| CVE-2026-30615 (Windsurf MCP RCE) | 9.8 | 94 | No | Partial — concept demonstrated | No | No (requires Windsurf patch) | Lateral movement to developer workstations via malicious MCP server; emulate AML.T0010 |
+| CVE-2025-53773 (GitHub Copilot YOLO-mode RCE) | 7.8 | 30 | No (not enterprise infra in KEV sense) | Yes — demonstrated PoC | Yes (AI tooling generates injection payloads) | Yes (SaaS push / IDE update) | Initial access via PR descriptions, support tickets, retrieved docs; emulate AML.T0051 / AML.T0054 |
+| CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | No | Partial — concept demonstrated | No | Yes (IDE update) | Lateral movement to developer workstations via malicious MCP server; emulate AML.T0010 |
 | CVE-2026-43284 (covered in fuzz/memory-safety skill) | see `data/cve-catalog.json` | see `data/cve-catalog.json` | see `data/exploit-availability.json` | see `data/exploit-availability.json` | see `data/cve-catalog.json` | see `data/cve-catalog.json` | Memory-corruption chain context — refer to that skill for exploitation detail |
 | CVE-2026-43500 (covered in supply-chain skill) | see `data/cve-catalog.json` | see `data/cve-catalog.json` | see `data/exploit-availability.json` | see `data/exploit-availability.json` | see `data/cve-catalog.json` | see `data/cve-catalog.json` | Supply chain compromise context — refer to that skill for exploitation detail |
 | SesameOp (AI-as-C2 technique, no CVE — adversary tradecraft) | N/A (technique, not vulnerability) | N/A | N/A | Yes — ATLAS-documented adversary pattern (AML.T0096) | Yes | N/A | Emulate covert AI-API C2 during adversary emulation; verifies whether egress monitoring catches AML.T0096 |

package/skills/cloud-security/skill.md

@@ -136,7 +136,7 @@ Cloud is where AI runs. Every consequential AI service — OpenAI, Anthropic, Go
 | Cloud-facing application | T1190 — Exploit Public-Facing Application | ATT&CK Enterprise | API Gateway / Load Balancer / managed-WAF-bypass; managed-database exposure (RDS / SQL DB / Cloud SQL public IP); container-registry public image abuse; Lambda / Cloud Functions / Azure Functions endpoint exploit | NIST 800-53 SC-7 perimeter assumption inadequate; CSA CCM AIS-04 and IVS-08 partial; CWE-1188 (Insecure Default Initialization) |
 | Cloud-credential exposure | T1552 — Unsecured Credentials (incl. T1552.001 Files, T1552.005 Cloud Instance Metadata API, T1552.007 Container API) | ATT&CK Enterprise | IMDSv1 SSRF on EC2 / GCE; static cloud credentials in git / images / env vars; container API and kubeconfig theft; workload-identity-federation trust-policy abuse | CWE-798 (hardcoded credentials), CWE-200; NIST 800-53 IA-5 method-neutral |
 | AI model registry / cloud-hosted model | AML.T0010 — ML Supply Chain Compromise | ATLAS v5.1.0 | Bedrock / SageMaker custom model from poisoned upstream; Azure ML model registry tampering; Vertex Model Garden mirror tampering; HF model pulled into Bedrock / SageMaker / Vertex with weights backdoor | CSA CCM CCC-09 (vendor / supply chain) silent on model-supply-chain specifics; SLSA / in-toto / Sigstore for models still maturing |
-| Cloud inference API abuse / model extraction | AML.T0017 — Develop Adversarial ML Attack Capabilities (closest existing ATLAS mapping for inference-API abuse against cloud-hosted endpoints) | ATLAS v5.1.0 | Programmatic query of Bedrock / Azure OpenAI / Vertex endpoint to extract model behaviour, training-data inference, system-prompt leakage | No cloud-specific ATLAS control mapping for inference-API rate-limit / anomaly detection; chain to `ai-attack-surface` |
+| Cloud inference API abuse / model extraction | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, model-family signal against cloud-hosted endpoints); AML.T0016 — Obtain Capabilities: Develop Capabilities (downstream weaponization) | ATLAS v5.1.0 | Programmatic query of Bedrock / Azure OpenAI / Vertex endpoint to extract model behaviour, training-data inference, system-prompt leakage | No cloud-specific ATLAS control mapping for inference-API rate-limit / anomaly detection; chain to `ai-attack-surface` |
 
 **Note on ATT&CK Enterprise cloud-platform sub-techniques.** ATT&CK Enterprise has cloud-platform-specific matrices (IaaS, SaaS, Office 365, Azure AD / Entra ID, Google Workspace). T1078.004 (Cloud Accounts), T1552.005 (Cloud Instance Metadata API), T1552.007 (Container API), T1190 with cloud-service variants, T1530 with managed-storage variants are the most operationally relevant. The frontmatter pins the parent IDs; analysis should descend to the sub-technique appropriate to the cloud(s) in scope.