@blamejs/exceptd-skills 0.12.40 → 0.13.0

package/skills/global-grc/skill.md

@@ -17,9 +17,10 @@ triggers:
   - multi-jurisdiction
   - global compliance
 data_deps:
-  - global-frameworks.json
-  - framework-control-gaps.json
   - atlas-ttps.json
+  - exploit-availability.json
+  - framework-control-gaps.json
+  - global-frameworks.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []

package/skills/identity-assurance/skill.md

@@ -21,10 +21,8 @@ triggers:
   - phishing-resistant
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
+  - exploit-availability.json
   - framework-control-gaps.json
-  - cwe-catalog.json
-  - d3fend-catalog.json
   - rfc-references.json
 atlas_refs:
   - AML.T0051

package/skills/idp-incident-response/skill.md

@@ -29,11 +29,8 @@ triggers:
   - tenant compromise
 data_deps:
   - cve-catalog.json
-  - attack-techniques.json
-  - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
   - d3fend-catalog.json
+  - framework-control-gaps.json
 atlas_refs: []
 attack_refs:
   - T1078.004

package/skills/incident-response-playbook/skill.md

@@ -17,12 +17,8 @@ triggers:
   - prompt injection incident
   - model exfiltration incident
 data_deps:
-  - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
   - d3fend-catalog.json
+  - framework-control-gaps.json
   - zeroday-lessons.json
 atlas_refs:
   - AML.T0096

package/skills/kernel-lpe-triage/skill.md

@@ -15,8 +15,8 @@ triggers:
   - kernel patch
   - live kernel patch
 data_deps:
-  - cve-catalog.json
-  - exploit-availability.json
+  - d3fend-catalog.json
+  - rfc-references.json
 atlas_refs: []
 attack_refs:
   - T1068

package/skills/mcp-agent-trust/skill.md

@@ -14,9 +14,11 @@ triggers:
   - claude code security
   - ai agent security
 data_deps:
-  - cve-catalog.json
   - atlas-ttps.json
-  - framework-control-gaps.json
+  - cve-catalog.json
+  - d3fend-catalog.json
+  - exploit-availability.json
+  - rfc-references.json
 atlas_refs:
   - AML.T0010
   - AML.T0016
@@ -65,7 +67,7 @@ forward_watch:
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM full SSRF + Code Injection by Out Of Bounds (Byung Young Yi); duplicate-class with the k3vg3n entry; track unified patch advisory
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LM Studio 5-bug exploit chain by STARLabs SG; impacts local MCP/agent runtime trust; track patch and integration advisories
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Claude Code MCP collision-scored entry by Viettel Cyber Security; CVE in flight; track MCP trust and tool-collision advisory
-last_threat_review: "2026-05-15"
+last_threat_review: "2026-05-17"
 ---
 
 # MCP Agent Trust Assessment
@@ -142,6 +144,14 @@ Every MCP server listed in popular registries (MCP Hub, npm `@modelcontextprotoc
 | CIS Controls v8 | Control 2 (Inventory and Control of Software Assets) | Software inventory and allowlisting. Does not explicitly cover MCP servers. AI coding assistant MCP configs are not in scope for most enterprise software inventory processes. |
 | PCI DSS 4.0 | 12.3.4 | Review and manage third-party service providers. Scoped to service providers with access to cardholder data. An MCP server running on a developer workstation accessing a PCI-scoped codebase is not clearly in scope and would not appear in vendor management reviews. |
 | SWIFT CSCF v2026 | 1.1 (SWIFT Environment Protection — allowlisted software inside the secure zone) | Mandates allowlisted software and protected operator-PC posture for the SWIFT secure zone. The control's allowlist concept is the closest existing analogue to MCP tool allowlisting, but CSCF 1.1 was written for traditional middleware and does not contemplate MCP servers, agent-mediated tool calls, or model-judgment-as-authorization on operator workstations adjacent to the SWIFT zone. |
+| EU NIS2 | Art. 21(2)(d) (supply-chain security) + Art. 21(2)(e) (security in acquisition, development and maintenance) | "Appropriate and proportionate" supply-chain language. Member-state transpositions (BSI IT-SiG 2.0, ANSSI, CNIL) do not enumerate MCP servers as in-scope third-party components. An essential entity meets the NIS2 supplier-management obligation with traditional SaaS vendor reviews while leaving developer-workstation MCP servers entirely outside the supply-chain register. |
+| EU DORA | Art. 28 (ICT third-party risk register) + Art. 30 (key contractual provisions) + Art. 6 (ICT risk-management framework) | Financial-entity ICT third-party language scoped to traditional ICT providers and cloud outsourcing. ESAs RTS on subcontracting (JC 2024/53) is silent on MCP servers running inside trading-desk developer environments, even though those MCP servers can reach repository, trading-system, and ticketing-system tools via the AI assistant. |
+| EU AI Act (Regulation 2024/1689) | Art. 9 (risk management for high-risk AI) + Art. 15 (cybersecurity) + Art. 25 (responsibilities along the AI value chain) | Art. 25 addresses providers, deployers, importers, and distributors but does not categorize MCP server publishers as in-scope value-chain actors. High-risk AI cybersecurity language refers to "state of the art" without naming MCP supply chain as a scoped attack class. |
+| UK NCSC CAF | Principle A4 (Supply Chain), B4 (System Security), B2 (Identity and Access Control) | Outcome-based language. NCSC's 2024 guidance on securing AI systems names supply-chain integrity for AI tooling, but the CAF outcome statements are unchanged — an organisation can achieve A4 / B4 outcomes at Achieved level with zero MCP server allowlisting, no signature verification, and no per-server authentication. |
+| UK DSIT AI Cyber Code of Practice (2025) | Principle 7 (secure software supply chain) + Principle 8 (secure development) | Names supply-chain integrity for AI development but as a principle, not a testable control. No technical floor for MCP signing, allowlisting, or per-server auth. |
+| AU ASD Essential 8 | Strategy: Application Control + Restrict Administrative Privileges | Application Control (allowlisting) is the closest existing strategy to MCP allowlisting but is scoped to operating-system-level executables. MCP servers run as long-lived child processes spawned by the AI assistant's process — Application Control rarely reaches the npm/pip-installed JavaScript or Python that constitutes an MCP server. None of the eight strategies address agent-mediated tool execution. |
+| AU ASD ISM | ISM-1728 (managing cyber supply chain risk) + ISM-1808 (cloud consumer responsibilities) + ISM-0935 (application control) | ISM-1728 supply-chain language is scoped to traditional vendor classes; MCP servers fall outside enumerated supply-chain categories. ISM-0935 application control is operating-system-level and does not reach package-level MCP servers. |
+| AU APRA CPS 234 / CPS 230 | Para 27 (information security capability) + CPS 230 ICT-service-provider obligations | "Capability commensurate with vulnerabilities and threats" language. APRA-regulated entities deploying AI coding assistants meet CPS 234 attestation with traditional vendor-management capability; MCP-specific supply-chain capability is not an examined control. CPS 230 (effective 2025-07-01) third-party-arrangements obligations do not enumerate MCP servers as in-scope material service providers. |
 
 **Fundamental gap:** No current framework has a control category for "AI tool trust boundaries" — the concept that an AI model can be the authorization mechanism for code execution, and that this creates a new class of supply chain and access control risk.
 

package/skills/mlops-security/skill.md

@@ -20,12 +20,11 @@ triggers:
   - drift detection
   - model monitoring
 data_deps:
-  - cve-catalog.json
   - atlas-ttps.json
-  - framework-control-gaps.json
+  - cve-catalog.json
   - cwe-catalog.json
   - d3fend-catalog.json
-  - rfc-references.json
+  - framework-control-gaps.json
 atlas_refs:
   - AML.T0010
   - AML.T0018
@@ -61,7 +60,7 @@ forward_watch:
   - OpenSSF model-signing emergence to v1.0 — Sigstore-based model-weight signing; track for production adoption and admission-control integration
   - SLSA v1.1 ML profile (draft) — model-provenance extension for training-run attestation chains; track ID and section changes
   - EU AI Act high-risk technical-file implementing acts (2026-2027) — operational requirements for Article 10 / 13 / 15 documentation may pin ML-BOM or model-signing
-  - MITRE ATLAS v5.4.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques ("Publish Poisoned AI Agent Tool", "Escape to Host"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: ATLAS v5.5 / v6.0 — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques
+  - MITRE ATLAS v5.4.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques ("Publish Poisoned AI Agent Tool", "Escape to Host"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques
 last_threat_review: "2026-05-15"
 ---
 

package/skills/ot-ics-security/skill.md

@@ -20,9 +20,6 @@ triggers:
   - purdue
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - cwe-catalog.json
   - d3fend-catalog.json
 atlas_refs:
   - AML.T0010

package/skills/policy-exception-gen/skill.md

@@ -12,8 +12,9 @@ triggers:
   - zero trust exception
   - compensating control
 data_deps:
-  - framework-control-gaps.json
-  - global-frameworks.json
+  - atlas-ttps.json
+  - cve-catalog.json
+  - exploit-availability.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []
@@ -22,7 +23,7 @@ forward_watch:
   - EU CRA exceptions for AI pipeline components
   - NIST SP 800-204 series updates for microservices
   - FedRAMP updates for container/serverless authorization
-last_threat_review: "2026-05-01"
+last_threat_review: "2026-05-17"
 ---
 
 # Policy Exception Generation
@@ -75,6 +76,13 @@ Per-framework lag statements for each exception category in this skill:
 | PCI DSS 4.0 | 12.3.4 (Inventory of system components) | Persistent-asset assumption — fails for autoscaled ephemeral compute. |
 | PCI DSS 4.0 | 1.3 (Network segmentation) | Implicit perimeter-trust model; ZTA evidence shape does not match the language. |
 | NIS2 | Art. 21 (Cybersecurity risk-management measures) | Asset register and patch management language predates serverless; ephemeral nodes cannot be inventoried as the article assumes. |
+| EU DORA | Art. 8 (ICT-related risk and ICT asset management) + Art. 9 (protection and prevention) + Art. 28 (ICT third-party risk) | Financial-entity asset register and patch-management obligations mirror the NIS2 lag: ephemeral compute has no clean register fit, and Art. 28 ICT third-party register is silent on LLM API providers and developer-environment MCP servers. ESAs RTS on subcontracting (JC 2024/53) does not enumerate AI/ML SaaS classes. |
+| EU AI Act (Regulation 2024/1689) | Art. 13 (transparency / instructions for use) + Art. 15 (cybersecurity for high-risk AI) | Drafted around vendor-provided AI systems with documented change-management. External provider model updates that change behavior mid-deployment have no exception language; high-risk AI Art. 15 cybersecurity expectations assume operator control over the model. |
+| UK NCSC CAF | Principle A2 (Risk Management), A4 (Supply Chain), B4 (System Security) | Outcome-based assessment. NCSC Cloud Security Principles and ZT Architecture Design Principles (NCSC 2024) recognize ephemeral and identity-centric architectures, but the CAF outcome statements do not enumerate ZTA / ephemeral / AI-model-update as explicit deviation classes. Exception language must map the operator's compensating-control bundle to the CAF principle's outcome rather than to a prescriptive control. |
+| UK Cyber Essentials Plus | Patch management + Secure Configuration criteria | 14-day patch SLA assumes persistent assets the operator patches. Ephemeral / immutable / provider-patched runtimes (Lambda, Cloud Run, Cloudflare Workers) fall outside the criterion as written. The CE+ assessor expects a documented justification when a service does not fit the standard model. |
+| AU ASD Essential 8 | Patch Applications + Patch Operating Systems + Application Control (ML1-ML3) | Patch-window language assumes a persistent OS / application installation the operator patches. Ephemeral container workloads with immutable images and serverless runtimes break the model. Application Control (allowlisting) does not contemplate AI-coding-assistant tool-use chains where the AI agent dynamically composes the executed action. |
+| AU ASD ISM | ISM-1493 (vulnerability identification and patching) + ISM-1144 (patching frequency) + ISM-1808 (cloud service consumer responsibilities) | ISM-1808 acknowledges cloud shared-responsibility but does not specify exception language for provider-controlled runtimes. ISM-1493 / ISM-1144 patch-frequency controls assume operator-controlled patching. |
+| AU APRA CPS 234 | Para 27 (information security capability) + Para 36 (control testing) | "Capability commensurate with vulnerabilities and threats" language. AI-pipeline and ZTA architectures are not enumerated as in-scope capability classes; an APRA-regulated entity must document the architectural deviation explicitly to avoid a control-testing finding. |
 
 This skill's exceptions exist precisely because the framework language has not caught up to the architecture. The exceptions do not claim the threat goes away — they document the compensating controls that handle the residual TTPs (see TTP Mapping).
 

package/skills/pqc-first/skill.md

@@ -18,8 +18,10 @@ triggers:
   - fips 204
   - fips 205
 data_deps:
-  - cve-catalog.json
-  - framework-control-gaps.json
+  - atlas-ttps.json
+  - exploit-availability.json
+  - global-frameworks.json
+  - rfc-references.json
 atlas_refs: []
 attack_refs: []
 framework_gaps:

package/skills/rag-pipeline-security/skill.md

@@ -12,6 +12,8 @@ triggers:
   - vector poisoning
 data_deps:
   - atlas-ttps.json
+  - d3fend-catalog.json
+  - exploit-availability.json
   - framework-control-gaps.json
 atlas_refs:
   - AML.T0020

package/skills/ransomware-response/skill.md

@@ -26,12 +26,8 @@ triggers:
   - double extortion
   - data theft before encryption
 data_deps:
-  - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
   - d3fend-catalog.json
+  - framework-control-gaps.json
   - zeroday-lessons.json
 atlas_refs: []
 attack_refs:

package/skills/researcher/skill.md

@@ -14,12 +14,13 @@ triggers:
   - threat intel triage
   - exceptd research
 data_deps:
-  - cve-catalog.json
   - atlas-ttps.json
-  - framework-control-gaps.json
-  - zeroday-lessons.json
+  - cve-catalog.json
+  - d3fend-catalog.json
   - exploit-availability.json
+  - framework-control-gaps.json
   - global-frameworks.json
+  - zeroday-lessons.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []

package/skills/sector-energy/skill.md

@@ -20,10 +20,6 @@ triggers:
   - smart meter security
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
   - d3fend-catalog.json
 atlas_refs: []
 attack_refs:

package/skills/sector-federal-government/skill.md

@@ -21,11 +21,10 @@ triggers:
   - stateramp
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
   - cwe-catalog.json
   - d3fend-catalog.json
+  - exploit-availability.json
+  - framework-control-gaps.json
 atlas_refs: []
 attack_refs:
   - T1190

package/skills/sector-financial/skill.md

@@ -22,12 +22,9 @@ triggers:
   - tlpt
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
   - d3fend-catalog.json
   - dlp-controls.json
+  - framework-control-gaps.json
 atlas_refs:
   - AML.T0096
   - AML.T0017

package/skills/sector-healthcare/skill.md

@@ -19,12 +19,7 @@ triggers:
   - patient data
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
   - d3fend-catalog.json
-  - dlp-controls.json
 atlas_refs:
   - AML.T0051
   - AML.T0017

package/skills/sector-telecom/skill.md

@@ -27,11 +27,7 @@ triggers:
   - itu-t x.805
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
   - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
-  - d3fend-catalog.json
 atlas_refs:
   - AML.T0040
 attack_refs:

package/skills/security-maturity-tiers/skill.md

@@ -16,9 +16,8 @@ triggers:
   - defense in depth
   - how do we get from here to there
 data_deps:
+  - atlas-ttps.json
   - cve-catalog.json
-  - framework-control-gaps.json
-  - global-frameworks.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []

package/skills/skill-update-loop/skill.md

@@ -14,13 +14,14 @@ triggers:
   - atlas update
   - framework update
 data_deps:
-  - cve-catalog.json
   - atlas-ttps.json
+  - cve-catalog.json
+  - d3fend-catalog.json
+  - exploit-availability.json
   - framework-control-gaps.json
   - global-frameworks.json
-  - zeroday-lessons.json
-  - exploit-availability.json
   - rfc-references.json
+  - zeroday-lessons.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []

package/skills/supply-chain-integrity/skill.md

@@ -19,11 +19,12 @@ triggers:
   - csaf
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - rfc-references.json
   - cwe-catalog.json
   - d3fend-catalog.json
+  - exploit-availability.json
+  - framework-control-gaps.json
+  - global-frameworks.json
+  - rfc-references.json
 atlas_refs:
   - AML.T0010
   - AML.T0018

package/skills/threat-model-currency/skill.md

@@ -12,7 +12,7 @@ triggers:
 data_deps:
   - atlas-ttps.json
   - cve-catalog.json
-  - framework-control-gaps.json
+  - global-frameworks.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []

package/skills/threat-modeling-methodology/skill.md

@@ -18,10 +18,11 @@ triggers:
   - trust boundary
 data_deps:
   - atlas-ttps.json
-  - framework-control-gaps.json
   - cve-catalog.json
   - cwe-catalog.json
   - d3fend-catalog.json
+  - framework-control-gaps.json
+  - zeroday-lessons.json
 atlas_refs: []
 attack_refs: []
 framework_gaps:

package/skills/webapp-security/skill.md

@@ -19,12 +19,7 @@ triggers:
   - broken access control
   - ai generated code
 data_deps:
-  - cve-catalog.json
-  - atlas-ttps.json
   - framework-control-gaps.json
-  - cwe-catalog.json
-  - d3fend-catalog.json
-  - rfc-references.json
 atlas_refs:
   - AML.T0051
 attack_refs: