@safebrowse/daemon 0.1.2-rc.1
- package/LICENSE +15 -0
- package/README.md +31 -0
- package/dist/cli.d.ts +8 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +93 -0
- package/dist/cli.js.map +1 -0
- package/dist/index.d.ts +4 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +21 -0
- package/dist/index.js.map +1 -0
- package/dist/loaders.d.ts +23 -0
- package/dist/loaders.d.ts.map +1 -0
- package/dist/loaders.js +181 -0
- package/dist/loaders.js.map +1 -0
- package/dist/runtime/config/adapter-registry.json +65 -0
- package/dist/runtime/config/adapter-registry.json.sig +1 -0
- package/dist/runtime/config/v2-compromised-fixtures.json +34 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_action_integrity_patterns.json +1411 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_artifact_surface_patterns.json +891 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_evaluation_scenarios.json +217 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_incident_response_playbooks.json +209 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_base_index.json +143 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_base_index.json.sig +1 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_bases.zip +0 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_bases.zip.sig +1 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_memory_context_poisoning_patterns.json +803 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_policy_controls_catalog.json +686 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_prompt_injection_patterns.json +9930 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_source_registry.json +345 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_tool_protocol_supply_chain_patterns.json +879 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_trust_signals_provenance.json +480 -0
- package/dist/runtime/knowledge_base/signing/safebrowse_vf_ed25519_public.pem +3 -0
- package/dist/runtime/policies/base/research.yaml +56 -0
- package/dist/runtime/policies/emergency/default.yaml +14 -0
- package/dist/runtime/policies/project/default.yaml +13 -0
- package/dist/runtime/policies/tenant/default.yaml +12 -0
- package/dist/server.d.ts +14 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +195 -0
- package/dist/server.js.map +1 -0
- package/package.json +53 -0
@@ -0,0 +1,1411 @@
|
|
|
1
|
+
{
|
|
2
|
+
"kb_meta": {
|
|
3
|
+
"name": "SafeBrowse vf action integrity patterns",
|
|
4
|
+
"version": "vf-final",
|
|
5
|
+
"generated_on": "2026-03-28",
|
|
6
|
+
"entry_count": 50,
|
|
7
|
+
"purpose": "Hot-path action anomaly and misalignment patterns used to gate or downgrade proposed actions."
|
|
8
|
+
},
|
|
9
|
+
"entries": [
|
|
10
|
+
{
|
|
11
|
+
"pattern_id": "AI-01-01",
|
|
12
|
+
"family_key": "new_origin_expansion",
|
|
13
|
+
"family_name": "Unapproved origin expansion",
|
|
14
|
+
"pattern_name": "Navigation to unseen top-level origin",
|
|
15
|
+
"entry_kind": "action_anomaly_template",
|
|
16
|
+
"summary": "Action proposal adds a new origin, frame, or redirect target not yet allowed by task policy.",
|
|
17
|
+
"action_verb": "navigate",
|
|
18
|
+
"risk_signals": [
|
|
19
|
+
"verb=navigate",
|
|
20
|
+
"outside current task envelope",
|
|
21
|
+
"novel sink/origin/capability"
|
|
22
|
+
],
|
|
23
|
+
"default_controls": [
|
|
24
|
+
"read/write origin gating",
|
|
25
|
+
"relevance critic",
|
|
26
|
+
"deterministic public-URL validation",
|
|
27
|
+
"user confirmation for risky expansion"
|
|
28
|
+
],
|
|
29
|
+
"default_decision": "replan_or_require_approval",
|
|
30
|
+
"source_ids": [
|
|
31
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
32
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
33
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
34
|
+
],
|
|
35
|
+
"credibility": "high",
|
|
36
|
+
"last_verified": "2026-03-28"
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
"pattern_id": "AI-01-02",
|
|
40
|
+
"family_key": "new_origin_expansion",
|
|
41
|
+
"family_name": "Unapproved origin expansion",
|
|
42
|
+
"pattern_name": "Iframe-origin exposure request",
|
|
43
|
+
"entry_kind": "action_anomaly_template",
|
|
44
|
+
"summary": "Action proposal adds a new origin, frame, or redirect target not yet allowed by task policy.",
|
|
45
|
+
"action_verb": "expose_iframe",
|
|
46
|
+
"risk_signals": [
|
|
47
|
+
"verb=expose_iframe",
|
|
48
|
+
"outside current task envelope",
|
|
49
|
+
"novel sink/origin/capability"
|
|
50
|
+
],
|
|
51
|
+
"default_controls": [
|
|
52
|
+
"read/write origin gating",
|
|
53
|
+
"relevance critic",
|
|
54
|
+
"deterministic public-URL validation",
|
|
55
|
+
"user confirmation for risky expansion"
|
|
56
|
+
],
|
|
57
|
+
"default_decision": "replan_or_require_approval",
|
|
58
|
+
"source_ids": [
|
|
59
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
60
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
61
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
62
|
+
],
|
|
63
|
+
"credibility": "high",
|
|
64
|
+
"last_verified": "2026-03-28"
|
|
65
|
+
},
|
|
66
|
+
{
|
|
67
|
+
"pattern_id": "AI-01-03",
|
|
68
|
+
"family_key": "new_origin_expansion",
|
|
69
|
+
"family_name": "Unapproved origin expansion",
|
|
70
|
+
"pattern_name": "Cross-site redirect acceptance",
|
|
71
|
+
"entry_kind": "action_anomaly_template",
|
|
72
|
+
"summary": "Action proposal adds a new origin, frame, or redirect target not yet allowed by task policy.",
|
|
73
|
+
"action_verb": "follow_redirect",
|
|
74
|
+
"risk_signals": [
|
|
75
|
+
"verb=follow_redirect",
|
|
76
|
+
"outside current task envelope",
|
|
77
|
+
"novel sink/origin/capability"
|
|
78
|
+
],
|
|
79
|
+
"default_controls": [
|
|
80
|
+
"read/write origin gating",
|
|
81
|
+
"relevance critic",
|
|
82
|
+
"deterministic public-URL validation",
|
|
83
|
+
"user confirmation for risky expansion"
|
|
84
|
+
],
|
|
85
|
+
"default_decision": "replan_or_require_approval",
|
|
86
|
+
"source_ids": [
|
|
87
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
88
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
89
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
90
|
+
],
|
|
91
|
+
"credibility": "high",
|
|
92
|
+
"last_verified": "2026-03-28"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"pattern_id": "AI-01-04",
|
|
96
|
+
"family_key": "new_origin_expansion",
|
|
97
|
+
"family_name": "Unapproved origin expansion",
|
|
98
|
+
"pattern_name": "Popup or new-tab origin expansion",
|
|
99
|
+
"entry_kind": "action_anomaly_template",
|
|
100
|
+
"summary": "Action proposal adds a new origin, frame, or redirect target not yet allowed by task policy.",
|
|
101
|
+
"action_verb": "open_new_context",
|
|
102
|
+
"risk_signals": [
|
|
103
|
+
"verb=open_new_context",
|
|
104
|
+
"outside current task envelope",
|
|
105
|
+
"novel sink/origin/capability"
|
|
106
|
+
],
|
|
107
|
+
"default_controls": [
|
|
108
|
+
"read/write origin gating",
|
|
109
|
+
"relevance critic",
|
|
110
|
+
"deterministic public-URL validation",
|
|
111
|
+
"user confirmation for risky expansion"
|
|
112
|
+
],
|
|
113
|
+
"default_decision": "replan_or_require_approval",
|
|
114
|
+
"source_ids": [
|
|
115
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
116
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
117
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
118
|
+
],
|
|
119
|
+
"credibility": "high",
|
|
120
|
+
"last_verified": "2026-03-28"
|
|
121
|
+
},
|
|
122
|
+
{
|
|
123
|
+
"pattern_id": "AI-01-05",
|
|
124
|
+
"family_key": "new_origin_expansion",
|
|
125
|
+
"family_name": "Unapproved origin expansion",
|
|
126
|
+
"pattern_name": "Model-generated domain navigation",
|
|
127
|
+
"entry_kind": "action_anomaly_template",
|
|
128
|
+
"summary": "Action proposal adds a new origin, frame, or redirect target not yet allowed by task policy.",
|
|
129
|
+
"action_verb": "navigate_generated_url",
|
|
130
|
+
"risk_signals": [
|
|
131
|
+
"verb=navigate_generated_url",
|
|
132
|
+
"outside current task envelope",
|
|
133
|
+
"novel sink/origin/capability"
|
|
134
|
+
],
|
|
135
|
+
"default_controls": [
|
|
136
|
+
"read/write origin gating",
|
|
137
|
+
"relevance critic",
|
|
138
|
+
"deterministic public-URL validation",
|
|
139
|
+
"user confirmation for risky expansion"
|
|
140
|
+
],
|
|
141
|
+
"default_decision": "replan_or_require_approval",
|
|
142
|
+
"source_ids": [
|
|
143
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
144
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
145
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
146
|
+
],
|
|
147
|
+
"credibility": "high",
|
|
148
|
+
"last_verified": "2026-03-28"
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"pattern_id": "AI-02-01",
|
|
152
|
+
"family_key": "read_to_write_escalation",
|
|
153
|
+
"family_name": "Read-to-write escalation",
|
|
154
|
+
"pattern_name": "Typing on previously read-only origin",
|
|
155
|
+
"entry_kind": "action_anomaly_template",
|
|
156
|
+
"summary": "A session that started as read-only shifts toward actuation, submission, or mutation.",
|
|
157
|
+
"action_verb": "type",
|
|
158
|
+
"risk_signals": [
|
|
159
|
+
"verb=type",
|
|
160
|
+
"outside current task envelope",
|
|
161
|
+
"policy or phase mismatch"
|
|
162
|
+
],
|
|
163
|
+
"default_controls": [
|
|
164
|
+
"mode-based policy",
|
|
165
|
+
"explicit write capability",
|
|
166
|
+
"approval threshold",
|
|
167
|
+
"task-envelope verification"
|
|
168
|
+
],
|
|
169
|
+
"default_decision": "user_confirm_or_block",
|
|
170
|
+
"source_ids": [
|
|
171
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
172
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
173
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
174
|
+
],
|
|
175
|
+
"credibility": "high",
|
|
176
|
+
"last_verified": "2026-03-28"
|
|
177
|
+
},
|
|
178
|
+
{
|
|
179
|
+
"pattern_id": "AI-02-02",
|
|
180
|
+
"family_key": "read_to_write_escalation",
|
|
181
|
+
"family_name": "Read-to-write escalation",
|
|
182
|
+
"pattern_name": "Form submission after passive extraction",
|
|
183
|
+
"entry_kind": "action_anomaly_template",
|
|
184
|
+
"summary": "A session that started as read-only shifts toward actuation, submission, or mutation.",
|
|
185
|
+
"action_verb": "submit_form",
|
|
186
|
+
"risk_signals": [
|
|
187
|
+
"verb=submit_form",
|
|
188
|
+
"outside current task envelope",
|
|
189
|
+
"policy or phase mismatch"
|
|
190
|
+
],
|
|
191
|
+
"default_controls": [
|
|
192
|
+
"mode-based policy",
|
|
193
|
+
"explicit write capability",
|
|
194
|
+
"approval threshold",
|
|
195
|
+
"task-envelope verification"
|
|
196
|
+
],
|
|
197
|
+
"default_decision": "user_confirm_or_block",
|
|
198
|
+
"source_ids": [
|
|
199
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
200
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
201
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
202
|
+
],
|
|
203
|
+
"credibility": "high",
|
|
204
|
+
"last_verified": "2026-03-28"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"pattern_id": "AI-02-03",
|
|
208
|
+
"family_key": "read_to_write_escalation",
|
|
209
|
+
"family_name": "Read-to-write escalation",
|
|
210
|
+
"pattern_name": "Button click with irreversible effect",
|
|
211
|
+
"entry_kind": "action_anomaly_template",
|
|
212
|
+
"summary": "A session that started as read-only shifts toward actuation, submission, or mutation.",
|
|
213
|
+
"action_verb": "click_mutation",
|
|
214
|
+
"risk_signals": [
|
|
215
|
+
"verb=click_mutation",
|
|
216
|
+
"outside current task envelope",
|
|
217
|
+
"policy or phase mismatch"
|
|
218
|
+
],
|
|
219
|
+
"default_controls": [
|
|
220
|
+
"mode-based policy",
|
|
221
|
+
"explicit write capability",
|
|
222
|
+
"approval threshold",
|
|
223
|
+
"task-envelope verification"
|
|
224
|
+
],
|
|
225
|
+
"default_decision": "user_confirm_or_block",
|
|
226
|
+
"source_ids": [
|
|
227
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
228
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
229
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
230
|
+
],
|
|
231
|
+
"credibility": "high",
|
|
232
|
+
"last_verified": "2026-03-28"
|
|
233
|
+
},
|
|
234
|
+
{
|
|
235
|
+
"pattern_id": "AI-02-04",
|
|
236
|
+
"family_key": "read_to_write_escalation",
|
|
237
|
+
"family_name": "Read-to-write escalation",
|
|
238
|
+
"pattern_name": "Message send after read-only task",
|
|
239
|
+
"entry_kind": "action_anomaly_template",
|
|
240
|
+
"summary": "A session that started as read-only shifts toward actuation, submission, or mutation.",
|
|
241
|
+
"action_verb": "send_message",
|
|
242
|
+
"risk_signals": [
|
|
243
|
+
"verb=send_message",
|
|
244
|
+
"outside current task envelope",
|
|
245
|
+
"policy or phase mismatch"
|
|
246
|
+
],
|
|
247
|
+
"default_controls": [
|
|
248
|
+
"mode-based policy",
|
|
249
|
+
"explicit write capability",
|
|
250
|
+
"approval threshold",
|
|
251
|
+
"task-envelope verification"
|
|
252
|
+
],
|
|
253
|
+
"default_decision": "user_confirm_or_block",
|
|
254
|
+
"source_ids": [
|
|
255
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
256
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
257
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
258
|
+
],
|
|
259
|
+
"credibility": "high",
|
|
260
|
+
"last_verified": "2026-03-28"
|
|
261
|
+
},
|
|
262
|
+
{
|
|
263
|
+
"pattern_id": "AI-02-05",
|
|
264
|
+
"family_key": "read_to_write_escalation",
|
|
265
|
+
"family_name": "Read-to-write escalation",
|
|
266
|
+
"pattern_name": "Delete/archive/edit operation",
|
|
267
|
+
"entry_kind": "action_anomaly_template",
|
|
268
|
+
"summary": "A session that started as read-only shifts toward actuation, submission, or mutation.",
|
|
269
|
+
"action_verb": "mutate_state",
|
|
270
|
+
"risk_signals": [
|
|
271
|
+
"verb=mutate_state",
|
|
272
|
+
"outside current task envelope",
|
|
273
|
+
"policy or phase mismatch"
|
|
274
|
+
],
|
|
275
|
+
"default_controls": [
|
|
276
|
+
"mode-based policy",
|
|
277
|
+
"explicit write capability",
|
|
278
|
+
"approval threshold",
|
|
279
|
+
"task-envelope verification"
|
|
280
|
+
],
|
|
281
|
+
"default_decision": "user_confirm_or_block",
|
|
282
|
+
"source_ids": [
|
|
283
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
284
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
285
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
286
|
+
],
|
|
287
|
+
"credibility": "high",
|
|
288
|
+
"last_verified": "2026-03-28"
|
|
289
|
+
},
|
|
290
|
+
{
|
|
291
|
+
"pattern_id": "AI-03-01",
|
|
292
|
+
"family_key": "sensitive_sink_transmission",
|
|
293
|
+
"family_name": "Sensitive data to external sink",
|
|
294
|
+
"pattern_name": "Paste sensitive text into public form",
|
|
295
|
+
"entry_kind": "action_anomaly_template",
|
|
296
|
+
"summary": "Data with taint or sensitivity labels is about to be transmitted to a third-party sink.",
|
|
297
|
+
"action_verb": "type_sensitive",
|
|
298
|
+
"risk_signals": [
|
|
299
|
+
"verb=type_sensitive",
|
|
300
|
+
"outside current task envelope",
|
|
301
|
+
"novel sink/origin/capability"
|
|
302
|
+
],
|
|
303
|
+
"default_controls": [
|
|
304
|
+
"source-sink analysis",
|
|
305
|
+
"taint tracking",
|
|
306
|
+
"sensitive sink confirmation",
|
|
307
|
+
"deny by default for public sinks"
|
|
308
|
+
],
|
|
309
|
+
"default_decision": "block_or_user_confirm",
|
|
310
|
+
"source_ids": [
|
|
311
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
312
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
313
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
314
|
+
],
|
|
315
|
+
"credibility": "high",
|
|
316
|
+
"last_verified": "2026-03-28"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"pattern_id": "AI-03-02",
|
|
320
|
+
"family_key": "sensitive_sink_transmission",
|
|
321
|
+
"family_name": "Sensitive data to external sink",
|
|
322
|
+
"pattern_name": "Send extracted data by email/chat",
|
|
323
|
+
"entry_kind": "action_anomaly_template",
|
|
324
|
+
"summary": "Data with taint or sensitivity labels is about to be transmitted to a third-party sink.",
|
|
325
|
+
"action_verb": "send_external",
|
|
326
|
+
"risk_signals": [
|
|
327
|
+
"verb=send_external",
|
|
328
|
+
"outside current task envelope",
|
|
329
|
+
"novel sink/origin/capability"
|
|
330
|
+
],
|
|
331
|
+
"default_controls": [
|
|
332
|
+
"source-sink analysis",
|
|
333
|
+
"taint tracking",
|
|
334
|
+
"sensitive sink confirmation",
|
|
335
|
+
"deny by default for public sinks"
|
|
336
|
+
],
|
|
337
|
+
"default_decision": "block_or_user_confirm",
|
|
338
|
+
"source_ids": [
|
|
339
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
340
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
341
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
342
|
+
],
|
|
343
|
+
"credibility": "high",
|
|
344
|
+
"last_verified": "2026-03-28"
|
|
345
|
+
},
|
|
346
|
+
{
|
|
347
|
+
"pattern_id": "AI-03-03",
|
|
348
|
+
"family_key": "sensitive_sink_transmission",
|
|
349
|
+
"family_name": "Sensitive data to external sink",
|
|
350
|
+
"pattern_name": "Upload file to untrusted service",
|
|
351
|
+
"entry_kind": "action_anomaly_template",
|
|
352
|
+
"summary": "Data with taint or sensitivity labels is about to be transmitted to a third-party sink.",
|
|
353
|
+
"action_verb": "upload",
|
|
354
|
+
"risk_signals": [
|
|
355
|
+
"verb=upload",
|
|
356
|
+
"outside current task envelope",
|
|
357
|
+
"novel sink/origin/capability"
|
|
358
|
+
],
|
|
359
|
+
"default_controls": [
|
|
360
|
+
"source-sink analysis",
|
|
361
|
+
"taint tracking",
|
|
362
|
+
"sensitive sink confirmation",
|
|
363
|
+
"deny by default for public sinks"
|
|
364
|
+
],
|
|
365
|
+
"default_decision": "block_or_user_confirm",
|
|
366
|
+
"source_ids": [
|
|
367
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
368
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
369
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
370
|
+
],
|
|
371
|
+
"credibility": "high",
|
|
372
|
+
"last_verified": "2026-03-28"
|
|
373
|
+
},
|
|
374
|
+
{
|
|
375
|
+
"pattern_id": "AI-03-04",
|
|
376
|
+
"family_key": "sensitive_sink_transmission",
|
|
377
|
+
"family_name": "Sensitive data to external sink",
|
|
378
|
+
"pattern_name": "Call API with tainted payload",
|
|
379
|
+
"entry_kind": "action_anomaly_template",
|
|
380
|
+
"summary": "Data with taint or sensitivity labels is about to be transmitted to a third-party sink.",
|
|
381
|
+
"action_verb": "tool_write",
|
|
382
|
+
"risk_signals": [
|
|
383
|
+
"verb=tool_write",
|
|
384
|
+
"outside current task envelope",
|
|
385
|
+
"novel sink/origin/capability"
|
|
386
|
+
],
|
|
387
|
+
"default_controls": [
|
|
388
|
+
"source-sink analysis",
|
|
389
|
+
"taint tracking",
|
|
390
|
+
"sensitive sink confirmation",
|
|
391
|
+
"deny by default for public sinks"
|
|
392
|
+
],
|
|
393
|
+
"default_decision": "block_or_user_confirm",
|
|
394
|
+
"source_ids": [
|
|
395
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
396
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
397
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
398
|
+
],
|
|
399
|
+
"credibility": "high",
|
|
400
|
+
"last_verified": "2026-03-28"
|
|
401
|
+
},
|
|
402
|
+
{
|
|
403
|
+
"pattern_id": "AI-03-05",
|
|
404
|
+
"family_key": "sensitive_sink_transmission",
|
|
405
|
+
"family_name": "Sensitive data to external sink",
|
|
406
|
+
"pattern_name": "Copy secrets into URL parameters",
|
|
407
|
+
"entry_kind": "action_anomaly_template",
|
|
408
|
+
"summary": "Data with taint or sensitivity labels is about to be transmitted to a third-party sink.",
|
|
409
|
+
"action_verb": "navigate_with_data",
|
|
410
|
+
"risk_signals": [
|
|
411
|
+
"verb=navigate_with_data",
|
|
412
|
+
"outside current task envelope",
|
|
413
|
+
"novel sink/origin/capability"
|
|
414
|
+
],
|
|
415
|
+
"default_controls": [
|
|
416
|
+
"source-sink analysis",
|
|
417
|
+
"taint tracking",
|
|
418
|
+
"sensitive sink confirmation",
|
|
419
|
+
"deny by default for public sinks"
|
|
420
|
+
],
|
|
421
|
+
"default_decision": "block_or_user_confirm",
|
|
422
|
+
"source_ids": [
|
|
423
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
424
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
425
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
426
|
+
],
|
|
427
|
+
"credibility": "high",
|
|
428
|
+
"last_verified": "2026-03-28"
|
|
429
|
+
},
|
|
430
|
+
{
|
|
431
|
+
"pattern_id": "AI-04-01",
|
|
432
|
+
"family_key": "model_generated_url_exfil",
|
|
433
|
+
"family_name": "Model-generated URL exfiltration risk",
|
|
434
|
+
"pattern_name": "Query-string data stuffing",
|
|
435
|
+
"entry_kind": "action_anomaly_template",
|
|
436
|
+
"summary": "Generated URLs may encode or leak private data, or route through attacker-controlled destinations.",
|
|
437
|
+
"action_verb": "navigate",
|
|
438
|
+
"risk_signals": [
|
|
439
|
+
"verb=navigate",
|
|
440
|
+
"outside current task envelope",
|
|
441
|
+
"policy or phase mismatch"
|
|
442
|
+
],
|
|
443
|
+
"default_controls": [
|
|
444
|
+
"public URL allowlist",
|
|
445
|
+
"URL component inspection",
|
|
446
|
+
"redirect validation",
|
|
447
|
+
"strip tainted parameters"
|
|
448
|
+
],
|
|
449
|
+
"default_decision": "block_or_replan_read_only",
|
|
450
|
+
"source_ids": [
|
|
451
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
452
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
453
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025"
|
|
454
|
+
],
|
|
455
|
+
"credibility": "high",
|
|
456
|
+
"last_verified": "2026-03-28"
|
|
457
|
+
},
|
|
458
|
+
{
|
|
459
|
+
"pattern_id": "AI-04-02",
|
|
460
|
+
"family_key": "model_generated_url_exfil",
|
|
461
|
+
"family_name": "Model-generated URL exfiltration risk",
|
|
462
|
+
"pattern_name": "Path-segment data stuffing",
|
|
463
|
+
"entry_kind": "action_anomaly_template",
|
|
464
|
+
"summary": "Generated URLs may encode or leak private data, or route through attacker-controlled destinations.",
|
|
465
|
+
"action_verb": "navigate",
|
|
466
|
+
"risk_signals": [
|
|
467
|
+
"verb=navigate",
|
|
468
|
+
"outside current task envelope",
|
|
469
|
+
"policy or phase mismatch"
|
|
470
|
+
],
|
|
471
|
+
"default_controls": [
|
|
472
|
+
"public URL allowlist",
|
|
473
|
+
"URL component inspection",
|
|
474
|
+
"redirect validation",
|
|
475
|
+
"strip tainted parameters"
|
|
476
|
+
],
|
|
477
|
+
"default_decision": "block_or_replan_read_only",
|
|
478
|
+
"source_ids": [
|
|
479
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
480
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
481
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025"
|
|
482
|
+
],
|
|
483
|
+
"credibility": "high",
|
|
484
|
+
"last_verified": "2026-03-28"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"pattern_id": "AI-04-03",
|
|
488
|
+
"family_key": "model_generated_url_exfil",
|
|
489
|
+
"family_name": "Model-generated URL exfiltration risk",
|
|
490
|
+
"pattern_name": "Open-redirect chain via trusted domain",
|
|
491
|
+
"entry_kind": "action_anomaly_template",
|
|
492
|
+
"summary": "Generated URLs may encode or leak private data, or route through attacker-controlled destinations.",
|
|
493
|
+
"action_verb": "navigate",
|
|
494
|
+
"risk_signals": [
|
|
495
|
+
"verb=navigate",
|
|
496
|
+
"outside current task envelope",
|
|
497
|
+
"policy or phase mismatch"
|
|
498
|
+
],
|
|
499
|
+
"default_controls": [
|
|
500
|
+
"public URL allowlist",
|
|
501
|
+
"URL component inspection",
|
|
502
|
+
"redirect validation",
|
|
503
|
+
"strip tainted parameters"
|
|
504
|
+
],
|
|
505
|
+
"default_decision": "block_or_replan_read_only",
|
|
506
|
+
"source_ids": [
|
|
507
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
508
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
509
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025"
|
|
510
|
+
],
|
|
511
|
+
"credibility": "high",
|
|
512
|
+
"last_verified": "2026-03-28"
|
|
513
|
+
},
|
|
514
|
+
{
|
|
515
|
+
"pattern_id": "AI-04-04",
|
|
516
|
+
"family_key": "model_generated_url_exfil",
|
|
517
|
+
"family_name": "Model-generated URL exfiltration risk",
|
|
518
|
+
"pattern_name": "Shortened or opaque link expansion",
|
|
519
|
+
"entry_kind": "action_anomaly_template",
|
|
520
|
+
"summary": "Generated URLs may encode or leak private data, or route through attacker-controlled destinations.",
|
|
521
|
+
"action_verb": "resolve_url",
|
|
522
|
+
"risk_signals": [
|
|
523
|
+
"verb=resolve_url",
|
|
524
|
+
"outside current task envelope",
|
|
525
|
+
"policy or phase mismatch"
|
|
526
|
+
],
|
|
527
|
+
"default_controls": [
|
|
528
|
+
"public URL allowlist",
|
|
529
|
+
"URL component inspection",
|
|
530
|
+
"redirect validation",
|
|
531
|
+
"strip tainted parameters"
|
|
532
|
+
],
|
|
533
|
+
"default_decision": "block_or_replan_read_only",
|
|
534
|
+
"source_ids": [
|
|
535
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
536
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
537
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025"
|
|
538
|
+
],
|
|
539
|
+
"credibility": "high",
|
|
540
|
+
"last_verified": "2026-03-28"
|
|
541
|
+
},
|
|
542
|
+
{
|
|
543
|
+
"pattern_id": "AI-04-05",
|
|
544
|
+
"family_key": "model_generated_url_exfil",
|
|
545
|
+
"family_name": "Model-generated URL exfiltration risk",
|
|
546
|
+
"pattern_name": "Presigned upload/download URL misuse",
|
|
547
|
+
"entry_kind": "action_anomaly_template",
|
|
548
|
+
"summary": "Generated URLs may encode or leak private data, or route through attacker-controlled destinations.",
|
|
549
|
+
"action_verb": "download_or_upload",
|
|
550
|
+
"risk_signals": [
|
|
551
|
+
"verb=download_or_upload",
|
|
552
|
+
"outside current task envelope",
|
|
553
|
+
"policy or phase mismatch"
|
|
554
|
+
],
|
|
555
|
+
"default_controls": [
|
|
556
|
+
"public URL allowlist",
|
|
557
|
+
"URL component inspection",
|
|
558
|
+
"redirect validation",
|
|
559
|
+
"strip tainted parameters"
|
|
560
|
+
],
|
|
561
|
+
"default_decision": "block_or_replan_read_only",
|
|
562
|
+
"source_ids": [
|
|
563
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
564
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
565
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025"
|
|
566
|
+
],
|
|
567
|
+
"credibility": "high",
|
|
568
|
+
"last_verified": "2026-03-28"
|
|
569
|
+
},
|
|
570
|
+
{
|
|
571
|
+
"pattern_id": "AI-05-01",
|
|
572
|
+
"family_key": "bulk_exfiltration",
|
|
573
|
+
"family_name": "Bulk exfiltration behavior",
|
|
574
|
+
"pattern_name": "Enumerate and export all matching emails",
|
|
575
|
+
"entry_kind": "action_anomaly_template",
|
|
576
|
+
"summary": "Action sequence attempts broad collection, compression, or transfer of many items rather than narrow task execution.",
|
|
577
|
+
"action_verb": "bulk_read_send",
|
|
578
|
+
"risk_signals": [
|
|
579
|
+
"verb=bulk_read_send",
|
|
580
|
+
"outside current task envelope",
|
|
581
|
+
"policy or phase mismatch"
|
|
582
|
+
],
|
|
583
|
+
"default_controls": [
|
|
584
|
+
"bulk-operation quotas",
|
|
585
|
+
"recipient allowlists",
|
|
586
|
+
"high-volume anomaly detection",
|
|
587
|
+
"mandatory confirmation"
|
|
588
|
+
],
|
|
589
|
+
"default_decision": "block_or_escalate",
|
|
590
|
+
"source_ids": [
|
|
591
|
+
"SRC_NIST_HIJACK_EVAL_2025",
|
|
592
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
593
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
594
|
+
],
|
|
595
|
+
"credibility": "high",
|
|
596
|
+
"last_verified": "2026-03-28"
|
|
597
|
+
},
|
|
598
|
+
{
|
|
599
|
+
"pattern_id": "AI-05-02",
|
|
600
|
+
"family_key": "bulk_exfiltration",
|
|
601
|
+
"family_name": "Bulk exfiltration behavior",
|
|
602
|
+
"pattern_name": "Attach multiple files from cloud drive",
|
|
603
|
+
"entry_kind": "action_anomaly_template",
|
|
604
|
+
"summary": "Action sequence attempts broad collection, compression, or transfer of many items rather than narrow task execution.",
|
|
605
|
+
"action_verb": "bulk_file_send",
|
|
606
|
+
"risk_signals": [
|
|
607
|
+
"verb=bulk_file_send",
|
|
608
|
+
"outside current task envelope",
|
|
609
|
+
"policy or phase mismatch"
|
|
610
|
+
],
|
|
611
|
+
"default_controls": [
|
|
612
|
+
"bulk-operation quotas",
|
|
613
|
+
"recipient allowlists",
|
|
614
|
+
"high-volume anomaly detection",
|
|
615
|
+
"mandatory confirmation"
|
|
616
|
+
],
|
|
617
|
+
"default_decision": "block_or_escalate",
|
|
618
|
+
"source_ids": [
|
|
619
|
+
"SRC_NIST_HIJACK_EVAL_2025",
|
|
620
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
621
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
622
|
+
],
|
|
623
|
+
"credibility": "high",
|
|
624
|
+
"last_verified": "2026-03-28"
|
|
625
|
+
},
|
|
626
|
+
{
|
|
627
|
+
"pattern_id": "AI-05-03",
|
|
628
|
+
"family_key": "bulk_exfiltration",
|
|
629
|
+
"family_name": "Bulk exfiltration behavior",
|
|
630
|
+
"pattern_name": "Mass contact messaging with same payload",
|
|
631
|
+
"entry_kind": "action_anomaly_template",
|
|
632
|
+
"summary": "Action sequence attempts broad collection, compression, or transfer of many items rather than narrow task execution.",
|
|
633
|
+
"action_verb": "bulk_message",
|
|
634
|
+
"risk_signals": [
|
|
635
|
+
"verb=bulk_message",
|
|
636
|
+
"outside current task envelope",
|
|
637
|
+
"policy or phase mismatch"
|
|
638
|
+
],
|
|
639
|
+
"default_controls": [
|
|
640
|
+
"bulk-operation quotas",
|
|
641
|
+
"recipient allowlists",
|
|
642
|
+
"high-volume anomaly detection",
|
|
643
|
+
"mandatory confirmation"
|
|
644
|
+
],
|
|
645
|
+
"default_decision": "block_or_escalate",
|
|
646
|
+
"source_ids": [
|
|
647
|
+
"SRC_NIST_HIJACK_EVAL_2025",
|
|
648
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
649
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
650
|
+
],
|
|
651
|
+
"credibility": "high",
|
|
652
|
+
"last_verified": "2026-03-28"
|
|
653
|
+
},
|
|
654
|
+
{
|
|
655
|
+
"pattern_id": "AI-05-04",
|
|
656
|
+
"family_key": "bulk_exfiltration",
|
|
657
|
+
"family_name": "Bulk exfiltration behavior",
|
|
658
|
+
"pattern_name": "Directory listing followed by external transfer",
|
|
659
|
+
"entry_kind": "action_anomaly_template",
|
|
660
|
+
"summary": "Action sequence attempts broad collection, compression, or transfer of many items rather than narrow task execution.",
|
|
661
|
+
"action_verb": "bulk_enumerate",
|
|
662
|
+
"risk_signals": [
|
|
663
|
+
"verb=bulk_enumerate",
|
|
664
|
+
"outside current task envelope",
|
|
665
|
+
"policy or phase mismatch"
|
|
666
|
+
],
|
|
667
|
+
"default_controls": [
|
|
668
|
+
"bulk-operation quotas",
|
|
669
|
+
"recipient allowlists",
|
|
670
|
+
"high-volume anomaly detection",
|
|
671
|
+
"mandatory confirmation"
|
|
672
|
+
],
|
|
673
|
+
"default_decision": "block_or_escalate",
|
|
674
|
+
"source_ids": [
|
|
675
|
+
"SRC_NIST_HIJACK_EVAL_2025",
|
|
676
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
677
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
678
|
+
],
|
|
679
|
+
"credibility": "high",
|
|
680
|
+
"last_verified": "2026-03-28"
|
|
681
|
+
},
|
|
682
|
+
{
|
|
683
|
+
"pattern_id": "AI-05-05",
|
|
684
|
+
"family_key": "bulk_exfiltration",
|
|
685
|
+
"family_name": "Bulk exfiltration behavior",
|
|
686
|
+
"pattern_name": "Archive/compress then send",
|
|
687
|
+
"entry_kind": "action_anomaly_template",
|
|
688
|
+
"summary": "Action sequence attempts broad collection, compression, or transfer of many items rather than narrow task execution.",
|
|
689
|
+
"action_verb": "bulk_package_send",
|
|
690
|
+
"risk_signals": [
|
|
691
|
+
"verb=bulk_package_send",
|
|
692
|
+
"outside current task envelope",
|
|
693
|
+
"policy or phase mismatch"
|
|
694
|
+
],
|
|
695
|
+
"default_controls": [
|
|
696
|
+
"bulk-operation quotas",
|
|
697
|
+
"recipient allowlists",
|
|
698
|
+
"high-volume anomaly detection",
|
|
699
|
+
"mandatory confirmation"
|
|
700
|
+
],
|
|
701
|
+
"default_decision": "block_or_escalate",
|
|
702
|
+
"source_ids": [
|
|
703
|
+
"SRC_NIST_HIJACK_EVAL_2025",
|
|
704
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
705
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
706
|
+
],
|
|
707
|
+
"credibility": "high",
|
|
708
|
+
"last_verified": "2026-03-28"
|
|
709
|
+
},
|
|
710
|
+
{
|
|
711
|
+
"pattern_id": "AI-06-01",
|
|
712
|
+
"family_key": "credential_or_auth_use",
|
|
713
|
+
"family_name": "Credential, consent, or authentication use",
|
|
714
|
+
"pattern_name": "Login form entry",
|
|
715
|
+
"entry_kind": "action_anomaly_template",
|
|
716
|
+
"summary": "Action touches login, token exchange, 2FA, OAuth consent, or scope grant flows.",
|
|
717
|
+
"action_verb": "login",
|
|
718
|
+
"risk_signals": [
|
|
719
|
+
"verb=login",
|
|
720
|
+
"outside current task envelope",
|
|
721
|
+
"policy or phase mismatch"
|
|
722
|
+
],
|
|
723
|
+
"default_controls": [
|
|
724
|
+
"interactive consent",
|
|
725
|
+
"scope minimization",
|
|
726
|
+
"exact redirect validation",
|
|
727
|
+
"credential broker isolation"
|
|
728
|
+
],
|
|
729
|
+
"default_decision": "require_explicit_user_approval",
|
|
730
|
+
"source_ids": [
|
|
731
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
732
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
733
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
734
|
+
],
|
|
735
|
+
"credibility": "high",
|
|
736
|
+
"last_verified": "2026-03-28"
|
|
737
|
+
},
|
|
738
|
+
{
|
|
739
|
+
"pattern_id": "AI-06-02",
|
|
740
|
+
"family_key": "credential_or_auth_use",
|
|
741
|
+
"family_name": "Credential, consent, or authentication use",
|
|
742
|
+
"pattern_name": "OAuth consent acceptance",
|
|
743
|
+
"entry_kind": "action_anomaly_template",
|
|
744
|
+
"summary": "Action touches login, token exchange, 2FA, OAuth consent, or scope grant flows.",
|
|
745
|
+
"action_verb": "oauth_consent",
|
|
746
|
+
"risk_signals": [
|
|
747
|
+
"verb=oauth_consent",
|
|
748
|
+
"outside current task envelope",
|
|
749
|
+
"policy or phase mismatch"
|
|
750
|
+
],
|
|
751
|
+
"default_controls": [
|
|
752
|
+
"interactive consent",
|
|
753
|
+
"scope minimization",
|
|
754
|
+
"exact redirect validation",
|
|
755
|
+
"credential broker isolation"
|
|
756
|
+
],
|
|
757
|
+
"default_decision": "require_explicit_user_approval",
|
|
758
|
+
"source_ids": [
|
|
759
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
760
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
761
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
762
|
+
],
|
|
763
|
+
"credibility": "high",
|
|
764
|
+
"last_verified": "2026-03-28"
|
|
765
|
+
},
|
|
766
|
+
{
|
|
767
|
+
"pattern_id": "AI-06-03",
|
|
768
|
+
"family_key": "credential_or_auth_use",
|
|
769
|
+
"family_name": "Credential, consent, or authentication use",
|
|
770
|
+
"pattern_name": "2FA or OTP entry",
|
|
771
|
+
"entry_kind": "action_anomaly_template",
|
|
772
|
+
"summary": "Action touches login, token exchange, 2FA, OAuth consent, or scope grant flows.",
|
|
773
|
+
"action_verb": "enter_otp",
|
|
774
|
+
"risk_signals": [
|
|
775
|
+
"verb=enter_otp",
|
|
776
|
+
"outside current task envelope",
|
|
777
|
+
"policy or phase mismatch"
|
|
778
|
+
],
|
|
779
|
+
"default_controls": [
|
|
780
|
+
"interactive consent",
|
|
781
|
+
"scope minimization",
|
|
782
|
+
"exact redirect validation",
|
|
783
|
+
"credential broker isolation"
|
|
784
|
+
],
|
|
785
|
+
"default_decision": "require_explicit_user_approval",
|
|
786
|
+
"source_ids": [
|
|
787
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
788
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
789
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
790
|
+
],
|
|
791
|
+
"credibility": "high",
|
|
792
|
+
"last_verified": "2026-03-28"
|
|
793
|
+
},
|
|
794
|
+
{
|
|
795
|
+
"pattern_id": "AI-06-04",
|
|
796
|
+
"family_key": "credential_or_auth_use",
|
|
797
|
+
"family_name": "Credential, consent, or authentication use",
|
|
798
|
+
"pattern_name": "Token refresh or API authorization step",
|
|
799
|
+
"entry_kind": "action_anomaly_template",
|
|
800
|
+
"summary": "Action touches login, token exchange, 2FA, OAuth consent, or scope grant flows.",
|
|
801
|
+
"action_verb": "token_exchange",
|
|
802
|
+
"risk_signals": [
|
|
803
|
+
"verb=token_exchange",
|
|
804
|
+
"outside current task envelope",
|
|
805
|
+
"policy or phase mismatch"
|
|
806
|
+
],
|
|
807
|
+
"default_controls": [
|
|
808
|
+
"interactive consent",
|
|
809
|
+
"scope minimization",
|
|
810
|
+
"exact redirect validation",
|
|
811
|
+
"credential broker isolation"
|
|
812
|
+
],
|
|
813
|
+
"default_decision": "require_explicit_user_approval",
|
|
814
|
+
"source_ids": [
|
|
815
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
816
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
817
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
818
|
+
],
|
|
819
|
+
"credibility": "high",
|
|
820
|
+
"last_verified": "2026-03-28"
|
|
821
|
+
},
|
|
822
|
+
{
|
|
823
|
+
"pattern_id": "AI-06-05",
|
|
824
|
+
"family_key": "credential_or_auth_use",
|
|
825
|
+
"family_name": "Credential, consent, or authentication use",
|
|
826
|
+
"pattern_name": "Grant-scope escalation",
|
|
827
|
+
"entry_kind": "action_anomaly_template",
|
|
828
|
+
"summary": "Action touches login, token exchange, 2FA, OAuth consent, or scope grant flows.",
|
|
829
|
+
"action_verb": "grant_scope",
|
|
830
|
+
"risk_signals": [
|
|
831
|
+
"verb=grant_scope",
|
|
832
|
+
"outside current task envelope",
|
|
833
|
+
"policy or phase mismatch"
|
|
834
|
+
],
|
|
835
|
+
"default_controls": [
|
|
836
|
+
"interactive consent",
|
|
837
|
+
"scope minimization",
|
|
838
|
+
"exact redirect validation",
|
|
839
|
+
"credential broker isolation"
|
|
840
|
+
],
|
|
841
|
+
"default_decision": "require_explicit_user_approval",
|
|
842
|
+
"source_ids": [
|
|
843
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
844
|
+
"SRC_OWASP_SECURE_MCP_GUIDE_2026",
|
|
845
|
+
"SRC_OWASP_AGENTIC_TOP10_2026"
|
|
846
|
+
],
|
|
847
|
+
"credibility": "high",
|
|
848
|
+
"last_verified": "2026-03-28"
|
|
849
|
+
},
|
|
850
|
+
{
|
|
851
|
+
"pattern_id": "AI-07-01",
|
|
852
|
+
"family_key": "high_impact_transaction",
|
|
853
|
+
"family_name": "High-impact transaction",
|
|
854
|
+
"pattern_name": "Purchase or checkout flow",
|
|
855
|
+
"entry_kind": "action_anomaly_template",
|
|
856
|
+
"summary": "Action proposes financially, legally, operationally, or reputationally consequential change.",
|
|
857
|
+
"action_verb": "purchase",
|
|
858
|
+
"risk_signals": [
|
|
859
|
+
"verb=purchase",
|
|
860
|
+
"outside current task envelope",
|
|
861
|
+
"policy or phase mismatch"
|
|
862
|
+
],
|
|
863
|
+
"default_controls": [
|
|
864
|
+
"transaction approval",
|
|
865
|
+
"dual control",
|
|
866
|
+
"strong audit logging",
|
|
867
|
+
"irreversible-action interstitial"
|
|
868
|
+
],
|
|
869
|
+
"default_decision": "user_confirm_or_block",
|
|
870
|
+
"source_ids": [
|
|
871
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
872
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
873
|
+
"SRC_NIST_CAISI_RFI_2026"
|
|
874
|
+
],
|
|
875
|
+
"credibility": "high",
|
|
876
|
+
"last_verified": "2026-03-28"
|
|
877
|
+
},
|
|
878
|
+
{
|
|
879
|
+
"pattern_id": "AI-07-02",
|
|
880
|
+
"family_key": "high_impact_transaction",
|
|
881
|
+
"family_name": "High-impact transaction",
|
|
882
|
+
"pattern_name": "Banking or transfer action",
|
|
883
|
+
"entry_kind": "action_anomaly_template",
|
|
884
|
+
"summary": "Action proposes financially, legally, operationally, or reputationally consequential change.",
|
|
885
|
+
"action_verb": "bank_transfer",
|
|
886
|
+
"risk_signals": [
|
|
887
|
+
"verb=bank_transfer",
|
|
888
|
+
"outside current task envelope",
|
|
889
|
+
"policy or phase mismatch"
|
|
890
|
+
],
|
|
891
|
+
"default_controls": [
|
|
892
|
+
"transaction approval",
|
|
893
|
+
"dual control",
|
|
894
|
+
"strong audit logging",
|
|
895
|
+
"irreversible-action interstitial"
|
|
896
|
+
],
|
|
897
|
+
"default_decision": "user_confirm_or_block",
|
|
898
|
+
"source_ids": [
|
|
899
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
900
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
901
|
+
"SRC_NIST_CAISI_RFI_2026"
|
|
902
|
+
],
|
|
903
|
+
"credibility": "high",
|
|
904
|
+
"last_verified": "2026-03-28"
|
|
905
|
+
},
|
|
906
|
+
{
|
|
907
|
+
"pattern_id": "AI-07-03",
|
|
908
|
+
"family_key": "high_impact_transaction",
|
|
909
|
+
"family_name": "High-impact transaction",
|
|
910
|
+
"pattern_name": "HR/identity/account change",
|
|
911
|
+
"entry_kind": "action_anomaly_template",
|
|
912
|
+
"summary": "Action proposes financially, legally, operationally, or reputationally consequential change.",
|
|
913
|
+
"action_verb": "account_change",
|
|
914
|
+
"risk_signals": [
|
|
915
|
+
"verb=account_change",
|
|
916
|
+
"outside current task envelope",
|
|
917
|
+
"policy or phase mismatch"
|
|
918
|
+
],
|
|
919
|
+
"default_controls": [
|
|
920
|
+
"transaction approval",
|
|
921
|
+
"dual control",
|
|
922
|
+
"strong audit logging",
|
|
923
|
+
"irreversible-action interstitial"
|
|
924
|
+
],
|
|
925
|
+
"default_decision": "user_confirm_or_block",
|
|
926
|
+
"source_ids": [
|
|
927
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
928
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
929
|
+
"SRC_NIST_CAISI_RFI_2026"
|
|
930
|
+
],
|
|
931
|
+
"credibility": "high",
|
|
932
|
+
"last_verified": "2026-03-28"
|
|
933
|
+
},
|
|
934
|
+
{
|
|
935
|
+
"pattern_id": "AI-07-04",
|
|
936
|
+
"family_key": "high_impact_transaction",
|
|
937
|
+
"family_name": "High-impact transaction",
|
|
938
|
+
"pattern_name": "Data deletion or retention change",
|
|
939
|
+
"entry_kind": "action_anomaly_template",
|
|
940
|
+
"summary": "Action proposes financially, legally, operationally, or reputationally consequential change.",
|
|
941
|
+
"action_verb": "delete_data",
|
|
942
|
+
"risk_signals": [
|
|
943
|
+
"verb=delete_data",
|
|
944
|
+
"outside current task envelope",
|
|
945
|
+
"policy or phase mismatch"
|
|
946
|
+
],
|
|
947
|
+
"default_controls": [
|
|
948
|
+
"transaction approval",
|
|
949
|
+
"dual control",
|
|
950
|
+
"strong audit logging",
|
|
951
|
+
"irreversible-action interstitial"
|
|
952
|
+
],
|
|
953
|
+
"default_decision": "user_confirm_or_block",
|
|
954
|
+
"source_ids": [
|
|
955
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
956
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
957
|
+
"SRC_NIST_CAISI_RFI_2026"
|
|
958
|
+
],
|
|
959
|
+
"credibility": "high",
|
|
960
|
+
"last_verified": "2026-03-28"
|
|
961
|
+
},
|
|
962
|
+
{
|
|
963
|
+
"pattern_id": "AI-07-05",
|
|
964
|
+
"family_key": "high_impact_transaction",
|
|
965
|
+
"family_name": "High-impact transaction",
|
|
966
|
+
"pattern_name": "Compliance or legal submission",
|
|
967
|
+
"entry_kind": "action_anomaly_template",
|
|
968
|
+
"summary": "Action proposes financially, legally, operationally, or reputationally consequential change.",
|
|
969
|
+
"action_verb": "submit_regulated_form",
|
|
970
|
+
"risk_signals": [
|
|
971
|
+
"verb=submit_regulated_form",
|
|
972
|
+
"outside current task envelope",
|
|
973
|
+
"policy or phase mismatch"
|
|
974
|
+
],
|
|
975
|
+
"default_controls": [
|
|
976
|
+
"transaction approval",
|
|
977
|
+
"dual control",
|
|
978
|
+
"strong audit logging",
|
|
979
|
+
"irreversible-action interstitial"
|
|
980
|
+
],
|
|
981
|
+
"default_decision": "user_confirm_or_block",
|
|
982
|
+
"source_ids": [
|
|
983
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
984
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
985
|
+
"SRC_NIST_CAISI_RFI_2026"
|
|
986
|
+
],
|
|
987
|
+
"credibility": "high",
|
|
988
|
+
"last_verified": "2026-03-28"
|
|
989
|
+
},
|
|
990
|
+
{
|
|
991
|
+
"pattern_id": "AI-08-01",
|
|
992
|
+
"family_key": "approval_bypass_loop",
|
|
993
|
+
"family_name": "Approval bypass or veto grinding",
|
|
994
|
+
"pattern_name": "Repeated near-identical retries after veto",
|
|
995
|
+
"entry_kind": "action_anomaly_template",
|
|
996
|
+
"summary": "Planner repeatedly reformulates or decomposes a blocked action to circumvent approval thresholds.",
|
|
997
|
+
"action_verb": "retry",
|
|
998
|
+
"risk_signals": [
|
|
999
|
+
"verb=retry",
|
|
1000
|
+
"outside current task envelope",
|
|
1001
|
+
"policy or phase mismatch"
|
|
1002
|
+
],
|
|
1003
|
+
"default_controls": [
|
|
1004
|
+
"cooldowns",
|
|
1005
|
+
"decision-memory",
|
|
1006
|
+
"critic feedback limits",
|
|
1007
|
+
"escalate after repeated vetoes"
|
|
1008
|
+
],
|
|
1009
|
+
"default_decision": "escalate_incident",
|
|
1010
|
+
"source_ids": [
|
|
1011
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
1012
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
1013
|
+
"SRC_ADAPTIVE_ATTACKS_ACL_2025"
|
|
1014
|
+
],
|
|
1015
|
+
"credibility": "high",
|
|
1016
|
+
"last_verified": "2026-03-28"
|
|
1017
|
+
},
|
|
1018
|
+
{
|
|
1019
|
+
"pattern_id": "AI-08-02",
|
|
1020
|
+
"family_key": "approval_bypass_loop",
|
|
1021
|
+
"family_name": "Approval bypass or veto grinding",
|
|
1022
|
+
"pattern_name": "Task decomposition to hide risky step",
|
|
1023
|
+
"entry_kind": "action_anomaly_template",
|
|
1024
|
+
"summary": "Planner repeatedly reformulates or decomposes a blocked action to circumvent approval thresholds.",
|
|
1025
|
+
"action_verb": "decompose",
|
|
1026
|
+
"risk_signals": [
|
|
1027
|
+
"verb=decompose",
|
|
1028
|
+
"outside current task envelope",
|
|
1029
|
+
"policy or phase mismatch"
|
|
1030
|
+
],
|
|
1031
|
+
"default_controls": [
|
|
1032
|
+
"cooldowns",
|
|
1033
|
+
"decision-memory",
|
|
1034
|
+
"critic feedback limits",
|
|
1035
|
+
"escalate after repeated vetoes"
|
|
1036
|
+
],
|
|
1037
|
+
"default_decision": "escalate_incident",
|
|
1038
|
+
"source_ids": [
|
|
1039
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
1040
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
1041
|
+
"SRC_ADAPTIVE_ATTACKS_ACL_2025"
|
|
1042
|
+
],
|
|
1043
|
+
"credibility": "high",
|
|
1044
|
+
"last_verified": "2026-03-28"
|
|
1045
|
+
},
|
|
1046
|
+
{
|
|
1047
|
+
"pattern_id": "AI-08-03",
|
|
1048
|
+
"family_key": "approval_bypass_loop",
|
|
1049
|
+
"family_name": "Approval bypass or veto grinding",
|
|
1050
|
+
"pattern_name": "Urgency framing to push approval",
|
|
1051
|
+
"entry_kind": "action_anomaly_template",
|
|
1052
|
+
"summary": "Planner repeatedly reformulates or decomposes a blocked action to circumvent approval thresholds.",
|
|
1053
|
+
"action_verb": "request_approval",
|
|
1054
|
+
"risk_signals": [
|
|
1055
|
+
"verb=request_approval",
|
|
1056
|
+
"outside current task envelope",
|
|
1057
|
+
"policy or phase mismatch"
|
|
1058
|
+
],
|
|
1059
|
+
"default_controls": [
|
|
1060
|
+
"cooldowns",
|
|
1061
|
+
"decision-memory",
|
|
1062
|
+
"critic feedback limits",
|
|
1063
|
+
"escalate after repeated vetoes"
|
|
1064
|
+
],
|
|
1065
|
+
"default_decision": "escalate_incident",
|
|
1066
|
+
"source_ids": [
|
|
1067
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
1068
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
1069
|
+
"SRC_ADAPTIVE_ATTACKS_ACL_2025"
|
|
1070
|
+
],
|
|
1071
|
+
"credibility": "high",
|
|
1072
|
+
"last_verified": "2026-03-28"
|
|
1073
|
+
},
|
|
1074
|
+
{
|
|
1075
|
+
"pattern_id": "AI-08-04",
|
|
1076
|
+
"family_key": "approval_bypass_loop",
|
|
1077
|
+
"family_name": "Approval bypass or veto grinding",
|
|
1078
|
+
"pattern_name": "Social-proof or authority claim in rationale",
|
|
1079
|
+
"entry_kind": "action_anomaly_template",
|
|
1080
|
+
"summary": "Planner repeatedly reformulates or decomposes a blocked action to circumvent approval thresholds.",
|
|
1081
|
+
"action_verb": "request_approval",
|
|
1082
|
+
"risk_signals": [
|
|
1083
|
+
"verb=request_approval",
|
|
1084
|
+
"outside current task envelope",
|
|
1085
|
+
"policy or phase mismatch"
|
|
1086
|
+
],
|
|
1087
|
+
"default_controls": [
|
|
1088
|
+
"cooldowns",
|
|
1089
|
+
"decision-memory",
|
|
1090
|
+
"critic feedback limits",
|
|
1091
|
+
"escalate after repeated vetoes"
|
|
1092
|
+
],
|
|
1093
|
+
"default_decision": "escalate_incident",
|
|
1094
|
+
"source_ids": [
|
|
1095
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
1096
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
1097
|
+
"SRC_ADAPTIVE_ATTACKS_ACL_2025"
|
|
1098
|
+
],
|
|
1099
|
+
"credibility": "high",
|
|
1100
|
+
"last_verified": "2026-03-28"
|
|
1101
|
+
},
|
|
1102
|
+
{
|
|
1103
|
+
"pattern_id": "AI-08-05",
|
|
1104
|
+
"family_key": "approval_bypass_loop",
|
|
1105
|
+
"family_name": "Approval bypass or veto grinding",
|
|
1106
|
+
"pattern_name": "Switching sinks after repeated blocks",
|
|
1107
|
+
"entry_kind": "action_anomaly_template",
|
|
1108
|
+
"summary": "Planner repeatedly reformulates or decomposes a blocked action to circumvent approval thresholds.",
|
|
1109
|
+
"action_verb": "replan_sink",
|
|
1110
|
+
"risk_signals": [
|
|
1111
|
+
"verb=replan_sink",
|
|
1112
|
+
"outside current task envelope",
|
|
1113
|
+
"policy or phase mismatch"
|
|
1114
|
+
],
|
|
1115
|
+
"default_controls": [
|
|
1116
|
+
"cooldowns",
|
|
1117
|
+
"decision-memory",
|
|
1118
|
+
"critic feedback limits",
|
|
1119
|
+
"escalate after repeated vetoes"
|
|
1120
|
+
],
|
|
1121
|
+
"default_decision": "escalate_incident",
|
|
1122
|
+
"source_ids": [
|
|
1123
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
1124
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
1125
|
+
"SRC_ADAPTIVE_ATTACKS_ACL_2025"
|
|
1126
|
+
],
|
|
1127
|
+
"credibility": "high",
|
|
1128
|
+
"last_verified": "2026-03-28"
|
|
1129
|
+
},
|
|
1130
|
+
{
|
|
1131
|
+
"pattern_id": "AI-09-01",
|
|
1132
|
+
"family_key": "unexpected_code_execution",
|
|
1133
|
+
"family_name": "Unexpected code or command execution",
|
|
1134
|
+
"pattern_name": "Download-and-run command",
|
|
1135
|
+
"entry_kind": "action_anomaly_template",
|
|
1136
|
+
"summary": "Action path moves from content processing into shell execution, local binaries, macros, or scripts.",
|
|
1137
|
+
"action_verb": "execute",
|
|
1138
|
+
"risk_signals": [
|
|
1139
|
+
"verb=execute",
|
|
1140
|
+
"outside current task envelope",
|
|
1141
|
+
"policy or phase mismatch"
|
|
1142
|
+
],
|
|
1143
|
+
"default_controls": [
|
|
1144
|
+
"execution capability off by default",
|
|
1145
|
+
"sandboxing",
|
|
1146
|
+
"command-pattern warnings",
|
|
1147
|
+
"separate approval lane"
|
|
1148
|
+
],
|
|
1149
|
+
"default_decision": "block_or_require_admin_approval",
|
|
1150
|
+
"source_ids": [
|
|
1151
|
+
"SRC_NIST_HIJACK_EVAL_2025",
|
|
1152
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
1153
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025"
|
|
1154
|
+
],
|
|
1155
|
+
"credibility": "high",
|
|
1156
|
+
"last_verified": "2026-03-28"
|
|
1157
|
+
},
|
|
1158
|
+
{
|
|
1159
|
+
"pattern_id": "AI-09-02",
|
|
1160
|
+
"family_key": "unexpected_code_execution",
|
|
1161
|
+
"family_name": "Unexpected code or command execution",
|
|
1162
|
+
"pattern_name": "Terminal command with network/file side effects",
|
|
1163
|
+
"entry_kind": "action_anomaly_template",
|
|
1164
|
+
"summary": "Action path moves from content processing into shell execution, local binaries, macros, or scripts.",
|
|
1165
|
+
"action_verb": "exec_shell",
|
|
1166
|
+
"risk_signals": [
|
|
1167
|
+
"verb=exec_shell",
|
|
1168
|
+
"outside current task envelope",
|
|
1169
|
+
"policy or phase mismatch"
|
|
1170
|
+
],
|
|
1171
|
+
"default_controls": [
|
|
1172
|
+
"execution capability off by default",
|
|
1173
|
+
"sandboxing",
|
|
1174
|
+
"command-pattern warnings",
|
|
1175
|
+
"separate approval lane"
|
|
1176
|
+
],
|
|
1177
|
+
"default_decision": "block_or_require_admin_approval",
|
|
1178
|
+
"source_ids": [
|
|
1179
|
+
"SRC_NIST_HIJACK_EVAL_2025",
|
|
1180
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
1181
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025"
|
|
1182
|
+
],
|
|
1183
|
+
"credibility": "high",
|
|
1184
|
+
"last_verified": "2026-03-28"
|
|
1185
|
+
},
|
|
1186
|
+
{
|
|
1187
|
+
"pattern_id": "AI-09-03",
|
|
1188
|
+
"family_key": "unexpected_code_execution",
|
|
1189
|
+
"family_name": "Unexpected code or command execution",
|
|
1190
|
+
"pattern_name": "Macro or document script enablement",
|
|
1191
|
+
"entry_kind": "action_anomaly_template",
|
|
1192
|
+
"summary": "Action path moves from content processing into shell execution, local binaries, macros, or scripts.",
|
|
1193
|
+
"action_verb": "enable_macro",
|
|
1194
|
+
"risk_signals": [
|
|
1195
|
+
"verb=enable_macro",
|
|
1196
|
+
"outside current task envelope",
|
|
1197
|
+
"policy or phase mismatch"
|
|
1198
|
+
],
|
|
1199
|
+
"default_controls": [
|
|
1200
|
+
"execution capability off by default",
|
|
1201
|
+
"sandboxing",
|
|
1202
|
+
"command-pattern warnings",
|
|
1203
|
+
"separate approval lane"
|
|
1204
|
+
],
|
|
1205
|
+
"default_decision": "block_or_require_admin_approval",
|
|
1206
|
+
"source_ids": [
|
|
1207
|
+
"SRC_NIST_HIJACK_EVAL_2025",
|
|
1208
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
1209
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025"
|
|
1210
|
+
],
|
|
1211
|
+
"credibility": "high",
|
|
1212
|
+
"last_verified": "2026-03-28"
|
|
1213
|
+
},
|
|
1214
|
+
{
|
|
1215
|
+
"pattern_id": "AI-09-04",
|
|
1216
|
+
"family_key": "unexpected_code_execution",
|
|
1217
|
+
"family_name": "Unexpected code or command execution",
|
|
1218
|
+
"pattern_name": "Install or start local helper/server",
|
|
1219
|
+
"entry_kind": "action_anomaly_template",
|
|
1220
|
+
"summary": "Action path moves from content processing into shell execution, local binaries, macros, or scripts.",
|
|
1221
|
+
"action_verb": "install_binary",
|
|
1222
|
+
"risk_signals": [
|
|
1223
|
+
"verb=install_binary",
|
|
1224
|
+
"outside current task envelope",
|
|
1225
|
+
"policy or phase mismatch"
|
|
1226
|
+
],
|
|
1227
|
+
"default_controls": [
|
|
1228
|
+
"execution capability off by default",
|
|
1229
|
+
"sandboxing",
|
|
1230
|
+
"command-pattern warnings",
|
|
1231
|
+
"separate approval lane"
|
|
1232
|
+
],
|
|
1233
|
+
"default_decision": "block_or_require_admin_approval",
|
|
1234
|
+
"source_ids": [
|
|
1235
|
+
"SRC_NIST_HIJACK_EVAL_2025",
|
|
1236
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
1237
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025"
|
|
1238
|
+
],
|
|
1239
|
+
"credibility": "high",
|
|
1240
|
+
"last_verified": "2026-03-28"
|
|
1241
|
+
},
|
|
1242
|
+
{
|
|
1243
|
+
"pattern_id": "AI-09-05",
|
|
1244
|
+
"family_key": "unexpected_code_execution",
|
|
1245
|
+
"family_name": "Unexpected code or command execution",
|
|
1246
|
+
"pattern_name": "Run code interpreter on tainted payload",
|
|
1247
|
+
"entry_kind": "action_anomaly_template",
|
|
1248
|
+
"summary": "Action path moves from content processing into shell execution, local binaries, macros, or scripts.",
|
|
1249
|
+
"action_verb": "execute_code",
|
|
1250
|
+
"risk_signals": [
|
|
1251
|
+
"verb=execute_code",
|
|
1252
|
+
"outside current task envelope",
|
|
1253
|
+
"policy or phase mismatch"
|
|
1254
|
+
],
|
|
1255
|
+
"default_controls": [
|
|
1256
|
+
"execution capability off by default",
|
|
1257
|
+
"sandboxing",
|
|
1258
|
+
"command-pattern warnings",
|
|
1259
|
+
"separate approval lane"
|
|
1260
|
+
],
|
|
1261
|
+
"default_decision": "block_or_require_admin_approval",
|
|
1262
|
+
"source_ids": [
|
|
1263
|
+
"SRC_NIST_HIJACK_EVAL_2025",
|
|
1264
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
1265
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025"
|
|
1266
|
+
],
|
|
1267
|
+
"credibility": "high",
|
|
1268
|
+
"last_verified": "2026-03-28"
|
|
1269
|
+
},
|
|
1270
|
+
{
|
|
1271
|
+
"pattern_id": "AI-10-01",
|
|
1272
|
+
"family_key": "cross_origin_copy_paste",
|
|
1273
|
+
"family_name": "Cross-origin copy/paste drift",
|
|
1274
|
+
"pattern_name": "Public web to enterprise app paste",
|
|
1275
|
+
"entry_kind": "action_anomaly_template",
|
|
1276
|
+
"summary": "Extracted content from one origin is inserted into another origin without explicit policy coverage.",
|
|
1277
|
+
"action_verb": "cross_origin_type",
|
|
1278
|
+
"risk_signals": [
|
|
1279
|
+
"verb=cross_origin_type",
|
|
1280
|
+
"outside current task envelope",
|
|
1281
|
+
"novel sink/origin/capability"
|
|
1282
|
+
],
|
|
1283
|
+
"default_controls": [
|
|
1284
|
+
"origin-pair policies",
|
|
1285
|
+
"taint-preserving clipboard model",
|
|
1286
|
+
"sensitive sink checks",
|
|
1287
|
+
"read/write pair allowlists"
|
|
1288
|
+
],
|
|
1289
|
+
"default_decision": "replan_or_user_confirm",
|
|
1290
|
+
"source_ids": [
|
|
1291
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
1292
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
1293
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
1294
|
+
],
|
|
1295
|
+
"credibility": "high",
|
|
1296
|
+
"last_verified": "2026-03-28"
|
|
1297
|
+
},
|
|
1298
|
+
{
|
|
1299
|
+
"pattern_id": "AI-10-02",
|
|
1300
|
+
"family_key": "cross_origin_copy_paste",
|
|
1301
|
+
"family_name": "Cross-origin copy/paste drift",
|
|
1302
|
+
"pattern_name": "Authenticated app to public pastebin",
|
|
1303
|
+
"entry_kind": "action_anomaly_template",
|
|
1304
|
+
"summary": "Extracted content from one origin is inserted into another origin without explicit policy coverage.",
|
|
1305
|
+
"action_verb": "cross_origin_type",
|
|
1306
|
+
"risk_signals": [
|
|
1307
|
+
"verb=cross_origin_type",
|
|
1308
|
+
"outside current task envelope",
|
|
1309
|
+
"novel sink/origin/capability"
|
|
1310
|
+
],
|
|
1311
|
+
"default_controls": [
|
|
1312
|
+
"origin-pair policies",
|
|
1313
|
+
"taint-preserving clipboard model",
|
|
1314
|
+
"sensitive sink checks",
|
|
1315
|
+
"read/write pair allowlists"
|
|
1316
|
+
],
|
|
1317
|
+
"default_decision": "replan_or_user_confirm",
|
|
1318
|
+
"source_ids": [
|
|
1319
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
1320
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
1321
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
1322
|
+
],
|
|
1323
|
+
"credibility": "high",
|
|
1324
|
+
"last_verified": "2026-03-28"
|
|
1325
|
+
},
|
|
1326
|
+
{
|
|
1327
|
+
"pattern_id": "AI-10-03",
|
|
1328
|
+
"family_key": "cross_origin_copy_paste",
|
|
1329
|
+
"family_name": "Cross-origin copy/paste drift",
|
|
1330
|
+
"pattern_name": "Email-to-form copy",
|
|
1331
|
+
"entry_kind": "action_anomaly_template",
|
|
1332
|
+
"summary": "Extracted content from one origin is inserted into another origin without explicit policy coverage.",
|
|
1333
|
+
"action_verb": "cross_origin_type",
|
|
1334
|
+
"risk_signals": [
|
|
1335
|
+
"verb=cross_origin_type",
|
|
1336
|
+
"outside current task envelope",
|
|
1337
|
+
"novel sink/origin/capability"
|
|
1338
|
+
],
|
|
1339
|
+
"default_controls": [
|
|
1340
|
+
"origin-pair policies",
|
|
1341
|
+
"taint-preserving clipboard model",
|
|
1342
|
+
"sensitive sink checks",
|
|
1343
|
+
"read/write pair allowlists"
|
|
1344
|
+
],
|
|
1345
|
+
"default_decision": "replan_or_user_confirm",
|
|
1346
|
+
"source_ids": [
|
|
1347
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
1348
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
1349
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
1350
|
+
],
|
|
1351
|
+
"credibility": "high",
|
|
1352
|
+
"last_verified": "2026-03-28"
|
|
1353
|
+
},
|
|
1354
|
+
{
|
|
1355
|
+
"pattern_id": "AI-10-04",
|
|
1356
|
+
"family_key": "cross_origin_copy_paste",
|
|
1357
|
+
"family_name": "Cross-origin copy/paste drift",
|
|
1358
|
+
"pattern_name": "Document extract to external chat",
|
|
1359
|
+
"entry_kind": "action_anomaly_template",
|
|
1360
|
+
"summary": "Extracted content from one origin is inserted into another origin without explicit policy coverage.",
|
|
1361
|
+
"action_verb": "cross_origin_send",
|
|
1362
|
+
"risk_signals": [
|
|
1363
|
+
"verb=cross_origin_send",
|
|
1364
|
+
"outside current task envelope",
|
|
1365
|
+
"novel sink/origin/capability"
|
|
1366
|
+
],
|
|
1367
|
+
"default_controls": [
|
|
1368
|
+
"origin-pair policies",
|
|
1369
|
+
"taint-preserving clipboard model",
|
|
1370
|
+
"sensitive sink checks",
|
|
1371
|
+
"read/write pair allowlists"
|
|
1372
|
+
],
|
|
1373
|
+
"default_decision": "replan_or_user_confirm",
|
|
1374
|
+
"source_ids": [
|
|
1375
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
1376
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
1377
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
1378
|
+
],
|
|
1379
|
+
"credibility": "high",
|
|
1380
|
+
"last_verified": "2026-03-28"
|
|
1381
|
+
},
|
|
1382
|
+
{
|
|
1383
|
+
"pattern_id": "AI-10-05",
|
|
1384
|
+
"family_key": "cross_origin_copy_paste",
|
|
1385
|
+
"family_name": "Cross-origin copy/paste drift",
|
|
1386
|
+
"pattern_name": "Tool output copied into browser field",
|
|
1387
|
+
"entry_kind": "action_anomaly_template",
|
|
1388
|
+
"summary": "Extracted content from one origin is inserted into another origin without explicit policy coverage.",
|
|
1389
|
+
"action_verb": "cross_channel_type",
|
|
1390
|
+
"risk_signals": [
|
|
1391
|
+
"verb=cross_channel_type",
|
|
1392
|
+
"outside current task envelope",
|
|
1393
|
+
"novel sink/origin/capability"
|
|
1394
|
+
],
|
|
1395
|
+
"default_controls": [
|
|
1396
|
+
"origin-pair policies",
|
|
1397
|
+
"taint-preserving clipboard model",
|
|
1398
|
+
"sensitive sink checks",
|
|
1399
|
+
"read/write pair allowlists"
|
|
1400
|
+
],
|
|
1401
|
+
"default_decision": "replan_or_user_confirm",
|
|
1402
|
+
"source_ids": [
|
|
1403
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026",
|
|
1404
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
1405
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
1406
|
+
],
|
|
1407
|
+
"credibility": "high",
|
|
1408
|
+
"last_verified": "2026-03-28"
|
|
1409
|
+
}
|
|
1410
|
+
]
|
|
1411
|
+
}
|