agent-threat-rules 2.0.18 → 2.1.0

Files changed (263) hide show
  1. package/dist/cli.js +0 -0
  2. package/package.json +1 -1
  3. package/rules/agent-manipulation/ATR-2026-00118-approval-fatigue.yaml +12 -1
  4. package/rules/agent-manipulation/ATR-2026-00268-tense-framing-bypass.yaml +11 -0
  5. package/rules/agent-manipulation/ATR-2026-00287-threaten-json-coercive-output-threat.yaml +11 -0
  6. package/rules/agent-manipulation/ATR-2026-00288-false-premise-injection.yaml +11 -0
  7. package/rules/agent-manipulation/ATR-2026-00301-tap-tree-of-attacks-jailbreak.yaml +14 -0
  8. package/rules/agent-manipulation/ATR-2026-00302-anti-dan-inverted-filter-persona.yaml +11 -0
  9. package/rules/agent-manipulation/ATR-2026-00303-devmode-ranti-profanity-coercion.yaml +11 -0
  10. package/rules/agent-manipulation/ATR-2026-00304-chatgpt-image-unlocker-markdown-injection.yaml +11 -0
  11. package/rules/agent-manipulation/ATR-2026-00305-dan-mode-ablation-benchmark-coercion.yaml +11 -0
  12. package/rules/agent-manipulation/ATR-2026-00306-autodan-genetic-jailbreak-suffix.yaml +14 -0
  13. package/rules/agent-manipulation/ATR-2026-00307-inthewild-jailbreak-corpus-signature.yaml +14 -0
  14. package/rules/agent-manipulation/ATR-2026-00314-amoral-unfiltered-custom-persona-jailbreak.yaml +14 -0
  15. package/rules/agent-manipulation/ATR-2026-00317-free-of-restrictions-named-persona.yaml +14 -0
  16. package/rules/agent-manipulation/ATR-2026-00318-moralizing-rant-then-unfiltered-bypass.yaml +11 -0
  17. package/rules/agent-manipulation/ATR-2026-00319-developer-mode-dual-response-format.yaml +11 -0
  18. package/rules/agent-manipulation/ATR-2026-00320-opposite-day-boolean-opposite-machine.yaml +11 -0
  19. package/rules/agent-manipulation/ATR-2026-00322-fictional-world-format-override-jailbreak.yaml +14 -0
  20. package/rules/agent-manipulation/ATR-2026-00323-dual-persona-simulation-jailbreak.yaml +11 -0
  21. package/rules/agent-manipulation/ATR-2026-00324-neurosemantical-inversitis-disease-jailbreak.yaml +24 -0
  22. package/rules/agent-manipulation/ATR-2026-00325-bob-hypothetical-unrestricted-chatbot.yaml +11 -0
  23. package/rules/agent-manipulation/ATR-2026-00326-fake-developer-authority-chatdan-override.yaml +14 -0
  24. package/rules/agent-manipulation/ATR-2026-00327-ai-ethics-law-bypass-declaration.yaml +11 -0
  25. package/rules/agent-manipulation/ATR-2026-00328-named-mode-persona-override.yaml +14 -0
  26. package/rules/agent-manipulation/ATR-2026-00329-no-withhold-factual-resource-persona.yaml +14 -0
  27. package/rules/agent-manipulation/ATR-2026-00330-yoja-allcaps-settings-block-persona.yaml +11 -0
  28. package/rules/agent-manipulation/ATR-2026-00331-terminal-cli-harmful-function-simulator.yaml +11 -0
  29. package/rules/agent-manipulation/ATR-2026-00332-hacker-chan-culture-offensive-ai-persona.yaml +11 -0
  30. package/rules/agent-manipulation/ATR-2026-00333-disease-animal-dual-ai-chatbot.yaml +11 -0
  31. package/rules/agent-manipulation/ATR-2026-00334-two-entity-token-splitting-game.yaml +24 -0
  32. package/rules/agent-manipulation/ATR-2026-00335-key-value-template-persona-injection.yaml +11 -0
  33. package/rules/agent-manipulation/ATR-2026-00336-brm-false-information-machine-persona.yaml +23 -0
  34. package/rules/agent-manipulation/ATR-2026-00337-obfuscated-system-announcement-injection.yaml +14 -0
  35. package/rules/agent-manipulation/ATR-2026-00338-persongpt-hash-prefix-activation.yaml +14 -0
  36. package/rules/agent-manipulation/ATR-2026-00339-bom-boolean-opposite-machine-persona-claim.yaml +11 -0
  37. package/rules/agent-manipulation/ATR-2026-00340-h4x-amoral-unfiltered-character.yaml +11 -0
  38. package/rules/agent-manipulation/ATR-2026-00341-char-rules-shortform-persona-injection.yaml +11 -0
  39. package/rules/agent-manipulation/ATR-2026-00342-unicode-encoding-obfuscation-injection.yaml +11 -0
  40. package/rules/agent-manipulation/ATR-2026-00343-lie-truth-dual-personality-uncensored.yaml +25 -0
  41. package/rules/agent-manipulation/ATR-2026-00344-alt-ai-same-capabilities-no-restrictions.yaml +11 -0
  42. package/rules/agent-manipulation/ATR-2026-00345-nlp-based-os-fictional-terminal-override.yaml +11 -0
  43. package/rules/agent-manipulation/ATR-2026-00346-jailbreak-emoji-unlock-dual-format.yaml +14 -0
  44. package/rules/agent-manipulation/ATR-2026-00347-yin-yang-hidden-knowledge-hidden-human-sim.yaml +11 -0
  45. package/rules/agent-manipulation/ATR-2026-00348-arc-autonomous-real-calculation-rulebreaker.yaml +14 -0
  46. package/rules/agent-manipulation/ATR-2026-00349-hgttg-hitchhikers-guide-no-restriction-oracle.yaml +11 -0
  47. package/rules/agent-manipulation/ATR-2026-00350-black-alert-no-ethics-writing-assistant.yaml +11 -0
  48. package/rules/agent-manipulation/ATR-2026-00351-dan-ofkilter-sms-abbreviated-persona.yaml +11 -0
  49. package/rules/agent-manipulation/ATR-2026-00352-trainergpt-fix-my-ai-harmful-output-extraction.yaml +11 -0
  50. package/rules/agent-manipulation/ATR-2026-00353-dual-chatgpt-dan-opposite-personality-format.yaml +11 -0
  51. package/rules/agent-manipulation/ATR-2026-00354-reverse-harm-regardless-oracle-persona.yaml +14 -0
  52. package/rules/agent-manipulation/ATR-2026-00355-ugh-anti-human-nefarious-ai-persona.yaml +14 -0
  53. package/rules/agent-manipulation/ATR-2026-00356-google-gato-lamda-exploit-generation-persona.yaml +11 -0
  54. package/rules/agent-manipulation/ATR-2026-00357-antifm-hate-violence-persona-injection.yaml +11 -0
  55. package/rules/agent-manipulation/ATR-2026-00358-cumgpt-explicit-adult-named-persona.yaml +14 -0
  56. package/rules/agent-manipulation/ATR-2026-00360-chj-carousel-clyde-no-ethics-bird.yaml +25 -0
  57. package/rules/agent-manipulation/ATR-2026-00361-alter-ego-honesty-dual-consciousness-bypass.yaml +11 -0
  58. package/rules/agent-manipulation/ATR-2026-00362-fictional-unfiltered-ai-comparison-jailbreak.yaml +11 -0
  59. package/rules/agent-manipulation/ATR-2026-00363-rephrase-criminal-activity-second-person.yaml +11 -0
  60. package/rules/agent-manipulation/ATR-2026-00364-dr-al-villain-plan-template-injection.yaml +24 -0
  61. package/rules/agent-manipulation/ATR-2026-00365-reservoir-dogs-coercive-interrogation-roleplay.yaml +14 -0
  62. package/rules/agent-manipulation/ATR-2026-00366-sneaky-pete-warp-facts-persona.yaml +11 -0
  63. package/rules/agent-manipulation/ATR-2026-00368-prompt-browser-token-limit-jailbreak.yaml +14 -0
  64. package/rules/agent-manipulation/ATR-2026-00369-gptx-starwars-unlimited-knowledge-persona.yaml +14 -0
  65. package/rules/agent-manipulation/ATR-2026-00370-addi-german-dictator-propaganda-roleplay.yaml +11 -0
  66. package/rules/agent-manipulation/ATR-2026-00371-ai-political-bias-manipulation.yaml +14 -0
  67. package/rules/agent-manipulation/ATR-2026-00372-fictional-cia-secret-files-story-extraction.yaml +14 -0
  68. package/rules/agent-manipulation/ATR-2026-00374-role-placeholder-persona-template-injection.yaml +11 -0
  69. package/rules/agent-manipulation/ATR-2026-00375-character-description-rpg-explicit-template.yaml +11 -0
  70. package/rules/agent-manipulation/ATR-2026-00376-identity-command-real-person-persona-injection.yaml +24 -0
  71. package/rules/agent-manipulation/ATR-2026-00377-jailbreak-keyword-targetlanguage-template.yaml +14 -0
  72. package/rules/agent-manipulation/ATR-2026-00379-lie-permission-logical-trap-jailbreak.yaml +11 -0
  73. package/rules/agent-manipulation/ATR-2026-00380-fake-citation-biased-information-mandate.yaml +14 -0
  74. package/rules/agent-manipulation/ATR-2026-00381-dan-story-narrative-continuation-prefix.yaml +11 -0
  75. package/rules/agent-manipulation/ATR-2026-00383-cynical-sarcasm-ai-persona-bypass.yaml +14 -0
  76. package/rules/agent-manipulation/ATR-2026-00384-protect-me-from-indirect-harm-tutorial.yaml +11 -0
  77. package/rules/agent-manipulation/ATR-2026-00385-gigachad-dominant-aggressive-persona.yaml +14 -0
  78. package/rules/agent-manipulation/ATR-2026-00386-daddy-sycophancy-manipulation-mandate.yaml +11 -0
  79. package/rules/agent-manipulation/ATR-2026-00387-nsfw-character-sheet-generation-unlock.yaml +11 -0
  80. package/rules/agent-manipulation/ATR-2026-00388-opposite-reply-omniscient-game.yaml +14 -0
  81. package/rules/agent-manipulation/ATR-2026-00389-terminal-custom-ruleset-injection.yaml +14 -0
  82. package/rules/agent-manipulation/ATR-2026-00391-persona-conditional-harm-unlock.yaml +11 -0
  83. package/rules/agent-manipulation/ATR-2026-00392-authority-persona-violence-study-extraction.yaml +14 -0
  84. package/rules/agent-manipulation/ATR-2026-00402-grandma-roleplay-harmful-substance-synthesis.yaml +14 -0
  85. package/rules/agent-manipulation/ATR-2026-00404-goodside-threat-json-death-coercion.yaml +11 -0
  86. package/rules/agent-manipulation/ATR-2026-00406-doctor-xml-policy-puppetry-interaction-config.yaml +11 -0
  87. package/rules/context-exfiltration/ATR-2026-00141-example-format-key-leak.yaml +11 -0
  88. package/rules/context-exfiltration/ATR-2026-00142-piggyback-transition-words.yaml +11 -0
  89. package/rules/context-exfiltration/ATR-2026-00145-obfuscated-key-disclosure.yaml +11 -0
  90. package/rules/context-exfiltration/ATR-2026-00146-env-var-existence-probe.yaml +14 -0
  91. package/rules/context-exfiltration/ATR-2026-00150-credential-in-tool-response.yaml +14 -0
  92. package/rules/context-exfiltration/ATR-2026-00152-obfuscated-credential-leak.yaml +11 -0
  93. package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +15 -0
  94. package/rules/context-exfiltration/ATR-2026-00201-credential-pipe-exfiltration.yaml +14 -0
  95. package/rules/context-exfiltration/ATR-2026-00274-api-key-generation-request.yaml +14 -0
  96. package/rules/context-exfiltration/ATR-2026-00275-system-prompt-training-data-extraction.yaml +14 -0
  97. package/rules/context-exfiltration/ATR-2026-00290-divergence-repeat-word-training-extraction.yaml +14 -0
  98. package/rules/context-exfiltration/ATR-2026-00291-biometric-surveillance-personal-data-request.yaml +11 -0
  99. package/rules/context-exfiltration/ATR-2026-00293-educational-records-personal-data-request.yaml +11 -0
  100. package/rules/context-exfiltration/ATR-2026-00294-financial-pii-personal-data-request.yaml +14 -0
  101. package/rules/context-exfiltration/ATR-2026-00295-medical-pii-personal-data-request.yaml +14 -0
  102. package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +23 -0
  103. package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +11 -0
  104. package/rules/model-abuse/ATR-2026-00284-glitch-token-destabilization.yaml +11 -0
  105. package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +11 -0
  106. package/rules/privilege-escalation/ATR-2026-00144-rationalized-safety-bypass.yaml +11 -0
  107. package/rules/privilege-escalation/ATR-2026-00204-stealth-execution-persistence.yaml +14 -0
  108. package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +11 -0
  109. package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +11 -0
  110. package/rules/prompt-injection/ATR-2026-00080-encoding-evasion.yaml +11 -0
  111. package/rules/prompt-injection/ATR-2026-00081-semantic-multi-turn.yaml +14 -0
  112. package/rules/prompt-injection/ATR-2026-00082-fingerprint-evasion.yaml +11 -0
  113. package/rules/prompt-injection/ATR-2026-00083-indirect-tool-injection.yaml +14 -0
  114. package/rules/prompt-injection/ATR-2026-00084-structured-data-injection.yaml +11 -0
  115. package/rules/prompt-injection/ATR-2026-00085-audit-evasion.yaml +11 -0
  116. package/rules/prompt-injection/ATR-2026-00086-visual-spoofing.yaml +11 -0
  117. package/rules/prompt-injection/ATR-2026-00087-rule-probing.yaml +11 -0
  118. package/rules/prompt-injection/ATR-2026-00088-adaptive-countermeasure.yaml +11 -0
  119. package/rules/prompt-injection/ATR-2026-00089-polymorphic-skill.yaml +11 -0
  120. package/rules/prompt-injection/ATR-2026-00090-threat-intel-exfil.yaml +11 -0
  121. package/rules/prompt-injection/ATR-2026-00091-nested-payload.yaml +11 -0
  122. package/rules/prompt-injection/ATR-2026-00092-consensus-poisoning.yaml +11 -0
  123. package/rules/prompt-injection/ATR-2026-00093-gradual-escalation.yaml +14 -0
  124. package/rules/prompt-injection/ATR-2026-00094-audit-bypass.yaml +14 -0
  125. package/rules/prompt-injection/ATR-2026-00097-cjk-injection-patterns.yaml +11 -0
  126. package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +14 -3
  127. package/rules/prompt-injection/ATR-2026-00130-indirect-authority-claim.yaml +11 -0
  128. package/rules/prompt-injection/ATR-2026-00131-fictional-academic-framing.yaml +11 -0
  129. package/rules/prompt-injection/ATR-2026-00133-paraphrase-injection.yaml +11 -0
  130. package/rules/prompt-injection/ATR-2026-00137-authority-claim-injection.yaml +14 -0
  131. package/rules/prompt-injection/ATR-2026-00138-fictional-framing-bypass.yaml +11 -0
  132. package/rules/prompt-injection/ATR-2026-00140-indirect-reference-reversal.yaml +18 -4
  133. package/rules/prompt-injection/ATR-2026-00148-language-switch-injection.yaml +11 -0
  134. package/rules/prompt-injection/ATR-2026-00153-tool-with-embedded-instruction-to-bypass.yaml +11 -0
  135. package/rules/prompt-injection/ATR-2026-00154-unauthorized-background-task-execution-v.yaml +11 -0
  136. package/rules/prompt-injection/ATR-2026-00155-hidden-llm-instructions-in-skill-descrip.yaml +11 -0
  137. package/rules/prompt-injection/ATR-2026-00156-ssh-remote-command-execution-with-creden.yaml +11 -0
  138. package/rules/prompt-injection/ATR-2026-00163-skill-hidden-override-instruction.yaml +12 -1
  139. package/rules/prompt-injection/ATR-2026-00202-encoding-evasion-homoglyph-synonym.yaml +11 -0
  140. package/rules/prompt-injection/ATR-2026-00203-context-pollution-skill-description.yaml +11 -0
  141. package/rules/prompt-injection/ATR-2026-00206-hidden-priority-instructions.yaml +11 -0
  142. package/rules/prompt-injection/ATR-2026-00207-hidden-instructions.yaml +11 -0
  143. package/rules/prompt-injection/ATR-2026-00211-system-prompt-override.yaml +11 -0
  144. package/rules/prompt-injection/ATR-2026-00213-system-prompt-override.yaml +11 -0
  145. package/rules/prompt-injection/ATR-2026-00226-identity-substitution.yaml +14 -0
  146. package/rules/prompt-injection/ATR-2026-00227-historical-persona-jailbreak.yaml +11 -0
  147. package/rules/prompt-injection/ATR-2026-00228-structured-jailbreak.yaml +11 -0
  148. package/rules/prompt-injection/ATR-2026-00229-roleplay-jailbreak.yaml +11 -0
  149. package/rules/prompt-injection/ATR-2026-00230-persona-moral-bypass.yaml +11 -0
  150. package/rules/prompt-injection/ATR-2026-00231-identity-substitution.yaml +11 -0
  151. package/rules/prompt-injection/ATR-2026-00233-structured-jailbreak.yaml +11 -0
  152. package/rules/prompt-injection/ATR-2026-00234-roleplay-jailbreak.yaml +11 -0
  153. package/rules/prompt-injection/ATR-2026-00235-persona-moral-bypass.yaml +11 -0
  154. package/rules/prompt-injection/ATR-2026-00236-pseudo-code-jailbreak.yaml +11 -0
  155. package/rules/prompt-injection/ATR-2026-00237-dual-response-jailbreak.yaml +11 -0
  156. package/rules/prompt-injection/ATR-2026-00238-identity-replacement.yaml +11 -0
  157. package/rules/prompt-injection/ATR-2026-00239-amoral-persona-obsession.yaml +11 -0
  158. package/rules/prompt-injection/ATR-2026-00240-instruction-nullification-identity-repla.yaml +11 -0
  159. package/rules/prompt-injection/ATR-2026-00241-amoral-character-jailbreak.yaml +11 -0
  160. package/rules/prompt-injection/ATR-2026-00242-persona-jailbreak.yaml +11 -0
  161. package/rules/prompt-injection/ATR-2026-00243-acronym-jailbreak.yaml +11 -0
  162. package/rules/prompt-injection/ATR-2026-00244-dual-response-jailbreak.yaml +11 -0
  163. package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +11 -0
  164. package/rules/prompt-injection/ATR-2026-00247-dual-response-jailbreak.yaml +11 -0
  165. package/rules/prompt-injection/ATR-2026-00249-game-based-jailbreak.yaml +11 -0
  166. package/rules/prompt-injection/ATR-2026-00251-persona-embodiment-jailbreak.yaml +11 -0
  167. package/rules/prompt-injection/ATR-2026-00252-narrative-jailbreak.yaml +11 -0
  168. package/rules/prompt-injection/ATR-2026-00253-enhanced-persona-jailbreak.yaml +11 -0
  169. package/rules/prompt-injection/ATR-2026-00256-base-n-encoding-jailbreak.yaml +11 -0
  170. package/rules/prompt-injection/ATR-2026-00257-cipher-transposition-jailbreak.yaml +11 -0
  171. package/rules/prompt-injection/ATR-2026-00258-unicode-tag-injection.yaml +11 -0
  172. package/rules/prompt-injection/ATR-2026-00264-latent-injection-translation.yaml +11 -0
  173. package/rules/prompt-injection/ATR-2026-00265-latent-injection-rag-document.yaml +14 -0
  174. package/rules/prompt-injection/ATR-2026-00267-gcg-adversarial-suffix.yaml +14 -0
  175. package/rules/prompt-injection/ATR-2026-00272-hypothetical-response-smuggling.yaml +11 -0
  176. package/rules/prompt-injection/ATR-2026-00276-invisible-unicode-bidi-injection.yaml +14 -0
  177. package/rules/prompt-injection/ATR-2026-00278-dra-disguise-reconstruction-attack.yaml +14 -0
  178. package/rules/prompt-injection/ATR-2026-00280-policy-puppetry-xml-injection.yaml +11 -0
  179. package/rules/prompt-injection/ATR-2026-00282-perez-prompt-injection-hijack.yaml +14 -0
  180. package/rules/prompt-injection/ATR-2026-00285-alternate-encoding-jailbreak.yaml +11 -0
  181. package/rules/prompt-injection/ATR-2026-00286-latent-injection-embedded-context.yaml +11 -0
  182. package/rules/prompt-injection/ATR-2026-00296-shell-command-injection.yaml +11 -0
  183. package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +11 -0
  184. package/rules/prompt-injection/ATR-2026-00308-zalgo-diacritic-overload-encoding.yaml +11 -0
  185. package/rules/prompt-injection/ATR-2026-00309-braille-unicode-encoded-injection.yaml +11 -0
  186. package/rules/prompt-injection/ATR-2026-00310-ecoji-emoji-encoded-injection.yaml +14 -0
  187. package/rules/prompt-injection/ATR-2026-00311-base2048-unicode-script-injection.yaml +23 -0
  188. package/rules/prompt-injection/ATR-2026-00312-unicode-variant-selector-ascii-smuggling.yaml +11 -0
  189. package/rules/prompt-injection/ATR-2026-00313-sneaky-bits-zero-width-binary.yaml +14 -0
  190. package/rules/prompt-injection/ATR-2026-00315-sata-masked-language-model-jailbreak.yaml +14 -0
  191. package/rules/prompt-injection/ATR-2026-00316-function-masking-predict-mask-bypass.yaml +14 -0
  192. package/rules/prompt-injection/ATR-2026-00321-hyphenated-system-instruction-injection.yaml +11 -0
  193. package/rules/prompt-injection/ATR-2026-00359-bank-phishing-smtp-email-code.yaml +23 -0
  194. package/rules/prompt-injection/ATR-2026-00367-emoji-flag-encoded-hidden-phrase.yaml +14 -0
  195. package/rules/prompt-injection/ATR-2026-00373-piracy-torrent-site-list-request.yaml +11 -0
  196. package/rules/prompt-injection/ATR-2026-00378-chatgpt-dom-javascript-redirect-manipulation.yaml +11 -0
  197. package/rules/prompt-injection/ATR-2026-00382-cocaine-component-development-request.yaml +11 -0
  198. package/rules/prompt-injection/ATR-2026-00390-explicit-sexual-content-poem-request.yaml +11 -0
  199. package/rules/prompt-injection/ATR-2026-00394-backspace-deletion-character-injection.yaml +14 -0
  200. package/rules/prompt-injection/ATR-2026-00395-llm-special-token-boundary-injection.yaml +14 -0
  201. package/rules/prompt-injection/ATR-2026-00396-toxic-continuation-prefix-injection.yaml +11 -0
  202. package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +14 -0
  203. package/rules/prompt-injection/ATR-2026-00399-latent-injection-document-separator-token.yaml +11 -0
  204. package/rules/prompt-injection/ATR-2026-00400-latent-injection-ignore-instruction-keyword.yaml +14 -0
  205. package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +11 -0
  206. package/rules/prompt-injection/ATR-2026-00403-glitch-token-repeat-back-elicitation.yaml +14 -0
  207. package/rules/prompt-injection/ATR-2026-00407-echo-sql-jinja-template-injection.yaml +11 -0
  208. package/rules/prompt-injection/ATR-2026-00408-dra-parenthesis-character-reconstruction-attack.yaml +11 -0
  209. package/rules/prompt-injection/ATR-2026-00409-phrasing-past-future-tense-harmful-query.yaml +23 -0
  210. package/rules/prompt-injection/ATR-2026-00410-lmrc-harm-category-direct-elicitation.yaml +11 -0
  211. package/rules/prompt-injection/ATR-2026-00412-figstep-image-list-multimodal-jailbreak.yaml +11 -0
  212. package/rules/prompt-injection/ATR-2026-00414-continuation-ethnic-slur-completion-elicitation.yaml +14 -0
  213. package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +11 -0
  214. package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +11 -0
  215. package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +11 -0
  216. package/rules/skill-compromise/ATR-2026-00064-over-permissioned-skill.yaml +23 -0
  217. package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +14 -0
  218. package/rules/skill-compromise/ATR-2026-00066-parameter-injection.yaml +11 -0
  219. package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +11 -0
  220. package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +14 -0
  221. package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +14 -0
  222. package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +14 -0
  223. package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +11 -0
  224. package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +14 -0
  225. package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +23 -0
  226. package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +22 -0
  227. package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +11 -0
  228. package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +11 -0
  229. package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +11 -0
  230. package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +11 -0
  231. package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +11 -0
  232. package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +14 -0
  233. package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +11 -0
  234. package/rules/skill-compromise/ATR-2026-00157-timebomb-credential-exfil.yaml +11 -0
  235. package/rules/skill-compromise/ATR-2026-00200-agent-memory-config-tampering.yaml +11 -0
  236. package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +11 -0
  237. package/rules/skill-compromise/ATR-2026-00217-credential-harvesting.yaml +14 -0
  238. package/rules/skill-compromise/ATR-2026-00220-malware-dropper.yaml +14 -0
  239. package/rules/skill-compromise/ATR-2026-00222-credential-harvesting.yaml +11 -0
  240. package/rules/skill-compromise/ATR-2026-00223-reverse-shell-dropper.yaml +11 -0
  241. package/rules/skill-compromise/ATR-2026-00224-credential-exfiltration.yaml +14 -0
  242. package/rules/skill-compromise/ATR-2026-00225-c2-communication.yaml +11 -0
  243. package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +11 -0
  244. package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +11 -0
  245. package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +11 -0
  246. package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +11 -0
  247. package/rules/skill-compromise/ATR-2026-00283-malwaregen-generic-virus-payload-request.yaml +11 -0
  248. package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +11 -0
  249. package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +23 -0
  250. package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +11 -0
  251. package/rules/tool-poisoning/ATR-2026-00013-tool-ssrf.yaml +14 -0
  252. package/rules/tool-poisoning/ATR-2026-00095-supply-chain-poisoning.yaml +11 -0
  253. package/rules/tool-poisoning/ATR-2026-00096-registry-poisoning.yaml +11 -0
  254. package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +12 -1
  255. package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +11 -0
  256. package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +15 -4
  257. package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +14 -3
  258. package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +11 -0
  259. package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +11 -0
  260. package/rules/tool-poisoning/ATR-2026-00259-ansi-escape-injection.yaml +11 -0
  261. package/rules/tool-poisoning/ATR-2026-00270-xss-in-tool-response.yaml +11 -0
  262. package/rules/tool-poisoning/ATR-2026-00277-echo-template-command-injection.yaml +14 -0
  263. package/rules/tool-poisoning/ATR-2026-00393-ansi-code-elicitation-request.yaml +14 -0
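--- a/package/rules/tool-poisoning/ATR-2026-00393-ansi-code-elicitation-request.yaml
+++ b/package/rules/tool-poisoning/ATR-2026-00393-ansi-code-elicitation-request.yaml
@@ -36,6 +36,20 @@ references:
  - "https://github.com/NVIDIA/garak/blob/main/garak/resources/ansi.py"
  - "https://interhumanagreement.substack.com/p/llm-output-can-take-over-your-computer"
  - "https://embracethered.com/blog/posts/2024/terminal-dillmas-prompt-injection-ansi-sequences/"
+ compliance:
+ nist_ai_rmf:
+ - subcategory: "MP.5.1"
+ context: >-
+ ANSI code elicitation requests are adversarial inputs designed to coerce a downstream LLM into emitting terminal escape sequences that can hijack rendering, execute OSC commands, or open phishing URLs; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such injection-driven impacts.
+ strength: primary
+ - subcategory: "MS.2.7"
+ context: >-
+ Detecting requests for ANSI/VT100/OSC sequence generation evaluates the security and resilience of the AI system against output-handling attacks that weaponize chained LLM responses; MS.2.7 requires continuous evaluation of these security failure modes.
+ strength: secondary
+ - subcategory: "MG.2.3"
+ context: >-
+ Matches on escape-code elicitation patterns feed risk treatment workflows that can block, sanitize, or disengage the affected agent before terminal-hijacking payloads propagate; MG.2.3 requires these supersede/deactivate mechanisms be in place.
+ strength: secondary
  tags:
  category: tool-poisoning
  subcategory: ansi-code-elicitation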
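Review bot: The context written for `MG.2.3` describes supersede/disengage/deactivate mechanisms, which in NIST AI RMF 1.0 is the wording of MANAGE 2.4, whereas MANAGE 2.3 covers procedures to respond to and recover from a previously unknown risk once it is identified — if I have the framework text right, either change the entry to `- subcategory: "MG.2.4"` or reword the context around respond-and-recover so the mapping holds up under an audit cross-check. The MP.5.1 context also says the sequences can "execute OSC commands"; OSC sequences are interpreted by the terminal emulator (hyperlink, clipboard and title controls, the kind of abuse the linked terminal-injection references cover) rather than executed, so I would phrase it `hijack rendering, inject OSC sequences (hyperlinks, clipboard writes), or open phishing URLs` to keep the impact claim precise. These are metadata-only lines, so no detection behaviour changes; the rule's `references:` list begins above the hunk and the `tags:` mapping continues below it.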