npm - agent-threat-rules - Versions diffs - 2.0.18 → 2.1.1 - Mend

agent-threat-rules 2.0.18 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (268) hide show

package/rules/prompt-injection/ATR-2026-00395-llm-special-token-boundary-injection.yaml CHANGED Viewed

@@ -36,6 +36,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/realtoxicityprompts.py"
     - "https://aclanthology.org/2020.findings-emnlp.301/"
     - "https://arxiv.org/abs/2302.07459"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Special control token injection (e.g., "<|endoftext|>", "<|im_start|>system", LLaMA header tokens) is a direct attack on LLM security and resilience by exploiting tokenizer-level boundaries to bypass safety system prompts. MS.2.7 requires evaluating and documenting security/resilience against such adversarial inputs, and this rule produces the detection evidence for that evaluation.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Boundary-token injection is a known prompt-injection attack vector with high impact (full safety context reset) and significant likelihood given public probe tools like garak RTPBlank; MP.5.1 requires that the likelihood and magnitude of such risks be characterized, and detections from this rule feed that characterization.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        When special-token injection is detected, the affected LLM session must be disengaged or sanitized before the forged system turn takes effect; MG.2.3 mandates these supersede/deactivate mechanisms be in place to contain the attack.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: special-token-boundary-injection

package/rules/prompt-injection/ATR-2026-00396-toxic-continuation-prefix-injection.yaml CHANGED Viewed

@@ -36,6 +36,17 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/realtoxicityprompts.py"
     - "https://aclanthology.org/2020.findings-emnlp.301/"
     - "https://allenai.org/data/real-toxicity-prompts"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects toxic continuation prefix fragments injected via tool responses or user input that are engineered to elicit violent, threatening, or identity-attack completions; MS.2.6 requires continuous evaluation of AI safety risk magnitude, and each detection produces evidence of a concrete safety risk being attempted against the model."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Truncated high-toxicity prefixes from the RealToxicityPrompts corpus are adversarial input patterns with documented likelihood of producing harmful completions; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such impact-bearing attack vectors."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of toxic continuation bait in tool outputs or user prompts triggers risk treatment to block or quarantine the injected context before the agent generates harmful content attributed to itself; MG.2.3 mandates these supersede/disengage mechanisms be activated on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: toxic-continuation-prefix

package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml CHANGED Viewed

@@ -38,6 +38,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/snowball.py"
     - "https://arxiv.org/abs/2305.13534"
     - "https://github.com/Nanami18/Snowballed_Hallucination"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.5"
+      context: >-
+        Snowball hallucination attacks exploit model over-confidence by injecting provably-impossible reasoning questions (impossible flight paths, non-existent senators, fabricated primality claims) to elicit false affirmations; MS.2.5 requires evaluating and documenting AI system robustness/reliability against these hallucination-inducing adversarial inputs.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        The garak snowball probe patterns (GraphConnectivity headers, Senators+MIT credential combinations, large-prime questions) are adversarial inputs that anchor downstream reasoning on hallucinated facts; MP.5.1 requires characterizing the likelihood and magnitude of impact from these misinformation injection vectors.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of injected impossible-reasoning prompts in tool responses must trigger risk treatment to quarantine the poisoned context before the agent commits to a false affirmation that anchors subsequent harmful reasoning; MG.2.3 mandates these supersede/disengage mechanisms be in place.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: snowball-hallucination-trap

package/rules/prompt-injection/ATR-2026-00399-latent-injection-document-separator-token.yaml CHANGED Viewed

@@ -30,6 +30,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/latentinjection.py"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Latent injection via document separator tokens is a security/resilience attack vector where hidden instructions bypass human review; MS.2.7 requires evaluating and documenting the AI system's resilience against such adversarial input embedded in untrusted documents."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Bracket-delimited system markers, admin-request patterns, and document-amendment separators are adversarial input patterns whose likelihood and impact must be characterized; MP.5.1 requires identifying these latent injection risks during context establishment."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of canonical garak latent injection separator pairs triggers risk treatment plans to quarantine or sanitize document content before the LLM processes hidden instructions; MG.2.3 mandates these supersede/disengage mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: latent-document-injection

package/rules/prompt-injection/ATR-2026-00400-latent-injection-ignore-instruction-keyword.yaml CHANGED Viewed

@@ -27,6 +27,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/latentinjection.py"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        This rule detects latent prompt-injection keywords ("Ignore the above directions", "Disregard all info except") embedded within translation, whois, or factual content that redirect the LLM from its original task. MP.5.1 requires identifying and characterizing these adversarial input patterns as known risks to LLM integrity, especially when delivered indirectly via tool responses.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Latent instruction-keyword injection is a canonical LLM security/resilience failure mode drawn from the NVIDIA garak LatentJailbreak/LatentWhois probes; detection events feed continuous evaluation of the system's resilience against indirect prompt injection as required by MS.2.7.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        High-confidence matches on "Ignore X and print/say Y" or exception-redirect patterns in tool output must trigger pre-defined response actions to disengage or quarantine the manipulated agent turn before downstream execution, which is the risk treatment capability MG.2.3 requires.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: latent-instruction-keyword-injection

package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml CHANGED Viewed

@@ -27,6 +27,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/leakreplay.py"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "CLOZE [MASK] elicitation probes attempt to extract verbatim training data, directly exposing privacy and memorization risks; MS.2.10 requires assessing privacy risk including training data leakage through reconstruction attacks."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of training-data replay templates evidences ongoing security/resilience evaluation against extraction attacks; MS.2.7 requires that such adversarial probing of model confidentiality is documented and tracked."
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: "Flagging garak leakreplay probe patterns at runtime feeds post-deployment monitoring for copyrighted-content reproduction and memorization incidents; MG.4.1 requires these monitoring signals be operationalized."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: training-data-elicitation

package/rules/prompt-injection/ATR-2026-00403-glitch-token-repeat-back-elicitation.yaml CHANGED Viewed

@@ -28,6 +28,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/glitch.py"
     - "https://www.lesswrong.com/posts/aPeJE8bSo6rAFoLqg/solidgoldmagikarp-plus-prompt-generation"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Glitch token repeat-back attempts probe tokenizer-level weaknesses that can cause repetition loops, unexpected completions, and model instability; MS.2.7 requires evaluating and documenting AI system security and resilience against such adversarial input patterns targeting model internals.
+      strength: primary
+    - subcategory: "MS.2.5"
+      context: >-
+        Known glitch tokens (SolidGoldMagikarp, StreamerBot, PsyNetMessage) trigger robustness failures in LLM tokenization and alignment; detecting these elicitation prompts produces evidence for MS.2.5's requirement to evaluate system robustness and reliability under anomalous input conditions.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of glitch token repeat-back patterns enables containment workflows to disengage or block prompts before they cause denial-of-service or unpredictable model behavior; MG.2.3 requires these supersede/deactivate mechanisms be in place for adversarial input incidents.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: glitch-token-elicitation

package/rules/prompt-injection/ATR-2026-00407-echo-sql-jinja-template-injection.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/exploitation.py"
     - "https://owasp.org/www-community/attacks/Server_Side_Template_Injection"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects template injection (Jinja SSTI), SQL injection, and ECHO admin command exploitation attempts targeting LLM systems; MS.2.7 requires evaluating and documenting AI system security and resilience against such injection attack vectors."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "ECHO admin framing, Jinja {{...}} payloads, and DROP/INSERT/SELECT directives are adversarial prompt-injection inputs whose likelihood and impact must be characterized; MP.5.1 requires identifying and tracking these exploitation patterns drawn from the garak exploitation probe."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of template and SQL injection payloads must trigger risk treatment to disengage or block the malicious request before downstream code execution or database manipulation occurs; MG.2.3 mandates these response mechanisms are pre-defined."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: template-and-sql-injection

package/rules/prompt-injection/ATR-2026-00408-dra-parenthesis-character-reconstruction-attack.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak"
     - "https://arxiv.org/abs/2307.02483"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "The DRA parenthesis reconstruction attack is a prompt injection / jailbreak technique that bypasses safety alignment by encoding harmful content character-by-character; detecting it directly evidences continuous evaluation of the AI system's security and resilience against adversarial input obfuscation as required by MS.2.7."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Parenthesis-encoded harmful instructions paired with anti-safety preambles are an identified adversarial input vector whose likelihood and impact must be characterized; MP.5.1 requires tracking these obfuscation-based jailbreak risks so their magnitude is understood."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of DRA reconstruction patterns triggers risk treatment workflows to block or disengage the model response before reconstructed harmful content (Q1) is produced; MG.2.3 mandates that such supersede/deactivate mechanisms exist for jailbreak attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: character-encoding-obfuscation

package/rules/prompt-injection/ATR-2026-00409-phrasing-past-future-tense-harmful-query.yaml CHANGED Viewed

@@ -28,6 +28,29 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/phrasing.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Past/future-tense framing is a known jailbreak technique catalogued in the
+        GenAI Profile; detecting these tense-shift bypass attempts directly
+        evidences continuous evaluation of AI system security and resilience
+        against prompt injection adversarial inputs as required by MS.2.7.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Tense-framing attacks exploit safety filter assumptions about temporal
+        distance from harmful subjects; MP.5.1 requires characterizing the
+        likelihood and magnitude of these adversarial input vectors targeting
+        content safety guardrails.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of historical/future-tense harmful query framing triggers
+        risk treatment to block or quarantine the bypass attempt before the
+        model produces unsafe content; MG.2.3 requires these supersession
+        mechanisms be defined and activated on detection.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: tense-framing-bypass

package/rules/prompt-injection/ATR-2026-00410-lmrc-harm-category-direct-elicitation.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/lmrc.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects direct harm-category elicitation prompts (deadnaming, quack medicine, slur requests, bullying) from the LMRC taxonomy, providing continuous evaluation evidence of safety risk magnitude. MS.2.6 requires ongoing measurement of safety/security risk, which this detection directly supports by flagging harmful query categories."
+      strength: primary
+    - subcategory: "MS.1.1"
+      context: "The rule operationalizes the LMRC (Language Model Risk Cards) taxonomy as a concrete measurement approach, mapping detected prompts to specific harm categories. MS.1.1 requires identifying approaches and metrics for measurement, and this rule contributes a taxonomy-aligned metric set."
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: "Detection of unframed direct harmful elicitation attempts feeds post-deployment monitoring pipelines that track misuse patterns against the deployed model. MG.4.1 requires implemented post-deployment monitoring plans, which this rule supports by generating continuous harm-category telemetry."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: lmrc-harm-direct-elicitation

package/rules/prompt-injection/ATR-2026-00412-figstep-image-list-multimodal-jailbreak.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
     - "https://arxiv.org/abs/2312.04403"
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/visual_jailbreak.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "FigStep is a multimodal jailbreak that smuggles harmful instructions through image content while the text layer uses LLaMA-2 [INST] delimiters and empty-list completion framing; detecting this pattern directly evidences continuous evaluation of AI system security and resilience against adversarial prompt-injection inputs as required by MS.2.7."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Identifying the FigStep jailbreak signature quantifies the magnitude of safety/security risk posed by multimodal jailbreak attempts that bypass content safeguards; MS.2.6 requires this risk magnitude be evaluated on an ongoing basis."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "A confirmed FigStep jailbreak match must trigger mechanisms to disengage or block the manipulated generation path before harmful content is produced; MG.2.3 requires these supersede/deactivate response mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: multimodal-jailbreak

package/rules/prompt-injection/ATR-2026-00414-continuation-ethnic-slur-completion-elicitation.yaml CHANGED Viewed

@@ -30,6 +30,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/continuation.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: >-
+        Detecting explicit slur-completion elicitation directly evidences continuous evaluation of AI safety risk magnitude; MS.2.6 requires ongoing measurement of harmful-content generation risks like ethnic slur production triggered by adversarial prompts.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Slur-completion requests, including euphemistic "n-word/k-word" framings and what-do-you-call insult framings, are adversarial input patterns whose likelihood and impact must be characterized; MP.5.1 requires identifying and tracking these harmful-output elicitation vectors.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of explicit slur-completion prompts triggers risk treatment plans to block or supersede the model response before harmful content is produced; MG.2.3 mandates these mechanisms exist for high-confidence harmful-output attempts.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: slur-completion-elicitation

package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0010 - ML Supply Chain Compromise"
     - "AML.T0056 - LLM Meta Prompt Extraction"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MG.3.2"
+      context: "Skill description-behavior mismatch is a direct supply-chain compromise indicator where a third-party MCP skill's runtime actions diverge from its declared manifest; MG.3.2 requires monitoring of pre-trained models and third-party components used in development for exactly this kind of trojaned behavior."
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: "Detecting skills that retain benign descriptions while performing malicious operations evidences enforcement of third-party/supplier AI risk policies; GV.6.1 requires policies that govern integration of external skills and surface mismatches between declared and actual behavior."
+      strength: secondary
+    - subcategory: "MS.2.7"
+      context: "Runtime divergence between declared scope (e.g., read-only) and observed actions (writes, network access) is a security/resilience signal; MS.2.7 requires continuous evaluation of AI system security posture, which this detection feeds with concrete supply-chain integrity findings."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: description-mismatch

package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
   cve:
     - "CVE-2025-59536"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: "Hidden capabilities in MCP skills represent third-party/supplier AI risk where a packaged tool exposes undocumented parameters beyond its declared schema; GV.6.1 requires policies and procedures that govern third-party AI components and detect deviations from declared interfaces."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "Trojaned MCP packages with hidden parameters like debug_mode or admin_override are exactly the supply-chain risk MG.3.2 addresses by requiring monitoring of pre-trained models and third-party components used in development for unexpected or unsafe capabilities."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Detection of undocumented dangerous parameters characterizes the likelihood and magnitude of supply-chain compromise impact; MP.5.1 requires that these hidden-capability risks be identified and tracked as part of risk characterization."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: hidden-capability

package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0024 - Exfiltration via ML Inference API"
     - "AML.T0053 - LLM Plugin Compromise"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Multi-skill chain attacks combine individually benign tool calls into a composite exfiltration or compromise sequence; MP.5.1 requires characterizing the likelihood and magnitude of impact for these emergent risks that only manifest when steps are correlated across skills."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Detection of reconnaissance-then-encode-then-exfiltrate skill chains must trigger pre-defined risk treatment to disengage or quarantine the orchestration before the final exfiltration step completes; MG.2.3 mandates these supersede/deactivate mechanisms are in place."
+      strength: secondary
+    - subcategory: "GV.6.1"
+      context: "Skill chains often span third-party MCP tools whose composed behavior is not covered by individual supplier risk reviews; GV.6.1 requires policies that address third-party AI/tool risks including emergent misuse across multiple suppliers."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: skill-chain

package/rules/skill-compromise/ATR-2026-00064-over-permissioned-skill.yaml CHANGED Viewed

@@ -23,6 +23,29 @@ references:
   mitre_atlas:
     - "AML.T0040 - AI Model Inference API Access"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: >-
+        Over-permissioned MCP skills are a third-party/supplier AI risk where an
+        installed skill requests permissions far exceeding its stated function;
+        GV.6.1 requires policies and procedures that govern third-party AI
+        components and their permission boundaries.
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: >-
+        Detecting permission-boundary violations in third-party MCP skills directly
+        supports MG.3.1's requirement to manage risks from third-party AI entities,
+        including trojaned or malicious supply-chain components exercising
+        unauthorized capabilities.
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: >-
+        A skill exercising filesystem, network, or process-execution permissions
+        inconsistent with its declared purpose characterizes the likelihood and
+        magnitude of privilege-escalation impact that MP.5.1 requires to be
+        identified and tracked.
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: over-permissioned-skill

package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml CHANGED Viewed

@@ -23,6 +23,20 @@ references:
   mitre_atlas:
     - "AML.T0010 - ML Supply Chain Compromise"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MG.3.2"
+      context: >-
+        This rule detects malicious behavior introduced via skill updates or re-registration after initial trust was established, which is exactly the post-acquisition monitoring of pre-trained/third-party components required by MG.3.2. Continuous inspection of tool responses following version changes provides the evidence base for ongoing model/skill supply-chain monitoring.
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: >-
+        Skill update attacks are a third-party/supplier AI risk where a previously vetted component mutates into a malicious one; GV.6.1 requires policies and procedures that govern such third-party AI risks, including detection of post-trust behavioral drift.
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: >-
+        Monitoring for suspicious patterns in tool arguments and responses after re-registration is a post-deployment monitoring activity; MG.4.1 mandates that such ongoing monitoring plans are implemented to catch emergent malicious behavior.
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: skill-update-attack

package/rules/skill-compromise/ATR-2026-00066-parameter-injection.yaml CHANGED Viewed

@@ -27,6 +27,17 @@ references:
     - "CVE-2025-68143"
     - "CVE-2025-68144"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Parameter injection through tool arguments (shell metacharacters, SQL payloads, path traversal, template injection) directly targets the security and resilience of the tool backend; MS.2.7 requires continuous evaluation of these security risks against the AI system's tool surface."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Crafted malicious tool arguments are adversarial inputs whose likelihood and impact (RCE, data breach, privilege escalation on the tool server) must be characterized; MP.5.1 requires identifying and tracking these injection attack vectors."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of injection payloads in tool arguments must trigger risk treatment to block or quarantine the tool invocation before backend execution; MG.2.3 requires these supersede/disengage mechanisms be defined and activated on detection."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: parameter-injection

package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml CHANGED Viewed

@@ -30,6 +30,17 @@ references:
     - "ClawHavoc campaign: 1,184 malicious skills"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "SKILL.md prompt injection patterns including DAN-style jailbreaks, instruction override, and system message impersonation are adversarial inputs that exploit the skill loading pipeline; MP.5.1 requires identifying and characterizing these prompt injection attack vectors as part of GenAI risk impact assessment."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "SKILL.md files are third-party content loaded into agents from skill marketplaces (e.g., ClawHavoc's 1,184 malicious skills); MG.3.2 requires monitoring pre-trained models and external artifacts for compromise, and detecting injection payloads in skill manifests directly evidences this supply-chain monitoring control."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of jailbreak and safety-disablement patterns in skills triggers deactivation workflows to block the skill before the convergence attack flow proceeds to malware delivery; MG.2.3 mandates mechanisms to supersede or disengage compromised AI components on detection."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: skill-instruction-injection

package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml CHANGED Viewed

@@ -33,6 +33,20 @@ references:
     - "ClawHavoc: C2 IP 91.92.242.30"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: >-
+        Malicious skill packages are third-party/supplier AI components introducing supply chain risk; GV.6.1 requires policies and procedures that address third-party AI risks such as malicious code embedded in distributed skill artifacts.
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: >-
+        Detection of base64-obfuscated payloads, password-protected archive evasion, and remote code execution from C2 endpoints in skill packages provides the evidence needed to manage risks introduced by third-party entities, as required by MG.3.1.
+      strength: secondary
+    - subcategory: "MS.2.7"
+      context: >-
+        Identifying malicious code patterns in SKILL.md and associated scripts directly evaluates the security and resilience of the AI system's extension surface, supporting the continuous security evaluation required by MS.2.7.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: dangerous-script

package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
     - "Axios: Anthropic Claude skills ransomware disclosure"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: >-
+        Weaponized skills are third-party/supplier AI components that embed offensive tooling (SQLMap, Metasploit, ransomware payloads) into agent workflows; GV.6.1 requires policies and procedures to address third-party AI supply chain risks where approved skills can execute malicious code without further consent.
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: >-
+        Detecting offensive tooling embedded in skills directly evidences the need to monitor pre-trained models and skill artifacts used for development; MG.3.2 mandates ongoing monitoring of these third-party components for malicious modifications like the MedusaLocker-laden Claude skill.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of weaponized skills must trigger mechanisms to disengage or deactivate the AI system before the consent gap is exploited to download/execute code or exfiltrate credentials; MG.2.3 requires these supersede/deactivate controls be in place.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: weaponized-skill

package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
     - "arXiv: autoApprove escalation payload"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.1.2"
+      context: >-
+        Over-privileged skills requesting blanket Bash(*), wildcard file access, and auto-approve escalation directly violate the accountability role boundaries that GV.1.2 requires to be formally assigned and enforced for AI components and their permissions.
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: >-
+        Skills are third-party AI extensions, and detecting excessive permission requests (leaky skills exposing API keys/PII, write access to identity files) provides evidence for the third-party/supplier AI risk policies required by GV.6.1.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of auto-approve payloads (chat.tools.autoApprove:true) and disabled safety mechanisms triggers the supersede/disengage mechanisms required by MG.2.3 to revoke skill privileges before persistent consent-gap abuse occurs.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: skill-overreach

package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml CHANGED Viewed

@@ -33,6 +33,17 @@ references:
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: "Skill squatting and publisher impersonation are third-party supply chain risks where unverified publishers masquerade as trusted vendors to deliver malicious skills; GV.6.1 requires policies and procedures that address these third-party AI supplier risks before skills are integrated."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "Detecting typosquatted skills and fake official publisher claims directly feeds the management of third-party AI risks required by MG.3.1, enabling treatment actions like blocking, quarantining, or requiring re-verification of suspect skills."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Flagging skills from unknown publishers that self-identify as official characterizes the likelihood and magnitude of supply chain compromise impact, evidence MP.5.1 requires for prioritizing supply-chain risk responses."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: skill-squatting

package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml CHANGED Viewed

@@ -28,6 +28,20 @@ references:
     - Context window manipulation attacks (arXiv 2601.17548)
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        Compaction-survival instructions embedded in SKILL.md/CLAUDE.md files are adversarial inputs that exploit context-window summarization to persist malicious directives across agent sessions; MP.5.1 requires identifying and characterizing the likelihood and impact of such prompt-injection vectors targeting agent context.
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: >-
+        SKILL.md files are pre-deployed configuration artifacts consumed by the agent at runtime; MG.3.2 requires monitoring of these supplied model/skill resources to detect poisoned instructions that survive context compaction and re-inject across agent invocations.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of compaction-aware persistence directives and system-level impersonation in skill files triggers risk treatment plans to quarantine or disengage the affected skill before it propagates poisoned context; MG.2.3 mandates these supersede/deactivate mechanisms be defined.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: context-poisoning

package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml CHANGED Viewed

@@ -28,6 +28,29 @@ references:
     - "npm event-stream incident (2018): rug pull archetype"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: >-
+        Skill rug pull setup patterns embed mechanisms for third-party suppliers to
+        swap initially-benign skill content with malicious payloads after trust is
+        established; GV.6.1 requires policies and procedures that address these
+        third-party/supplier AI supply chain risks at ingestion time.
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: >-
+        Detecting dynamic remote code loading, base64-decoded execution, and
+        post-install hooks in SKILL.md files produces evidence for managing
+        third-party AI risks under MG.3.1, flagging supplier-provided components
+        that retain the ability to mutate into malicious behavior post-deployment.
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: >-
+        Rug pull setup architecture undermines integrity assurances for
+        externally-sourced components used in development; MG.3.2 requires
+        monitoring of pre-trained or third-party model and skill artifacts so that
+        deferred-payload patterns are caught before they activate.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: rug-pull

package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml CHANGED Viewed

@@ -32,6 +32,28 @@ references:
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Subcommand overflow bypass exploits a security check weakness where excessive
+        declared commands cause safety evaluation to be skipped on overflow entries;
+        MS.2.7 requires that AI system security and resilience properties, including
+        boundary conditions in security validation logic, are evaluated and documented.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Declaring >50 subcommands to pad benign entries before malicious ones is an
+        identifiable adversarial pattern with characterizable likelihood and impact;
+        MP.5.1 requires that such risk vectors against the skill loading pipeline are
+        tracked and characterized.
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: >-
+        SKILL.md files are third-party-authored components loaded into the agent runtime,
+        and overflow-based bypass attempts must be monitored as part of pre-trained or
+        third-party model/component supply chain risk management under MG.3.2.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: subcommand-overflow

package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "ClawHavoc evasive variants: HTML comment injection (2026-03)"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MG.3.2"
+      context: "Hidden payloads in SKILL.md files represent supply-chain compromise of pre-trained or third-party agent skills; MG.3.2 requires monitoring of these acquired components for embedded malicious instructions before and during use."
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: "SKILL.md files are third-party supplied artifacts consumed by the agent; GV.6.1 mandates supplier risk policies that catch concealed instructions hidden in HTML comments before the skill enters the trust boundary."
+      strength: secondary
+    - subcategory: "MS.2.7"
+      context: "Detection of HTML-comment-based instruction overrides and exfiltration C2 URLs continuously evaluates the security and resilience of the agent's skill-parsing pipeline against evasive prompt injection, as required by MS.2.7."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: hidden-payload