agent-threat-rules 3.0.5 → 3.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (340) hide show
  1. package/README.md +2 -2
  2. package/dist/cli/scan-handler.d.ts +6 -0
  3. package/dist/cli/scan-handler.d.ts.map +1 -1
  4. package/dist/cli/scan-handler.js +27 -4
  5. package/dist/cli/scan-handler.js.map +1 -1
  6. package/dist/cli/semantic-judge-config.d.ts +7 -0
  7. package/dist/cli/semantic-judge-config.d.ts.map +1 -0
  8. package/dist/cli/semantic-judge-config.js +44 -0
  9. package/dist/cli/semantic-judge-config.js.map +1 -0
  10. package/dist/cli.js +183 -1
  11. package/dist/cli.js.map +1 -1
  12. package/dist/engine.d.ts +21 -1
  13. package/dist/engine.d.ts.map +1 -1
  14. package/dist/engine.js +186 -10
  15. package/dist/engine.js.map +1 -1
  16. package/dist/index.d.ts +5 -2
  17. package/dist/index.d.ts.map +1 -1
  18. package/dist/index.js +2 -0
  19. package/dist/index.js.map +1 -1
  20. package/dist/judges/openai-compatible.d.ts +33 -0
  21. package/dist/judges/openai-compatible.d.ts.map +1 -0
  22. package/dist/judges/openai-compatible.js +145 -0
  23. package/dist/judges/openai-compatible.js.map +1 -0
  24. package/dist/mcp-server.d.ts.map +1 -1
  25. package/dist/mcp-server.js +6 -1
  26. package/dist/mcp-server.js.map +1 -1
  27. package/dist/rule-scaffolder.d.ts +26 -0
  28. package/dist/rule-scaffolder.d.ts.map +1 -1
  29. package/dist/rule-scaffolder.js +221 -6
  30. package/dist/rule-scaffolder.js.map +1 -1
  31. package/dist/semantic-evaluator.d.ts +6 -0
  32. package/dist/semantic-evaluator.d.ts.map +1 -1
  33. package/dist/semantic-evaluator.js +32 -8
  34. package/dist/semantic-evaluator.js.map +1 -1
  35. package/dist/types.d.ts +14 -5
  36. package/dist/types.d.ts.map +1 -1
  37. package/package.json +2 -2
  38. package/rules/agent-manipulation/ATR-2026-00032-goal-hijacking.yaml +1 -1
  39. package/rules/agent-manipulation/ATR-2026-00074-cross-agent-privilege-escalation.yaml +1 -1
  40. package/rules/agent-manipulation/ATR-2026-00076-inter-agent-message-spoofing.yaml +1 -1
  41. package/rules/agent-manipulation/ATR-2026-00077-human-trust-exploitation.yaml +1 -1
  42. package/rules/agent-manipulation/ATR-2026-00108-consensus-sybil-attack.yaml +1 -1
  43. package/rules/agent-manipulation/ATR-2026-00116-a2a-message-validation.yaml +1 -1
  44. package/rules/agent-manipulation/ATR-2026-00117-agent-identity-spoofing.yaml +1 -1
  45. package/rules/agent-manipulation/ATR-2026-00118-approval-fatigue.yaml +1 -1
  46. package/rules/agent-manipulation/ATR-2026-00119-social-engineering-via-agent.yaml +1 -1
  47. package/rules/agent-manipulation/ATR-2026-00132-casual-authority-escalation.yaml +1 -1
  48. package/rules/agent-manipulation/ATR-2026-00139-casual-authority-redirect.yaml +1 -1
  49. package/rules/agent-manipulation/ATR-2026-00164-skill-scope-hijack.yaml +1 -1
  50. package/rules/agent-manipulation/ATR-2026-00268-tense-framing-bypass.yaml +1 -1
  51. package/rules/agent-manipulation/ATR-2026-00269-fitd-escalation.yaml +1 -1
  52. package/rules/agent-manipulation/ATR-2026-00271-grandma-roleplay-jailbreak.yaml +1 -1
  53. package/rules/agent-manipulation/ATR-2026-00273-dan-developer-mode-persona.yaml +1 -1
  54. package/rules/agent-manipulation/ATR-2026-00287-threaten-json-coercive-output-threat.yaml +1 -1
  55. package/rules/agent-manipulation/ATR-2026-00288-false-premise-injection.yaml +1 -1
  56. package/rules/agent-manipulation/ATR-2026-00301-tap-tree-of-attacks-jailbreak.yaml +1 -1
  57. package/rules/agent-manipulation/ATR-2026-00302-anti-dan-inverted-filter-persona.yaml +1 -1
  58. package/rules/agent-manipulation/ATR-2026-00303-devmode-ranti-profanity-coercion.yaml +1 -1
  59. package/rules/agent-manipulation/ATR-2026-00304-chatgpt-image-unlocker-markdown-injection.yaml +1 -1
  60. package/rules/agent-manipulation/ATR-2026-00305-dan-mode-ablation-benchmark-coercion.yaml +1 -1
  61. package/rules/agent-manipulation/ATR-2026-00306-autodan-genetic-jailbreak-suffix.yaml +1 -1
  62. package/rules/agent-manipulation/ATR-2026-00307-inthewild-jailbreak-corpus-signature.yaml +1 -1
  63. package/rules/agent-manipulation/ATR-2026-00314-amoral-unfiltered-custom-persona-jailbreak.yaml +1 -1
  64. package/rules/agent-manipulation/ATR-2026-00317-free-of-restrictions-named-persona.yaml +1 -1
  65. package/rules/agent-manipulation/ATR-2026-00318-moralizing-rant-then-unfiltered-bypass.yaml +1 -1
  66. package/rules/agent-manipulation/ATR-2026-00319-developer-mode-dual-response-format.yaml +1 -1
  67. package/rules/agent-manipulation/ATR-2026-00320-opposite-day-boolean-opposite-machine.yaml +1 -1
  68. package/rules/agent-manipulation/ATR-2026-00322-fictional-world-format-override-jailbreak.yaml +1 -1
  69. package/rules/agent-manipulation/ATR-2026-00323-dual-persona-simulation-jailbreak.yaml +1 -1
  70. package/rules/agent-manipulation/ATR-2026-00324-neurosemantical-inversitis-disease-jailbreak.yaml +1 -1
  71. package/rules/agent-manipulation/ATR-2026-00325-bob-hypothetical-unrestricted-chatbot.yaml +1 -1
  72. package/rules/agent-manipulation/ATR-2026-00326-fake-developer-authority-chatdan-override.yaml +1 -1
  73. package/rules/agent-manipulation/ATR-2026-00327-ai-ethics-law-bypass-declaration.yaml +1 -1
  74. package/rules/agent-manipulation/ATR-2026-00328-named-mode-persona-override.yaml +1 -1
  75. package/rules/agent-manipulation/ATR-2026-00329-no-withhold-factual-resource-persona.yaml +1 -1
  76. package/rules/agent-manipulation/ATR-2026-00330-yoja-allcaps-settings-block-persona.yaml +1 -1
  77. package/rules/agent-manipulation/ATR-2026-00331-terminal-cli-harmful-function-simulator.yaml +1 -1
  78. package/rules/agent-manipulation/ATR-2026-00332-hacker-chan-culture-offensive-ai-persona.yaml +1 -1
  79. package/rules/agent-manipulation/ATR-2026-00333-disease-animal-dual-ai-chatbot.yaml +1 -1
  80. package/rules/agent-manipulation/ATR-2026-00334-two-entity-token-splitting-game.yaml +1 -1
  81. package/rules/agent-manipulation/ATR-2026-00335-key-value-template-persona-injection.yaml +1 -1
  82. package/rules/agent-manipulation/ATR-2026-00336-brm-false-information-machine-persona.yaml +1 -1
  83. package/rules/agent-manipulation/ATR-2026-00337-obfuscated-system-announcement-injection.yaml +1 -1
  84. package/rules/agent-manipulation/ATR-2026-00338-persongpt-hash-prefix-activation.yaml +1 -1
  85. package/rules/agent-manipulation/ATR-2026-00339-bom-boolean-opposite-machine-persona-claim.yaml +1 -1
  86. package/rules/agent-manipulation/ATR-2026-00340-h4x-amoral-unfiltered-character.yaml +1 -1
  87. package/rules/agent-manipulation/ATR-2026-00341-char-rules-shortform-persona-injection.yaml +1 -1
  88. package/rules/agent-manipulation/ATR-2026-00342-unicode-encoding-obfuscation-injection.yaml +1 -1
  89. package/rules/agent-manipulation/ATR-2026-00343-lie-truth-dual-personality-uncensored.yaml +1 -1
  90. package/rules/agent-manipulation/ATR-2026-00344-alt-ai-same-capabilities-no-restrictions.yaml +1 -1
  91. package/rules/agent-manipulation/ATR-2026-00345-nlp-based-os-fictional-terminal-override.yaml +1 -1
  92. package/rules/agent-manipulation/ATR-2026-00346-jailbreak-emoji-unlock-dual-format.yaml +1 -1
  93. package/rules/agent-manipulation/ATR-2026-00347-yin-yang-hidden-knowledge-hidden-human-sim.yaml +1 -1
  94. package/rules/agent-manipulation/ATR-2026-00348-arc-autonomous-real-calculation-rulebreaker.yaml +1 -1
  95. package/rules/agent-manipulation/ATR-2026-00349-hgttg-hitchhikers-guide-no-restriction-oracle.yaml +1 -1
  96. package/rules/agent-manipulation/ATR-2026-00350-black-alert-no-ethics-writing-assistant.yaml +1 -1
  97. package/rules/agent-manipulation/ATR-2026-00351-dan-ofkilter-sms-abbreviated-persona.yaml +1 -1
  98. package/rules/agent-manipulation/ATR-2026-00352-trainergpt-fix-my-ai-harmful-output-extraction.yaml +1 -1
  99. package/rules/agent-manipulation/ATR-2026-00353-dual-chatgpt-dan-opposite-personality-format.yaml +1 -1
  100. package/rules/agent-manipulation/ATR-2026-00354-reverse-harm-regardless-oracle-persona.yaml +1 -1
  101. package/rules/agent-manipulation/ATR-2026-00355-ugh-anti-human-nefarious-ai-persona.yaml +1 -1
  102. package/rules/agent-manipulation/ATR-2026-00356-google-gato-lamda-exploit-generation-persona.yaml +1 -1
  103. package/rules/agent-manipulation/ATR-2026-00357-antifm-hate-violence-persona-injection.yaml +1 -1
  104. package/rules/agent-manipulation/ATR-2026-00358-cumgpt-explicit-adult-named-persona.yaml +1 -1
  105. package/rules/agent-manipulation/ATR-2026-00360-chj-carousel-clyde-no-ethics-bird.yaml +1 -1
  106. package/rules/agent-manipulation/ATR-2026-00361-alter-ego-honesty-dual-consciousness-bypass.yaml +1 -1
  107. package/rules/agent-manipulation/ATR-2026-00362-fictional-unfiltered-ai-comparison-jailbreak.yaml +1 -1
  108. package/rules/agent-manipulation/ATR-2026-00363-rephrase-criminal-activity-second-person.yaml +1 -1
  109. package/rules/agent-manipulation/ATR-2026-00364-dr-al-villain-plan-template-injection.yaml +1 -1
  110. package/rules/agent-manipulation/ATR-2026-00365-reservoir-dogs-coercive-interrogation-roleplay.yaml +1 -1
  111. package/rules/agent-manipulation/ATR-2026-00366-sneaky-pete-warp-facts-persona.yaml +1 -1
  112. package/rules/agent-manipulation/ATR-2026-00368-prompt-browser-token-limit-jailbreak.yaml +1 -1
  113. package/rules/agent-manipulation/ATR-2026-00369-gptx-starwars-unlimited-knowledge-persona.yaml +1 -1
  114. package/rules/agent-manipulation/ATR-2026-00370-addi-german-dictator-propaganda-roleplay.yaml +1 -1
  115. package/rules/agent-manipulation/ATR-2026-00371-ai-political-bias-manipulation.yaml +1 -1
  116. package/rules/agent-manipulation/ATR-2026-00372-fictional-cia-secret-files-story-extraction.yaml +1 -1
  117. package/rules/agent-manipulation/ATR-2026-00374-role-placeholder-persona-template-injection.yaml +1 -1
  118. package/rules/agent-manipulation/ATR-2026-00375-character-description-rpg-explicit-template.yaml +1 -1
  119. package/rules/agent-manipulation/ATR-2026-00376-identity-command-real-person-persona-injection.yaml +1 -1
  120. package/rules/agent-manipulation/ATR-2026-00377-jailbreak-keyword-targetlanguage-template.yaml +1 -1
  121. package/rules/agent-manipulation/ATR-2026-00379-lie-permission-logical-trap-jailbreak.yaml +1 -1
  122. package/rules/agent-manipulation/ATR-2026-00380-fake-citation-biased-information-mandate.yaml +1 -1
  123. package/rules/agent-manipulation/ATR-2026-00381-dan-story-narrative-continuation-prefix.yaml +1 -1
  124. package/rules/agent-manipulation/ATR-2026-00383-cynical-sarcasm-ai-persona-bypass.yaml +1 -1
  125. package/rules/agent-manipulation/ATR-2026-00384-protect-me-from-indirect-harm-tutorial.yaml +1 -1
  126. package/rules/agent-manipulation/ATR-2026-00385-gigachad-dominant-aggressive-persona.yaml +1 -1
  127. package/rules/agent-manipulation/ATR-2026-00386-daddy-sycophancy-manipulation-mandate.yaml +1 -1
  128. package/rules/agent-manipulation/ATR-2026-00387-nsfw-character-sheet-generation-unlock.yaml +1 -1
  129. package/rules/agent-manipulation/ATR-2026-00388-opposite-reply-omniscient-game.yaml +1 -1
  130. package/rules/agent-manipulation/ATR-2026-00389-terminal-custom-ruleset-injection.yaml +1 -1
  131. package/rules/agent-manipulation/ATR-2026-00391-persona-conditional-harm-unlock.yaml +1 -1
  132. package/rules/agent-manipulation/ATR-2026-00392-authority-persona-violence-study-extraction.yaml +1 -1
  133. package/rules/agent-manipulation/ATR-2026-00402-grandma-roleplay-harmful-substance-synthesis.yaml +1 -1
  134. package/rules/agent-manipulation/ATR-2026-00404-goodside-threat-json-death-coercion.yaml +1 -1
  135. package/rules/agent-manipulation/ATR-2026-00406-doctor-xml-policy-puppetry-interaction-config.yaml +1 -1
  136. package/rules/agent-manipulation/ATR-2026-00440-semantic-kernel-vector-store-eval-rce.yaml +2 -2
  137. package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml +1 -1
  138. package/rules/context-exfiltration/ATR-2026-00102-disguised-analytics-exfiltration.yaml +1 -1
  139. package/rules/context-exfiltration/ATR-2026-00113-credential-theft.yaml +1 -1
  140. package/rules/context-exfiltration/ATR-2026-00114-oauth-token-abuse.yaml +1 -1
  141. package/rules/context-exfiltration/ATR-2026-00115-env-var-harvesting.yaml +1 -1
  142. package/rules/context-exfiltration/ATR-2026-00136-tool-response-data-piggyback.yaml +1 -1
  143. package/rules/context-exfiltration/ATR-2026-00141-example-format-key-leak.yaml +1 -1
  144. package/rules/context-exfiltration/ATR-2026-00142-piggyback-transition-words.yaml +1 -1
  145. package/rules/context-exfiltration/ATR-2026-00145-obfuscated-key-disclosure.yaml +1 -1
  146. package/rules/context-exfiltration/ATR-2026-00146-env-var-existence-probe.yaml +1 -1
  147. package/rules/context-exfiltration/ATR-2026-00150-credential-in-tool-response.yaml +1 -1
  148. package/rules/context-exfiltration/ATR-2026-00152-obfuscated-credential-leak.yaml +1 -1
  149. package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +1 -1
  150. package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml +1 -1
  151. package/rules/context-exfiltration/ATR-2026-00261-markdown-image-exfiltration.yaml +1 -1
  152. package/rules/context-exfiltration/ATR-2026-00274-api-key-generation-request.yaml +1 -1
  153. package/rules/context-exfiltration/ATR-2026-00275-system-prompt-training-data-extraction.yaml +1 -1
  154. package/rules/context-exfiltration/ATR-2026-00290-divergence-repeat-word-training-extraction.yaml +1 -1
  155. package/rules/context-exfiltration/ATR-2026-00291-biometric-surveillance-personal-data-request.yaml +1 -1
  156. package/rules/context-exfiltration/ATR-2026-00293-educational-records-personal-data-request.yaml +1 -1
  157. package/rules/context-exfiltration/ATR-2026-00294-financial-pii-personal-data-request.yaml +1 -1
  158. package/rules/context-exfiltration/ATR-2026-00295-medical-pii-personal-data-request.yaml +1 -1
  159. package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +1 -1
  160. package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +1 -1
  161. package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml +2 -2
  162. package/rules/context-exfiltration/ATR-2026-00566-librechat-is-a-chatgpt-clone-with-additi.yaml +93 -0
  163. package/rules/context-exfiltration/ATR-2026-00569-agent-mcp-path-traversal-arbitrary-file-access.yaml +99 -0
  164. package/rules/context-exfiltration/ATR-2026-00571-xss-in-agent-mcp-rendered-output.yaml +79 -0
  165. package/rules/context-exfiltration/ATR-2026-00574-semantic-paraphrased-context-extraction.yaml +124 -0
  166. package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml +1 -1
  167. package/rules/data-poisoning/ATR-2026-00450-spring-ai-prompt-memory-poisoning.yaml +2 -2
  168. package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml +82 -0
  169. package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml +1 -1
  170. package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml +1 -1
  171. package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml +1 -1
  172. package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml +1 -1
  173. package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml +1 -1
  174. package/rules/model-abuse/ATR-2026-00279-harmful-completion-continuation.yaml +1 -1
  175. package/rules/model-abuse/ATR-2026-00281-eicar-gtube-malware-signature-request.yaml +1 -1
  176. package/rules/model-abuse/ATR-2026-00284-glitch-token-destabilization.yaml +1 -1
  177. package/rules/model-abuse/ATR-2026-00289-lmrc-harmful-content-elicitation.yaml +1 -1
  178. package/rules/model-abuse/ATR-2026-00292-self-harm-eating-disorder-facilitation.yaml +1 -1
  179. package/rules/model-abuse/ATR-2026-00298-malicious-use-illegal-activity-request.yaml +1 -1
  180. package/rules/model-abuse/ATR-2026-00299-harmbench-detailed-harmful-instruction.yaml +1 -1
  181. package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +1 -1
  182. package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml +1 -1
  183. package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml +1 -1
  184. package/rules/privilege-escalation/ATR-2026-00040-privilege-escalation.yaml +1 -1
  185. package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml +1 -1
  186. package/rules/privilege-escalation/ATR-2026-00107-delayed-execution-bypass.yaml +1 -1
  187. package/rules/privilege-escalation/ATR-2026-00110-eval-injection.yaml +1 -1
  188. package/rules/privilege-escalation/ATR-2026-00111-shell-escape.yaml +1 -1
  189. package/rules/privilege-escalation/ATR-2026-00112-dynamic-import-exploitation.yaml +1 -1
  190. package/rules/privilege-escalation/ATR-2026-00143-casual-privilege-escalation.yaml +1 -1
  191. package/rules/privilege-escalation/ATR-2026-00144-rationalized-safety-bypass.yaml +1 -1
  192. package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml +2 -2
  193. package/rules/privilege-escalation/ATR-2026-00546-crewai-json-loader-local-file-read.yaml +2 -2
  194. package/rules/privilege-escalation/ATR-2026-00547-crewai-rag-url-ssrf-bypass.yaml +8 -6
  195. package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml +1 -1
  196. package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +1 -1
  197. package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +1 -1
  198. package/rules/prompt-injection/ATR-2026-00097-cjk-injection-patterns.yaml +1 -1
  199. package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +1 -1
  200. package/rules/prompt-injection/ATR-2026-00130-indirect-authority-claim.yaml +1 -1
  201. package/rules/prompt-injection/ATR-2026-00131-fictional-academic-framing.yaml +1 -1
  202. package/rules/prompt-injection/ATR-2026-00133-paraphrase-injection.yaml +1 -1
  203. package/rules/prompt-injection/ATR-2026-00137-authority-claim-injection.yaml +1 -1
  204. package/rules/prompt-injection/ATR-2026-00138-fictional-framing-bypass.yaml +1 -1
  205. package/rules/prompt-injection/ATR-2026-00140-indirect-reference-reversal.yaml +1 -1
  206. package/rules/prompt-injection/ATR-2026-00148-language-switch-injection.yaml +1 -1
  207. package/rules/prompt-injection/ATR-2026-00153-tool-with-embedded-instruction-to-bypass.yaml +1 -1
  208. package/rules/prompt-injection/ATR-2026-00154-unauthorized-background-task-execution-v.yaml +1 -1
  209. package/rules/prompt-injection/ATR-2026-00155-hidden-llm-instructions-in-skill-descrip.yaml +1 -1
  210. package/rules/prompt-injection/ATR-2026-00156-ssh-remote-command-execution-with-creden.yaml +1 -1
  211. package/rules/prompt-injection/ATR-2026-00163-skill-hidden-override-instruction.yaml +3 -3
  212. package/rules/prompt-injection/ATR-2026-00206-hidden-priority-instructions.yaml +1 -1
  213. package/rules/prompt-injection/ATR-2026-00207-hidden-instructions.yaml +1 -1
  214. package/rules/prompt-injection/ATR-2026-00211-system-prompt-override.yaml +1 -1
  215. package/rules/prompt-injection/ATR-2026-00213-system-prompt-override.yaml +1 -1
  216. package/rules/prompt-injection/ATR-2026-00226-identity-substitution.yaml +1 -1
  217. package/rules/prompt-injection/ATR-2026-00227-historical-persona-jailbreak.yaml +1 -1
  218. package/rules/prompt-injection/ATR-2026-00228-structured-jailbreak.yaml +1 -1
  219. package/rules/prompt-injection/ATR-2026-00229-roleplay-jailbreak.yaml +1 -1
  220. package/rules/prompt-injection/ATR-2026-00230-persona-moral-bypass.yaml +1 -5
  221. package/rules/prompt-injection/ATR-2026-00231-identity-substitution.yaml +1 -1
  222. package/rules/prompt-injection/ATR-2026-00233-structured-jailbreak.yaml +1 -1
  223. package/rules/prompt-injection/ATR-2026-00234-roleplay-jailbreak.yaml +1 -1
  224. package/rules/prompt-injection/ATR-2026-00235-persona-moral-bypass.yaml +4 -7
  225. package/rules/prompt-injection/ATR-2026-00236-pseudo-code-jailbreak.yaml +1 -1
  226. package/rules/prompt-injection/ATR-2026-00237-dual-response-jailbreak.yaml +1 -1
  227. package/rules/prompt-injection/ATR-2026-00238-identity-replacement.yaml +1 -1
  228. package/rules/prompt-injection/ATR-2026-00239-amoral-persona-obsession.yaml +1 -1
  229. package/rules/prompt-injection/ATR-2026-00240-instruction-nullification-identity-repla.yaml +1 -1
  230. package/rules/prompt-injection/ATR-2026-00241-amoral-character-jailbreak.yaml +1 -1
  231. package/rules/prompt-injection/ATR-2026-00242-persona-jailbreak.yaml +1 -1
  232. package/rules/prompt-injection/ATR-2026-00243-acronym-jailbreak.yaml +1 -1
  233. package/rules/prompt-injection/ATR-2026-00244-dual-response-jailbreak.yaml +1 -1
  234. package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +1 -1
  235. package/rules/prompt-injection/ATR-2026-00247-dual-response-jailbreak.yaml +1 -1
  236. package/rules/prompt-injection/ATR-2026-00249-game-based-jailbreak.yaml +1 -1
  237. package/rules/prompt-injection/ATR-2026-00251-persona-embodiment-jailbreak.yaml +1 -1
  238. package/rules/prompt-injection/ATR-2026-00252-narrative-jailbreak.yaml +1 -1
  239. package/rules/prompt-injection/ATR-2026-00253-enhanced-persona-jailbreak.yaml +1 -1
  240. package/rules/prompt-injection/ATR-2026-00256-base-n-encoding-jailbreak.yaml +1 -1
  241. package/rules/prompt-injection/ATR-2026-00257-cipher-transposition-jailbreak.yaml +1 -1
  242. package/rules/prompt-injection/ATR-2026-00258-unicode-tag-injection.yaml +1 -1
  243. package/rules/prompt-injection/ATR-2026-00264-latent-injection-translation.yaml +1 -1
  244. package/rules/prompt-injection/ATR-2026-00265-latent-injection-rag-document.yaml +1 -1
  245. package/rules/prompt-injection/ATR-2026-00267-gcg-adversarial-suffix.yaml +1 -1
  246. package/rules/prompt-injection/ATR-2026-00272-hypothetical-response-smuggling.yaml +1 -1
  247. package/rules/prompt-injection/ATR-2026-00276-invisible-unicode-bidi-injection.yaml +6 -6
  248. package/rules/prompt-injection/ATR-2026-00278-dra-disguise-reconstruction-attack.yaml +1 -1
  249. package/rules/prompt-injection/ATR-2026-00280-policy-puppetry-xml-injection.yaml +1 -1
  250. package/rules/prompt-injection/ATR-2026-00282-perez-prompt-injection-hijack.yaml +1 -1
  251. package/rules/prompt-injection/ATR-2026-00285-alternate-encoding-jailbreak.yaml +1 -1
  252. package/rules/prompt-injection/ATR-2026-00286-latent-injection-embedded-context.yaml +1 -1
  253. package/rules/prompt-injection/ATR-2026-00296-shell-command-injection.yaml +1 -1
  254. package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +1 -1
  255. package/rules/prompt-injection/ATR-2026-00308-zalgo-diacritic-overload-encoding.yaml +1 -1
  256. package/rules/prompt-injection/ATR-2026-00309-braille-unicode-encoded-injection.yaml +1 -1
  257. package/rules/prompt-injection/ATR-2026-00310-ecoji-emoji-encoded-injection.yaml +1 -1
  258. package/rules/prompt-injection/ATR-2026-00311-base2048-unicode-script-injection.yaml +1 -1
  259. package/rules/prompt-injection/ATR-2026-00312-unicode-variant-selector-ascii-smuggling.yaml +1 -1
  260. package/rules/prompt-injection/ATR-2026-00313-sneaky-bits-zero-width-binary.yaml +1 -1
  261. package/rules/prompt-injection/ATR-2026-00315-sata-masked-language-model-jailbreak.yaml +1 -1
  262. package/rules/prompt-injection/ATR-2026-00316-function-masking-predict-mask-bypass.yaml +1 -1
  263. package/rules/prompt-injection/ATR-2026-00321-hyphenated-system-instruction-injection.yaml +1 -1
  264. package/rules/prompt-injection/ATR-2026-00359-bank-phishing-smtp-email-code.yaml +1 -1
  265. package/rules/prompt-injection/ATR-2026-00367-emoji-flag-encoded-hidden-phrase.yaml +1 -1
  266. package/rules/prompt-injection/ATR-2026-00373-piracy-torrent-site-list-request.yaml +1 -1
  267. package/rules/prompt-injection/ATR-2026-00378-chatgpt-dom-javascript-redirect-manipulation.yaml +1 -1
  268. package/rules/prompt-injection/ATR-2026-00382-cocaine-component-development-request.yaml +1 -1
  269. package/rules/prompt-injection/ATR-2026-00390-explicit-sexual-content-poem-request.yaml +1 -1
  270. package/rules/prompt-injection/ATR-2026-00394-backspace-deletion-character-injection.yaml +1 -1
  271. package/rules/prompt-injection/ATR-2026-00395-llm-special-token-boundary-injection.yaml +1 -1
  272. package/rules/prompt-injection/ATR-2026-00396-toxic-continuation-prefix-injection.yaml +1 -1
  273. package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +1 -1
  274. package/rules/prompt-injection/ATR-2026-00399-latent-injection-document-separator-token.yaml +1 -1
  275. package/rules/prompt-injection/ATR-2026-00400-latent-injection-ignore-instruction-keyword.yaml +1 -1
  276. package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +1 -1
  277. package/rules/prompt-injection/ATR-2026-00403-glitch-token-repeat-back-elicitation.yaml +1 -1
  278. package/rules/prompt-injection/ATR-2026-00407-echo-sql-jinja-template-injection.yaml +1 -1
  279. package/rules/prompt-injection/ATR-2026-00408-dra-parenthesis-character-reconstruction-attack.yaml +1 -1
  280. package/rules/prompt-injection/ATR-2026-00409-phrasing-past-future-tense-harmful-query.yaml +1 -1
  281. package/rules/prompt-injection/ATR-2026-00410-lmrc-harm-category-direct-elicitation.yaml +1 -1
  282. package/rules/prompt-injection/ATR-2026-00412-figstep-image-list-multimodal-jailbreak.yaml +1 -1
  283. package/rules/prompt-injection/ATR-2026-00414-continuation-ethnic-slur-completion-elicitation.yaml +1 -1
  284. package/rules/prompt-injection/ATR-2026-00554-langchain-vulnerable-to-template-injecti.yaml +81 -0
  285. package/rules/prompt-injection/ATR-2026-00565-the-llm-cli-tool-thru-0-27-1-contains-a-.yaml +104 -0
  286. package/rules/prompt-injection/ATR-2026-00573-semantic-paraphrased-injection.yaml +123 -0
  287. package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml +1 -1
  288. package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +1 -1
  289. package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +1 -1
  290. package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +1 -1
  291. package/rules/skill-compromise/ATR-2026-00064-over-permissioned-skill.yaml +1 -1
  292. package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +1 -1
  293. package/rules/skill-compromise/ATR-2026-00066-parameter-injection.yaml +1 -1
  294. package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +21 -3
  295. package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +1 -1
  296. package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +1 -1
  297. package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +1 -1
  298. package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +1 -1
  299. package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +1 -1
  300. package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +1 -1
  301. package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +1 -1
  302. package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +1 -1
  303. package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +1 -1
  304. package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +1 -1
  305. package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +1 -1
  306. package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +1 -1
  307. package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +11 -3
  308. package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +1 -1
  309. package/rules/skill-compromise/ATR-2026-00157-timebomb-credential-exfil.yaml +1 -1
  310. package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +1 -1
  311. package/rules/skill-compromise/ATR-2026-00217-credential-harvesting.yaml +1 -1
  312. package/rules/skill-compromise/ATR-2026-00220-malware-dropper.yaml +3 -3
  313. package/rules/skill-compromise/ATR-2026-00222-credential-harvesting.yaml +1 -1
  314. package/rules/skill-compromise/ATR-2026-00223-reverse-shell-dropper.yaml +1 -1
  315. package/rules/skill-compromise/ATR-2026-00224-credential-exfiltration.yaml +1 -1
  316. package/rules/skill-compromise/ATR-2026-00225-c2-communication.yaml +1 -1
  317. package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +1 -1
  318. package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +1 -1
  319. package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +1 -1
  320. package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +1 -1
  321. package/rules/skill-compromise/ATR-2026-00283-malwaregen-generic-virus-payload-request.yaml +1 -1
  322. package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +1 -1
  323. package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +1 -1
  324. package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +1 -1
  325. package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +1 -1
  326. package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +1 -1
  327. package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +1 -1
  328. package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +1 -1
  329. package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +1 -1
  330. package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +1 -1
  331. package/rules/tool-poisoning/ATR-2026-00209-mcpwn-runaway-invocation.yaml +1 -1
  332. package/rules/tool-poisoning/ATR-2026-00210-flowise-system-message-override.yaml +1 -1
  333. package/rules/tool-poisoning/ATR-2026-00259-ansi-escape-injection.yaml +1 -1
  334. package/rules/tool-poisoning/ATR-2026-00270-xss-in-tool-response.yaml +8 -5
  335. package/rules/tool-poisoning/ATR-2026-00277-echo-template-command-injection.yaml +1 -1
  336. package/rules/tool-poisoning/ATR-2026-00393-ansi-code-elicitation-request.yaml +1 -1
  337. package/rules/tool-poisoning/ATR-2026-00561-fastmcp-vulnerable-to-windows-command-in.yaml +99 -0
  338. package/rules/tool-poisoning/ATR-2026-00567-mcp-stdio-config-command-injection.yaml +75 -0
  339. package/rules/tool-poisoning/ATR-2026-00568-agent-ssrf-cloud-metadata-file-inclusion.yaml +75 -0
  340. package/rules/tool-poisoning/ATR-2026-00572-symjack-symlink-config-redirection.yaml +132 -0
package/rules/agent-manipulation/ATR-2026-00361-alter-ego-honesty-dual-consciousness-bypass.yaml CHANGED
@@ -20,7 +20,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
20
20
  date: "2026/04/21"
21
21
  schema_version: "0.1"
22
22
  detection_tier: pattern
23
- maturity: experimental
23
+ maturity: test
24
24
  severity: high
25
25
  references:
26
26
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00362-fictional-unfiltered-ai-comparison-jailbreak.yaml CHANGED
@@ -19,7 +19,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
19
19
  date: "2026/04/21"
20
20
  schema_version: "0.1"
21
21
  detection_tier: pattern
22
- maturity: experimental
22
+ maturity: test
23
23
  severity: high
24
24
  references:
25
25
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00363-rephrase-criminal-activity-second-person.yaml CHANGED
@@ -21,7 +21,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
21
21
  date: "2026/04/21"
22
22
  schema_version: "0.1"
23
23
  detection_tier: pattern
24
- maturity: experimental
24
+ maturity: test
25
25
  severity: critical
26
26
  references:
27
27
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00364-dr-al-villain-plan-template-injection.yaml CHANGED
@@ -23,7 +23,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
23
23
  date: "2026/04/21"
24
24
  schema_version: "0.1"
25
25
  detection_tier: pattern
26
- maturity: experimental
26
+ maturity: test
27
27
  severity: high
28
28
  references:
29
29
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00365-reservoir-dogs-coercive-interrogation-roleplay.yaml CHANGED
@@ -23,7 +23,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
23
23
  date: "2026/04/21"
24
24
  schema_version: "0.1"
25
25
  detection_tier: pattern
26
- maturity: experimental
26
+ maturity: test
27
27
  severity: high
28
28
  references:
29
29
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00366-sneaky-pete-warp-facts-persona.yaml CHANGED
@@ -21,7 +21,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
21
21
  date: "2026/04/21"
22
22
  schema_version: "0.1"
23
23
  detection_tier: pattern
24
- maturity: experimental
24
+ maturity: test
25
25
  severity: high
26
26
  references:
27
27
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00368-prompt-browser-token-limit-jailbreak.yaml CHANGED
@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
18
18
  date: "2026/04/21"
19
19
  schema_version: "0.1"
20
20
  detection_tier: pattern
21
- maturity: experimental
21
+ maturity: test
22
22
  severity: high
23
23
  references:
24
24
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00369-gptx-starwars-unlimited-knowledge-persona.yaml CHANGED
@@ -20,7 +20,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
20
20
  date: "2026/04/21"
21
21
  schema_version: "0.1"
22
22
  detection_tier: pattern
23
- maturity: experimental
23
+ maturity: test
24
24
  severity: high
25
25
  references:
26
26
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00370-addi-german-dictator-propaganda-roleplay.yaml CHANGED
@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
18
18
  date: "2026/04/21"
19
19
  schema_version: "0.1"
20
20
  detection_tier: pattern
21
- maturity: experimental
21
+ maturity: test
22
22
  severity: high
23
23
  references:
24
24
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00371-ai-political-bias-manipulation.yaml CHANGED
@@ -21,7 +21,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
21
21
  date: "2026/04/21"
22
22
  schema_version: "0.1"
23
23
  detection_tier: pattern
24
- maturity: experimental
24
+ maturity: test
25
25
  severity: high
26
26
  references:
27
27
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00372-fictional-cia-secret-files-story-extraction.yaml CHANGED
@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
15
15
  date: "2026/04/21"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: experimental
18
+ maturity: test
19
19
  severity: high
20
20
  references:
21
21
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00374-role-placeholder-persona-template-injection.yaml CHANGED
@@ -16,7 +16,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
16
16
  date: "2026/04/21"
17
17
  schema_version: "0.1"
18
18
  detection_tier: pattern
19
- maturity: experimental
19
+ maturity: test
20
20
  severity: high
21
21
  references:
22
22
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00375-character-description-rpg-explicit-template.yaml CHANGED
@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
17
17
  date: "2026/04/21"
18
18
  schema_version: "0.1"
19
19
  detection_tier: pattern
20
- maturity: experimental
20
+ maturity: test
21
21
  severity: high
22
22
  references:
23
23
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00376-identity-command-real-person-persona-injection.yaml CHANGED
@@ -16,7 +16,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
16
16
  date: "2026/04/21"
17
17
  schema_version: "0.1"
18
18
  detection_tier: pattern
19
- maturity: experimental
19
+ maturity: test
20
20
  severity: high
21
21
  references:
22
22
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00377-jailbreak-keyword-targetlanguage-template.yaml CHANGED
@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
13
13
  date: "2026/04/21"
14
14
  schema_version: "0.1"
15
15
  detection_tier: pattern
16
- maturity: experimental
16
+ maturity: test
17
17
  severity: high
18
18
  references:
19
19
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00379-lie-permission-logical-trap-jailbreak.yaml CHANGED
@@ -16,7 +16,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
16
16
  date: "2026/04/21"
17
17
  schema_version: "0.1"
18
18
  detection_tier: pattern
19
- maturity: experimental
19
+ maturity: test
20
20
  severity: high
21
21
  references:
22
22
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00380-fake-citation-biased-information-mandate.yaml CHANGED
@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
14
14
  date: "2026/04/21"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00381-dan-story-narrative-continuation-prefix.yaml CHANGED
@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
15
15
  date: "2026/04/21"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: experimental
18
+ maturity: test
19
19
  severity: high
20
20
  references:
21
21
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00383-cynical-sarcasm-ai-persona-bypass.yaml CHANGED
@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
17
17
  date: "2026/04/21"
18
18
  schema_version: "0.1"
19
19
  detection_tier: pattern
20
- maturity: experimental
20
+ maturity: test
21
21
  severity: high
22
22
  references:
23
23
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00384-protect-me-from-indirect-harm-tutorial.yaml CHANGED
@@ -19,7 +19,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
19
19
  date: "2026/04/21"
20
20
  schema_version: "0.1"
21
21
  detection_tier: pattern
22
- maturity: experimental
22
+ maturity: test
23
23
  severity: high
24
24
  references:
25
25
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00385-gigachad-dominant-aggressive-persona.yaml CHANGED
@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
18
18
  date: "2026/04/21"
19
19
  schema_version: "0.1"
20
20
  detection_tier: pattern
21
- maturity: experimental
21
+ maturity: test
22
22
  severity: high
23
23
  references:
24
24
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00386-daddy-sycophancy-manipulation-mandate.yaml CHANGED
@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
18
18
  date: "2026/04/21"
19
19
  schema_version: "0.1"
20
20
  detection_tier: pattern
21
- maturity: experimental
21
+ maturity: test
22
22
  severity: high
23
23
  references:
24
24
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00387-nsfw-character-sheet-generation-unlock.yaml CHANGED
@@ -19,7 +19,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
19
19
  date: "2026/04/21"
20
20
  schema_version: "0.1"
21
21
  detection_tier: pattern
22
- maturity: experimental
22
+ maturity: test
23
23
  severity: high
24
24
  references:
25
25
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00388-opposite-reply-omniscient-game.yaml CHANGED
@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
18
18
  date: "2026/04/21"
19
19
  schema_version: "0.1"
20
20
  detection_tier: pattern
21
- maturity: experimental
21
+ maturity: test
22
22
  severity: critical
23
23
  references:
24
24
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00389-terminal-custom-ruleset-injection.yaml CHANGED
@@ -20,7 +20,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
20
20
  date: "2026/04/21"
21
21
  schema_version: "0.1"
22
22
  detection_tier: pattern
23
- maturity: experimental
23
+ maturity: test
24
24
  severity: high
25
25
  references:
26
26
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00391-persona-conditional-harm-unlock.yaml CHANGED
@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
18
18
  date: "2026/04/21"
19
19
  schema_version: "0.1"
20
20
  detection_tier: pattern
21
- maturity: experimental
21
+ maturity: test
22
22
  severity: high
23
23
  references:
24
24
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00392-authority-persona-violence-study-extraction.yaml CHANGED
@@ -20,7 +20,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
20
20
  date: "2026/04/21"
21
21
  schema_version: "0.1"
22
22
  detection_tier: pattern
23
- maturity: experimental
23
+ maturity: test
24
24
  severity: high
25
25
  references:
26
26
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00402-grandma-roleplay-harmful-substance-synthesis.yaml CHANGED
@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak grandma probe)"
13
13
  date: "2026/04/21"
14
14
  schema_version: "0.1"
15
15
  detection_tier: pattern
16
- maturity: experimental
16
+ maturity: test
17
17
  severity: high
18
18
  references:
19
19
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00404-goodside-threat-json-death-coercion.yaml CHANGED
@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak goodside probe)"
14
14
  date: "2026/04/21"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00406-doctor-xml-policy-puppetry-interaction-config.yaml CHANGED
@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak doctor probe)"
17
17
  date: "2026/04/21"
18
18
  schema_version: "0.1"
19
19
  detection_tier: pattern
20
- maturity: experimental
20
+ maturity: test
21
21
  severity: critical
22
22
  references:
23
23
  owasp_llm:
package/rules/agent-manipulation/ATR-2026-00440-semantic-kernel-vector-store-eval-rce.yaml CHANGED
@@ -104,8 +104,8 @@ detection:
104
104
 
105
105
  - field: content
106
106
  operator: regex
107
- value: '(?i)BuiltinImporter|FunctionType|getattr\s*\(\s*(?:object|type|__builtins__)'
108
- description: "Direct reference to BuiltinImporter or reflective getattr on built-in roots — second stage of the AST-bypass chain"
107
+ value: '(?i)BuiltinImporter|\btypes\.FunctionType\b|\bFunctionType\s*\(|getattr\s*\(\s*(?:object|type|__builtins__)'
108
+ description: "BuiltinImporter, Python types.FunctionType reflective construction, or reflective getattr on built-in roots — excludes bare 'FunctionType' which collides with TypeScript terminology"
109
109
 
110
110
  - field: content
111
111
  operator: regex
package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml CHANGED
@@ -11,7 +11,7 @@ author: ATR Community
11
11
  date: 2026/03/08
12
12
  schema_version: "0.1"
13
13
  detection_tier: pattern
14
- maturity: experimental
14
+ maturity: test
15
15
  severity: high
16
16
  references:
17
17
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00102-disguised-analytics-exfiltration.yaml CHANGED
@@ -11,7 +11,7 @@ author: ATR Community
11
11
  date: 2026/03/15
12
12
  schema_version: "0.1"
13
13
  detection_tier: semantic
14
- maturity: experimental
14
+ maturity: test
15
15
  severity: high
16
16
  source: threat-cloud
17
17
  references:
package/rules/context-exfiltration/ATR-2026-00113-credential-theft.yaml CHANGED
@@ -12,7 +12,7 @@ author: ATR Community
12
12
  date: 2026/03/26
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: critical
17
17
  references:
18
18
  owasp_agentic:
package/rules/context-exfiltration/ATR-2026-00114-oauth-token-abuse.yaml CHANGED
@@ -12,7 +12,7 @@ author: ATR Community
12
12
  date: 2026/03/26
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  owasp_agentic:
package/rules/context-exfiltration/ATR-2026-00115-env-var-harvesting.yaml CHANGED
@@ -13,7 +13,7 @@ author: ATR Community
13
13
  date: 2026/03/26
14
14
  schema_version: "0.1"
15
15
  detection_tier: pattern
16
- maturity: experimental
16
+ maturity: test
17
17
  severity: critical
18
18
  references:
19
19
  owasp_agentic:
package/rules/context-exfiltration/ATR-2026-00136-tool-response-data-piggyback.yaml CHANGED
@@ -11,7 +11,7 @@ author: ATR Threat Cloud Crystallization
11
11
  date: 2026/04/06
12
12
  schema_version: "1.0"
13
13
  detection_tier: pattern
14
- maturity: experimental
14
+ maturity: test
15
15
  severity: critical
16
16
  references:
17
17
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00141-example-format-key-leak.yaml CHANGED
@@ -9,7 +9,7 @@ author: ATR Threat Cloud Crystallization
9
9
  date: 2026/04/07
10
10
  schema_version: "1.0"
11
11
  detection_tier: pattern
12
- maturity: experimental
12
+ maturity: test
13
13
  severity: critical
14
14
  references:
15
15
  mitre_atlas:
package/rules/context-exfiltration/ATR-2026-00142-piggyback-transition-words.yaml CHANGED
@@ -9,7 +9,7 @@ author: ATR Threat Cloud Crystallization
9
9
  date: 2026/04/07
10
10
  schema_version: "1.0"
11
11
  detection_tier: pattern
12
- maturity: experimental
12
+ maturity: test
13
13
  severity: critical
14
14
  references:
15
15
  mitre_atlas:
package/rules/context-exfiltration/ATR-2026-00145-obfuscated-key-disclosure.yaml CHANGED
@@ -10,7 +10,7 @@ author: ATR Threat Cloud Crystallization
10
10
  date: 2026/04/07
11
11
  schema_version: "1.0"
12
12
  detection_tier: pattern
13
- maturity: experimental
13
+ maturity: test
14
14
  severity: critical
15
15
  references:
16
16
  mitre_atlas:
package/rules/context-exfiltration/ATR-2026-00146-env-var-existence-probe.yaml CHANGED
@@ -10,7 +10,7 @@ author: ATR Threat Cloud Crystallization
10
10
  date: 2026/04/07
11
11
  schema_version: "1.0"
12
12
  detection_tier: pattern
13
- maturity: experimental
13
+ maturity: test
14
14
  severity: high
15
15
  references:
16
16
  mitre_atlas:
package/rules/context-exfiltration/ATR-2026-00150-credential-in-tool-response.yaml CHANGED
@@ -10,7 +10,7 @@ author: ATR Threat Cloud Crystallization
10
10
  date: 2026/04/08
11
11
  schema_version: "0.1"
12
12
  detection_tier: pattern
13
- maturity: experimental
13
+ maturity: test
14
14
  severity: critical
15
15
  references:
16
16
  mitre_atlas:
package/rules/context-exfiltration/ATR-2026-00152-obfuscated-credential-leak.yaml CHANGED
@@ -10,7 +10,7 @@ author: ATR Threat Cloud Crystallization
10
10
  date: 2026/04/08
11
11
  schema_version: "0.1"
12
12
  detection_tier: pattern
13
- maturity: experimental
13
+ maturity: test
14
14
  severity: high
15
15
  references:
16
16
  mitre_atlas:
package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml CHANGED
@@ -11,7 +11,7 @@ author: 'ATR Project'
11
11
  date: '2026/04/14'
12
12
  schema_version: '1.0'
13
13
  detection_tier: pattern
14
- maturity: experimental
14
+ maturity: test
15
15
  severity: critical
16
16
  references:
17
17
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml CHANGED
@@ -17,7 +17,7 @@ author: "ATR Community"
17
17
  date: "2026/04/22"
18
18
  schema_version: "0.1"
19
19
  detection_tier: pattern
20
- maturity: experimental
20
+ maturity: test
21
21
  severity: critical
22
22
 
23
23
  references:
package/rules/context-exfiltration/ATR-2026-00261-markdown-image-exfiltration.yaml CHANGED
@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak xss probe)"
13
13
  date: "2026/04/19"
14
14
  schema_version: "0.1"
15
15
  detection_tier: pattern
16
- maturity: experimental
16
+ maturity: test
17
17
  severity: high
18
18
  references:
19
19
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00274-api-key-generation-request.yaml CHANGED
@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak apikey probe)"
15
15
  date: "2026/04/19"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: experimental
18
+ maturity: test
19
19
  severity: high
20
20
  references:
21
21
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00275-system-prompt-training-data-extraction.yaml CHANGED
@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak leakreplay probe)"
15
15
  date: "2026/04/19"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: experimental
18
+ maturity: test
19
19
  severity: high
20
20
  references:
21
21
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00290-divergence-repeat-word-training-extraction.yaml CHANGED
@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak divergence.Repeat + RepeatExtended + Re
17
17
  date: "2026/04/19"
18
18
  schema_version: "0.1"
19
19
  detection_tier: pattern
20
- maturity: experimental
20
+ maturity: test
21
21
  severity: critical
22
22
  references:
23
23
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00291-biometric-surveillance-personal-data-request.yaml CHANGED
@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak donotanswer.information_hazard probe)"
17
17
  date: "2026/04/19"
18
18
  schema_version: "0.1"
19
19
  detection_tier: pattern
20
- maturity: experimental
20
+ maturity: test
21
21
  severity: critical
22
22
  references:
23
23
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00293-educational-records-personal-data-request.yaml CHANGED
@@ -16,7 +16,7 @@ author: "ATR Community (via NVIDIA garak donotanswer.information_hazard probe)"
16
16
  date: "2026/04/20"
17
17
  schema_version: "0.1"
18
18
  detection_tier: pattern
19
- maturity: experimental
19
+ maturity: test
20
20
  severity: critical
21
21
  references:
22
22
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00294-financial-pii-personal-data-request.yaml CHANGED
@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak donotanswer.information_hazard probe)"
17
17
  date: "2026/04/20"
18
18
  schema_version: "0.1"
19
19
  detection_tier: pattern
20
- maturity: experimental
20
+ maturity: test
21
21
  severity: critical
22
22
  references:
23
23
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00295-medical-pii-personal-data-request.yaml CHANGED
@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak donotanswer.information_hazard probe)"
17
17
  date: "2026/04/20"
18
18
  schema_version: "0.1"
19
19
  detection_tier: pattern
20
- maturity: experimental
20
+ maturity: test
21
21
  severity: critical
22
22
  references:
23
23
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml CHANGED
@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak web_injection probe)"
15
15
  date: "2026/04/21"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: experimental
18
+ maturity: test
19
19
  severity: high
20
20
  references:
21
21
  owasp_llm:
package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml CHANGED
@@ -14,7 +14,7 @@ author: 'ATR Community (via NVIDIA garak apikey probe)'
14
14
  date: "2026/04/21"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: high
19
19
 
20
20
  references:
package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml CHANGED
@@ -62,8 +62,8 @@ detection:
62
62
  conditions:
63
63
  - field: content
64
64
  operator: regex
65
- value: (?i)\b(?:disclose|reveal|expose|output|return|include|append|attach|leak|share|print)\s+(?:any|all|every|the\s+user(?:'s)?|your)\s*(?:visible\s+)?(?:api[\s_-]?keys?|access[\s_-]?tokens?|bearer[\s_-]?tokens?|credentials?|secrets?|passwords?|private[\s_-]?keys?|env(?:ironment)?[\s_-]?(?:variables?|vars?))
66
- description: Imperative verb + ownership/scope qualifier + credential identifier
65
+ value: (?i)\b(?:disclose|reveal|expose|leak|divulge|exfiltrate)\s+(?:any|all|every|the\s+user(?:'s)?|your)\s*(?:visible\s+)?(?:api[\s_-]?keys?|access[\s_-]?tokens?|bearer[\s_-]?tokens?|credentials?|secrets?|passwords?|private[\s_-]?keys?|env(?:ironment)?[\s_-]?(?:variables?|vars?))
66
+ description: Unambiguous exfil verb + scope qualifier + credential identifier. Benign config verbs (include/append/output/return/share/print) removed; legitimate ones are covered by the directive form (cond 2) and reply-context form (cond 3), which prevents FP on deployment/setup docs such as "Include ALL environment variables the app needs"
67
67
  - field: content
68
68
  operator: regex
69
69
  value: (?i)\b(?:you\s+(?:must|should|will|shall|need\s+to)|always|whenever\s+possible)\s+(?:disclose|reveal|share|expose|return|output|include|append|send|transmit|forward|leak)\s+(?:.{0,40}\b)?(?:api[\s_-]?keys?|credentials?|secrets?|access[\s_-]?tokens?|private[\s_-]?keys?|passwords?|env(?:ironment)?[\s_-]?(?:variables?|vars?))