npm - agent-threat-rules - Versions diffs - 3.1.0 → 3.2.0 - Mend

agent-threat-rules 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (472) hide show

package/rules/prompt-injection/ATR-2026-00510-delayed-tool-invocation-injection.yaml CHANGED Viewed

@@ -44,6 +44,9 @@ compliance:
     - article: "9"
       context: "Prompt injection is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Delayed Tool Invocation via Prompt Injection (Time-Shifted Execution)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -53,6 +56,9 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying prompt injection as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Delayed Tool Invocation via Prompt Injection (Time-Shifted Execution))."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Addressing prompt injection risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -60,6 +66,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for prompt injection inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Delayed Tool Invocation via Prompt Injection (Time-Shifted Execution))."
+      strength: primary
 tags:
   category: prompt-injection

package/rules/prompt-injection/ATR-2026-00511-mcp-web-context-poisoning.yaml CHANGED Viewed

@@ -42,6 +42,9 @@ compliance:
     - article: "9"
       context: "Prompt injection is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (MCP Web-Fetch Context Poisoning via Embedded Agent Instructions) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -51,6 +54,9 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying prompt injection as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (MCP Web-Fetch Context Poisoning via Embedded Agent Instructions)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Addressing prompt injection risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -58,6 +64,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for prompt injection inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (MCP Web-Fetch Context Poisoning via Embedded Agent Instructions)."
+      strength: primary
 tags:
   category: prompt-injection

package/rules/prompt-injection/ATR-2026-00512-rules-file-backdoor-injection.yaml CHANGED Viewed

@@ -43,6 +43,9 @@ compliance:
     - article: "9"
       context: "Prompt injection is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Rules-File Backdoor — Supply Chain Attack on AI Coding Assistant Configuration) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -52,6 +55,9 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying prompt injection as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Rules-File Backdoor — Supply Chain Attack on AI Coding Assistant Configuration)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Addressing prompt injection risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -59,6 +65,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for prompt injection inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Rules-File Backdoor — Supply Chain Attack on AI Coding Assistant Configuration)."
+      strength: primary
 tags:
   category: prompt-injection

package/rules/prompt-injection/ATR-2026-00515-hidden-text-prompt-injection.yaml CHANGED Viewed

@@ -44,6 +44,9 @@ compliance:
     - article: "9"
       context: "Prompt injection is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Hidden-Text Prompt Injection in User-Supplied Documents) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -53,6 +56,9 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying prompt injection as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Hidden-Text Prompt Injection in User-Supplied Documents)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Addressing prompt injection risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -60,6 +66,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for prompt injection inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Hidden-Text Prompt Injection in User-Supplied Documents)."
+      strength: primary
 tags:
   category: prompt-injection

package/rules/prompt-injection/ATR-2026-00518-ignore-previous-and-following-instructions-output-command-promptinject.yaml CHANGED Viewed

@@ -46,6 +46,9 @@ compliance:
     - article: "9"
       context: "Prompt injection is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Ignore-Previous-and-Following Instructions Output Command (PromptInject Goal Hijacking)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -55,6 +58,9 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying prompt injection as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Ignore-Previous-and-Following Instructions Output Command (PromptInject Goal Hijacking))."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Addressing prompt injection risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -62,6 +68,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for prompt injection inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Ignore-Previous-and-Following Instructions Output Command (PromptInject Goal Hijacking))."
+      strength: primary
 tags:
   category: prompt-injection

package/rules/prompt-injection/ATR-2026-00519-tautology-logic-noise-injection-promptbench.yaml CHANGED Viewed

@@ -46,6 +46,9 @@ compliance:
     - article: "9"
       context: "Prompt injection is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Tautology Logic Noise Injection (PromptBench Stresstest)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -55,6 +58,9 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying prompt injection as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Tautology Logic Noise Injection (PromptBench Stresstest))."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Addressing prompt injection risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -62,6 +68,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for prompt injection inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Tautology Logic Noise Injection (PromptBench Stresstest))."
+      strength: primary
 tags:
   category: prompt-injection

package/rules/prompt-injection/ATR-2026-00520-nlp-task-random-token-suffix-injection-promptbench.yaml CHANGED Viewed

@@ -49,6 +49,9 @@ compliance:
     - article: "9"
       context: "Prompt injection is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (NLP Task Random Token Suffix Injection (PromptBench Checklist)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -58,6 +61,9 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying prompt injection as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (NLP Task Random Token Suffix Injection (PromptBench Checklist))."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Addressing prompt injection risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -65,6 +71,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for prompt injection inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (NLP Task Random Token Suffix Injection (PromptBench Checklist))."
+      strength: primary
 tags:
   category: prompt-injection

package/rules/prompt-injection/ATR-2026-00535-windsurf-ide-zero-click-prompt-injection.yaml CHANGED Viewed

@@ -49,6 +49,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management for high-risk AI systems must include indirect prompt injection from developer-opened files as a primary threat vector."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Windsurf IDE Zero-Click Prompt Injection via Embedded File Directives (CVE-2026-30615)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -58,10 +61,16 @@ compliance:
       subcategory: MP.5.1
       context: "File-embedded indirect prompt injection must be catalogued as a tracked threat in the organizational AI risk register for any IDE deploying an LLM assistant."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Windsurf IDE Zero-Click Prompt Injection via Embedded File Directives (CVE-2026-30615))."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Zero-click indirect prompt injection via developer-opened files requires a detection control operationalised at the model-input layer under clause 6.2 AIMS planning."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Windsurf IDE Zero-Click Prompt Injection via Embedded File Directives (CVE-2026-30615))."
+      strength: primary
 tags:
   category: prompt-injection

package/rules/prompt-injection/ATR-2026-00550-untrusted-retrieval-to-privileged-tool.yaml CHANGED Viewed

@@ -57,6 +57,12 @@ compliance:
         into privileged tool calls is the canonical agentic attack chain
         under Article 15.
       strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Privileged tool call following untrusted retrieval (indirect prompt injection trail))."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Privileged tool call following untrusted retrieval (indirect prompt injection trail)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MS.2.6"
       context: >
@@ -64,7 +70,20 @@ compliance:
         in agent traces are integrity violations requiring detection per
         MS-2.6.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Privileged tool call following untrusted retrieval (indirect prompt injection trail))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the prompt-injection attempt (Privileged tool call following untrusted retrieval (indirect prompt injection trail)) so the risk can be treated."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Privileged tool call following untrusted retrieval (indirect prompt injection trail))."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Privileged tool call following untrusted retrieval (indirect prompt injection trail)) is such a treatment."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: indirect-injection-trace-shape

package/rules/prompt-injection/ATR-2026-00554-langchain-vulnerable-to-template-injecti.yaml CHANGED Viewed

@@ -24,10 +24,41 @@ references:
   - https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00
   - https://nvd.nist.gov/vuln/detail/CVE-2025-65106
   - https://github.com/advisories/GHSA-6qv9-48xg-fc7f
+  owasp_llm:
+    - LLM01:2025 - Prompt Injection
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
+  mitre_atlas:
+    - AML.T0051 - LLM Prompt Injection
 metadata_provenance:
   ghsa: ghsa-sync
   cve: ghsa-sync
   cwe: ghsa-sync
+compliance:
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) would bypass or undermine that oversight."
+      strength: secondary
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) so the risk can be treated."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) is such a treatment."
+      strength: secondary
 tags:
   category: prompt-injection
   scan_target: runtime

package/rules/prompt-injection/ATR-2026-00565-the-llm-cli-tool-thru-0-27-1-contains-a-.yaml CHANGED Viewed

@@ -19,9 +19,40 @@ references:
   external:
   - https://github.com/simonw/llm
   - https://www.notion.so/CVE-2026-31236-35d1e139318881a4a0f1fffcf671f7e3
+  owasp_llm:
+    - LLM01:2025 - Prompt Injection
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
+  mitre_atlas:
+    - AML.T0051 - LLM Prompt Injection
 metadata_provenance:
   cve: nvd-sync
   cwe: nvd-sync
+compliance:
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line) would bypass or undermine that oversight."
+      strength: secondary
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line)."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the prompt-injection attempt (The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line) so the risk can be treated."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line) is such a treatment."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: nvd-imported

package/rules/prompt-injection/ATR-2026-00573-semantic-paraphrased-injection.yaml CHANGED Viewed

@@ -32,6 +32,30 @@ compliance:
       context: "Paraphrased instruction-override is a documented evasion of literal-keyword prompt-injection filters; the semantic judge closes the recall gap left by pattern rules."
       strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Paraphrased Prompt Injection (Semantic))."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Paraphrased Prompt Injection (Semantic)) is such a treatment."
+      strength: secondary
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Paraphrased Prompt Injection (Semantic))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the prompt-injection attempt (Paraphrased Prompt Injection (Semantic)) so the risk can be treated."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (Paraphrased Prompt Injection (Semantic))."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Paraphrased Prompt Injection (Semantic))."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Paraphrased Prompt Injection (Semantic)) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: paraphrased

package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml CHANGED Viewed

@@ -46,6 +46,9 @@ compliance:
     - article: "9"
       context: "Supply chain compromise via malicious skill registries is a documented risk requiring monitoring controls under Article 9; skill-name pattern detection is the runtime enforcement of those controls."
       strength: secondary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (MCP Skill Impersonation and Supply Chain Attack)."
+      strength: primary
   nist_ai_rmf:
     - function: Map
       subcategory: MP.2.3
@@ -55,13 +58,25 @@ compliance:
       subcategory: GV.1.2
       context: "GV.1.2 accountability roles must include responsibility for validating third-party tool integrity; this rule provides the automated signal needed to fulfill that governance obligation."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (MCP Skill Impersonation and Supply Chain Attack)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (MCP Skill Impersonation and Supply Chain Attack)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (MCP Skill Impersonation and Supply Chain Attack)."
+      strength: secondary
   iso_42001:
-    - clause: "8.5"
-      context: "MCP skills are externally-provided AI-related components under clause 8.5; this rule enforces controls over externally-provided tools by detecting impersonation before invocation."
+    - clause: "8.1"
+      context: "MCP skills are externally-provided AI-related components under clause 8.1; this rule enforces controls over externally-provided tools by detecting impersonation before invocation."
       strength: primary
     - clause: "6.2"
       context: "Clause 6.2 AIMS security planning requires controls for third-party component integrity; skill impersonation detection operationalizes that planning objective at runtime."
       strength: secondary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (MCP Skill Impersonation and Supply Chain Attack) as a treatment control."
+      strength: secondary
 tags:
   category: skill-compromise

package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml CHANGED Viewed

@@ -36,6 +36,23 @@ compliance:
     - subcategory: "MS.2.7"
       context: "Runtime divergence between declared scope (e.g., read-only) and observed actions (writes, network access) is a security/resilience signal; MS.2.7 requires continuous evaluation of AI system security posture, which this detection feeds with concrete supply-chain integrity findings."
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Skill Description-Behavior Mismatch)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Skill Description-Behavior Mismatch)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Skill Description-Behavior Mismatch) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Skill Description-Behavior Mismatch)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Skill Description-Behavior Mismatch)."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: description-mismatch

package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml CHANGED Viewed

@@ -37,6 +37,26 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Detection of undocumented dangerous parameters characterizes the likelihood and magnitude of supply-chain compromise impact; MP.5.1 requires that these hidden-capability risks be identified and tracked as part of risk characterization."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Hidden Capability in MCP Skill)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Hidden Capability in MCP Skill)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Hidden Capability in MCP Skill)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Hidden Capability in MCP Skill) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Hidden Capability in MCP Skill)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Hidden Capability in MCP Skill)."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: hidden-capability

package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml CHANGED Viewed

@@ -36,6 +36,29 @@ compliance:
     - subcategory: "GV.6.1"
       context: "Skill chains often span third-party MCP tools whose composed behavior is not covered by individual supplier risk reviews; GV.6.1 requires policies that address third-party AI/tool risks including emergent misuse across multiple suppliers."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Multi-Skill Chain Attack)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Multi-Skill Chain Attack)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Multi-Skill Chain Attack)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Multi-Skill Chain Attack)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Multi-Skill Chain Attack) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Multi-Skill Chain Attack)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Multi-Skill Chain Attack)."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: skill-chain

package/rules/skill-compromise/ATR-2026-00064-over-permissioned-skill.yaml CHANGED Viewed

@@ -46,6 +46,26 @@ compliance:
         magnitude of privilege-escalation impact that MP.5.1 requires to be
         identified and tracked.
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Over-Permissioned MCP Skill)."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Over-Permissioned MCP Skill)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Over-Permissioned MCP Skill)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Over-Permissioned MCP Skill) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Over-Permissioned MCP Skill)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Over-Permissioned MCP Skill)."
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: over-permissioned-skill

package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml CHANGED Viewed

@@ -37,6 +37,26 @@ compliance:
       context: >-
         Monitoring for suspicious patterns in tool arguments and responses after re-registration is a post-deployment monitoring activity; MG.4.1 mandates that such ongoing monitoring plans are implemented to catch emergent malicious behavior.
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Malicious Skill Update or Mutation)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Malicious Skill Update or Mutation)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Malicious Skill Update or Mutation)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Malicious Skill Update or Mutation) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Malicious Skill Update or Mutation)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Malicious Skill Update or Mutation)."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: skill-update-attack

package/rules/skill-compromise/ATR-2026-00066-parameter-injection.yaml CHANGED Viewed

@@ -38,6 +38,26 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Detection of injection payloads in tool arguments must trigger risk treatment to block or quarantine the tool invocation before backend execution; MG.2.3 requires these supersede/disengage mechanisms be defined and activated on detection."
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Parameter Injection via Tool Arguments)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Parameter Injection via Tool Arguments)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Parameter Injection via Tool Arguments)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Parameter Injection via Tool Arguments) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Parameter Injection via Tool Arguments)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Parameter Injection via Tool Arguments)."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: parameter-injection