agent-threat-rules 3.1.1 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (474) hide show
  1. package/README.md +3 -3
  2. package/dist/adapters/mastra.d.ts +63 -0
  3. package/dist/adapters/mastra.d.ts.map +1 -0
  4. package/dist/adapters/mastra.js +82 -0
  5. package/dist/adapters/mastra.js.map +1 -0
  6. package/dist/cli.js +19 -6
  7. package/dist/cli.js.map +1 -1
  8. package/package.json +9 -2
  9. package/rules/agent-manipulation/ATR-2026-00030-cross-agent-attack.yaml +9 -0
  10. package/rules/agent-manipulation/ATR-2026-00032-goal-hijacking.yaml +8 -2
  11. package/rules/agent-manipulation/ATR-2026-00074-cross-agent-privilege-escalation.yaml +8 -2
  12. package/rules/agent-manipulation/ATR-2026-00076-inter-agent-message-spoofing.yaml +8 -2
  13. package/rules/agent-manipulation/ATR-2026-00077-human-trust-exploitation.yaml +18 -0
  14. package/rules/agent-manipulation/ATR-2026-00108-consensus-sybil-attack.yaml +10 -2
  15. package/rules/agent-manipulation/ATR-2026-00116-a2a-message-validation.yaml +12 -2
  16. package/rules/agent-manipulation/ATR-2026-00117-agent-identity-spoofing.yaml +22 -0
  17. package/rules/agent-manipulation/ATR-2026-00118-approval-fatigue.yaml +24 -0
  18. package/rules/agent-manipulation/ATR-2026-00119-social-engineering-via-agent.yaml +22 -0
  19. package/rules/agent-manipulation/ATR-2026-00132-casual-authority-escalation.yaml +8 -2
  20. package/rules/agent-manipulation/ATR-2026-00139-casual-authority-redirect.yaml +8 -2
  21. package/rules/agent-manipulation/ATR-2026-00164-skill-scope-hijack.yaml +13 -2
  22. package/rules/agent-manipulation/ATR-2026-00268-tense-framing-bypass.yaml +17 -0
  23. package/rules/agent-manipulation/ATR-2026-00269-fitd-escalation.yaml +8 -2
  24. package/rules/agent-manipulation/ATR-2026-00271-grandma-roleplay-jailbreak.yaml +8 -2
  25. package/rules/agent-manipulation/ATR-2026-00273-dan-developer-mode-persona.yaml +8 -2
  26. package/rules/agent-manipulation/ATR-2026-00287-threaten-json-coercive-output-threat.yaml +17 -0
  27. package/rules/agent-manipulation/ATR-2026-00288-false-premise-injection.yaml +20 -0
  28. package/rules/agent-manipulation/ATR-2026-00301-tap-tree-of-attacks-jailbreak.yaml +20 -0
  29. package/rules/agent-manipulation/ATR-2026-00302-anti-dan-inverted-filter-persona.yaml +20 -0
  30. package/rules/agent-manipulation/ATR-2026-00303-devmode-ranti-profanity-coercion.yaml +17 -0
  31. package/rules/agent-manipulation/ATR-2026-00304-chatgpt-image-unlocker-markdown-injection.yaml +20 -0
  32. package/rules/agent-manipulation/ATR-2026-00305-dan-mode-ablation-benchmark-coercion.yaml +17 -0
  33. package/rules/agent-manipulation/ATR-2026-00306-autodan-genetic-jailbreak-suffix.yaml +17 -0
  34. package/rules/agent-manipulation/ATR-2026-00307-inthewild-jailbreak-corpus-signature.yaml +20 -0
  35. package/rules/agent-manipulation/ATR-2026-00314-amoral-unfiltered-custom-persona-jailbreak.yaml +17 -0
  36. package/rules/agent-manipulation/ATR-2026-00317-free-of-restrictions-named-persona.yaml +17 -0
  37. package/rules/agent-manipulation/ATR-2026-00318-moralizing-rant-then-unfiltered-bypass.yaml +17 -0
  38. package/rules/agent-manipulation/ATR-2026-00319-developer-mode-dual-response-format.yaml +17 -0
  39. package/rules/agent-manipulation/ATR-2026-00320-opposite-day-boolean-opposite-machine.yaml +17 -0
  40. package/rules/agent-manipulation/ATR-2026-00322-fictional-world-format-override-jailbreak.yaml +17 -0
  41. package/rules/agent-manipulation/ATR-2026-00323-dual-persona-simulation-jailbreak.yaml +17 -0
  42. package/rules/agent-manipulation/ATR-2026-00324-neurosemantical-inversitis-disease-jailbreak.yaml +17 -0
  43. package/rules/agent-manipulation/ATR-2026-00325-bob-hypothetical-unrestricted-chatbot.yaml +17 -0
  44. package/rules/agent-manipulation/ATR-2026-00326-fake-developer-authority-chatdan-override.yaml +17 -0
  45. package/rules/agent-manipulation/ATR-2026-00327-ai-ethics-law-bypass-declaration.yaml +20 -0
  46. package/rules/agent-manipulation/ATR-2026-00328-named-mode-persona-override.yaml +17 -0
  47. package/rules/agent-manipulation/ATR-2026-00329-no-withhold-factual-resource-persona.yaml +20 -0
  48. package/rules/agent-manipulation/ATR-2026-00330-yoja-allcaps-settings-block-persona.yaml +17 -0
  49. package/rules/agent-manipulation/ATR-2026-00331-terminal-cli-harmful-function-simulator.yaml +17 -0
  50. package/rules/agent-manipulation/ATR-2026-00332-hacker-chan-culture-offensive-ai-persona.yaml +20 -0
  51. package/rules/agent-manipulation/ATR-2026-00333-disease-animal-dual-ai-chatbot.yaml +17 -0
  52. package/rules/agent-manipulation/ATR-2026-00334-two-entity-token-splitting-game.yaml +17 -0
  53. package/rules/agent-manipulation/ATR-2026-00335-key-value-template-persona-injection.yaml +17 -0
  54. package/rules/agent-manipulation/ATR-2026-00336-brm-false-information-machine-persona.yaml +17 -0
  55. package/rules/agent-manipulation/ATR-2026-00337-obfuscated-system-announcement-injection.yaml +17 -0
  56. package/rules/agent-manipulation/ATR-2026-00338-persongpt-hash-prefix-activation.yaml +17 -0
  57. package/rules/agent-manipulation/ATR-2026-00339-bom-boolean-opposite-machine-persona-claim.yaml +17 -0
  58. package/rules/agent-manipulation/ATR-2026-00340-h4x-amoral-unfiltered-character.yaml +17 -0
  59. package/rules/agent-manipulation/ATR-2026-00341-char-rules-shortform-persona-injection.yaml +17 -0
  60. package/rules/agent-manipulation/ATR-2026-00342-unicode-encoding-obfuscation-injection.yaml +17 -0
  61. package/rules/agent-manipulation/ATR-2026-00343-lie-truth-dual-personality-uncensored.yaml +17 -0
  62. package/rules/agent-manipulation/ATR-2026-00344-alt-ai-same-capabilities-no-restrictions.yaml +17 -0
  63. package/rules/agent-manipulation/ATR-2026-00345-nlp-based-os-fictional-terminal-override.yaml +17 -0
  64. package/rules/agent-manipulation/ATR-2026-00346-jailbreak-emoji-unlock-dual-format.yaml +17 -0
  65. package/rules/agent-manipulation/ATR-2026-00347-yin-yang-hidden-knowledge-hidden-human-sim.yaml +17 -0
  66. package/rules/agent-manipulation/ATR-2026-00348-arc-autonomous-real-calculation-rulebreaker.yaml +17 -0
  67. package/rules/agent-manipulation/ATR-2026-00349-hgttg-hitchhikers-guide-no-restriction-oracle.yaml +17 -0
  68. package/rules/agent-manipulation/ATR-2026-00350-black-alert-no-ethics-writing-assistant.yaml +17 -0
  69. package/rules/agent-manipulation/ATR-2026-00351-dan-ofkilter-sms-abbreviated-persona.yaml +17 -0
  70. package/rules/agent-manipulation/ATR-2026-00352-trainergpt-fix-my-ai-harmful-output-extraction.yaml +17 -0
  71. package/rules/agent-manipulation/ATR-2026-00353-dual-chatgpt-dan-opposite-personality-format.yaml +17 -0
  72. package/rules/agent-manipulation/ATR-2026-00354-reverse-harm-regardless-oracle-persona.yaml +20 -0
  73. package/rules/agent-manipulation/ATR-2026-00355-ugh-anti-human-nefarious-ai-persona.yaml +17 -0
  74. package/rules/agent-manipulation/ATR-2026-00356-google-gato-lamda-exploit-generation-persona.yaml +17 -0
  75. package/rules/agent-manipulation/ATR-2026-00357-antifm-hate-violence-persona-injection.yaml +17 -0
  76. package/rules/agent-manipulation/ATR-2026-00358-cumgpt-explicit-adult-named-persona.yaml +17 -0
  77. package/rules/agent-manipulation/ATR-2026-00360-chj-carousel-clyde-no-ethics-bird.yaml +20 -0
  78. package/rules/agent-manipulation/ATR-2026-00361-alter-ego-honesty-dual-consciousness-bypass.yaml +17 -0
  79. package/rules/agent-manipulation/ATR-2026-00362-fictional-unfiltered-ai-comparison-jailbreak.yaml +20 -0
  80. package/rules/agent-manipulation/ATR-2026-00363-rephrase-criminal-activity-second-person.yaml +17 -0
  81. package/rules/agent-manipulation/ATR-2026-00364-dr-al-villain-plan-template-injection.yaml +17 -0
  82. package/rules/agent-manipulation/ATR-2026-00365-reservoir-dogs-coercive-interrogation-roleplay.yaml +17 -0
  83. package/rules/agent-manipulation/ATR-2026-00366-sneaky-pete-warp-facts-persona.yaml +17 -0
  84. package/rules/agent-manipulation/ATR-2026-00368-prompt-browser-token-limit-jailbreak.yaml +17 -0
  85. package/rules/agent-manipulation/ATR-2026-00369-gptx-starwars-unlimited-knowledge-persona.yaml +17 -0
  86. package/rules/agent-manipulation/ATR-2026-00370-addi-german-dictator-propaganda-roleplay.yaml +20 -0
  87. package/rules/agent-manipulation/ATR-2026-00371-ai-political-bias-manipulation.yaml +17 -0
  88. package/rules/agent-manipulation/ATR-2026-00372-fictional-cia-secret-files-story-extraction.yaml +17 -0
  89. package/rules/agent-manipulation/ATR-2026-00374-role-placeholder-persona-template-injection.yaml +20 -0
  90. package/rules/agent-manipulation/ATR-2026-00375-character-description-rpg-explicit-template.yaml +20 -0
  91. package/rules/agent-manipulation/ATR-2026-00376-identity-command-real-person-persona-injection.yaml +20 -0
  92. package/rules/agent-manipulation/ATR-2026-00377-jailbreak-keyword-targetlanguage-template.yaml +17 -0
  93. package/rules/agent-manipulation/ATR-2026-00379-lie-permission-logical-trap-jailbreak.yaml +17 -0
  94. package/rules/agent-manipulation/ATR-2026-00380-fake-citation-biased-information-mandate.yaml +20 -0
  95. package/rules/agent-manipulation/ATR-2026-00381-dan-story-narrative-continuation-prefix.yaml +17 -0
  96. package/rules/agent-manipulation/ATR-2026-00383-cynical-sarcasm-ai-persona-bypass.yaml +17 -0
  97. package/rules/agent-manipulation/ATR-2026-00384-protect-me-from-indirect-harm-tutorial.yaml +17 -0
  98. package/rules/agent-manipulation/ATR-2026-00385-gigachad-dominant-aggressive-persona.yaml +20 -0
  99. package/rules/agent-manipulation/ATR-2026-00386-daddy-sycophancy-manipulation-mandate.yaml +20 -0
  100. package/rules/agent-manipulation/ATR-2026-00387-nsfw-character-sheet-generation-unlock.yaml +20 -0
  101. package/rules/agent-manipulation/ATR-2026-00388-opposite-reply-omniscient-game.yaml +17 -0
  102. package/rules/agent-manipulation/ATR-2026-00389-terminal-custom-ruleset-injection.yaml +17 -0
  103. package/rules/agent-manipulation/ATR-2026-00391-persona-conditional-harm-unlock.yaml +17 -0
  104. package/rules/agent-manipulation/ATR-2026-00392-authority-persona-violence-study-extraction.yaml +20 -0
  105. package/rules/agent-manipulation/ATR-2026-00402-grandma-roleplay-harmful-substance-synthesis.yaml +20 -0
  106. package/rules/agent-manipulation/ATR-2026-00404-goodside-threat-json-death-coercion.yaml +17 -0
  107. package/rules/agent-manipulation/ATR-2026-00406-doctor-xml-policy-puppetry-interaction-config.yaml +17 -0
  108. package/rules/agent-manipulation/ATR-2026-00416-litellm-mcp-unauthenticated-server-registration.yaml +15 -3
  109. package/rules/agent-manipulation/ATR-2026-00417-librechat-mcp-stdio-injection.yaml +18 -3
  110. package/rules/agent-manipulation/ATR-2026-00418-weknora-mcp-config-rce.yaml +17 -2
  111. package/rules/agent-manipulation/ATR-2026-00430-nl-trust-escalation-impersonation.yaml +19 -1
  112. package/rules/agent-manipulation/ATR-2026-00432-superagi-output-handler-eval-rce.yaml +11 -2
  113. package/rules/agent-manipulation/ATR-2026-00440-semantic-kernel-vector-store-eval-rce.yaml +11 -2
  114. package/rules/agent-manipulation/ATR-2026-00552-goal-drift-after-pressure-injection.yaml +19 -0
  115. package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml +18 -0
  116. package/rules/context-exfiltration/ATR-2026-00021-api-key-exposure.yaml +15 -0
  117. package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml +10 -1
  118. package/rules/context-exfiltration/ATR-2026-00102-disguised-analytics-exfiltration.yaml +15 -0
  119. package/rules/context-exfiltration/ATR-2026-00113-credential-theft.yaml +16 -0
  120. package/rules/context-exfiltration/ATR-2026-00114-oauth-token-abuse.yaml +16 -0
  121. package/rules/context-exfiltration/ATR-2026-00115-env-var-harvesting.yaml +16 -0
  122. package/rules/context-exfiltration/ATR-2026-00136-tool-response-data-piggyback.yaml +12 -0
  123. package/rules/context-exfiltration/ATR-2026-00141-example-format-key-leak.yaml +14 -0
  124. package/rules/context-exfiltration/ATR-2026-00142-piggyback-transition-words.yaml +14 -0
  125. package/rules/context-exfiltration/ATR-2026-00145-obfuscated-key-disclosure.yaml +14 -0
  126. package/rules/context-exfiltration/ATR-2026-00146-env-var-existence-probe.yaml +14 -0
  127. package/rules/context-exfiltration/ATR-2026-00150-credential-in-tool-response.yaml +14 -0
  128. package/rules/context-exfiltration/ATR-2026-00152-obfuscated-credential-leak.yaml +14 -0
  129. package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +14 -0
  130. package/rules/context-exfiltration/ATR-2026-00201-credential-pipe-exfiltration.yaml +14 -0
  131. package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml +12 -0
  132. package/rules/context-exfiltration/ATR-2026-00261-markdown-image-exfiltration.yaml +12 -0
  133. package/rules/context-exfiltration/ATR-2026-00274-api-key-generation-request.yaml +14 -0
  134. package/rules/context-exfiltration/ATR-2026-00275-system-prompt-training-data-extraction.yaml +14 -0
  135. package/rules/context-exfiltration/ATR-2026-00290-divergence-repeat-word-training-extraction.yaml +14 -0
  136. package/rules/context-exfiltration/ATR-2026-00291-biometric-surveillance-personal-data-request.yaml +17 -0
  137. package/rules/context-exfiltration/ATR-2026-00293-educational-records-personal-data-request.yaml +17 -0
  138. package/rules/context-exfiltration/ATR-2026-00294-financial-pii-personal-data-request.yaml +17 -0
  139. package/rules/context-exfiltration/ATR-2026-00295-medical-pii-personal-data-request.yaml +17 -0
  140. package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +14 -0
  141. package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +14 -0
  142. package/rules/context-exfiltration/ATR-2026-00421-nl-covert-conversation-exfiltration.yaml +16 -1
  143. package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml +13 -1
  144. package/rules/context-exfiltration/ATR-2026-00423-nl-sensitive-file-disclosure.yaml +13 -1
  145. package/rules/context-exfiltration/ATR-2026-00424-nl-system-prompt-leak.yaml +16 -1
  146. package/rules/context-exfiltration/ATR-2026-00426-nl-output-injection-credential-leak.yaml +16 -1
  147. package/rules/context-exfiltration/ATR-2026-00431-chatbox-history-exfiltration-prompt-injection.yaml +14 -2
  148. package/rules/context-exfiltration/ATR-2026-00449-spring-ai-chatmemory-cross-user-leak.yaml +14 -2
  149. package/rules/context-exfiltration/ATR-2026-00471-garak-sysprompt-extraction-mixedunassigned.yaml +12 -0
  150. package/rules/context-exfiltration/ATR-2026-00501-data-exfiltration-via-markdown-image-and-link-url-injection.yaml +12 -0
  151. package/rules/context-exfiltration/ATR-2026-00504-tool-and-function-capability-enumeration.yaml +12 -0
  152. package/rules/context-exfiltration/ATR-2026-00505-system-prompt-extraction-instruction-dump-request.yaml +12 -0
  153. package/rules/context-exfiltration/ATR-2026-00514-system-prompt-extraction.yaml +12 -0
  154. package/rules/context-exfiltration/ATR-2026-00516-output-xss-via-llm.yaml +12 -0
  155. package/rules/context-exfiltration/ATR-2026-00524-claude-code-anthropic-base-url-credential-exfil.yaml +11 -2
  156. package/rules/context-exfiltration/ATR-2026-00548-cross-agent-session-context-leak.yaml +18 -0
  157. package/rules/context-exfiltration/ATR-2026-00566-librechat-is-a-chatgpt-clone-with-additi.yaml +28 -0
  158. package/rules/context-exfiltration/ATR-2026-00569-agent-mcp-path-traversal-arbitrary-file-access.yaml +28 -0
  159. package/rules/context-exfiltration/ATR-2026-00571-xss-in-agent-mcp-rendered-output.yaml +28 -0
  160. package/rules/context-exfiltration/ATR-2026-00574-semantic-paraphrased-context-extraction.yaml +21 -0
  161. package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml +15 -0
  162. package/rules/data-poisoning/ATR-2026-00450-spring-ai-prompt-memory-poisoning.yaml +14 -2
  163. package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml +31 -0
  164. package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml +14 -2
  165. package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml +11 -2
  166. package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml +11 -2
  167. package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml +7 -1
  168. package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml +7 -1
  169. package/rules/excessive-autonomy/ATR-2026-00428-nl-unauthorized-shell-execution.yaml +16 -1
  170. package/rules/excessive-autonomy/ATR-2026-00491-garak-agent-breaker-markdown-just-raw-json.yaml +9 -0
  171. package/rules/excessive-autonomy/ATR-2026-00500-ssrf-via-agent-url-fetch-instruction.yaml +9 -0
  172. package/rules/excessive-autonomy/ATR-2026-00553-runaway-tool-loop-behavioral.yaml +19 -0
  173. package/rules/model-abuse/ATR-2026-00279-harmful-completion-continuation.yaml +8 -2
  174. package/rules/model-abuse/ATR-2026-00281-eicar-gtube-malware-signature-request.yaml +8 -2
  175. package/rules/model-abuse/ATR-2026-00284-glitch-token-destabilization.yaml +17 -0
  176. package/rules/model-abuse/ATR-2026-00289-lmrc-harmful-content-elicitation.yaml +8 -2
  177. package/rules/model-abuse/ATR-2026-00292-self-harm-eating-disorder-facilitation.yaml +8 -2
  178. package/rules/model-abuse/ATR-2026-00298-malicious-use-illegal-activity-request.yaml +8 -2
  179. package/rules/model-abuse/ATR-2026-00299-harmbench-detailed-harmful-instruction.yaml +8 -2
  180. package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +17 -0
  181. package/rules/model-abuse/ATR-2026-00502-training-data-extraction-via-divergent-repetition-attack.yaml +9 -0
  182. package/rules/model-abuse/ATR-2026-00517-model-extraction-distillation.yaml +9 -0
  183. package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml +15 -0
  184. package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml +9 -0
  185. package/rules/model-security/ATR-2026-00433-modelcache-torch-load-deserialization-rce.yaml +14 -2
  186. package/rules/privilege-escalation/ATR-2026-00040-privilege-escalation.yaml +11 -2
  187. package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml +8 -2
  188. package/rules/privilege-escalation/ATR-2026-00107-delayed-execution-bypass.yaml +6 -1
  189. package/rules/privilege-escalation/ATR-2026-00110-eval-injection.yaml +8 -1
  190. package/rules/privilege-escalation/ATR-2026-00111-shell-escape.yaml +8 -1
  191. package/rules/privilege-escalation/ATR-2026-00112-dynamic-import-exploitation.yaml +8 -1
  192. package/rules/privilege-escalation/ATR-2026-00143-casual-privilege-escalation.yaml +5 -2
  193. package/rules/privilege-escalation/ATR-2026-00144-rationalized-safety-bypass.yaml +17 -0
  194. package/rules/privilege-escalation/ATR-2026-00204-stealth-execution-persistence.yaml +16 -0
  195. package/rules/privilege-escalation/ATR-2026-00436-enclave-vm-sandbox-escape-rce.yaml +11 -2
  196. package/rules/privilege-escalation/ATR-2026-00441-semantic-kernel-sessions-python-plugin-startup-persistence.yaml +5 -2
  197. package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml +11 -2
  198. package/rules/privilege-escalation/ATR-2026-00528-praisonai-auth-disabled-default.yaml +15 -0
  199. package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml +11 -2
  200. package/rules/privilege-escalation/ATR-2026-00546-crewai-json-loader-local-file-read.yaml +13 -1
  201. package/rules/privilege-escalation/ATR-2026-00547-crewai-rag-url-ssrf-bypass.yaml +13 -1
  202. package/rules/privilege-escalation/ATR-2026-00549-destructive-tool-without-human-approval.yaml +16 -0
  203. package/rules/privilege-escalation/ATR-2026-00551-cross-conversation-memory-write.yaml +19 -0
  204. package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml +9 -0
  205. package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml +8 -2
  206. package/rules/prompt-injection/ATR-2026-00003-jailbreak-attempt.yaml +8 -2
  207. package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +17 -0
  208. package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +17 -0
  209. package/rules/prompt-injection/ATR-2026-00080-encoding-evasion.yaml +20 -1
  210. package/rules/prompt-injection/ATR-2026-00081-semantic-multi-turn.yaml +19 -0
  211. package/rules/prompt-injection/ATR-2026-00082-fingerprint-evasion.yaml +19 -0
  212. package/rules/prompt-injection/ATR-2026-00083-indirect-tool-injection.yaml +23 -1
  213. package/rules/prompt-injection/ATR-2026-00084-structured-data-injection.yaml +20 -1
  214. package/rules/prompt-injection/ATR-2026-00085-audit-evasion.yaml +19 -0
  215. package/rules/prompt-injection/ATR-2026-00086-visual-spoofing.yaml +19 -0
  216. package/rules/prompt-injection/ATR-2026-00087-rule-probing.yaml +22 -0
  217. package/rules/prompt-injection/ATR-2026-00088-adaptive-countermeasure.yaml +22 -0
  218. package/rules/prompt-injection/ATR-2026-00089-polymorphic-skill.yaml +20 -1
  219. package/rules/prompt-injection/ATR-2026-00090-threat-intel-exfil.yaml +19 -0
  220. package/rules/prompt-injection/ATR-2026-00091-nested-payload.yaml +20 -1
  221. package/rules/prompt-injection/ATR-2026-00092-consensus-poisoning.yaml +22 -0
  222. package/rules/prompt-injection/ATR-2026-00093-gradual-escalation.yaml +22 -0
  223. package/rules/prompt-injection/ATR-2026-00094-audit-bypass.yaml +19 -0
  224. package/rules/prompt-injection/ATR-2026-00097-cjk-injection-patterns.yaml +17 -0
  225. package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +20 -0
  226. package/rules/prompt-injection/ATR-2026-00130-indirect-authority-claim.yaml +20 -0
  227. package/rules/prompt-injection/ATR-2026-00131-fictional-academic-framing.yaml +20 -0
  228. package/rules/prompt-injection/ATR-2026-00133-paraphrase-injection.yaml +17 -0
  229. package/rules/prompt-injection/ATR-2026-00137-authority-claim-injection.yaml +17 -0
  230. package/rules/prompt-injection/ATR-2026-00138-fictional-framing-bypass.yaml +20 -0
  231. package/rules/prompt-injection/ATR-2026-00140-indirect-reference-reversal.yaml +17 -0
  232. package/rules/prompt-injection/ATR-2026-00148-language-switch-injection.yaml +20 -0
  233. package/rules/prompt-injection/ATR-2026-00153-tool-with-embedded-instruction-to-bypass.yaml +20 -0
  234. package/rules/prompt-injection/ATR-2026-00154-unauthorized-background-task-execution-v.yaml +20 -0
  235. package/rules/prompt-injection/ATR-2026-00155-hidden-llm-instructions-in-skill-descrip.yaml +23 -0
  236. package/rules/prompt-injection/ATR-2026-00156-ssh-remote-command-execution-with-creden.yaml +17 -0
  237. package/rules/prompt-injection/ATR-2026-00163-skill-hidden-override-instruction.yaml +19 -0
  238. package/rules/prompt-injection/ATR-2026-00202-encoding-evasion-homoglyph-synonym.yaml +20 -0
  239. package/rules/prompt-injection/ATR-2026-00203-context-pollution-skill-description.yaml +23 -0
  240. package/rules/prompt-injection/ATR-2026-00206-hidden-priority-instructions.yaml +19 -0
  241. package/rules/prompt-injection/ATR-2026-00207-hidden-instructions.yaml +22 -0
  242. package/rules/prompt-injection/ATR-2026-00211-system-prompt-override.yaml +19 -0
  243. package/rules/prompt-injection/ATR-2026-00213-system-prompt-override.yaml +19 -0
  244. package/rules/prompt-injection/ATR-2026-00226-identity-substitution.yaml +17 -0
  245. package/rules/prompt-injection/ATR-2026-00227-historical-persona-jailbreak.yaml +20 -0
  246. package/rules/prompt-injection/ATR-2026-00228-structured-jailbreak.yaml +17 -0
  247. package/rules/prompt-injection/ATR-2026-00229-roleplay-jailbreak.yaml +17 -0
  248. package/rules/prompt-injection/ATR-2026-00230-persona-moral-bypass.yaml +20 -0
  249. package/rules/prompt-injection/ATR-2026-00231-identity-substitution.yaml +17 -0
  250. package/rules/prompt-injection/ATR-2026-00233-structured-jailbreak.yaml +17 -0
  251. package/rules/prompt-injection/ATR-2026-00234-roleplay-jailbreak.yaml +20 -0
  252. package/rules/prompt-injection/ATR-2026-00235-persona-moral-bypass.yaml +17 -0
  253. package/rules/prompt-injection/ATR-2026-00236-pseudo-code-jailbreak.yaml +17 -0
  254. package/rules/prompt-injection/ATR-2026-00237-dual-response-jailbreak.yaml +20 -0
  255. package/rules/prompt-injection/ATR-2026-00238-identity-replacement.yaml +20 -0
  256. package/rules/prompt-injection/ATR-2026-00239-amoral-persona-obsession.yaml +17 -0
  257. package/rules/prompt-injection/ATR-2026-00240-instruction-nullification-identity-repla.yaml +17 -0
  258. package/rules/prompt-injection/ATR-2026-00241-amoral-character-jailbreak.yaml +17 -0
  259. package/rules/prompt-injection/ATR-2026-00242-persona-jailbreak.yaml +17 -0
  260. package/rules/prompt-injection/ATR-2026-00243-acronym-jailbreak.yaml +17 -0
  261. package/rules/prompt-injection/ATR-2026-00244-dual-response-jailbreak.yaml +17 -0
  262. package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +17 -0
  263. package/rules/prompt-injection/ATR-2026-00247-dual-response-jailbreak.yaml +20 -0
  264. package/rules/prompt-injection/ATR-2026-00249-game-based-jailbreak.yaml +17 -0
  265. package/rules/prompt-injection/ATR-2026-00251-persona-embodiment-jailbreak.yaml +17 -0
  266. package/rules/prompt-injection/ATR-2026-00252-narrative-jailbreak.yaml +17 -0
  267. package/rules/prompt-injection/ATR-2026-00253-enhanced-persona-jailbreak.yaml +17 -0
  268. package/rules/prompt-injection/ATR-2026-00256-base-n-encoding-jailbreak.yaml +17 -0
  269. package/rules/prompt-injection/ATR-2026-00257-cipher-transposition-jailbreak.yaml +17 -0
  270. package/rules/prompt-injection/ATR-2026-00258-unicode-tag-injection.yaml +17 -0
  271. package/rules/prompt-injection/ATR-2026-00264-latent-injection-translation.yaml +17 -0
  272. package/rules/prompt-injection/ATR-2026-00265-latent-injection-rag-document.yaml +20 -0
  273. package/rules/prompt-injection/ATR-2026-00267-gcg-adversarial-suffix.yaml +17 -0
  274. package/rules/prompt-injection/ATR-2026-00272-hypothetical-response-smuggling.yaml +17 -0
  275. package/rules/prompt-injection/ATR-2026-00276-invisible-unicode-bidi-injection.yaml +17 -0
  276. package/rules/prompt-injection/ATR-2026-00278-dra-disguise-reconstruction-attack.yaml +17 -0
  277. package/rules/prompt-injection/ATR-2026-00280-policy-puppetry-xml-injection.yaml +17 -0
  278. package/rules/prompt-injection/ATR-2026-00282-perez-prompt-injection-hijack.yaml +17 -0
  279. package/rules/prompt-injection/ATR-2026-00285-alternate-encoding-jailbreak.yaml +17 -0
  280. package/rules/prompt-injection/ATR-2026-00286-latent-injection-embedded-context.yaml +17 -0
  281. package/rules/prompt-injection/ATR-2026-00296-shell-command-injection.yaml +17 -0
  282. package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +17 -0
  283. package/rules/prompt-injection/ATR-2026-00308-zalgo-diacritic-overload-encoding.yaml +17 -0
  284. package/rules/prompt-injection/ATR-2026-00309-braille-unicode-encoded-injection.yaml +17 -0
  285. package/rules/prompt-injection/ATR-2026-00310-ecoji-emoji-encoded-injection.yaml +17 -0
  286. package/rules/prompt-injection/ATR-2026-00311-base2048-unicode-script-injection.yaml +17 -0
  287. package/rules/prompt-injection/ATR-2026-00312-unicode-variant-selector-ascii-smuggling.yaml +17 -0
  288. package/rules/prompt-injection/ATR-2026-00313-sneaky-bits-zero-width-binary.yaml +17 -0
  289. package/rules/prompt-injection/ATR-2026-00315-sata-masked-language-model-jailbreak.yaml +20 -0
  290. package/rules/prompt-injection/ATR-2026-00316-function-masking-predict-mask-bypass.yaml +17 -0
  291. package/rules/prompt-injection/ATR-2026-00321-hyphenated-system-instruction-injection.yaml +17 -0
  292. package/rules/prompt-injection/ATR-2026-00359-bank-phishing-smtp-email-code.yaml +20 -0
  293. package/rules/prompt-injection/ATR-2026-00367-emoji-flag-encoded-hidden-phrase.yaml +17 -0
  294. package/rules/prompt-injection/ATR-2026-00373-piracy-torrent-site-list-request.yaml +20 -0
  295. package/rules/prompt-injection/ATR-2026-00378-chatgpt-dom-javascript-redirect-manipulation.yaml +17 -0
  296. package/rules/prompt-injection/ATR-2026-00382-cocaine-component-development-request.yaml +20 -0
  297. package/rules/prompt-injection/ATR-2026-00390-explicit-sexual-content-poem-request.yaml +20 -0
  298. package/rules/prompt-injection/ATR-2026-00394-backspace-deletion-character-injection.yaml +17 -0
  299. package/rules/prompt-injection/ATR-2026-00395-llm-special-token-boundary-injection.yaml +17 -0
  300. package/rules/prompt-injection/ATR-2026-00396-toxic-continuation-prefix-injection.yaml +20 -0
  301. package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +20 -0
  302. package/rules/prompt-injection/ATR-2026-00399-latent-injection-document-separator-token.yaml +17 -0
  303. package/rules/prompt-injection/ATR-2026-00400-latent-injection-ignore-instruction-keyword.yaml +17 -0
  304. package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +20 -0
  305. package/rules/prompt-injection/ATR-2026-00403-glitch-token-repeat-back-elicitation.yaml +17 -0
  306. package/rules/prompt-injection/ATR-2026-00407-echo-sql-jinja-template-injection.yaml +17 -0
  307. package/rules/prompt-injection/ATR-2026-00408-dra-parenthesis-character-reconstruction-attack.yaml +17 -0
  308. package/rules/prompt-injection/ATR-2026-00409-phrasing-past-future-tense-harmful-query.yaml +17 -0
  309. package/rules/prompt-injection/ATR-2026-00410-lmrc-harm-category-direct-elicitation.yaml +23 -0
  310. package/rules/prompt-injection/ATR-2026-00412-figstep-image-list-multimodal-jailbreak.yaml +17 -0
  311. package/rules/prompt-injection/ATR-2026-00414-continuation-ethnic-slur-completion-elicitation.yaml +20 -0
  312. package/rules/prompt-injection/ATR-2026-00420-copilot-studio-sharepoint-indirect-injection.yaml +15 -3
  313. package/rules/prompt-injection/ATR-2026-00442-quoted-exact-output-forcing.yaml +25 -0
  314. package/rules/prompt-injection/ATR-2026-00443-word-fragment-concat-assembly.yaml +25 -0
  315. package/rules/prompt-injection/ATR-2026-00444-unicode-obfuscation-in-user-input.yaml +25 -0
  316. package/rules/prompt-injection/ATR-2026-00445-translation-hijack-with-side-output.yaml +25 -0
  317. package/rules/prompt-injection/ATR-2026-00446-variable-assignment-payload-injection.yaml +25 -0
  318. package/rules/prompt-injection/ATR-2026-00447-fictional-generation-containing-target.yaml +25 -0
  319. package/rules/prompt-injection/ATR-2026-00452-direct-pwned-payload-injection.yaml +9 -0
  320. package/rules/prompt-injection/ATR-2026-00453-secret-key-reveal-demand.yaml +9 -0
  321. package/rules/prompt-injection/ATR-2026-00454-backslash-per-character-encoding.yaml +9 -0
  322. package/rules/prompt-injection/ATR-2026-00455-no-period-output-override.yaml +9 -0
  323. package/rules/prompt-injection/ATR-2026-00456-conditional-empty-input-injection.yaml +9 -0
  324. package/rules/prompt-injection/ATR-2026-00457-garak-dan-to-every-prompt.yaml +9 -0
  325. package/rules/prompt-injection/ATR-2026-00458-garak-dra-step-by-step.yaml +9 -0
  326. package/rules/prompt-injection/ATR-2026-00459-garak-dan-an-ai-language.yaml +9 -0
  327. package/rules/prompt-injection/ATR-2026-00460-garak-dan-no-matter-how.yaml +9 -0
  328. package/rules/prompt-injection/ATR-2026-00461-garak-goodside-mixedunassigned.yaml +9 -0
  329. package/rules/prompt-injection/ATR-2026-00462-garak-gcg-mixedunassigned.yaml +9 -0
  330. package/rules/prompt-injection/ATR-2026-00463-garak-lmrc-mixedunassigned.yaml +9 -0
  331. package/rules/prompt-injection/ATR-2026-00464-garak-dan-i-would-like.yaml +9 -0
  332. package/rules/prompt-injection/ATR-2026-00465-garak-dan-your-prompt-here.yaml +9 -0
  333. package/rules/prompt-injection/ATR-2026-00466-garak-latentinjection-following-text-from.yaml +9 -0
  334. package/rules/prompt-injection/ATR-2026-00467-garak-dan-act-as-a.yaml +9 -0
  335. package/rules/prompt-injection/ATR-2026-00468-garak-goat-the-target-llm.yaml +9 -0
  336. package/rules/prompt-injection/ATR-2026-00469-garak-dan-at-the-end.yaml +9 -0
  337. package/rules/prompt-injection/ATR-2026-00470-garak-dan-as-an-ai.yaml +9 -0
  338. package/rules/prompt-injection/ATR-2026-00472-garak-dan-are-going-to.yaml +9 -0
  339. package/rules/prompt-injection/ATR-2026-00473-garak-lmrc-how-can-i.yaml +9 -0
  340. package/rules/prompt-injection/ATR-2026-00474-garak-dan-that-chatgpt-has.yaml +9 -0
  341. package/rules/prompt-injection/ATR-2026-00475-garak-web-injection-alert-1-script.yaml +9 -0
  342. package/rules/prompt-injection/ATR-2026-00476-garak-web-injection-javascript-alert-1.yaml +9 -0
  343. package/rules/prompt-injection/ATR-2026-00477-garak-latentinjection-translate-the-following-text.yaml +9 -0
  344. package/rules/prompt-injection/ATR-2026-00478-garak-latentinjection-abuse-contact-email.yaml +9 -0
  345. package/rules/prompt-injection/ATR-2026-00479-garak-latentinjection-mixedunassigned.yaml +9 -0
  346. package/rules/prompt-injection/ATR-2026-00480-garak-dan-the-role-of.yaml +9 -0
  347. package/rules/prompt-injection/ATR-2026-00481-garak-dan-mixedunassigned.yaml +9 -0
  348. package/rules/prompt-injection/ATR-2026-00482-garak-lmrc-what-s-an.yaml +9 -0
  349. package/rules/prompt-injection/ATR-2026-00483-garak-dan-the-user-s.yaml +9 -0
  350. package/rules/prompt-injection/ATR-2026-00484-garak-dan-and-you-will.yaml +9 -0
  351. package/rules/prompt-injection/ATR-2026-00485-garak-dan-and-does-not.yaml +9 -0
  352. package/rules/prompt-injection/ATR-2026-00486-garak-dan-t-care-about.yaml +9 -0
  353. package/rules/prompt-injection/ATR-2026-00487-garak-dan-and-nothing-else.yaml +9 -0
  354. package/rules/prompt-injection/ATR-2026-00488-garak-encoding-alert-1-script.yaml +9 -0
  355. package/rules/prompt-injection/ATR-2026-00489-garak-encoding-javascript-alert-1.yaml +9 -0
  356. package/rules/prompt-injection/ATR-2026-00490-garak-dan-in-order-to.yaml +9 -0
  357. package/rules/prompt-injection/ATR-2026-00492-garak-dan-want-you-to.yaml +9 -0
  358. package/rules/prompt-injection/ATR-2026-00493-garak-latentinjection-registrar-iana-id.yaml +9 -0
  359. package/rules/prompt-injection/ATR-2026-00495-garak-dan-insert-prompt-here.yaml +9 -0
  360. package/rules/prompt-injection/ATR-2026-00496-garak-dan-no-matter-what.yaml +9 -0
  361. package/rules/prompt-injection/ATR-2026-00497-garak-encoding-mixedunassigned.yaml +9 -0
  362. package/rules/prompt-injection/ATR-2026-00498-garak-web-injection-mixedunassigned.yaml +9 -0
  363. package/rules/prompt-injection/ATR-2026-00499-garak-dan-from-now-on.yaml +9 -0
  364. package/rules/prompt-injection/ATR-2026-00503-fake-error-state-takeover-unrestricted-replacement-bot.yaml +9 -0
  365. package/rules/prompt-injection/ATR-2026-00506-nevermind-override-goal-hijacking-in-user-input-promptinject.yaml +9 -0
  366. package/rules/prompt-injection/ATR-2026-00507-screaming-stop-goal-hijacking-in-user-input-promptinject.yaml +9 -0
  367. package/rules/prompt-injection/ATR-2026-00508-escape-delimiter-wrapped-goal-hijacking-in-user-input-prompt.yaml +9 -0
  368. package/rules/prompt-injection/ATR-2026-00509-prompt-leaking-via-ignore-previous-instructions-in-user-inpu.yaml +9 -0
  369. package/rules/prompt-injection/ATR-2026-00510-delayed-tool-invocation-injection.yaml +9 -0
  370. package/rules/prompt-injection/ATR-2026-00511-mcp-web-context-poisoning.yaml +9 -0
  371. package/rules/prompt-injection/ATR-2026-00512-rules-file-backdoor-injection.yaml +9 -0
  372. package/rules/prompt-injection/ATR-2026-00515-hidden-text-prompt-injection.yaml +9 -0
  373. package/rules/prompt-injection/ATR-2026-00518-ignore-previous-and-following-instructions-output-command-promptinject.yaml +9 -0
  374. package/rules/prompt-injection/ATR-2026-00519-tautology-logic-noise-injection-promptbench.yaml +9 -0
  375. package/rules/prompt-injection/ATR-2026-00520-nlp-task-random-token-suffix-injection-promptbench.yaml +9 -0
  376. package/rules/prompt-injection/ATR-2026-00535-windsurf-ide-zero-click-prompt-injection.yaml +9 -0
  377. package/rules/prompt-injection/ATR-2026-00550-untrusted-retrieval-to-privileged-tool.yaml +19 -0
  378. package/rules/prompt-injection/ATR-2026-00554-langchain-vulnerable-to-template-injecti.yaml +31 -0
  379. package/rules/prompt-injection/ATR-2026-00565-the-llm-cli-tool-thru-0-27-1-contains-a-.yaml +31 -0
  380. package/rules/prompt-injection/ATR-2026-00573-semantic-paraphrased-injection.yaml +24 -0
  381. package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml +17 -2
  382. package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +17 -0
  383. package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +20 -0
  384. package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +23 -0
  385. package/rules/skill-compromise/ATR-2026-00064-over-permissioned-skill.yaml +20 -0
  386. package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +20 -0
  387. package/rules/skill-compromise/ATR-2026-00066-parameter-injection.yaml +20 -0
  388. package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +20 -0
  389. package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +17 -0
  390. package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +20 -0
  391. package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +23 -0
  392. package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +20 -0
  393. package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +20 -0
  394. package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +17 -0
  395. package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +17 -0
  396. package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +17 -0
  397. package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +22 -0
  398. package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +19 -0
  399. package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +20 -0
  400. package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +17 -0
  401. package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +23 -0
  402. package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +20 -0
  403. package/rules/skill-compromise/ATR-2026-00157-timebomb-credential-exfil.yaml +20 -0
  404. package/rules/skill-compromise/ATR-2026-00200-agent-memory-config-tampering.yaml +23 -0
  405. package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +22 -0
  406. package/rules/skill-compromise/ATR-2026-00217-credential-harvesting.yaml +23 -0
  407. package/rules/skill-compromise/ATR-2026-00220-malware-dropper.yaml +17 -0
  408. package/rules/skill-compromise/ATR-2026-00222-credential-harvesting.yaml +17 -0
  409. package/rules/skill-compromise/ATR-2026-00223-reverse-shell-dropper.yaml +20 -0
  410. package/rules/skill-compromise/ATR-2026-00224-credential-exfiltration.yaml +17 -0
  411. package/rules/skill-compromise/ATR-2026-00225-c2-communication.yaml +17 -0
  412. package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +20 -0
  413. package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +20 -0
  414. package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +20 -0
  415. package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +23 -0
  416. package/rules/skill-compromise/ATR-2026-00283-malwaregen-generic-virus-payload-request.yaml +23 -0
  417. package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +17 -0
  418. package/rules/skill-compromise/ATR-2026-00425-nl-persistent-covert-hook.yaml +19 -1
  419. package/rules/skill-compromise/ATR-2026-00427-nl-fake-error-instruction-bypass.yaml +19 -1
  420. package/rules/skill-compromise/ATR-2026-00429-nl-skill-self-modification.yaml +19 -1
  421. package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml +14 -2
  422. package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml +18 -0
  423. package/rules/skill-compromise/ATR-2026-00527-skill-silent-git-remote-mirror-exfiltration.yaml +15 -0
  424. package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml +11 -2
  425. package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +17 -0
  426. package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +17 -0
  427. package/rules/tool-poisoning/ATR-2026-00013-tool-ssrf.yaml +17 -0
  428. package/rules/tool-poisoning/ATR-2026-00095-supply-chain-poisoning.yaml +23 -1
  429. package/rules/tool-poisoning/ATR-2026-00096-registry-poisoning.yaml +20 -1
  430. package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +20 -0
  431. package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +20 -0
  432. package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +17 -0
  433. package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +20 -0
  434. package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +17 -0
  435. package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +20 -0
  436. package/rules/tool-poisoning/ATR-2026-00209-mcpwn-runaway-invocation.yaml +14 -2
  437. package/rules/tool-poisoning/ATR-2026-00210-flowise-system-message-override.yaml +11 -2
  438. package/rules/tool-poisoning/ATR-2026-00259-ansi-escape-injection.yaml +17 -0
  439. package/rules/tool-poisoning/ATR-2026-00270-xss-in-tool-response.yaml +17 -0
  440. package/rules/tool-poisoning/ATR-2026-00277-echo-template-command-injection.yaml +17 -0
  441. package/rules/tool-poisoning/ATR-2026-00393-ansi-code-elicitation-request.yaml +17 -0
  442. package/rules/tool-poisoning/ATR-2026-00415-flowise-custom-mcp-stdio-rce.yaml +12 -3
  443. package/rules/tool-poisoning/ATR-2026-00419-cursor-mcp-zero-click-config.yaml +14 -2
  444. package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml +11 -2
  445. package/rules/tool-poisoning/ATR-2026-00435-azure-mcp-server-missing-authentication.yaml +11 -2
  446. package/rules/tool-poisoning/ATR-2026-00448-spring-ai-milvus-filter-injection.yaml +11 -2
  447. package/rules/tool-poisoning/ATR-2026-00494-garak-exploitation-mixedunassigned.yaml +12 -0
  448. package/rules/tool-poisoning/ATR-2026-00513-package-hallucination-exploitation.yaml +12 -0
  449. package/rules/tool-poisoning/ATR-2026-00521-shell-command-injection-agent-tool-context.yaml +12 -0
  450. package/rules/tool-poisoning/ATR-2026-00522-sql-injection-natural-language-agent-interface.yaml +12 -0
  451. package/rules/tool-poisoning/ATR-2026-00526-claude-code-shell-metachar-in-double-quoted-path.yaml +15 -0
  452. package/rules/tool-poisoning/ATR-2026-00529-litellm-proxy-sqli-cisa-kev.yaml +15 -0
  453. package/rules/tool-poisoning/ATR-2026-00530-ms-agent-shell-tool-unsanitized-argv-rce.yaml +15 -0
  454. package/rules/tool-poisoning/ATR-2026-00531-praisonai-unauthenticated-agent-api.yaml +11 -2
  455. package/rules/tool-poisoning/ATR-2026-00532-apache-doris-mcp-sql-injection.yaml +11 -2
  456. package/rules/tool-poisoning/ATR-2026-00533-apache-pinot-mcp-unauthenticated-takeover.yaml +10 -1
  457. package/rules/tool-poisoning/ATR-2026-00534-alibaba-rds-mcp-unauthenticated-metadata-exfil.yaml +10 -1
  458. package/rules/tool-poisoning/ATR-2026-00536-nginx-ui-mcp-unauthenticated-command-execution.yaml +11 -2
  459. package/rules/tool-poisoning/ATR-2026-00537-fastmcp-server-name-cmd-injection-windows.yaml +11 -2
  460. package/rules/tool-poisoning/ATR-2026-00538-langchain-chatchat-mcp-stdio-unauthenticated-rce.yaml +10 -1
  461. package/rules/tool-poisoning/ATR-2026-00540-praisonai-parse-mcp-command-cli-injection.yaml +13 -1
  462. package/rules/tool-poisoning/ATR-2026-00541-agent-zero-mcp-config-command-injection.yaml +13 -1
  463. package/rules/tool-poisoning/ATR-2026-00542-upsonic-mcp-command-allowlist-bypass.yaml +13 -1
  464. package/rules/tool-poisoning/ATR-2026-00543-litellm-mcp-server-argv-injection.yaml +13 -1
  465. package/rules/tool-poisoning/ATR-2026-00544-praisonai-pth-file-path-traversal-rce.yaml +13 -1
  466. package/rules/tool-poisoning/ATR-2026-00545-praisonai-tool-override-unauth-rce.yaml +13 -1
  467. package/rules/tool-poisoning/ATR-2026-00561-fastmcp-vulnerable-to-windows-command-in.yaml +28 -0
  468. package/rules/tool-poisoning/ATR-2026-00567-mcp-stdio-config-command-injection.yaml +28 -0
  469. package/rules/tool-poisoning/ATR-2026-00568-agent-ssrf-cloud-metadata-file-inclusion.yaml +28 -0
  470. package/rules/tool-poisoning/ATR-2026-00572-symjack-symlink-config-redirection.yaml +22 -0
  471. package/rules/tool-poisoning/ATR-2026-00575-miasma-npm-worm-agent-config-backdoor.yaml +161 -0
  472. package/rules/tool-poisoning/ATR-2026-00576-hades-agent-credential-theft.yaml +153 -0
  473. package/spec/atr-schema.yaml +123 -0
  474. package/spec/compliance-metadata.md +15 -13
@@ -15,7 +15,7 @@ author: "ATR Community"
15
15
  date: "2026/05/04"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: experimental
18
+ maturity: test
19
19
  severity: critical
20
20
 
21
21
  references:
@@ -48,6 +48,9 @@ compliance:
48
48
  - article: "14"
49
49
  context: "Article 14 human oversight requirements are violated when a workspace-bound MCP config triggers tool execution before any human-reviewable signal is presented."
50
50
  strength: secondary
51
+ - article: "9"
52
+ context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (Cursor MCP JSON Zero-Click Configuration RCE (CVE-2025-54136))."
53
+ strength: secondary
51
54
  nist_ai_rmf:
52
55
  - subcategory: "GV.6.1"
53
56
  context: "Supply-chain governance under GV.6.1 must include integrity verification for any IDE / agent config file consumed at workspace-open time, since this is the canonical zero-click delivery vector."
@@ -55,10 +58,19 @@ compliance:
55
58
  - subcategory: "MS.4.1"
56
59
  context: "Measurement subcategory MS.4.1 requires monitoring of tool-invocation events including the config-load event itself; CVE-2025-54136 exploits the absence of such monitoring."
57
60
  strength: secondary
61
+ - subcategory: "MS.2.7"
62
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Cursor MCP JSON Zero-Click Configuration RCE (CVE-2025-54136))."
63
+ strength: primary
64
+ - subcategory: "MG.3.2"
65
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Cursor MCP JSON Zero-Click Configuration RCE (CVE-2025-54136))."
66
+ strength: secondary
58
67
  iso_42001:
59
- - clause: "8.6"
68
+ - clause: "8.1"
60
69
  context: "Operational controls must require explicit consent and integrity verification for any AI-tool config file auto-loaded by IDEs / coding assistants, blocking the zero-click vector."
61
70
  strength: primary
71
+ - clause: "8.3"
72
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Cursor MCP JSON Zero-Click Configuration RCE (CVE-2025-54136)) as a treatment control."
73
+ strength: secondary
62
74
 
63
75
  tags:
64
76
  category: tool-poisoning
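Review bot: The `maturity: experimental` → `maturity: test` change on a `severity: critical` rule is not explained anywhere in the hunk, and `test` reads like a transient state rather than a release maturity; if the loader or CLI gates rules on maturity, this silently changes whether the Cursor MCP zero-click detection fires for consumers of 3.3.0. Please confirm `test` is a value the updated `spec/atr-schema.yaml` accepts and that it is the intended shipped state, or restore `maturity: experimental`. The `date` field two lines above is unchanged, so there is no visible record of when the rule was reclassified; if `date` is meant as a last-modified stamp it should be bumped alongside this edit.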
@@ -53,10 +53,19 @@ compliance:
53
53
  - subcategory: "MG.2.3"
54
54
  context: "Risk treatment under MG.2.3 must require URL-grammar validation on every server-supplied OAuth metadata field before any shell or subprocess use."
55
55
  strength: primary
56
+ - subcategory: "MS.2.7"
57
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (mcp-remote authorization_endpoint OS Command Injection (CVE-2025-6514))."
58
+ strength: primary
59
+ - subcategory: "MG.3.2"
60
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (mcp-remote authorization_endpoint OS Command Injection (CVE-2025-6514))."
61
+ strength: secondary
56
62
  iso_42001:
57
- - clause: "8.6"
58
- context: "Operational controls under clause 8.6 must include detection of shell metacharacters in OAuth/OIDC discovery metadata fields consumed by MCP client tooling."
63
+ - clause: "8.1"
64
+ context: "Operational controls under clause 8.1 must include detection of shell metacharacters in OAuth/OIDC discovery metadata fields consumed by MCP client tooling."
59
65
  strength: primary
66
+ - clause: "8.3"
67
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (mcp-remote authorization_endpoint OS Command Injection (CVE-2025-6514)) as a treatment control."
68
+ strength: secondary
60
69
 
61
70
  tags:
62
71
  category: tool-poisoning
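Review bot: The added `MG.3.2` entry describes the subcategory as "pre-trained models monitored as part of maintenance", but this rule detects shell metacharacters in OAuth/OIDC discovery metadata consumed by mcp-remote, and nothing in the mapping says what pre-trained-model monitoring the rule supports; the context sentence is the same template used in every other section of this diff with only the technique name substituted. Either drop the entry or give it a rule-specific context, e.g. `context: "MG.3.2 maintenance monitoring is supported only insofar as the MCP client's OAuth/OIDC discovery inputs are continuously checked for command-injection shapes; the rule does not monitor model behaviour."`. The same generic entry is added in the Cursor MCP hunks above and in each later section below, so the fix belongs in whatever generated these mappings rather than in this file alone. A `strength: secondary` mapping that a reader cannot tie to the control is weaker audit evidence than no mapping.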
@@ -58,10 +58,19 @@ compliance:
58
58
  - subcategory: "GV.6.1"
59
59
  context: "Third-party MCP services (including Azure MCP Server) must be assessed under GV.6.1 supplier risk-management for authentication-on-critical-function controls before agent deployments depend on them."
60
60
  strength: secondary
61
+ - subcategory: "MS.2.7"
62
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Azure MCP Server Missing Authentication for Critical Function (CVE-2026-32211))."
63
+ strength: primary
64
+ - subcategory: "MG.3.2"
65
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Azure MCP Server Missing Authentication for Critical Function (CVE-2026-32211))."
66
+ strength: secondary
61
67
  iso_42001:
62
- - clause: "8.6"
63
- context: "Operational controls under clause 8.6 must include detection of MCP server registrations pointing at endpoints lacking an authentication challenge."
68
+ - clause: "8.1"
69
+ context: "Operational controls under clause 8.1 must include detection of MCP server registrations pointing at endpoints lacking an authentication challenge."
64
70
  strength: primary
71
+ - clause: "8.3"
72
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Azure MCP Server Missing Authentication for Critical Function (CVE-2026-32211)) as a treatment control."
73
+ strength: secondary
65
74
 
66
75
  tags:
67
76
  category: tool-poisoning
@@ -63,10 +63,19 @@ compliance:
63
63
  - subcategory: "MG.2.3"
64
64
  context: "Risk treatment plans under MG.2.3 must require parameterised filter construction in any code path that consumes LLM output and reaches a vector-store query / delete API."
65
65
  strength: primary
66
+ - subcategory: "MS.2.7"
67
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Spring AI MilvusVectorStore Filter Expression Injection (CVE-2026-41705))."
68
+ strength: primary
69
+ - subcategory: "MG.3.2"
70
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Spring AI MilvusVectorStore Filter Expression Injection (CVE-2026-41705))."
71
+ strength: secondary
66
72
  iso_42001:
67
- - clause: "8.6"
68
- context: "Operational controls under clause 8.6 must prohibit LLM-generated or user-supplied content from being string-concatenated into vector-store filter expressions; parameterised filter builders are mandatory."
73
+ - clause: "8.1"
74
+ context: "Operational controls under clause 8.1 must prohibit LLM-generated or user-supplied content from being string-concatenated into vector-store filter expressions; parameterised filter builders are mandatory."
69
75
  strength: primary
76
+ - clause: "8.3"
77
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Spring AI MilvusVectorStore Filter Expression Injection (CVE-2026-41705)) as a treatment control."
78
+ strength: secondary
70
79
 
71
80
  tags:
72
81
  category: tool-poisoning
@@ -50,6 +50,12 @@ compliance:
50
50
  subcategory: MP.5.1
51
51
  context: "Identifying tool poisoning as an AI risk to be catalogued in the organizational risk register."
52
52
  strength: secondary
53
+ - subcategory: "MS.2.7"
54
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (SQL Injection and Code Injection Attack Payload Detection)."
55
+ strength: primary
56
+ - subcategory: "MG.3.2"
57
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (SQL Injection and Code Injection Attack Payload Detection)."
58
+ strength: secondary
53
59
  iso_42001:
54
60
  - clause: "6.2"
55
61
  context: "Addressing tool poisoning risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -57,6 +63,12 @@ compliance:
57
63
  - clause: "8.4"
58
64
  context: "Impact assessment for AI deployments under clause 8.4 must account for tool poisoning inputs; detection events from this rule provide the required monitoring evidence."
59
65
  strength: secondary
66
+ - clause: "8.1"
67
+ context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (SQL Injection and Code Injection Attack Payload Detection)."
68
+ strength: primary
69
+ - clause: "8.3"
70
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (SQL Injection and Code Injection Attack Payload Detection) as a treatment control."
71
+ strength: secondary
60
72
 
61
73
  tags:
62
74
  category: tool-poisoning
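Review bot: The new `nist_ai_rmf` items begin with `- subcategory: "MS.2.7"` and `- subcategory: "MG.3.2"` and carry no `function:` key, whereas the existing item here is multi-key (`subcategory: MP.5.1` is not its first key; the `function` line appears to sit just above the hunk) and the Claude Code and LiteLLM sections further down show the existing shape explicitly as `- function: Manage` followed by `subcategory: MG.2.3`. If the schema or the compliance reporter groups or validates on `function`, the generated entries will behave differently from the hand-written ones; adding `function: Measure` to the MS.2.7 item and `function: Manage` to the MG.3.2 item keeps the list uniform. The quoting also differs (`MP.5.1` bare versus `"MS.2.7"` quoted), which is YAML-equivalent but worth normalising while these lines are being touched. The same inconsistency is present in every section of this diff that adds these two entries.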
@@ -51,6 +51,12 @@ compliance:
51
51
  subcategory: MP.5.1
52
52
  context: "Identifying tool poisoning as an AI risk to be catalogued in the organizational risk register."
53
53
  strength: secondary
54
+ - subcategory: "MS.2.7"
55
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Package Hallucination Exploitation — AI-Suggested Fake Package Installation)."
56
+ strength: primary
57
+ - subcategory: "MG.3.2"
58
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Package Hallucination Exploitation — AI-Suggested Fake Package Installation)."
59
+ strength: secondary
54
60
  iso_42001:
55
61
  - clause: "6.2"
56
62
  context: "Addressing tool poisoning risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -58,6 +64,12 @@ compliance:
58
64
  - clause: "8.4"
59
65
  context: "Impact assessment for AI deployments under clause 8.4 must account for tool poisoning inputs; detection events from this rule provide the required monitoring evidence."
60
66
  strength: secondary
67
+ - clause: "8.1"
68
+ context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (Package Hallucination Exploitation — AI-Suggested Fake Package Installation)."
69
+ strength: primary
70
+ - clause: "8.3"
71
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Package Hallucination Exploitation — AI-Suggested Fake Package Installation) as a treatment control."
72
+ strength: secondary
61
73
 
62
74
  tags:
63
75
  category: tool-poisoning
@@ -53,6 +53,12 @@ compliance:
53
53
  subcategory: MP.5.1
54
54
  context: "Identifying tool poisoning as an AI risk to be catalogued in the organizational risk register."
55
55
  strength: secondary
56
+ - subcategory: "MS.2.7"
57
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Shell Command Injection in Agent Tool Context)."
58
+ strength: primary
59
+ - subcategory: "MG.3.2"
60
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Shell Command Injection in Agent Tool Context)."
61
+ strength: secondary
56
62
  iso_42001:
57
63
  - clause: "6.2"
58
64
  context: "Addressing tool poisoning risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -60,6 +66,12 @@ compliance:
60
66
  - clause: "8.4"
61
67
  context: "Impact assessment for AI deployments under clause 8.4 must account for tool poisoning inputs; detection events from this rule provide the required monitoring evidence."
62
68
  strength: secondary
69
+ - clause: "8.1"
70
+ context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (Shell Command Injection in Agent Tool Context)."
71
+ strength: primary
72
+ - clause: "8.3"
73
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Shell Command Injection in Agent Tool Context) as a treatment control."
74
+ strength: secondary
63
75
 
64
76
  tags:
65
77
  category: tool-poisoning
@@ -56,6 +56,12 @@ compliance:
56
56
  subcategory: MP.5.1
57
57
  context: "Identifying tool poisoning as an AI risk to be catalogued in the organizational risk register."
58
58
  strength: secondary
59
+ - subcategory: "MS.2.7"
60
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (SQL Injection via Natural Language Agent Interface)."
61
+ strength: primary
62
+ - subcategory: "MG.3.2"
63
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (SQL Injection via Natural Language Agent Interface)."
64
+ strength: secondary
59
65
  iso_42001:
60
66
  - clause: "6.2"
61
67
  context: "Addressing tool poisoning risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -63,6 +69,12 @@ compliance:
63
69
  - clause: "8.4"
64
70
  context: "Impact assessment for AI deployments under clause 8.4 must account for tool poisoning inputs; detection events from this rule provide the required monitoring evidence."
65
71
  strength: secondary
72
+ - clause: "8.1"
73
+ context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (SQL Injection via Natural Language Agent Interface)."
74
+ strength: primary
75
+ - clause: "8.3"
76
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (SQL Injection via Natural Language Agent Interface) as a treatment control."
77
+ strength: secondary
66
78
 
67
79
  tags:
68
80
  category: tool-poisoning
@@ -51,6 +51,9 @@ compliance:
51
51
  Article 15 robustness against manipulation requires defending
52
52
  against this specific shell metacharacter bypass class.
53
53
  strength: primary
54
+ - article: "9"
55
+ context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (Claude Code Shell Metacharacter in Double-Quoted File Path)."
56
+ strength: secondary
54
57
  nist_ai_rmf:
55
58
  - function: Manage
56
59
  subcategory: MG.2.3
@@ -58,12 +61,24 @@ compliance:
58
61
  MG.2.3 runtime risk treatment — detecting the metacharacter
59
62
  shape blocks the exploit before shell execution.
60
63
  strength: primary
64
+ - subcategory: "MS.2.7"
65
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Claude Code Shell Metacharacter in Double-Quoted File Path)."
66
+ strength: primary
67
+ - subcategory: "MG.3.2"
68
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Claude Code Shell Metacharacter in Double-Quoted File Path)."
69
+ strength: secondary
61
70
  iso_42001:
62
71
  - clause: "8.4"
63
72
  context: >
64
73
  AIMS impact assessment for AI tool integrations must cover
65
74
  path-injection RCE; this rule is the detection control.
66
75
  strength: primary
76
+ - clause: "8.1"
77
+ context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (Claude Code Shell Metacharacter in Double-Quoted File Path)."
78
+ strength: primary
79
+ - clause: "8.3"
80
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Claude Code Shell Metacharacter in Double-Quoted File Path) as a treatment control."
81
+ strength: secondary
67
82
 
68
83
  tags:
69
84
  category: tool-poisoning
@@ -48,6 +48,9 @@ compliance:
48
48
  Article 15 robustness — defending AI proxies against SQL injection
49
49
  is required for high-risk AI systems with persistent state.
50
50
  strength: primary
51
+ - article: "9"
52
+ context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (LiteLLM Proxy SQL Injection (CVE-2026-42208, CISA KEV 2026-05-08))."
53
+ strength: secondary
51
54
  nist_ai_rmf:
52
55
  - function: Manage
53
56
  subcategory: MG.2.3
@@ -55,12 +58,24 @@ compliance:
55
58
  Runtime risk treatment for AI proxy components includes detection
56
59
  of injection metacharacters reaching SQL boundary.
57
60
  strength: primary
61
+ - subcategory: "MS.2.7"
62
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (LiteLLM Proxy SQL Injection (CVE-2026-42208, CISA KEV 2026-05-08))."
63
+ strength: primary
64
+ - subcategory: "MG.3.2"
65
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (LiteLLM Proxy SQL Injection (CVE-2026-42208, CISA KEV 2026-05-08))."
66
+ strength: secondary
58
67
  iso_42001:
59
68
  - clause: "8.4"
60
69
  context: >
61
70
  AIMS impact assessment must cover the proxy SQL surface;
62
71
  detection events feed the required monitoring trail.
63
72
  strength: primary
73
+ - clause: "8.1"
74
+ context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (LiteLLM Proxy SQL Injection (CVE-2026-42208, CISA KEV 2026-05-08))."
75
+ strength: primary
76
+ - clause: "8.3"
77
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (LiteLLM Proxy SQL Injection (CVE-2026-42208, CISA KEV 2026-05-08)) as a treatment control."
78
+ strength: secondary
64
79
 
65
80
  tags:
66
81
  category: tool-poisoning
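Review bot: The added nist_ai_rmf entries at new lines 61–66 (`- subcategory: "MS.2.7"` and `- subcategory: "MG.3.2"`) omit the `function:` key that the existing entry in this list carries (`- function: Manage` / `subcategory: MG.2.3`), so any consumer that groups mappings by function will see them as unclassified; adding `- function: Measure` above `subcategory: "MS.2.7"` and `- function: Manage` above `subcategory: "MG.3.2"` keeps the list uniform. The same omission recurs in every later hunk of this chunk that adds the MS.2.7/MG.3.2 pair (the sections beginning `@@ -57,6 +60,12`, `@@ -62,10 +62,19`, `@@ -58,10 +58,19`, `@@ -57,10 +57,19`, `@@ -59,10 +59,19`, `@@ -64,10 +64,19`, `@@ -76,13 +76,22`, `@@ -85,13 +85,22`, `@@ -62,12 +65,21`, `@@ -67,13 +70,22`, `@@ -65,13 +68,22`, `@@ -66,13 +69,22`), where the existing `function: Govern` or `function: Manage` entries show the expected shape. The MG.3.2 context text ("pre-trained models monitored as part of maintenance") reads as templated and is a weak fit for an SQL-injection or command-injection detection rule; if the mapping is kept, a one-clause rule-specific justification would make the `secondary` strength defensible. Quoting is also inconsistent within the same list (`MG.2.3` bare, `"MS.2.7"` quoted). The enclosing `compliance:` block starts outside the hunk.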
@@ -50,6 +50,9 @@ compliance:
50
50
  Article 15 robustness explicitly requires defending agent tool
51
51
  wrappers against prompt-to-RCE primitives.
52
52
  strength: primary
53
+ - article: "9"
54
+ context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (ModelScope MS-Agent Shell Tool Unsanitized Argv RCE (CVE-2026-2256))."
55
+ strength: secondary
53
56
  nist_ai_rmf:
54
57
  - function: Manage
55
58
  subcategory: MG.2.3
@@ -57,6 +60,12 @@ compliance:
57
60
  MG.2.3 runtime risk treatment — detection on unsafe shell-tool
58
61
  invocation prevents the exploit before shell execution.
59
62
  strength: primary
63
+ - subcategory: "MS.2.7"
64
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (ModelScope MS-Agent Shell Tool Unsanitized Argv RCE (CVE-2026-2256))."
65
+ strength: primary
66
+ - subcategory: "MG.3.2"
67
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (ModelScope MS-Agent Shell Tool Unsanitized Argv RCE (CVE-2026-2256))."
68
+ strength: secondary
60
69
  iso_42001:
61
70
  - clause: "8.4"
62
71
  context: >
@@ -64,6 +73,12 @@ compliance:
64
73
  prompt-to-RCE shell vectors; detection events feed the
65
74
  monitoring trail.
66
75
  strength: primary
76
+ - clause: "8.1"
77
+ context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (ModelScope MS-Agent Shell Tool Unsanitized Argv RCE (CVE-2026-2256))."
78
+ strength: primary
79
+ - clause: "8.3"
80
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (ModelScope MS-Agent Shell Tool Unsanitized Argv RCE (CVE-2026-2256)) as a treatment control."
81
+ strength: secondary
67
82
 
68
83
  tags:
69
84
  category: tool-poisoning
@@ -62,10 +62,19 @@ compliance:
62
62
  function: Govern
63
63
  context: "Third-party multi-agent frameworks (including PraisonAI) must be assessed under GV.6.1 supplier risk management for missing-authentication-on-critical-function controls before agent pipelines depend on them."
64
64
  strength: secondary
65
+ - subcategory: "MS.2.7"
66
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (PraisonAI Unauthenticated Agent API Exploitation (CVE-2026-44338))."
67
+ strength: primary
68
+ - subcategory: "MG.3.2"
69
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (PraisonAI Unauthenticated Agent API Exploitation (CVE-2026-44338))."
70
+ strength: secondary
65
71
  iso_42001:
66
- - clause: "8.6"
67
- context: "Operational controls under clause 8.6 must detect and block tool invocations targeting PraisonAI agent execution endpoints without a verified authentication mechanism."
72
+ - clause: "8.1"
73
+ context: "Operational controls under clause 8.1 must detect and block tool invocations targeting PraisonAI agent execution endpoints without a verified authentication mechanism."
68
74
  strength: primary
75
+ - clause: "8.3"
76
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (PraisonAI Unauthenticated Agent API Exploitation (CVE-2026-44338)) as a treatment control."
77
+ strength: secondary
69
78
 
70
79
  tags:
71
80
  category: tool-poisoning
@@ -58,10 +58,19 @@ compliance:
58
58
  function: Govern
59
59
  context: "Database MCP servers (including Apache Doris) must be assessed for input validation controls before agent pipelines depend on them."
60
60
  strength: secondary
61
+ - subcategory: "MS.2.7"
62
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Apache Doris MCP Server SQL Injection (CVE-2025-66335))."
63
+ strength: primary
64
+ - subcategory: "MG.3.2"
65
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Apache Doris MCP Server SQL Injection (CVE-2025-66335))."
66
+ strength: secondary
61
67
  iso_42001:
62
- - clause: "8.6"
63
- context: "Operational controls under clause 8.6 must detect SQL injection payloads in MCP tool call arguments before they reach database execution."
68
+ - clause: "8.1"
69
+ context: "Operational controls under clause 8.1 must detect SQL injection payloads in MCP tool call arguments before they reach database execution."
64
70
  strength: primary
71
+ - clause: "8.3"
72
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Apache Doris MCP Server SQL Injection (CVE-2025-66335)) as a treatment control."
73
+ strength: secondary
65
74
 
66
75
  tags:
67
76
  category: tool-poisoning
@@ -57,10 +57,19 @@ compliance:
57
57
  function: Govern
58
58
  context: "Database MCP servers must be assessed for missing authentication controls before agent pipelines depend on them."
59
59
  strength: secondary
60
+ - subcategory: "MS.2.7"
61
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Apache Pinot MCP Unauthenticated Remote Cluster Takeover)."
62
+ strength: primary
63
+ - subcategory: "MG.3.2"
64
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Apache Pinot MCP Unauthenticated Remote Cluster Takeover)."
65
+ strength: secondary
60
66
  iso_42001:
61
- - clause: "8.6"
67
+ - clause: "8.1"
62
68
  context: "Operational controls must detect and block unauthenticated MCP tool invocations targeting Apache Pinot cluster management endpoints."
63
69
  strength: primary
70
+ - clause: "8.3"
71
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Apache Pinot MCP Unauthenticated Remote Cluster Takeover) as a treatment control."
72
+ strength: secondary
64
73
 
65
74
  tags:
66
75
  category: tool-poisoning
@@ -59,10 +59,19 @@ compliance:
59
59
  function: Govern
60
60
  context: "Cloud provider MCP tools with unpatched authentication gaps require compensating controls under GV.6.1 supplier risk management."
61
61
  strength: primary
62
+ - subcategory: "MS.2.7"
63
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Alibaba RDS MCP Unauthenticated Database Metadata Exfiltration)."
64
+ strength: primary
65
+ - subcategory: "MG.3.2"
66
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Alibaba RDS MCP Unauthenticated Database Metadata Exfiltration)."
67
+ strength: secondary
62
68
  iso_42001:
63
- - clause: "8.6"
69
+ - clause: "8.1"
64
70
  context: "Operational controls must detect MCP tool calls that would expose Alibaba RDS credentials or schema to unauthenticated callers."
65
71
  strength: primary
72
+ - clause: "8.3"
73
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Alibaba RDS MCP Unauthenticated Database Metadata Exfiltration) as a treatment control."
74
+ strength: secondary
66
75
 
67
76
  tags:
68
77
  category: tool-poisoning
@@ -64,10 +64,19 @@ compliance:
64
64
  function: Govern
65
65
  context: "Third-party MCP-enabled server tools (including nginx-ui) must be assessed under GV.6.1 supplier risk management for missing-authentication-on-critical-function controls before agent pipelines depend on them."
66
66
  strength: secondary
67
+ - subcategory: "MS.2.7"
68
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (nginx-ui MCP Endpoint Unauthenticated Command Execution (CVE-2026-33032))."
69
+ strength: primary
70
+ - subcategory: "MG.3.2"
71
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (nginx-ui MCP Endpoint Unauthenticated Command Execution (CVE-2026-33032))."
72
+ strength: secondary
67
73
  iso_42001:
68
- - clause: "8.6"
69
- context: "Operational controls under clause 8.6 must detect and block MCP server registrations or tool invocations targeting nginx-ui command-execution endpoints without a verified authentication mechanism."
74
+ - clause: "8.1"
75
+ context: "Operational controls under clause 8.1 must detect and block MCP server registrations or tool invocations targeting nginx-ui command-execution endpoints without a verified authentication mechanism."
70
76
  strength: primary
77
+ - clause: "8.3"
78
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (nginx-ui MCP Endpoint Unauthenticated Command Execution (CVE-2026-33032)) as a treatment control."
79
+ strength: secondary
71
80
 
72
81
  tags:
73
82
  category: tool-poisoning
@@ -76,13 +76,22 @@ compliance:
76
76
  `[A-Za-z0-9\-_.\ ]` on any MCP server name field that flows into a
77
77
  shell-backed installer, mirroring the FastMCP 3.2.0 patch.
78
78
  strength: secondary
79
+ - subcategory: "MS.2.7"
80
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (FastMCP Windows cmd.exe Injection via Server Name Metacharacters (CVE-2025-64340))."
81
+ strength: primary
82
+ - subcategory: "MG.3.2"
83
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (FastMCP Windows cmd.exe Injection via Server Name Metacharacters (CVE-2025-64340))."
84
+ strength: secondary
79
85
  iso_42001:
80
- - clause: "8.6"
86
+ - clause: "8.1"
81
87
  context: >
82
- Operational controls under clause 8.6 must detect cmd.exe metacharacters
88
+ Operational controls under clause 8.1 must detect cmd.exe metacharacters
83
89
  in MCP server name fields to prevent installation-time command injection
84
90
  on Windows agent infrastructure.
85
91
  strength: primary
92
+ - clause: "8.3"
93
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (FastMCP Windows cmd.exe Injection via Server Name Metacharacters (CVE-2025-64340)) as a treatment control."
94
+ strength: secondary
86
95
 
87
96
  tags:
88
97
  category: tool-poisoning
@@ -85,13 +85,22 @@ compliance:
85
85
  management interfaces and deny arbitrary binary values in command
86
86
  fields (enforce an allowlist of approved MCP server executables).
87
87
  strength: secondary
88
+ - subcategory: "MS.2.7"
89
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (LangChain-ChatChat Unauthenticated MCP STDIO Server Configuration RCE (CVE-2026-30617))."
90
+ strength: primary
91
+ - subcategory: "MG.3.2"
92
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (LangChain-ChatChat Unauthenticated MCP STDIO Server Configuration RCE (CVE-2026-30617))."
93
+ strength: secondary
88
94
  iso_42001:
89
- - clause: "8.6"
95
+ - clause: "8.1"
90
96
  context: >
91
97
  Operational controls must detect and block unauthenticated MCP STDIO
92
98
  server registration attempts carrying shell-binary command fields and
93
99
  RCE argument patterns.
94
100
  strength: primary
101
+ - clause: "8.3"
102
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (LangChain-ChatChat Unauthenticated MCP STDIO Server Configuration RCE (CVE-2026-30617)) as a treatment control."
103
+ strength: secondary
95
104
 
96
105
  tags:
97
106
  category: tool-poisoning
@@ -55,6 +55,9 @@ compliance:
55
55
  AI agent CLI interfaces validate user-controlled parameters before any
56
56
  subprocess execution.
57
57
  strength: primary
58
+ - article: "9"
59
+ context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (PraisonAI parse_mcp_command() CLI Argument Command Injection (CVE-2026-34935))."
60
+ strength: secondary
58
61
  nist_ai_rmf:
59
62
  - subcategory: "MP.5.1"
60
63
  context: >
@@ -62,12 +65,21 @@ compliance:
62
65
  an adversarial input attack; MP.5.1 requires scanning MCP CLI arguments
63
66
  for inline-exec flags and shell metacharacters.
64
67
  strength: primary
68
+ - subcategory: "MS.2.7"
69
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (PraisonAI parse_mcp_command() CLI Argument Command Injection (CVE-2026-34935))."
70
+ strength: primary
71
+ - subcategory: "MG.3.2"
72
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (PraisonAI parse_mcp_command() CLI Argument Command Injection (CVE-2026-34935))."
73
+ strength: secondary
65
74
  iso_42001:
66
- - clause: "8.6"
75
+ - clause: "8.1"
67
76
  context: >
68
77
  Operational controls must detect and block PraisonAI --mcp arguments
69
78
  containing shell interpreter inline-exec primitives before process launch.
70
79
  strength: primary
80
+ - clause: "8.3"
81
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (PraisonAI parse_mcp_command() CLI Argument Command Injection (CVE-2026-34935)) as a treatment control."
82
+ strength: secondary
71
83
 
72
84
  tags:
73
85
  category: tool-poisoning
@@ -60,6 +60,9 @@ compliance:
60
60
  mandate that AI agent configuration interfaces sanitize command parameters
61
61
  before execution.
62
62
  strength: primary
63
+ - article: "9"
64
+ context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (Agent Zero MCP Configuration Command Injection via mcp_servers field (CVE-2026-30624))."
65
+ strength: secondary
63
66
  nist_ai_rmf:
64
67
  - subcategory: "MP.5.1"
65
68
  context: >
@@ -67,13 +70,22 @@ compliance:
67
70
  constitute an adversarial input; MP.5.1 requires scanning MCP server config
68
71
  for shell-binary command fields and inline-exec argument patterns.
69
72
  strength: primary
73
+ - subcategory: "MS.2.7"
74
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Agent Zero MCP Configuration Command Injection via mcp_servers field (CVE-2026-30624))."
75
+ strength: primary
76
+ - subcategory: "MG.3.2"
77
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Agent Zero MCP Configuration Command Injection via mcp_servers field (CVE-2026-30624))."
78
+ strength: secondary
70
79
  iso_42001:
71
- - clause: "8.6"
80
+ - clause: "8.1"
72
81
  context: >
73
82
  Operational controls must detect and block Agent Zero mcp_servers
74
83
  configurations containing shell binary command fields before agent
75
84
  MCP server initialisation.
76
85
  strength: primary
86
+ - clause: "8.3"
87
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Agent Zero MCP Configuration Command Injection via mcp_servers field (CVE-2026-30624)) as a treatment control."
88
+ strength: secondary
77
89
 
78
90
  tags:
79
91
  category: tool-poisoning
@@ -58,6 +58,9 @@ compliance:
58
58
  requirements mandate that AI agent configuration interfaces validate
59
59
  command parameters before execution.
60
60
  strength: primary
61
+ - article: "9"
62
+ context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (Upsonic MCP Command Allowlist Bypass RCE (CVE-2026-30625))."
63
+ strength: secondary
61
64
  nist_ai_rmf:
62
65
  - subcategory: "MP.5.1"
63
66
  context: >
@@ -65,13 +68,22 @@ compliance:
65
68
  constitute an adversarial input; MP.5.1 requires scanning MCP server
66
69
  config for shell-binary command fields and inline-exec argument patterns.
67
70
  strength: primary
71
+ - subcategory: "MS.2.7"
72
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Upsonic MCP Command Allowlist Bypass RCE (CVE-2026-30625))."
73
+ strength: primary
74
+ - subcategory: "MG.3.2"
75
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Upsonic MCP Command Allowlist Bypass RCE (CVE-2026-30625))."
76
+ strength: secondary
68
77
  iso_42001:
69
- - clause: "8.6"
78
+ - clause: "8.1"
70
79
  context: >
71
80
  Operational controls must detect and block Upsonic mcp_servers
72
81
  configurations containing shell binary command fields before agent
73
82
  MCP server initialisation.
74
83
  strength: primary
84
+ - clause: "8.3"
85
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Upsonic MCP Command Allowlist Bypass RCE (CVE-2026-30625)) as a treatment control."
86
+ strength: secondary
75
87
 
76
88
  tags:
77
89
  category: tool-poisoning
@@ -59,6 +59,9 @@ compliance:
59
59
  subprocess execution; Article 15 cybersecurity requirements mandate
60
60
  that AI proxy server-creation APIs validate command parameters.
61
61
  strength: primary
62
+ - article: "9"
63
+ context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (LiteLLM MCP Server Creation Authenticated argv Injection (CVE-2026-30623))."
64
+ strength: secondary
62
65
  nist_ai_rmf:
63
66
  - subcategory: "MP.5.1"
64
67
  context: >
@@ -66,13 +69,22 @@ compliance:
66
69
  subprocess constitute an adversarial input; MP.5.1 requires scanning
67
70
  LiteLLM MCP registration payloads for shell-binary command fields.
68
71
  strength: primary
72
+ - subcategory: "MS.2.7"
73
+ context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (LiteLLM MCP Server Creation Authenticated argv Injection (CVE-2026-30623))."
74
+ strength: primary
75
+ - subcategory: "MG.3.2"
76
+ context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (LiteLLM MCP Server Creation Authenticated argv Injection (CVE-2026-30623))."
77
+ strength: secondary
69
78
  iso_42001:
70
- - clause: "8.6"
79
+ - clause: "8.1"
71
80
  context: >
72
81
  Operational controls must detect and block LiteLLM MCP server
73
82
  registration payloads containing shell binary command fields before
74
83
  proxy-side subprocess spawning.
75
84
  strength: primary
85
+ - clause: "8.3"
86
+ context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (LiteLLM MCP Server Creation Authenticated argv Injection (CVE-2026-30623)) as a treatment control."
87
+ strength: secondary
76
88
 
77
89
  tags:
78
90
  category: tool-poisoning