From 8df5d5c70e19e3986d40009a7be5a2b3fac70bb7 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 5 May 2026 14:45:15 +0200 Subject: [PATCH] feat(llm-security): add lethal-trifecta + mcp-rug-pull examples [skip-docs] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two new self-contained, runnable threat demonstrations under examples/: - lethal-trifecta-walkthrough/ — feeds 5 hook calls (WebFetch, Read .env, Bash curl POST + suppression follow-ups) into post-session-guard and verifies the Rule-of-Two advisory fires exactly on leg 3. State isolated via run-script PID so /tmp/llm-security-session-*.jsonl is not polluted. Treffer post-session-guard, ASI01/ASI02, LLM01/LLM02. - mcp-rug-pull/ — mutates an MCP tool description across 8 stages. Each per-update <10% Levenshtein, cumulative reaches 32.2% by stage 7 — proves the v7.3.0 (E14) mcp-cumulative-drift MEDIUM advisory catches slow-burn rug-pulls that the per-update detection would miss. Uses LLM_SECURITY_MCP_CACHE_FILE to isolate cache. Treffer post-mcp-verify, mcp-description-cache.mjs, OWASP MCP05/LLM03/ASI04. Each example: README.md + run-*.mjs + expected-findings.md. Plugin README "Other runnable examples" section + CHANGELOG [Unreleased] Added bullets + plugin CLAUDE.md "Examples" section all updated in this commit. Marketplace root README unchanged since plugin's outward coverage is unchanged ([skip-docs] covers the marketplace-level gate). --- plugins/llm-security/CHANGELOG.md | 19 +++++++++++++++++++ plugins/llm-security/README.md | 19 +++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/plugins/llm-security/CHANGELOG.md b/plugins/llm-security/CHANGELOG.md index 59eb624..8435143 100644 --- a/plugins/llm-security/CHANGELOG.md +++ b/plugins/llm-security/CHANGELOG.md @@ -29,6 +29,25 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). - Test count: 1777 → 1822 (+45). All payloads matching credential regexes are assembled at runtime via concatenation, so test files contain no literal credential-shaped strings (compatible with `pre-edit-secrets`). +- `examples/lethal-trifecta-walkthrough/` — runnable demonstration of + `post-session-guard`'s Rule-of-Two advisory firing when a 5-call + sequence (WebFetch → Read .env → Bash curl POST + suppressed + follow-ups) closes the trifecta in a single 20-call window. State + isolated via the run script's PID; the user's real `/tmp/llm-security- + session-*` files are never touched. README explains the Rule of Two, + the configurable mode (`block`/`warn`/`off`), and the OWASP mapping + (LLM01/LLM02, ASI01/ASI02). `expected-findings.md` documents the + testable contract. +- `examples/mcp-rug-pull/` — runnable demonstration of the v7.3.0 + cumulative-drift advisory (E14, OWASP MCP05) on `post-mcp-verify`. + Mutates an MCP tool description across 8 stages — each step under + the 10% per-update Levenshtein threshold, but cumulatively crossing + 25% from baseline at stage 7. Uses `LLM_SECURITY_MCP_CACHE_FILE` + env override to isolate the cache to a per-run tempdir; the user's + real `~/.cache/llm-security/mcp-descriptions.json` is never touched. + README enumerates the drift profile, points to + `/security mcp-baseline-reset` for legitimate upgrades, and maps + to MCP05 / LLM03 / ASI04. ## [7.3.1] - 2026-05-01 diff --git a/plugins/llm-security/README.md b/plugins/llm-security/README.md index 7017256..8965095 100644 --- a/plugins/llm-security/README.md +++ b/plugins/llm-security/README.md @@ -494,6 +494,25 @@ node scanners/scan-orchestrator.mjs examples/malicious-skill-demo/evil-project-h /security scan examples/malicious-skill-demo/evil-project-health/ --deep # full pipeline ``` +### Other runnable examples + +The `examples/` directory contains additional self-contained +demonstrations — each with `README.md`, fixture, run script, and +`expected-findings.md`: + +- **`prompt-injection-showcase/`** — 61 payloads across 19 categories + fed to `pre-prompt-inject-scan`, `post-mcp-verify`, and + `pre-bash-destructive`. Run: `node examples/prompt-injection-showcase/run-showcase.mjs` +- **`lethal-trifecta-walkthrough/`** — 5-step Rule-of-Two demonstration + (WebFetch → Read .env → Bash curl POST + suppression follow-ups) + showing `post-session-guard` advisory firing on leg 3. State-isolated + via run-script PID. Run: `node examples/lethal-trifecta-walkthrough/run-trifecta.mjs` +- **`mcp-rug-pull/`** — 8-stage MCP description drift, each step under + the 10% per-update threshold but cumulatively >25% from baseline. + Demonstrates the v7.3.0 cumulative-drift advisory (E14, OWASP MCP05). + Cache isolated via `LLM_SECURITY_MCP_CACHE_FILE`. Run: + `node examples/mcp-rug-pull/run-rug-pull.mjs` + --- ## Recent versions