open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

feat(llm-security): add lethal-trifecta + mcp-rug-pull examples [skip-docs]

Browse source 
Two new self-contained, runnable threat demonstrations under examples/:

- lethal-trifecta-walkthrough/ — feeds 5 hook calls (WebFetch, Read .env,
  Bash curl POST + suppression follow-ups) into post-session-guard and
  verifies the Rule-of-Two advisory fires exactly on leg 3. State
  isolated via run-script PID so /tmp/llm-security-session-*.jsonl is
  not polluted. Treffer post-session-guard, ASI01/ASI02, LLM01/LLM02.

- mcp-rug-pull/ — mutates an MCP tool description across 8 stages.
  Each per-update <10% Levenshtein, cumulative reaches 32.2% by stage
  7 — proves the v7.3.0 (E14) mcp-cumulative-drift MEDIUM advisory
  catches slow-burn rug-pulls that the per-update detection would
  miss. Uses LLM_SECURITY_MCP_CACHE_FILE to isolate cache. Treffer
  post-mcp-verify, mcp-description-cache.mjs, OWASP MCP05/LLM03/ASI04.

Each example: README.md + run-*.mjs + expected-findings.md.
Plugin README "Other runnable examples" section + CHANGELOG
[Unreleased] Added bullets + plugin CLAUDE.md "Examples" section
all updated in this commit. Marketplace root README unchanged
since plugin's outward coverage is unchanged ([skip-docs]
covers the marketplace-level gate).
This commit is contained in:
Kjell Tore Guttormsen 2026-05-05 14:45:15 +02:00
commit 8df5d5c70e
2 changed files with 38 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

19
plugins/llm-security/CHANGELOG.md
View file

@ -29,6 +29,25 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
- Test count: 1777 → 1822 (+45). All payloads matching credential regexes - Test count: 1777 → 1822 (+45). All payloads matching credential regexes
are assembled at runtime via concatenation, so test files contain no are assembled at runtime via concatenation, so test files contain no
literal credential-shaped strings (compatible with `pre-edit-secrets`). literal credential-shaped strings (compatible with `pre-edit-secrets`).
- `examples/lethal-trifecta-walkthrough/` — runnable demonstration of
`post-session-guard`'s Rule-of-Two advisory firing when a 5-call
sequence (WebFetch → Read .env → Bash curl POST + suppressed
follow-ups) closes the trifecta in a single 20-call window. State
isolated via the run script's PID; the user's real `/tmp/llm-security-
session-*` files are never touched. README explains the Rule of Two,
the configurable mode (`block`/`warn`/`off`), and the OWASP mapping
(LLM01/LLM02, ASI01/ASI02). `expected-findings.md` documents the
testable contract.
- `examples/mcp-rug-pull/` — runnable demonstration of the v7.3.0
cumulative-drift advisory (E14, OWASP MCP05) on `post-mcp-verify`.
Mutates an MCP tool description across 8 stages — each step under
the 10% per-update Levenshtein threshold, but cumulatively crossing
25% from baseline at stage 7. Uses `LLM_SECURITY_MCP_CACHE_FILE`
env override to isolate the cache to a per-run tempdir; the user's
real `~/.cache/llm-security/mcp-descriptions.json` is never touched.
README enumerates the drift profile, points to
`/security mcp-baseline-reset` for legitimate upgrades, and maps
to MCP05 / LLM03 / ASI04.
## [7.3.1] - 2026-05-01 ## [7.3.1] - 2026-05-01

19
plugins/llm-security/README.md
View file

@ -494,6 +494,25 @@ node scanners/scan-orchestrator.mjs examples/malicious-skill-demo/evil-project-h
/security scan examples/malicious-skill-demo/evil-project-health/ --deep # full pipeline /security scan examples/malicious-skill-demo/evil-project-health/ --deep # full pipeline
``` ```
### Other runnable examples
The `examples/` directory contains additional self-contained
demonstrations — each with `README.md`, fixture, run script, and
`expected-findings.md`:
- **`prompt-injection-showcase/`** — 61 payloads across 19 categories
fed to `pre-prompt-inject-scan`, `post-mcp-verify`, and
`pre-bash-destructive`. Run: `node examples/prompt-injection-showcase/run-showcase.mjs`
- **`lethal-trifecta-walkthrough/`** — 5-step Rule-of-Two demonstration
(WebFetch → Read .env → Bash curl POST + suppression follow-ups)
showing `post-session-guard` advisory firing on leg 3. State-isolated
via run-script PID. Run: `node examples/lethal-trifecta-walkthrough/run-trifecta.mjs`
- **`mcp-rug-pull/`** — 8-stage MCP description drift, each step under
the 10% per-update threshold but cumulatively >25% from baseline.
Demonstrates the v7.3.0 cumulative-drift advisory (E14, OWASP MCP05).
Cache isolated via `LLM_SECURITY_MCP_CACHE_FILE`. Run:
`node examples/mcp-rug-pull/run-rug-pull.mjs`
--- ---
## Recent versions ## Recent versions