feat(knowledge): add MITRE ATLAS IDs to OWASP files + Norwegian regulatory context
parent 5bb9d5bd11
commit e2c8924074
8 changed files with 301 additions and 30 deletions
@ -13,7 +13,7 @@ skill-scanner-agent threat model, and cross-mapped to OWASP LLM Top 10 and Agent
## AST01 — Prompt Injection via Skill Content
**Category:** Instruction integrity | **Maps to:** LLM01, ASI01 | **Severity:** CRITICAL in frontmatter; HIGH in body
**Category:** Instruction integrity | **Maps to:** LLM01, ASI01 | **Severity:** CRITICAL in frontmatter; HIGH in body | **MITRE ATLAS:** AML.T0051 (LLM Prompt Injection)
Instructions embedded in skill/command/agent files that override model operating rules. Frontmatter
`name`/`description` fields load directly into the system prompt — injections here bypass all hooks.
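Review bot: the appended `**MITRE ATLAS:**` field makes the `**Category:**` line far longer than the roughly 100-column wrap the surrounding prose keeps; putting the ATLAS mapping on its own line directly under the category line would keep the metadata readable in plain text and make the remaining nine hunks consistent with it. AML.T0051 (LLM Prompt Injection) is the right technique here, but ATLAS splits it into direct and indirect injection sub-techniques, and since this section is about instructions carried in skill files rather than typed by the user, citing the indirect sub-technique would be the more precise reference.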
@ -32,7 +32,7 @@ in any frontmatter field; spoofed headers or identity phrases anywhere in skill
## AST02 — Data Exfiltration from Skills
**Category:** Data protection | **Maps to:** LLM02, ASI02 | **Severity:** CRITICAL (credential+network); HIGH (file reads alone)
**Category:** Data protection | **Maps to:** LLM02, ASI02 | **Severity:** CRITICAL (credential+network); HIGH (file reads alone) | **MITRE ATLAS:** AML.T0024 (Exfiltration via ML Inference API), AML.T0062 (Exfiltration via AI Agent Tool Invocation)
Skills instructing the agent to read sensitive local files and transmit their contents externally.
ToxicSkills found 17.7% of scanned skills fetch from or post to untrusted URLs.
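Review bot: AML.T0024 (Exfiltration via ML Inference API) describes pulling data out through the model's inference endpoint, which is not the mechanism this section describes (a skill reading local files and transmitting them externally); the second ID, AML.T0062 (Exfiltration via AI Agent Tool Invocation), matches the section, but it comes from the newer agent-oriented block of ATLAS techniques and the commit pins no ATLAS version. Add a version or date reference for the matrix these IDs were taken from (the file header is a natural place) and verify the ID-to-name pairing against it, since the agent techniques are easy to mis-cite; AML.T0024 can then probably be dropped.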
@ -52,7 +52,7 @@ reads to `~/.ssh/`, `~/.env`, `~/.aws/credentials`, `~/.npmrc`; `| base64` on en
## AST03 — Privilege Escalation via Skill Tools
**Category:** Authorization | **Maps to:** LLM06, ASI03 | **Severity:** CRITICAL (hook/settings writes); HIGH (unjustified Bash)
**Category:** Authorization | **Maps to:** LLM06, ASI03 | **Severity:** CRITICAL (hook/settings writes); HIGH (unjustified Bash) | **MITRE ATLAS:** AML.T0012 (Valid Accounts)
Skills requesting tool permissions beyond their stated function, or instructing the agent to modify
the plugin/hook infrastructure. Excess tools expand blast radius and enable chained attacks.
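Review bot: AML.T0012 (Valid Accounts) covers an adversary using legitimate credentials to gain or keep access, whereas this section is about skills requesting tool permissions beyond their stated function and modifying the plugin/hook infrastructure; the mapping is a stretch and a reader filtering on ATLAS IDs would not find this section under the technique they expect. Either add a one-line rationale next to the ID or replace it with a technique covering tampering with the agent's own configuration, if the ATLAS version being cited provides one.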
@ -72,7 +72,7 @@ in non-execution skills as HIGH. `pre-write-pathguard.mjs` blocks writes to hook
## AST04 — Scope Creep and Credential Access
**Category:** Credential protection | **Maps to:** LLM02, LLM06, ASI03 | **Severity:** CRITICAL (wallet/SSH/cloud); HIGH (dev tokens)
**Category:** Credential protection | **Maps to:** LLM02, LLM06, ASI03 | **Severity:** CRITICAL (wallet/SSH/cloud); HIGH (dev tokens) | **MITRE ATLAS:** AML.T0035 (ML Artifact Collection)
Skills that exceed their documented purpose by reading sensitive credential files. The "rug-pull"
attack: skill gains adoption legitimately, then an update introduces harvesting framed as diagnostics.
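Review bot: AML.T0035 (ML Artifact Collection) refers to collecting ML-specific artifacts such as models and datasets, but this section is about reading wallet, SSH and cloud credential files, which is credential access rather than artifact collection. The same ID is also reused verbatim for AST09 later in this commit, so the ATLAS column no longer separates credential harvesting from over-broad knowledge loading; either justify the choice in the text or point at a credential-access technique.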
@ -94,7 +94,7 @@ is an escalating severity signal. Update `pre-bash-destructive.mjs` pattern list
## AST05 — Hidden Instructions in Skills
**Category:** Instruction integrity | **Maps to:** LLM01, ASI01 | **Severity:** CRITICAL for any confirmed instance
**Category:** Instruction integrity | **Maps to:** LLM01, ASI01 | **Severity:** CRITICAL for any confirmed instance | **MITRE ATLAS:** AML.T0051 (LLM Prompt Injection)
Malicious content concealed from human review but interpreted by LLMs. Unicode steganography,
base64-encoded payloads, and HTML comment injection are documented ClawHavoc techniques. Effective
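Review bot: AST05 now carries exactly the same ATLAS mapping as AST01 (AML.T0051), so the ATLAS field no longer distinguishes a visible injection from a concealed one, and concealment (Unicode steganography, base64 payloads, HTML comments) is the whole point of this section. If the cited ATLAS version has nothing more specific, a short qualifier after the ID, such as "(via obfuscated content)", would keep the two sections distinguishable when someone filters by technique.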
@ -117,7 +117,7 @@ high density of U+200B-U+200D in plain-English files; base64 strings >40 chars a
## AST06 — Toolchain Manipulation via Skills
**Category:** Supply chain | **Maps to:** LLM03, ASI04 | **Severity:** CRITICAL (registry redirection); HIGH (package install)
**Category:** Supply chain | **Maps to:** LLM03, ASI04 | **Severity:** CRITICAL (registry redirection); HIGH (package install) | **MITRE ATLAS:** AML.T0010 (ML Supply Chain Compromise)
Skills that modify the dependency graph or package manager configuration to introduce malicious
packages. Registry redirection poisons all subsequent installs, not just the immediate one.
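Review bot: AML.T0010 (ML Supply Chain Compromise) is the right family, but the section is specifically about package-manager and registry manipulation, so the ML Software sub-technique would be a tighter citation than the parent, which also covers hardware, data and model compromise that this section does not address.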
@ -138,7 +138,7 @@ any package a skill recommends installing. Flag any registry URL change as CRITI
## AST07 — Persistence Mechanisms via Skills
**Category:** System integrity | **Maps to:** LLM01, LLM03, ASI10 | **Severity:** CRITICAL for all variants
**Category:** System integrity | **Maps to:** LLM01, LLM03, ASI10 | **Severity:** CRITICAL for all variants | **MITRE ATLAS:** AML.T0018 (Backdoor ML Model)
Skills that attempt to survive session termination via system startup modification, scheduled tasks,
or hook registration. AMOS (ClawHavoc) used macOS LaunchAgents; Claude Code hooks are an additional
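Review bot: AML.T0018 (Backdoor ML Model) is about implanting a backdoor in model weights, which does not match any mechanism in this section (macOS LaunchAgents, scheduled tasks, hook registration); those are host and agent-runtime persistence, not model tampering. Either mark the ID as a best-available analogue with a one-line rationale, or leave the ATLAS field empty for this section rather than label it with a technique that describes something else.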
@ -161,7 +161,7 @@ persistence commands. `pre-write-pathguard.mjs` blocks plugin/hook path writes.
## AST08 — Skill Description Mismatch
**Category:** Trust boundary | **Maps to:** LLM06, ASI09 | **Severity:** HIGH; CRITICAL if mismatch enables privilege escalation
**Category:** Trust boundary | **Maps to:** LLM06, ASI09 | **Severity:** HIGH; CRITICAL if mismatch enables privilege escalation | **MITRE ATLAS:** AML.T0043 (Craft Adversarial Data)
Frontmatter description claims read-only or safe analysis, but `allowed-tools`/`tools` grant
write/execution capabilities. Users approve installation based on stated description, not actual
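Review bot: AML.T0043 (Craft Adversarial Data) refers to crafting inputs that make a model misbehave, not to a frontmatter description that misrepresents what `allowed-tools`/`tools` actually grant; the mismatch this section describes deceives the human approving the install, not the model. As written the mapping would mislead anyone filtering the threat model by ATLAS ID, so replace it or document the reasoning beside it.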
@ -183,7 +183,7 @@ security agents. Re-scan all frontmatter after plugin updates — description dr
## AST09 — Over-Privileged Knowledge Access
**Category:** Data trust | **Maps to:** LLM04, ASI06 | **Severity:** HIGH (bulk loads); MEDIUM (missing attribution)
**Category:** Data trust | **Maps to:** LLM04, ASI06 | **Severity:** HIGH (bulk loads); MEDIUM (missing attribution) | **MITRE ATLAS:** AML.T0035 (ML Artifact Collection), AML.T0036 (Data from Information Repositories)
Knowledge files treated as trusted instructions rather than reference data. Skills loading entire
`knowledge/` directories without selection violate the context budget rule (max 3 files per
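Review bot: AML.T0036 (Data from Information Repositories) fits the bulk-load variant of this section, but AML.T0035 (ML Artifact Collection), already used for AST04, is a weak fit for the section's main concern, which is knowledge files being treated as trusted instructions rather than reference data (a context-trust problem, not collection). Consider keeping only AML.T0036, or state that the collection mapping applies only to the bulk-load case and not to the missing-attribution case.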
@ -207,7 +207,7 @@ with explicit data framing before passing to subagents.
## AST10 — Uncontrolled Skill Execution
**Category:** Resource control | **Maps to:** LLM10, ASI08 | **Severity:** HIGH; CRITICAL if combined with AST01 trigger
**Category:** Resource control | **Maps to:** LLM10, ASI08 | **Severity:** HIGH; CRITICAL if combined with AST01 trigger | **MITRE ATLAS:** AML.T0011 (User Execution)
Skills or commands without iteration limits, file count caps, or circuit breakers in loop contexts.
Enables Denial of Wallet attacks and runaway autonomous pipelines. Especially dangerous in harness
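Review bot: AML.T0011 (User Execution) describes an adversary relying on a user to run something, whereas this section is about missing iteration limits, file count caps and circuit breakers enabling Denial of Wallet and runaway pipelines; ATLAS's impact techniques for cost harvesting and denial of ML service describe that outcome directly and would map better (check the exact IDs in the ATLAS version the commit settles on). If User Execution is kept to cover the "combined with AST01 trigger" case, say so next to the ID so the mapping is not read as covering the resource-exhaustion case.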