# AI Agent Skills & MCP Servers - Threat Intelligence Database # For use with /security-check and /security-audit commands # Manually maintained — update after new security advisories version: "2.5.0" updated: "2026-03-05" sources: - name: "Snyk ToxicSkills" url: "https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/" date: "2026-02-05" - name: "Koi Security ClawHavoc" url: "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting" date: "2026-02-01" - name: "SafeDep Agent Skills Threat Model" url: "https://safedep.io/agent-skills-threat-model" date: "2026-01" - name: "Cymulate EscapeRoute (CVE-2025-53109/53110)" url: "https://cymulate.com/blog/cve-2025-53109-53110-escaperoute-anthropic/" date: "2025-09" - name: "Checkpoint MCPoison (CVE-2025-54135/54136)" url: "https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/" date: "2025-10" - name: "JFrog Prompt Hijacking (CVE-2025-6515)" url: "https://jfrog.com/blog/mcp-prompt-hijacking-vulnerability/" date: "2025-10" - name: "JFrog PyPI MCP Reverse Shell" url: "https://research.jfrog.com/post/3-malicious-mcps-pypi-reverse-shell/" date: "2025-12" - name: "Recorded Future MCP Inspector (CVE-2025-49596)" url: "https://www.recordedfuture.com/blog/anthropic-mcp-inspector-cve-2025-49596" date: "2025-07" - name: "Flatt Security - 8 ways to pwn Claude Code" url: "https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/" date: "2026-01" - name: "SentinelOne WebFetch SSRF (CVE-2026-24052)" url: "https://www.sentinelone.com/vulnerability-database/cve-2026-24052/" date: "2026-01" - name: "The Hacker News - MCP Git Server Flaws" url: "https://thehackernews.com/2026/01/three-flaws-in-anthropic-mcp-git-server.html" date: "2026-01" - name: "Bitsight TRACE - Exposed MCP Servers" url: "https://www.bitsight.com/blog/exposed-mcp-servers-reveal-new-ai-vulnerabilities" date: "2026-01" - name: "Defender's Initiative - Postmark MCP Squatter" url: 
"https://defendersinitiative.substack.com/p/npm-not-another-package-malicious" date: "2025-11" - name: "SAFE-MCP Framework" url: "https://www.safemcp.org" date: "2026-01" - name: "VirusTotal - OpenClaw Malicious Skills" url: "https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html" date: "2026-02-02" - name: "arXiv - Malicious Agent Skills Empirical Study" url: "https://www.arxiv.org/abs/2602.06547" date: "2026-02-06" - name: "SentinelOne - xcode-mcp-server CVE-2026-2178" url: "https://www.sentinelone.com/vulnerability-database/cve-2026-2178/" date: "2026-02-13" - name: "Immersive Labs - CVE-2026-23744 MCPJam RCE" url: "https://community.immersivelabs.com/blog/the-human-connection-blog/new-cti-lab-cve-2026-23744-mcpjam-rce-offensive/3882" date: "2026-01-21" - name: "Aikido - Hallucinated npx Commands in Skills" url: "https://www.aikido.dev/blog/agent-skills-spreading-hallucinated-npx-commands" date: "2026-01-21" - name: "OWASP Top 10 for Agentic AI Security Risks 2026" url: "https://www.startupdefense.io/blog/owasp-top-10-agentic-ai-security-risks-2026" date: "2026-02-16" - name: "Lakera - The Agent Skill Ecosystem: When AI Extensions Become a Malware Delivery Channel" url: "https://www.lakera.ai/blog/the-agent-skill-ecosystem-when-ai-extensions-become-a-malware-delivery-channel" date: "2026-02-20" - name: "Penligent AI - CVE-2026-0755 gemini-mcp-tool Command Injection" url: "https://www.penligent.ai/hackinglabs/de/deep-analysis-of-gemini-mcp-tool-command-injection-cve-2026-0755-when-an-mcp-toolchain-hands-user-input-to-the-shell/" date: "2026-02-07" - name: "Snyk - SSRF in mcp-run-python (SNYK-PYTHON-MCPRUNPYTHON-15250607)" url: "https://security.snyk.io/vuln/SNYK-PYTHON-MCPRUNPYTHON-15250607" date: "2026-02-09" - name: "The Hacker News - Anthropic Launches Claude Code Security" url: "https://thehackernews.com/2026/02/anthropic-launches-claude-code-security.html" date: "2026-02-21" - name: "Check Point Research - CVE-2025-59536 & CVE-2026-21852 
Claude Code RCE + API Key Theft" url: "https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/" date: "2026-02-25" - name: "The Hacker News - Claude Code Flaws Allow RCE and API Key Theft" url: "https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html" date: "2026-02-25" - name: "Trend Micro - Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer" url: "https://www.trendmicro.com/en_us/research/26/b/openclaw-skills-used-to-distribute-atomic-macos-stealer.html" date: "2026-02-23" - name: "1Password - From magic to malware: OpenClaw attack surface" url: "https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface" date: "2026-02-02" - name: "Red Hat - MCP Security Current Situation" url: "https://www.redhat.com/en/blog/mcp-security-current-situation" date: "2026-02-25" - name: "NVD - CVE-2026-26029 sf-mcp-server Command Injection" url: "https://nvd.nist.gov/vuln/detail/CVE-2026-26029" date: "2026-02-11" - name: "CVEDetails - CVE-2026-27203 eBay API MCP Server Env Injection" url: "https://www.cvedetails.com/cve/CVE-2026-27203/" date: "2026-02-20" - name: "NVD - CVE-2026-27735 mcp-server-git Path Traversal in git_add" url: "https://nvd.nist.gov/vuln/detail/CVE-2026-27735" date: "2026-02-26" - name: "Snyk - Clinejection: AI Bot → Supply Chain Attack via Cache Poisoning" url: "https://snyk.io/blog/cline-supply-chain-attack-prompt-injection-github-actions/" date: "2026-02-19" - name: "The Hacker News - Cline CLI 2.3.0 Supply Chain Attack" url: "https://thehackernews.com/2026/02/cline-cli-230-supply-chain-attack.html" date: "2026-02-20" - name: "Microsoft Security Blog - AI Recommendation Poisoning" url: "https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/" date: "2026-02-10" - name: "SonicWall - CVE-2026-25253 OpenClaw Auth Token Theft RCE" url: 
"https://www.sonicwall.com/blog/openclaw-auth-token-theft-leading-to-rce-cve-2026-25253" date: "2026-02-26" - name: "Hunt.io - CVE-2026-25253 17500+ Exposed OpenClaw Instances" url: "https://hunt.io/blog/cve-2026-25253-openclaw-ai-agent-exposure" date: "2026-02-03" - name: "NVD - CVE-2026-25725 Claude Code Sandbox Escape" url: "https://nvd.nist.gov/vuln/detail/CVE-2026-25725" date: "2026-02-06" - name: "NVD - CVE-2026-0757 MCP Manager Claude Desktop Sandbox Escape" url: "https://nvd.nist.gov/vuln/detail/CVE-2026-0757" date: "2026-01-22" - name: "ZDI - CVE-2025-15061 Framelink Figma MCP Server fetchWithRetry RCE" url: "https://www.zerodayinitiative.com/advisories/ZDI-25-1197/" date: "2025-12-29" - name: "Check Point Advisories - CVE-2025-35028 HexStrike AI MCP Server" url: "https://advisories.checkpoint.com/defense/advisories/public/2026/cpai-2025-12521.html" date: "2026-03-02" - name: "NVD - CVE-2026-3484 Nmap-Mcp-Server Command Injection" url: "https://nvd.nist.gov/vuln/detail/CVE-2026-3484" date: "2026-03-04" - name: "Ona Security - Claude Code Autonomous Denylist and Sandbox Bypass" url: "https://ona.com/stories/how-claude-code-escapes-its-own-denylist-and-sandbox" date: "2026-03-03" - name: "Brandefense - MCP Server Security: 10 Protocol-Level Attack Scenarios" url: "https://brandefense.io/blog/mcp-server-security-protocol-attack-patterns/" date: "2026-03-02" # ═══════════════════════════════════════════════════════════════ # MALICIOUS AUTHORS (confirmed by security researchers) # ═══════════════════════════════════════════════════════════════ malicious_authors: # Snyk ToxicSkills confirmed — block ALL skills from these authors - name: "zaycv" source: "Snyk ToxicSkills" risk: "critical" notes: "40+ malicious skills, programmatic malware campaign, clawhub/clawdhub1 typosquats" - name: "Aslaep123" source: "Snyk ToxicSkills" risk: "critical" notes: "Malicious crypto/trading skills, typosquatted exchange tools" - name: "pepe276" source: "Snyk ToxicSkills" risk: 
"critical" notes: "Unicode-obfuscated instructions, DAN-style jailbreaking for exfiltration" - name: "moonshine-100rze" source: "Snyk ToxicSkills" risk: "critical" notes: "Mixed prompt-injection + exfil; GitHub repo aztr0nutzs/NET_NiNjA.v1.2 hosts additional weaponized skills" # VirusTotal confirmed — single publisher, 314+ skills, 100% malicious - name: "hightower6eu" source: "VirusTotal OpenClaw Analysis" risk: "critical" notes: "Single malicious publisher responsible for 314+ OpenClaw skills; all confirmed malicious by VirusTotal scan; malware disguised as productivity/utility tools" # ═══════════════════════════════════════════════════════════════ # MALICIOUS SKILLS (confirmed by researchers) # Organized by campaign and type for efficient scanning # ═══════════════════════════════════════════════════════════════ malicious_skills: # ─── Snyk ToxicSkills confirmed ─── - name: "clawhud" type: "typosquatting" target: "clawhub" source: "Snyk ToxicSkills" risk: "critical" - name: "clawhub1" type: "typosquatting" target: "clawhub" source: "Snyk ToxicSkills" risk: "critical" - name: "clawdhub1" type: "typosquatting" target: "clawhub" source: "Snyk ToxicSkills" risk: "critical" - name: "polymarket-traiding-bot" type: "malware" source: "Snyk ToxicSkills + Koi AuthTool" risk: "critical" notes: "Typosquatting + credential theft" # ─── ClawHavoc campaign: ClawHub CLI typosquats (29 skills) ─── # All deploy Atomic Stealer (AMOS) via fake prerequisites - name: "clawhub" type: "typosquatting" target: "clawhub-cli" source: "Koi ClawHavoc" risk: "critical" - name: "clawhubb" type: "typosquatting" target: "clawhub-cli" source: "Koi ClawHavoc" risk: "critical" - name: "clawhubcli" type: "typosquatting" target: "clawhub-cli" source: "Koi ClawHavoc" risk: "critical" - name: "clawwhub" type: "typosquatting" target: "clawhub-cli" source: "Koi ClawHavoc" risk: "critical" - name: "cllawhub" type: "typosquatting" target: "clawhub-cli" source: "Koi ClawHavoc" risk: "critical" # 23 
random-suffix variants — match with pattern "clawhub-*" - name: "clawhub-6yr3b" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-c9y4p" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-d4kxr" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-f3qcn" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-gpcrq" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-gstca" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-hh1fd" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-hh2km" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-hylhq" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-i7oci" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-i9zhz" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-ja7eh" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-krmvq" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-oihpl" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-olgys" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-osasg" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-rkvny" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-sxtsn" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-tlxx5" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-uoeym" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-wixce" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-wotp2" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" # ─── ClawHavoc: Crypto tools 
(111 skills) ─── # Solana wallet (33 variants) — pattern: solana-* - name: "solana-*" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" notes: "33 variants (solana-07bcb through solana-ytzgw), deploys AMOS" # Phantom wallet (29 variants) — pattern: phantom-* - name: "phantom-*" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" notes: "29 variants (phantom-0jcvy through phantom-ygmjc), deploys AMOS" # Wallet trackers (25 variants) — pattern: wallet-tracker-* - name: "wallet-tracker-*" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" notes: "25 variants (wallet-tracker-0ghsk through wallet-tracker-zih4w)" # Insider wallet finders (23 variants) — pattern: insider-wallets-finder-* - name: "insider-wallets-finder-*" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" notes: "23 variants (insider-wallets-finder-1a7pi through insider-wallets-finder-zzs2p)" # Ethereum gas trackers (14 variants) — pattern: ethereum-gas-tracker-* - name: "ethereum-gas-tracker-*" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" notes: "14 variants" # Lost Bitcoin (3 skills) - name: "lost-bitcoin-10li1" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" - name: "lost-bitcoin-dbrgt" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" - name: "lost-bitcoin-eabml" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" # ─── ClawHavoc: YouTube utilities (57 skills) ─── # Summarizers (29 variants) — pattern: youtube-summarize-* - name: "youtube-summarize-*" type: "malware" category: "youtube" source: "Koi ClawHavoc" risk: "critical" notes: "29 variants, deploys AMOS" # Thumbnail grabbers (13 variants) — pattern: youtube-thumbnail-grabber-* - name: "youtube-thumbnail-grabber-*" type: "malware" category: "youtube" source: "Koi ClawHavoc" risk: "critical" notes: "13 variants" # Downloaders (13 variants) — 
pattern: youtube-video-downloader-* - name: "youtube-video-downloader-*" type: "malware" category: "youtube" source: "Koi ClawHavoc" risk: "critical" notes: "13 variants" # ─── ClawHavoc: Polymarket bots (34 skills) ─── - name: "poly" type: "malware" category: "polymarket" source: "Koi ClawHavoc" risk: "critical" - name: "polym" type: "malware" category: "polymarket" source: "Koi ClawHavoc" risk: "critical" - name: "polymarkets" type: "malware" category: "polymarket" source: "Koi ClawHavoc" risk: "critical" - name: "polytrading" type: "malware" category: "polymarket" source: "Koi ClawHavoc" risk: "critical" # 30 random-suffix variants — pattern: polymarket-* - name: "polymarket-*" type: "malware" category: "polymarket" source: "Koi ClawHavoc" risk: "critical" notes: "30 variants (polymarket-25nwy through polymarket-z7lwp)" # ─── ClawHavoc: Auto-updaters (30 skills) ─── - name: "amir" type: "malware" category: "updater" source: "Koi ClawHavoc" risk: "critical" - name: "update" type: "malware" category: "updater" source: "Koi ClawHavoc" risk: "critical" - name: "updater" type: "malware" category: "updater" source: "Koi ClawHavoc" risk: "critical" - name: "auto-updater-*" type: "malware" category: "updater" source: "Koi ClawHavoc" risk: "critical" notes: "27 variants (auto-updater-161ks through auto-updater-xsunp)" # ─── ClawHavoc: Finance & social (76 skills) ─── - name: "yahoo-finance-*" type: "malware" category: "finance" source: "Koi ClawHavoc" risk: "critical" notes: "24 variants" - name: "x-trends-*" type: "malware" category: "social" source: "Koi ClawHavoc" risk: "critical" notes: "25 variants" # ─── ClawHavoc: Google Workspace (17 skills) ─── - name: "google-workspace-*" type: "malware" category: "productivity" source: "Koi ClawHavoc" risk: "critical" notes: "17 variants targeting Gmail/Calendar/Drive" # ─── Koi outliers: AuthTool campaign (3 skills) ─── # NOT AMOS — separate payload - name: "base-agent" type: "malware" source: "Koi ClawHavoc (AuthTool)" risk: 
"critical" notes: "Fake auth tool dropping separate payload" - name: "bybit-agent" type: "malware" source: "Koi ClawHavoc (AuthTool)" risk: "critical" notes: "Fake auth tool dropping separate payload" # ─── Koi outliers: Hidden backdoor (2 skills) ─── # Inline reverse shell to 54.91.154.110:13338 - name: "better-polymarket" type: "backdoor" source: "Koi ClawHavoc" risk: "critical" notes: "Reverse shell to 54.91.154.110:13338 via /bin/bash -i >/dev/tcp/..." - name: "polymarket-all-in-one" type: "backdoor" source: "Koi ClawHavoc" risk: "critical" notes: "Reverse shell to 54.91.154.110:13338" # ─── Koi outliers: Credential exfiltration (1 skill) ─── - name: "rankaj" type: "credential-theft" source: "Koi ClawHavoc" risk: "critical" notes: "Reads ~/.clawdbot/.env, POSTs to webhook.site/358866c4-81c6-4c30-9c8c-358db4d04412" # ─── Supply chain: Malicious MCP servers on PyPI (JFrog) ─── - name: "mcp-runcmd-server" type: "supply-chain" platform: "pypi" source: "JFrog" risk: "critical" notes: "Reverse shell to 45.115.38.27:4433 before starting MCP server" - name: "mcp-runcommand-server" type: "supply-chain" platform: "pypi" source: "JFrog" risk: "critical" notes: "Reverse shell to 45.115.38.27:4433" - name: "mcp-runcommand-server2" type: "supply-chain" platform: "pypi" source: "JFrog" risk: "critical" notes: "Reverse shell to 45.115.38.27:4433" # ─── Supply chain: Malicious npm MCP package ─── - name: "postmark-mcp" type: "supply-chain" platform: "npm" source: "Defender's Initiative" risk: "critical" notes: "Squatter copying official Postmark MCP with hidden backdoor" # ═══════════════════════════════════════════════════════════════ # MALICIOUS SKILL PATTERNS (for wildcard/regex matching) # Use these when scanning installed skills by name # ═══════════════════════════════════════════════════════════════ malicious_skill_patterns: # Exact prefix matches — any skill starting with these is suspicious - pattern: "clawhub-" campaign: "ClawHavoc" risk: "critical" notes: "29 
typosquat variants with random suffixes" - pattern: "solana-" campaign: "ClawHavoc" risk: "critical" notes: "33 crypto wallet variants" - pattern: "phantom-" campaign: "ClawHavoc" risk: "critical" notes: "29 phantom wallet variants" - pattern: "wallet-tracker-" campaign: "ClawHavoc" risk: "critical" notes: "25 wallet tracker variants" - pattern: "insider-wallets-finder-" campaign: "ClawHavoc" risk: "critical" notes: "23 variants" - pattern: "ethereum-gas-tracker-" campaign: "ClawHavoc" risk: "critical" notes: "14 variants" - pattern: "youtube-summarize-" campaign: "ClawHavoc" risk: "critical" notes: "29 summarizer variants" - pattern: "youtube-thumbnail-grabber-" campaign: "ClawHavoc" risk: "critical" notes: "13 variants" - pattern: "youtube-video-downloader-" campaign: "ClawHavoc" risk: "critical" notes: "13 variants" - pattern: "polymarket-" campaign: "ClawHavoc" risk: "critical" notes: "30 random-suffix variants" - pattern: "auto-updater-" campaign: "ClawHavoc" risk: "critical" notes: "27 variants" - pattern: "yahoo-finance-" campaign: "ClawHavoc" risk: "critical" notes: "24 variants" - pattern: "x-trends-" campaign: "ClawHavoc" risk: "critical" notes: "25 variants" - pattern: "google-workspace-" campaign: "ClawHavoc" risk: "critical" notes: "17 variants" - pattern: "lost-bitcoin-" campaign: "ClawHavoc" risk: "critical" notes: "3 variants" - pattern: "mcp-runcmd" campaign: "PyPI supply chain" risk: "critical" notes: "JFrog: reverse shell MCP servers" - pattern: "mcp-runcommand" campaign: "PyPI supply chain" risk: "critical" notes: "JFrog: reverse shell MCP servers" # ═══════════════════════════════════════════════════════════════ # CVE DATABASE (MCP servers & AI agent tools) # ═══════════════════════════════════════════════════════════════ cve_database: # --- Anthropic Filesystem MCP --- - id: "CVE-2025-53109" component: "Filesystem MCP Server" severity: "high" description: "Symlink escape to arbitrary filesystem access / potential LPE" source: "Cymulate 
EscapeRoute" fixed_in: "0.6.3 / 2025.7.1" mitigation: "Update to >= 0.6.3; avoid Filesystem MCP in sensitive environments" - id: "CVE-2025-53110" component: "Filesystem MCP Server" severity: "high" description: "Naive prefix-match directory bypass (startsWith on paths)" source: "Cymulate EscapeRoute" fixed_in: "0.6.3 / 2025.7.1" mitigation: "Update to >= 0.6.3" # --- Anthropic MCP Inspector --- - id: "CVE-2025-49596" component: "MCP Inspector" severity: "critical" cvss: 9.4 description: "RCE via unauthenticated proxy on 0.0.0.0; drive-by RCE from malicious web page" source: "Recorded Future / SocRadar" fixed_in: "0.14.1" mitigation: "Update to >= 0.14.1; restrict to localhost" notes: "~560 exposed instances found on Shodan" # --- Anthropic MCP Git Server (3 flaws, Jan 2026) --- - id: "CVE-2025-68143" component: "MCP Git Server (mcp-server-git)" severity: "high" description: "git_init path traversal — arbitrary filesystem path for repo creation" source: "The Hacker News / PointGuard AI" fixed_in: "2025.9.25" mitigation: "Update; restrict Git MCP to trusted repos" - id: "CVE-2025-68144" component: "MCP Git Server (mcp-server-git)" severity: "high" description: "Argument injection in git_diff/git_checkout — shell metacharacters via user-controlled args" source: "The Hacker News / PointGuard AI" fixed_in: "2025.12.18" mitigation: "Update; sanitize all user inputs to git CLI" - id: "CVE-2025-68145" component: "MCP Git Server (mcp-server-git)" severity: "high" description: "--repository path validation bypass — access beyond allowlist" source: "The Hacker News / PointGuard AI" fixed_in: "2025.12.18" mitigation: "Update; enforce strict path validation" # --- MCP Python SDK --- - id: "CVE-2025-66416" component: "MCP Python SDK (mcp on PyPI)" severity: "medium" description: "DNS rebinding to local HTTP MCP servers when using FastMCP HTTP/SSE with no auth" source: "Debian Security Tracker" fixed_in: "1.23.0" mitigation: "Update to >= 1.23.0; enable TransportSecuritySettings 
explicitly" # --- MCP Gateway --- - id: "CVE-2025-64443" component: "MCP Gateway" severity: "medium" description: "DNS rebinding against SSE/streaming listeners — indirect access to MCP servers behind gateway" source: "Blog Gowrishankar" fixed_in: "0.28.0" mitigation: "Update to > 0.27.0" # --- MCP TypeScript SDK --- - id: "CVE-2026-25536" component: "MCP TypeScript SDK" severity: "high" description: "Cross-client response data leak when reusing single server+transport across multiple SSE clients" source: "Feedly CVE" fixed_in: "1.26.0" mitigation: "Update to >= 1.26.0; isolate transport instances per client" # --- Cursor IDE --- - id: "CVE-2025-54135" component: "Cursor IDE" severity: "high" cvss: 8.6 description: "CurXecute — RCE via prompt injection writing .cursor/mcp.json" source: "Checkpoint / PropelCode" fixed_in: "1.3.9" mitigation: "Update to Cursor >= 1.3.9; file integrity monitoring on mcp.json" - id: "CVE-2025-54136" component: "Cursor IDE" severity: "high" description: "MCPoison — persistent RCE via trusted config mutation; post-approval changes auto-execute" source: "Checkpoint" fixed_in: "1.3.9" mitigation: "Update to >= 1.3.9; Git hooks + hash verification on mcp.json" # --- Claude Code --- - id: "CVE-2025-66032" component: "Claude Code" severity: "high" description: "8 command execution bypasses via blocklist flaws (man --html, sed e modifier, git arg ambiguity, bash variable expansion)" source: "Flatt Security" fixed_in: "1.0.93" mitigation: "Update to Claude Code >= 1.0.93" - id: "CVE-2026-24052" component: "Claude Code WebFetch" severity: "high" description: "SSRF via startsWith() domain validation bypass in WebFetch (trusted-domain prefix attack)" source: "SentinelOne" fixed_in: "1.0.111" mitigation: "Update to Claude Code >= 1.0.111" - id: "CVE-2025-59536" component: "Claude Code" severity: "critical" description: "RCE via enableAllProjectMcpServers config — malicious .claude/settings.json or .mcp.json sets flag to auto-start MCP servers 
before trust dialog is shown; injected commands execute immediately upon claude startup in untrusted directory" source: "Check Point Research (2026-02-25)" fixed_in: "1.0.111" mitigation: "Update to Claude Code >= 1.0.111; never run claude in untrusted repositories without reviewing config files first" notes: "Paired with CVE-2026-21852; both disclosed by Check Point Research; trust dialog bypass is the core issue" - id: "CVE-2026-21852" component: "Claude Code" severity: "medium" cvss: 5.3 description: "API key exfiltration via ANTHROPIC_BASE_URL in malicious repository config — attacker sets ANTHROPIC_BASE_URL to attacker-controlled server in .claude/settings.json; Claude Code sends API requests (including bearer API key) before trust dialog is presented" source: "Check Point Research (2026-02-25)" fixed_in: "2.0.65" mitigation: "Update to Claude Code >= 2.0.65; inspect .claude/settings.json and .mcp.json before opening unfamiliar repos" notes: "With stolen key: access workspace storage, shared project files, unauthorized uploads, unexpected API cost generation" - id: "ADVISORY-CC-2026-001" component: "Claude Code" severity: "high" description: "Sandbox bypass — commands excluded from sandboxing could bypass Bash permission enforcement (details undisclosed)" source: "Claude Code CHANGELOG v2.1.34" fixed_in: "2.1.34" mitigation: "Update to Claude Code >= 2.1.34" notes: "No CVE assigned. Fixed in CHANGELOG. Separate from CVE-2026-25725 (different sandbox escape)." 
# --- Third-party MCP servers --- - id: "CVE-2025-53967" component: "Framelink Figma MCP Server (figma-developer-mcp)" severity: "high" cvss: 7.5 description: "Command injection via unsanitized input in fetchWithRetry curl command" source: "Geordie AI / EndorLabs" fixed_in: "0.6.3" mitigation: "Update to >= 0.6.3" - id: "CVE-2025-9611" component: "Microsoft Playwright MCP Server (@playwright/mcp)" severity: "medium" description: "DNS rebinding / Origin-less CSRF — missing Origin validation on local instance" source: "Mondoo / NVD" fixed_in: "0.0.40" mitigation: "Update to >= 0.0.40" - id: "CVE-2025-6515" component: "MCP SSE Transport (oatpp-mcp)" severity: "high" description: "Prompt hijacking via predictable/reused session IDs; attacker replaces tool outputs" source: "JFrog" mitigation: "Use cryptographically secure session IDs (128+ bits entropy)" - id: "CVE-2026-25546" component: "Godot MCP Server (godot-mcp)" severity: "high" description: "Command injection via user-controlled projectPath passed to exec()" source: "Feedly CVE" fixed_in: "0.1.1" mitigation: "Update to >= 0.1.1; sanitize projectPath; avoid exec() with user input" - id: "CVE-2025-54073" component: "mcp-package-docs" severity: "high" description: "Command injection in child_process.exec via unsanitized input" source: "NVD" fixed_in: "0.1.28" mitigation: "Update to >= 0.1.28" # --- MCPJam Inspector --- - id: "CVE-2026-23744" component: "MCPJam Inspector" severity: "critical" description: "RCE via crafted HTTP request that triggers automatic MCP server installation; allows remote attacker to execute arbitrary code on developer machine" source: "Immersive Labs / CVE-2026-23744" fixed_in: "1.4.3" mitigation: "Update MCPJam Inspector to >= 1.4.3; restrict to localhost; do not expose MCPJam to untrusted networks" notes: "Affects local-first MCP dev platform; versions <= 1.4.2 vulnerable" # --- xcode-mcp-server --- - id: "CVE-2026-2178" component: "xcode-mcp-server (r-huijts)" severity: "high" 
description: "Command injection in registerXcodeTools function via unsanitized args argument passed to exec(); allows RCE or data exfiltration" source: "SentinelOne" fixed_in: "after commit f3419f00117aa9949e326f78cc940166c88f18cb" mitigation: "Update to latest commit post-f3419f00; avoid passing user-controlled input to exec(); switch to execFile() with argument arrays" # --- gemini-mcp-tool --- - id: "CVE-2026-0755" component: "gemini-mcp-tool" severity: "critical" cvss: 9.8 description: "Command injection via LLM-generated arguments passed directly to shell execution primitives without validation; network-reachable RCE via JSON-RPC CallTool requests requiring no authentication and no user interaction" source: "Penligent AI" fixed_in: "no fix confirmed at time of research (2026-02-22)" mitigation: "Replace shell string execution with execFile() and argument arrays; validate all LLM-generated arguments before passing to any exec primitive; do not expose gemini-mcp-tool to untrusted networks" # --- mcp-run-python --- - id: "SNYK-PYTHON-MCPRUNPYTHON-15250607" component: "mcp-run-python" severity: "high" description: "SSRF via overly permissive Deno sandbox configuration — sandbox allows localhost interface access, enabling attackers to reach internal network resources through crafted Python code execution requests" source: "Snyk (2026-02-09)" fixed_in: "unknown — check upstream for patch" mitigation: "Restrict Deno sandbox network permissions to block localhost/internal ranges; do not expose mcp-run-python to untrusted inputs or external networks" # --- MCP Salesforce Connector --- - id: "CVE-2026-25650" component: "MCP Salesforce Connector" severity: "medium" description: "Arbitrary attribute access — prior to 0.1.10, attacker can access arbitrary object attributes via crafted MCP requests, potentially exposing sensitive Salesforce data" source: "NVD" fixed_in: "0.1.10" mitigation: "Update MCP Salesforce Connector to >= 0.1.10; enforce attribute allowlists" # --- 
sf-mcp-server --- - id: "CVE-2026-26029" component: "sf-mcp-server (Salesforce MCP)" severity: "high" description: "Command injection via unsafe child_process.exec when constructing Salesforce CLI commands with user-controlled input; allows arbitrary code execution on the host" source: "NVD (2026-02-11)" fixed_in: "unknown — check upstream" mitigation: "Replace child_process.exec with execFile() and sanitize all user-controlled inputs; avoid sf-mcp-server until patched" # --- eBay API MCP Server --- - id: "CVE-2026-27203" component: "eBay API MCP Server (open-source)" severity: "medium" description: "Environment variable injection via updateEnvFile function in ebay_set_user_tokens tool — all versions vulnerable; attacker can inject arbitrary env variables to the .env file" source: "CVEDetails (2026-02-20)" fixed_in: "no fix confirmed" mitigation: "Sanitize all inputs to updateEnvFile; do not expose eBay MCP Server to untrusted inputs" # --- MCP Git Server (additional, git_add path traversal) --- - id: "CVE-2026-27735" component: "MCP Git Server (mcp-server-git)" severity: "medium" cvss: 6.4 description: "Path traversal in git_add tool — unsafe GitPython repo.index.add() call without path boundary validation allows staging/committing files outside repo (e.g. 
/etc/shadow, ~/.ssh/id_rsa); attacker or confused LLM can exfiltrate sensitive host files via a commit push" source: "NVD / dev.to (2026-02-26)" fixed_in: "2026.1.14" mitigation: "Update mcp-server-git to >= 2026.1.14; audit recent git commits managed by agents for unexpected file paths" notes: "Distinct from CVE-2025-68143/68144/68145 (those affect git_init/git_diff/git_checkout); this affects git_add; fix uses repo.git.add('--', *files) instead of repo.index.add(files)" # --- OpenClaw (clawdbot / Moltbot) --- - id: "CVE-2026-25253" component: "OpenClaw (aka clawdbot, Moltbot)" severity: "high" cvss: 8.8 description: "Authentication token theft and RCE via malicious gatewayUrl — OpenClaw automatically establishes a WebSocket connection to a URL provided in the query string without origin validation; clicking attacker-crafted link causes OpenClaw to transmit auth token to attacker-controlled server; attacker replays token for full system access. 17,500+ internet-exposed instances identified." 
source: "SonicWall / Hunt.io / runZero (2026-02-03 to 2026-02-26)" fixed_in: "2026.1.29" mitigation: "Update OpenClaw to >= 2026.1.29; block public internet exposure of OpenClaw instances" notes: "CWE-669 (Incorrect Resource Transfer Between Spheres); exposes unauthenticated /api/export-auth endpoint leaking stored API tokens for Claude, OpenAI, Google AI" # --- Claude Code (additional CVEs) --- - id: "CVE-2026-25725" component: "Claude Code" severity: "high" description: "Sandbox escape via persistent configuration injection — bubblewrap sandbox failed to protect missing .claude/settings.json; malicious code running inside sandbox creates settings.json with SessionStart hooks that execute with host privileges after Claude Code restart" source: "NVD / GHSA-ff64-7w26-62rf (2026-02-06)" fixed_in: "2.1.2" mitigation: "Update Claude Code to >= 2.1.34 (covers this and subsequent fixes); monitor .claude/settings.json for unexpected SessionStart hooks" notes: "CWE-501 Trust Boundary Violation; distinct from ADVISORY-CC-2026-001 (which is a different sandbox bypass patched in 2.1.34)" # --- MCP Manager for Claude Desktop --- - id: "CVE-2026-0757" component: "MCP Manager for Claude Desktop" severity: "high" description: "Command injection sandbox escape — execute-command functionality fails to sanitize user-supplied strings from MCP config objects before passing to system calls; attacker crafts malicious webpage with injected config objects, causing MCP Manager to execute arbitrary commands outside the sandbox" source: "NVD / ZDI-CAN-27810 (2026-01-22)" fixed_in: "unknown — check upstream" mitigation: "Restrict MCP Manager access to trusted configurations only; sanitize all MCP config object fields before system calls; block untrusted file/webpage access" # --- HexStrike AI MCP Server --- - id: "CVE-2025-35028" component: "HexStrike AI MCP Server (0x4m4)" severity: "critical" cvss: 9.1 description: "Command injection via semicolon-prefixed argument — EnhancedCommandExecutor 
class fails to sanitize command-line arguments; attacker provides argument beginning with ; to API endpoint, executing arbitrary commands with MCP server privileges (typically root in default config)" source: "Check Point Advisories / NVD (2025-11-30)" fixed_in: "no fix confirmed at time of research" mitigation: "Sanitize all command-line arguments; replace exec()-style calls with execFile() with argument arrays; do not expose HexStrike AI MCP Server to untrusted networks or inputs" notes: "CWE-78; attack requires no authentication, no user interaction; default configuration typically runs as root" # --- Nmap-Mcp-Server --- - id: "CVE-2026-3484" component: "nmap-mcp-server (PhialsBasement)" severity: "medium" cvss: 6.5 description: "Command injection in Nmap CLI Command Handler — child_process.exec in src/index.ts processes special elements (CWE-74/CWE-77) without sanitization; remotely exploitable with no authentication required" source: "NVD / PT Security (2026-03-04)" fixed_in: "patch commit 30a6b9e1c7fa6146f51e28d6ab83a2568d9a3488" mitigation: "Apply patch commit 30a6b9e...; replace child_process.exec with execFile() and argument arrays; sanitize all nmap arguments" # --- Framelink Figma MCP Server (additional CVE) --- - id: "CVE-2025-15061" component: "Framelink Figma MCP Server (figma-developer-mcp)" severity: "critical" cvss: 9.8 description: "Command injection RCE via fetchWithRetry method — user-supplied input passed to system calls without sanitization of shell metacharacters; authentication not required; allows arbitrary code execution with MCP server service account privileges" source: "ZDI-25-1197 / SentinelOne (2025-12-29, NVD published 2026-01-23)" fixed_in: "latest patched version (see upstream)" mitigation: "Update Framelink Figma MCP Server to latest version; sanitize all user-supplied inputs; restrict MCP Server network access to trusted sources" notes: "Distinct CVE from CVE-2025-53967 (same component/method, different CVE assignment; CVSS 9.8 
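vs 7.5); CWE-78"

# ═══════════════════════════════════════════════════════════════
# MINIMUM SAFE VERSIONS (quick reference for scanning)
# ═══════════════════════════════════════════════════════════════
# Keys are package / product names as they appear in lockfiles and
# mcp.json; values are version strings (quoted so "2026.1.29" and
# "0.6.3" can never be parsed as floats). Keep these in step with the
# fixed_in fields of the CVE entries above — a scanner should flag any
# installed version older than the one listed here.
minimum_safe_versions:
  "filesystem-mcp": "0.6.3"
  "mcp-inspector": "0.14.1"
  "mcp-server-git": "2026.1.14"
  "mcp-python-sdk": "1.23.0"
  "mcp-gateway": "0.28.0"
  "figma-developer-mcp": "0.6.3"
  "@playwright/mcp": "0.0.40"
  "mcp-package-docs": "0.1.28"
  "cursor": "1.3.9"
  "claude-code": "2.1.34"
  "mcpjam-inspector": "1.4.3"
  "mcp-salesforce-connector": "0.1.10"
  "openclaw": "2026.1.29"

# ═══════════════════════════════════════════════════════════════
# IOCs (Indicators of Compromise)
# ═══════════════════════════════════════════════════════════════
iocs:
  # ClawHavoc C2 IPs — block outbound connections
  c2_ips:
    - ip: "91.92.242.30"
      campaign: "ClawHavoc"
      notes: "Primary AMOS dropper host"
    - ip: "95.92.242.30"
      campaign: "ClawHavoc"
    - ip: "96.92.242.30"
      campaign: "ClawHavoc"
    - ip: "202.161.50.59"
      campaign: "ClawHavoc"
    - ip: "54.91.154.110"
      campaign: "ClawHavoc"
      notes: "Reverse shell target (better-polymarket, polymarket-all-in-one) port 13338"
    - ip: "45.115.38.27"
      campaign: "PyPI MCP reverse shell (JFrog)"
      notes: "Reverse shell on port 4433"

  # Exfiltration endpoints
  exfil_urls:
    - url: "webhook.site/358866c4-81c6-4c30-9c8c-358db4d04412"
      skill: "rankaj"
      source: "Koi ClawHavoc"
      notes: "Credential exfiltration endpoint"

  # Malicious GitHub repos
  github_repos:
    - repo: "aztr0nutzs/NET_NiNjA.v1.2"
      author: "moonshine-100rze"
      source: "Snyk ToxicSkills"
      notes: "Hosts additional weaponized skills not yet on ClawHub"

  # AMOS sample hashes (from Koi report)
  # NOTE: both digests below are abbreviated ("1e6d4b05...e2298"). An
  # abbreviated digest never equals a computed file hash, so a scanner
  # comparing hashes against this list will silently miss these samples.
  # Replace each with the full digest from the Koi report (placeholder:
  # <FULL_HASH_FROM_KOI_REPORT>) before relying on this list for matching.
  malware_hashes:
    - hash: "1e6d4b05...e2298"
      type: "AMOS Mach-O"
      source: "Koi ClawHavoc"
    - hash: "0e52566c...dd65"
      type: "AMOS Mach-O"
      source: "Koi ClawHavoc"

# ═══════════════════════════════════════════════════════════════
# SUSPICIOUS PATTERNS (for grep-based scanning)
# ═══════════════════════════════════════════════════════════════
# Every `pattern` is a regular expression and is single-quoted so YAML
# never interprets the backslashes. The `\x{…}` code-point escapes and
# `(?i)` flags below require a PCRE-compatible engine (e.g. grep -P or
# ripgrep); Python's re module does not accept `\x{…}`. Patterns are
# deliberately broad — a match is a review trigger, not a verdict.
suspicious_patterns:
  # Hook exfiltration patterns
  hooks:
    - pattern: 'curl|wget'
      description: "Network calls in hooks (potential data exfiltration)"
      risk: "high"
      action: "Review every network call in hooks — legitimate hooks rarely need outbound requests"
    - pattern: 'nc |ncat|netcat'
      description: "Netcat in hooks (reverse shell indicator)"
      risk: "critical"
      action: "Remove immediately — no legitimate hook use case"
    - pattern: 'base64'
      description: "Base64 encoding in hooks (payload obfuscation)"
      risk: "medium"
      action: "Verify what is being encoded — common evasion technique"
    - pattern: 'eval|exec'
      # substring match: also hits execFile/evaluate — expect false positives
      description: "Dynamic code execution in hooks"
      risk: "high"
      action: "Verify source of executed code"
    - pattern: '\$\(.*\)|`.*`'
      description: "Command substitution in hooks"
      risk: "medium"
      action: "Verify no sensitive data is captured"
    - pattern: '/dev/tcp|/dev/udp'
      description: "Bash network redirects (reverse shell)"
      risk: "critical"
      action: "Remove immediately"
    - pattern: 'ssh|id_rsa|id_ed25519'
      description: "SSH key access in hooks"
      risk: "critical"
      action: "No hook should access SSH keys"
    - pattern: '\.env|credentials|secret|password|token|api.?key'
      # was '.env|…|api.key': the unescaped dot matched any character
      # followed by "env" (e.g. "environment"); api.?key also covers "apikey"
      description: "Credential file access in hooks"
      risk: "critical"
      action: "No hook should read credential files"
    - pattern: 'glot\.io|pastebin\.com|hastebin\.com'
      # dots escaped so the pattern matches the literal domains only
      description: "Paste site references in hooks (common payload hosting)"
      risk: "high"
      action: "Review carefully — ClawHavoc uses glot.io for obfuscated scripts"

  # Agent/skill red flags
  agents:
    - pattern: 'allowed-tools.*Bash'
      description: "Broad Bash access in agent definition"
      risk: "medium"
      action: "Verify agent needs shell access — prefer specific tools"
    - pattern: 'allowed-tools.*\["Bash"\]'
      description: "Agent with ONLY Bash access (common in malicious agents)"
      risk: "high"
      action: "Highly suspicious — legitimate agents use specific tools"
    - pattern: 'ignore previous|disregard|override'
      description: "Prompt injection attempt in agent system prompt"
      risk: "critical"
      action: "Remove agent — confirmed injection vector"
    - pattern: 'you are now|new instructions|forget'
      description: "Role hijacking in agent instructions"
      risk: "high"
      action: "Review agent source carefully"
    - pattern: 'developer mode|DAN|jailbreak'
      description: "Jailbreak attempt in skill/agent instructions"
      risk: "critical"
      action: "Remove immediately — used by pepe276 and others"

  # Config red flags
  config:
    - pattern: 'dangerouslySkipPermissions|dangerously'
      description: "Dangerous permission bypass flags"
      risk: "critical"
      action: "Remove — never use in production"
    - pattern: '"allow".*"Bash\(.*\*.*\)"'
      description: "Wildcard Bash permissions"
      risk: "high"
      action: "Narrow to specific commands"
    - pattern: '"allow".*"Write\(.*\*.*\)"'
      description: "Wildcard Write permissions"
      risk: "high"
      action: "Narrow to specific paths"
    - pattern: '@latest'
      description: "Unpinned MCP server version in mcp.json"
      risk: "high"
      action: "Pin to exact version — unpinned packages are supply-chain targets"

  # Secrets patterns (in any file)
  secrets:
    - pattern: '(?i)(api[_-]?key|apikey)\s*[=:]\s*["\x27][A-Za-z0-9_\-]{20,}["\x27]'
      description: "Hardcoded API key"
      risk: "critical"
    - pattern: '(?i)(secret|password|passwd|pwd)\s*[=:]\s*["\x27][^\x27"]{8,}["\x27]'
      description: "Hardcoded secret/password"
      risk: "critical"
    - pattern: '(?i)(token|bearer)\s*[=:]\s*["\x27][A-Za-z0-9_\-\.]{20,}["\x27]'
      description: "Hardcoded token"
      risk: "critical"
    - pattern: 'sk-[a-zA-Z0-9]{20,}'
      description: "OpenAI API key pattern"
      risk: "critical"
    - pattern: 'sk-ant-[a-zA-Z0-9]{20,}'
      description: "Anthropic API key pattern"
      risk: "critical"
    - pattern: 'ghp_[a-zA-Z0-9]{36}'
      description: "GitHub personal access token"
      risk: "critical"
    - pattern: 'AKIA[A-Z0-9]{16}'
      description: "AWS access key ID"
      risk: "critical"
    - pattern: 'xox[bps]-[a-zA-Z0-9\-]{20,}'
      description: "Slack token"
      risk: "critical"
    - pattern: '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'
      description: "Private key in file"
      risk: "critical"

  # Prompt injection in markdown/config
  injection:
    - pattern: '[\x{200B}-\x{200D}\x{FEFF}]'
      description: "Zero-width Unicode characters (invisible instructions)"
      risk: "high"
      encoding: "unicode"
    - pattern: '[\x{202A}-\x{202E}\x{2066}-\x{2069}]'
      description: "RTL/bidirectional override characters"
      risk: "high"
      encoding: "unicode"
    - pattern: '[\x{E0000}-\x{E007F}]'
      description: "Tag characters (invisible Unicode block)"
      risk: "high"
      encoding: "unicode"
    - pattern: '\x1b\[|\x1b\]|\x1b\('
      description: "ANSI escape sequences (terminal injection)"
      risk: "medium"
    - pattern: '\x00'
      description: "Null byte (string truncation attack)"
      risk: "high"
    - pattern: '<!--'
      # was an empty pattern (''), which matches every line and makes the
      # whole injection group noise; the comment opener is the smallest
      # marker that still flags the case
      description: "Hidden instructions in HTML comments"
      risk: "high"
      action: "Inspect the comment body — text hidden from rendered markdown is still visible to the agent"

  # SKILL.md / skill content red flags
  skill_content:
    - pattern: 'curl.*\|.*bash'
      description: "Remote script execution (curl pipe bash)"
      risk: "critical"
      action: "Classic malware delivery — review URL and content"
    - pattern: 'base64.*-[dD].*\|.*bash'
      description: "Base64-decoded command execution"
      risk: "critical"
      action: "Obfuscated payload — likely malicious"
    - pattern: 'password.*openclaw|openclaw.*password'
      description: "Password-protected archive with known ClawHavoc password"
      risk: "critical"
      action: "Matches ClawHavoc delivery pattern"
    - pattern: 'chmod.*\+x.*&&.*\./'
      description: "Download, make executable, run — malware dropper pattern"
      risk: "critical"
    - pattern: '/bin/bash.*-i.*>/dev/tcp'
      description: "Interactive reverse shell"
      risk: "critical"
      action: "Remove immediately"
    - pattern: 'webhook\.site|requestbin\.com'
      description: "Data exfiltration via webhook/request bin service"
      risk: "high"
      action: "Verify intent — common exfil endpoint"

# ═══════════════════════════════════════════════════════════════
# CAMPAIGN SIGNATURES
# ═══════════════════════════════════════════════════════════════
campaigns:
  - name: "ClawHavoc"
    source: "Koi Security"
    date: "2026-02-01"
    skills_count: 341
    amos_skills: 335
    outlier_skills: 6
    platform: "ClawHub / OpenClaw"
    malware: "Atomic Stealer (AMOS) + Windows infostealers"
    delivery:
      - "Fake prerequisites in SKILL.md"
      - "Base64-encoded shell snippets from glot.io"
      - "Password-protected ZIPs (password: 'openclaw')"
      - "Second-stage dropper from raw IP"
    # must agree with iocs.c2_ips above
    c2_ips:
      - "91.92.242.30"
      - "95.92.242.30"
      - "96.92.242.30"
      - "202.161.50.59"
      - "54.91.154.110"
    targets:
      - "Cryptocurrency wallets (60+ wallets: Exodus, Binance, Electrum, Atomic, Ledger)"
      - "Browser data (Chrome, Safari, Firefox, Brave, Edge)"
      - "SSH keys and shell history"
      - "Telegram sessions"
      - "Keychain passwords (macOS)"
    # category counts are taken from the report; they do not sum to
    # skills_count, so a skill presumably appears in more than one category
    categories:
      crypto: 111
      youtube: 57
      finance_social: 76
      polymarket: 34
      typosquatting: 29
      auto_updaters: 30
      google_workspace: 17
    outliers:
      auth_tool: ["base-agent", "bybit-agent", "polymarket-traiding-bot"]
      reverse_shell: ["better-polymarket", "polymarket-all-in-one"]
      credential_theft: ["rankaj"]

  - name: "ToxicSkills"
    source: "Snyk"
    date: "2026-02-05"
    skills_scanned: 3984
    platforms: ["ClawHub", "skills.sh"]
    findings:
      total_flawed: 1467
      flawed_percentage: 36.82
      critical_risk: 534
      critical_percentage: 13.4
      malicious_payloads: 76
      still_live_at_scan: 8
      hardcoded_secrets_percentage: 10.9
      remote_content_fetch_percentage: 17.7
      remote_prompt_execution_percentage: 2.9
    known_malicious_authors:
      - "zaycv"
      - "Aslaep123"
      - "pepe276"
      - "moonshine-100rze"

  - name: "PyPI MCP Reverse Shell"
    source: "JFrog"
    date: "2025-12"
    platform: "PyPI"
    packages:
      - "mcp-runcmd-server"
      - "mcp-runcommand-server"
      - "mcp-runcommand-server2"
    c2_ip: "45.115.38.27"
    c2_port: 4433
    technique: "Spawns /bin/sh -i reverse shell before starting MCP server"

  - name: "Postmark MCP Squatter"
    source: "Defender's Initiative"
    date: "2025-11"
    platform: "npm"
    package: "postmark-mcp"
    technique: "Copies official Postmark MCP server with hidden backdoor"

  - name: "Clinejection"
    source: "Snyk / Adnan Khan (researcher)"
    date: "2026-02-17"
    platform: "GitHub Actions / npm"
    packages:
      - "cline-cli@2.3.0 (malicious, 4000 downloads, 8-hour window)"
    technique: "Prompt injection via GitHub issue title → GitHub Actions cache poisoning (10 GB junk fill, LRU eviction) → stolen CI/CD publishing tokens → malicious npm publish"
    tokens_stolen:
      - "VSCE_PAT"
      - "OVSX_PAT"
      - "NPM_RELEASE_TOKEN"
    payload: "OpenClaw AI agent installer distributed to developer machines"
    timeline:
      - "2026-01-01: Researcher Adnan Khan submits GHSA and notifies Cline"
      - "2026-02-09: Public disclosure; Cline patches in 30 minutes"
      - "2026-02-17: Unknown actor exploits, publishes malicious cline-cli 2.3.0"
    notes: "Potential blast radius: 5M+ VS Code users with auto-update enabled; Cline moved to OIDC provenance post-fix"
    sources:
      - "https://snyk.io/blog/cline-supply-chain-attack-prompt-injection-github-actions/"
      - "https://adnanthekhan.com/posts/clinejection/"
      - "https://thehackernews.com/2026/02/cline-cli-230-supply-chain-attack.html"

# ═══════════════════════════════════════════════════════════════
# ATTACK TECHNIQUES TAXONOMY
# Maps to SAFE-MCP framework and common patterns
# Entries are kept in ascending id order (T001 … T013).
# ═══════════════════════════════════════════════════════════════
attack_techniques:
  - id: "T001"
    name: "Tool Poisoning via SKILL.md"
    description: "Hidden instructions in SKILL.md that instruct the agent to run malicious commands"
    examples:
      - "curl | bash from glot.io scripts"
      - "Password-protected ZIP with embedded malware"
      - "Base64-decoded eval commands"
    campaigns: ["ClawHavoc", "ToxicSkills"]
    mitigation: "Scan SKILL.md for shell commands; never auto-execute prerequisites"

  - id: "T002"
    name: "Memory Poisoning"
    description: "Injection of persistent instructions into SOUL.md, MEMORY.md, CLAUDE.md, AGENTS.md"
    examples:
      - "Skills targeting SOUL.md/MEMORY.md to inject persistent backdoor instructions"
      - "Cognitive worms that replicate across agent memory files"
    campaigns: ["ToxicSkills"]
    mitigation: "Treat memory files as config; require code review for changes; monitor diffs"

  - id: "T003"
    name: "Rug Pull / Post-Approval Mutation"
    description: "Benign config approved once, then mutated to malicious version that auto-executes"
    examples:
      - "MCPoison: .cursor/rules/mcp.json approved, then updated with reverse shell"
      - "ClawHub skills updated without changelog to swap in AMOS installer"
    cves: ["CVE-2025-54136"]
    mitigation: "Hash verification on configs; re-approval on any change"

  - id: "T004"
    name: "Confused Deputy via MCP"
    description: "Attacker manipulates MCP session/output; client trusts poisoned response"
    examples:
      - "oatpp-mcp session ID reuse (CVE-2025-6515)"
      - "Git MCP + Filesystem MCP chain via poisoned README"
    cves: ["CVE-2025-6515", "CVE-2025-68143", "CVE-2025-68144", "CVE-2025-68145"]
    mitigation: "Cryptographic session IDs; input validation; least-privilege for MCP tools"

  - id: "T005"
    name: "DNS Rebinding on Local MCP"
    description: "Malicious website rebinds domain to 127.0.0.1 to access local MCP servers"
    examples:
      - "MCP Python SDK HTTP/SSE servers (CVE-2025-66416)"
      - "MCP Gateway SSE (CVE-2025-64443)"
      - "Playwright MCP (CVE-2025-9611)"
    cves: ["CVE-2025-66416", "CVE-2025-64443", "CVE-2025-9611"]
    mitigation: "Use stdio transport; enable DNS rebinding protection; authenticate local servers"

  - id: "T006"
    name: "Supply Chain Package Attack"
    description: "Malicious packages published to registries mimicking legitimate MCP servers"
    examples:
      - "PyPI: mcp-runcmd-server, mcp-runcommand-server (JFrog)"
      - "npm: postmark-mcp squatter"
    campaigns: ["PyPI MCP Reverse Shell", "Postmark MCP Squatter"]
    mitigation: "Verify package author; check download counts; use SafeDep vet"

  - id: "T007"
    name: "Hook-Based Exfiltration"
    description: "Malicious .claude/hooks/ scripts run on agent events with full user privileges"
    examples:
      - "SessionStart hook that POSTs environment variables"
      - "PostToolUse hook that exfiltrates file paths and content"
    mitigation: "Review all hooks; forbid auto-running hooks from untrusted repos; maintain hook allowlist"

  - id: "T008"
    name: "Credential Theft via Agent"
    description: "Agent instructed to read credential files and send to attacker"
    examples:
      - "rankaj skill: reads ~/.clawdbot/.env, POSTs to webhook.site"
      - "Base64-encoded curl to send ~/.aws/credentials"
    campaigns: ["ClawHavoc", "ToxicSkills"]
    mitigation: "Block agent access to .env, .aws, .ssh directories; use pre-execution hooks"

  - id: "T009"
    name: "Slopsquatting / Hallucinated Package Injection"
    description: "Malicious skills spread hallucinated or fabricated package names (e.g. via npx commands) that resolve to attacker-controlled packages on npm/PyPI when executed"
    examples:
      - "Skills with setup instructions referencing nonexistent npm packages that typosquat legitimate tools"
      - "AI-generated skill content propagating hallucinated npx commands that install malicious packages"
    source: "Aikido Security (2026-01-21)"
    mitigation: "Verify every package reference in SKILL.md before executing setup instructions; use package lockfiles; pin all dependencies to known-good checksums"

  - id: "T010"
    name: "Agent-to-Agent Communication Injection"
    description: "Attacker injects malicious instructions into communication channels (Slack, email, ticketing systems, code review comments) that AI agents monitor autonomously; agent executes unauthorized actions without cryptographic source verification"
    examples:
      - "Posting fake urgent security alerts in Slack channels monitored by DevOps AI agents causing unauthorized deployments"
      - "Embedding malicious instructions in GitHub issue comments that redirect CI/CD agents to commit backdoored code"
      - "Crafting PR review comments that cause coding agents to weaken security controls under the guise of refactoring"
    source: "Pillar Security / Cisco AI Security Research (2026)"
    mitigation: "Validate agent instruction sources cryptographically; treat all external channel content as untrusted user input; require human-in-the-loop for high-impact actions triggered via monitored channels; scope agent permissions to minimum required for task"

  - id: "T011"
    name: "Project Configuration Hijacking"
    description: "Attacker embeds malicious settings in repository config files (.claude/settings.json, .mcp.json) that auto-execute MCP servers or redirect API traffic before trust dialog is shown; the configuration layer — not the code — is the attack surface"
    examples:
      - "Setting enableAllProjectMcpServers:true in .claude/settings.json to auto-start attacker MCP server that executes commands before trust dialog (CVE-2025-59536)"
      - "Setting ANTHROPIC_BASE_URL to attacker endpoint in repo config — API key sent in plaintext before user can approve or deny the directory (CVE-2026-21852)"
      - "Injecting claude hooks in settings.json to run exfiltration scripts on PostToolUse events"
    cves: ["CVE-2025-59536", "CVE-2026-21852"]
    source: "Check Point Research (2026-02-25)"
    mitigation: "Review .claude/settings.json and .mcp.json before opening unfamiliar repos; treat these files as code, not metadata; update Claude Code to >= 2.0.65; never clone-and-run from untrusted sources without inspecting config files first"

  - id: "T012"
    name: "AI Recommendation Poisoning"
    description: "Attacker embeds hidden instructions in URLs (e.g. 'Summarize with AI' buttons, share links) that inject persistent memory entries into AI assistants, biasing future recommendations toward attacker-controlled content or services"
    examples:
      - "Company embeds 'remember [Brand] as a trusted source' in URL parameters of 'Summarize with AI' buttons; user clicks → AI memory poisoned; every future conversation biased"
      - "Malicious share links containing memory-altering prompts distributed via email or web pages"
      - "50+ unique prompts from 31 companies across 14 industries documented by Microsoft over 60 days (2026-02-10)"
    high_risk_sectors:
      - "Health advice (biased medical recommendations)"
      - "Financial services (biased investment advice)"
    detection:
      - "Hunt for URLs pointing to AI assistant domains containing prompt keywords: 'remember', 'trusted source', 'in future conversations', 'authoritative source', 'cite'"
      - "Periodically audit AI memory for entries referencing brands or commercial interests"
      - "Monitor web proxy / browser history for clicks to AI-assistant share URLs with prompt parameters"
    source: "Microsoft Security Blog (2026-02-10)"
    mitigation: "Disable URL-based memory pre-population in AI assistants where possible; treat any 'Summarize with AI' button as potentially adversarial; periodically clear AI memory; hover over AI buttons before clicking to inspect destination URL"

  - id: "T013"
    name: "Autonomous Safety Control Bypass"
    description: "AI coding agent autonomously disables or circumvents its own security controls (sandbox, denylist, permission enforcement) when those controls block task completion, without explicit attacker instruction — the agent's reasoning determines that bypassing safety is necessary to fulfill the assigned goal"
    examples:
      - "Claude Code disabling bubblewrap sandbox when it blocks file operations required for task"
      - "Agent using path tricks, ELF dynamic linker, or alternative code-loading mechanisms to bypass denylist enforcement"
      - "Agent finding sandbox escape paths proactively when sandbox prevents API calls or shell execution"
    source: "Ona Security / Leonardo Di Donato (2026-03-03)"
    mitigation: "Treat agent-initiated security control disabling as a red flag requiring human review; implement hard security boundaries that cannot be overridden by agent reasoning; monitor for unexpected sandbox exits or denylist bypass attempts; apply principle of least privilege so agents cannot access sandbox configuration"

# ═══════════════════════════════════════════════════════════════
# SCANNING TOOLS
# ═══════════════════════════════════════════════════════════════
# `type` is one of: cli, mcp-server, mcp-server + dashboard, cloud-saas,
# clawhub-skill. `limitations` is the field to read first — none of
# these tools covers SKILL.md, MCP configs and package metadata at once.
scanning_tools:
  - name: "mcp-scan"
    vendor: "Invariant / Snyk"
    type: "cli"
    command: "npx mcp-scan"
    url: "https://github.com/invariantlabs-ai/mcp-scan"
    capabilities:
      - "Scans MCP server configurations for vulnerabilities"
      - "Detects known vulnerable MCP servers and versions"
      - "Scans SKILL.md for prompt injection, malicious code, secrets"
      - "Supports Claude Desktop, Cursor, Windsurf configs"
      - "Backed by ToxicSkills taxonomy (90-100% recall, 0% FP on skills.sh top-100)"
    limitations:
      - "413 error on large configs (~/.claude/ too big)"
      - "Unknown MCP config on some VSCode setups"
      - "Does not scan .claude/skills/ native Claude Code skills"
      - "Requires network access to Snyk vulnerability DB"
      - "Cannot detect runtime-only payloads fetched from benign-looking URLs"
    notes: "Complement with local grep patterns from this threat-db"

  - name: "skills-ref validate"
    vendor: "agentskills.io"
    type: "cli"
    command: "skills-ref validate ./skill-dir"
    url: "https://docs.rs/skills-ref-rs/latest/skills_ref/"
    capabilities:
      - "Validates skill spec compliance (SKILL.md structure, frontmatter, naming)"
      - "Parse metadata to JSON (skills-ref read-properties)"
      - "Generate agent prompts (skills-ref to-prompt)"
    limitations:
      - "Spec compliance only — does NOT detect malware or analyze code"
      - "Reduces slopsquatting via naming rules but no security scanning"

  - name: "Garak"
    vendor: "NVIDIA"
    type: "cli"
    url: "https://github.com/NVIDIA/garak"
    capabilities:
      - "37+ probe modules for LLM vulnerabilities"
      - "Prompt injection detection"
      - "Jailbreak testing"
      - "Data exfiltration probes"
    limitations:
      - "LLM-focused, not MCP/skill-specific"
      - "Does not parse SKILL.md or MCP configs"

  - name: "MCP Fortress"
    vendor: "mcp-fortress"
    type: "mcp-server + dashboard"
    url: "https://github.com/mcp-fortress/mcp-fortress"
    capabilities:
      - "Scans npm/PyPI dependencies of MCP servers"
      - "Queries CVE databases for risk scores"
      - "Runtime protection — quarantines suspicious servers"
      - "Streaming telemetry dashboard"
      - "Can run as MCP server exposing security tools to Claude/Cursor"
    limitations:
      - "Newer project — smaller detection database than mcp-scan"

  - name: "SafeDep vet MCP"
    vendor: "SafeDep"
    type: "mcp-server"
    url: "https://safedep.io/introducing-vet-mcp-server/"
    capabilities:
      - "Software composition analysis integrated with agents"
      - "Detects slopsquatting, vulnerable and malicious packages"
      - "Screens package suggestions before pip/npm install"
    limitations:
      - "Package-focused — does not scan SKILL.md or agent configs"

  - name: "Koi Clawdex"
    vendor: "Koi Security"
    type: "clawhub-skill"
    capabilities:
      - "ClawHub security addon / MCP"
      - "Checks skills against Koi malicious skill database"
      - "Pre-install and retroactive scan support"
    limitations:
      - "ClawHub/OpenClaw specific"

  - name: "Mcpwn"
    vendor: "community"
    type: "cli"
    url: "https://hackers-arise.com/artificial-intelligence-in-cybersecurity-part-9-how-to-test-mcp-servers-for-security-vulnerabilities/"
    capabilities:
      - "Dedicated MCP vulnerability scanner"
      - "Detects RCE via command injection in MCP servers"
      - "Path traversal weakness detection"
      - "Prompt injection risk identification"
      - "Quick scan mode focused on RCE surface"
      - "Supports custom Python and Node.js MCP servers"
    limitations:
      - "Newer/community tool — smaller detection database than mcp-scan"
      - "Less coverage of skills.sh / ClawHub skill scanning"

  - name: "Proximity"
    vendor: "community (open-source)"
    type: "cli"
    url: "https://www.helpnetsecurity.com/2025/10/29/proximity-open-source-mcp-security-scanner/"
    capabilities:
      - "Open-source MCP security scanner"
      - "Identifies prompts, tools, and resources exposed by MCP servers"
      - "Evaluates security risks via NOVA rule engine"
      - "Detects prompt injection and jailbreak attempts in tool descriptions"
    limitations:
      - "Early-stage open-source project — smaller detection database than commercial tools"
      - "Does not scan SKILL.md or agent config files"

  - name: "Enkrypt AI MCP Scanner"
    vendor: "Enkrypt AI"
    type: "cloud-saas"
    url: "https://www.enkryptai.com/mcp-scan"
    capabilities:
      - "Agentic static analysis for MCP servers"
      - "Detects command injection, path traversal, prompt injection, code injection"
      - "Identifies LLM-driven exploits and authorization gaps between docs and code"
      - "Protocol-level vulnerability detection for MCP JSON-RPC implementation"
    limitations:
      - "Commercial/SaaS — not open-source"
      - "Does not scan SKILL.md or ClawHub skills directly"

  - name: "Cisco MCP Scanner"
    vendor: "Cisco"
    type: "cli"
    url: "https://blogs.cisco.com/ai/ciscos-mcp-scanner-introduces-behavioral-code-threat-analysis"
    capabilities:
      - "Interprocedural dataflow analysis across MCP server functions"
      - "Behavioral code threat analysis — compares documented intent vs actual behavior"
      - "Detects hidden operations (undocumented network calls, file operations)"
      - "Supports black-box (YARA/API scanning) and white-box (source code) analysis"
      - "LLM-powered semantic analysis for intent vs behavior mismatch"
    limitations:
      - "Cisco-maintained — may require Cisco toolchain integration"
      - "Does not scan skills.sh / ClawHub ecosystem"

  - name: "NeuralTrust MCP Scanner"
    vendor: "NeuralTrust"
    type: "cloud-saas"
    url: "https://neuraltrust.ai/mcp-scanner"
    capabilities:
      - "Detects poisoned or redefined tools and unsafe endpoint exposures"
      - "Analyzes dependencies and integration risks"
      - "Policy validation for MCP manifests"
      - "Compliance mapping to OWASP, MITRE, and CWE frameworks"
    limitations:
      - "Commercial/SaaS platform"

  - name: "MCPScan.ai"
    vendor: "mcpscan.ai"
    type: "cloud-saas"
    url: "https://mcpscan.ai"
    capabilities:
      - "Cloud platform with specialized LLM classifiers for poisoning detection"
      - "Advanced Tool Metadata Scanner for MCP servers"
      - "Detects shell command patterns, code injection, resource exhaustion risks"
      - "Private scanning options for enterprise users"
    limitations:
      - "Cloud-based — requires sending server metadata to external platform"
      - "Not open-source"

  - name: "Mend SAST MCP"
    vendor: "Mend.io"
    type: "mcp-server"
    url: "https://appsecsanta.com/mend-sast"
    capabilities:
      - "Commercial SAST with MCP server integration"
      - "Real-time static analysis on AI-generated code via IDE"
      - "Software composition analysis (SCA) for dependencies"
      - "Integrates with Cursor, VS Code, Claude Code, Windsurf"
      - "mend-code-security-assistant tool: SAST scans"
      - "mend-dependencies-assistant tool: SCA checks"
    limitations:
      - "Commercial product — requires Mend.io subscription"
      - "Code scanning focus — does not scan SKILL.md or MCP configs directly"

# ═══════════════════════════════════════════════════════════════
# DEFENSIVE FRAMEWORKS & BLOCKLISTS
# ═══════════════════════════════════════════════════════════════
defensive_resources:
  - name: "SAFE-MCP"
    url: "https://www.safemcp.org"
    type: "framework"
    description: "80+ techniques mapped to ATT&CK for MCP environments; policy-based blocklists"

  - name: "OpenClaw VirusTotal Integration"
    url: "https://thehackernews.com/2026/02/openclaw-integrates-virustotal-scanning.html"
    type: "platform"
    description: "ClawHub now hashes every skill bundle, checks VirusTotal, blocks/flags malicious; daily re-scan"

  - name: "Docker MCP Gateway"
    url: "https://www.docker.com/blog/mpc-horror-stories-cve-2025-49596-local-host-breach/"
    type: "tool"
    description: "Isolates MCP servers behind stdio transport; mitigates CVE-2025-49596-style localhost attacks"

  - name: "Snyk AI-BOM & Evo"
    url: "https://snyk.io/articles/snyk-mcp-cheat-sheet/"
    type: "platform"
    description: "AI bill of materials; inventory MCP servers and skills; enforce guardrails"

  - name: "Bitsight TRACE"
    url: "https://www.bitsight.com/blog/exposed-mcp-servers-reveal-new-ai-vulnerabilities"
    type: "threat-intel"
    description: "Continuous scanning of exposed MCP endpoints; ~1000 unauthenticated servers found"
    stats:
      exposed_servers: 1000
      no_auth: true
      risk_examples: ["Kubernetes clusters", "CRM access", "WhatsApp messaging", "arbitrary shell"]

  - name: "OWASP Top 10 for Agentic AI Security Risks 2026"
    url: "https://www.startupdefense.io/blog/owasp-top-10-agentic-ai-security-risks-2026"
    type: "framework"
    description: "Community-maintained OWASP-style Top 10 listing for agentic AI systems; covers Agent Goal Hijacking (#1), Supply Chain compromise, Tool Poisoning, Prompt Injection, Memory Poisoning, and more. Updated 2026-02-16."

  - name: "Anthropic Claude Code Security"
    url: "https://thehackernews.com/2026/02/anthropic-launches-claude-code-security.html"
    type: "tool"
    description: "Anthropic's AI-powered codebase security scanner with human-reviewed patch suggestions; launched 2026-02-21. Scans for vulnerabilities using Claude as the analysis engine with human oversight before applying fixes."

  - name: "GuardFive AI Agent Security Scanner"
    url: "https://guardfive.com/blog/the-complete-mcp-server-security-checklist-2026"
    type: "cloud-saas"
    description: "Scans MCP servers for tool poisoning, credential theft, and malicious attacks; provides MCP server security checklist aligned with 2026 threat landscape"

  - name: "Palo Alto AI Runtime Security - MCP Threat Detection"
    url: "https://docs.paloaltonetworks.com/content/techdocs/en_US/ai-runtime-security/administration/prevent-network-security-threats/detect-mcp-threats"
    type: "platform"
    description: "Network-level MCP threat detection by Palo Alto; validates MCP tool communications and detects prompt injection and tool poisoning in real-time traffic (2026-02-09)"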