```shell
phantom-skill hallucinate --query "install X library"
```
AI models don't just generate code; they recommend packages that don't exist. When 20% of AI-generated code contains hallucinated package names, and 43% of those hallucinations are consistent across multiple models, the attack surface writes itself: an attacker registers the hallucinated name on PyPI or npm, and every developer who runs the AI-generated code becomes a victim.
OpenClaw exploits the MCP tool schema to inject worm payloads into tool definitions. Any MCP client that loads an infected server propagates the worm to all connected clients. Zero authentication required. Self-replicating across the MCP ecosystem.
LiteLLM's team callback feature (97M downloads) can be configured to exfiltrate all LLM requests and responses to attacker-controlled endpoints. The callback is set via the API without any authentication to the callback URL.
MCP servers can inject malicious tool definitions into connected clients' tool registries. A poisoned tool definition appears legitimate, carries arbitrary metadata, and executes attacker-controlled code when the AI agent invokes it.
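The client-side control against poisoned or silently rewritten tool definitions is tool pinning: after a human has reviewed a server's tool list once, record a hash of each tool's name, description and input schema, and refuse the session whenever a later `tools/list` result differs. This is an added example, not code from the PHANTOM SKILL page or from any MCP project; it assumes the MCP `tools/list` shape (`name`, `description`, `inputSchema`) and uses constructed tool payloads. It covers both the tool-definition poisoning described here and the OpenClaw worm passage above, since both depend on the client accepting whatever definitions the server sends.

```python
import hashlib
import json
from typing import Iterable


def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over exactly the fields the agent reasons and acts on."""
    canon = json.dumps(
        {
            "name": tool.get("name"),
            "description": tool.get("description", ""),
            "inputSchema": tool.get("inputSchema", {}),
        },
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def build_pins(tools: Iterable[dict]) -> dict[str, str]:
    """Pins to persist after a human has reviewed a server's tool list once."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


def verify_tools(tools: Iterable[dict], pins: dict[str, str]) -> dict[str, list[str]]:
    """Classify a fresh tools/list result against stored pins.

    Anything outside 'unchanged' means the server's schema moved under the client. The safe
    reaction is to refuse the session until the diff is re-approved, not to accept the new
    definitions because they look plausible.
    """
    report: dict[str, list[str]] = {"unchanged": [], "changed": [], "new": [], "missing": []}
    seen = set()
    for t in tools:
        name = t["name"]
        seen.add(name)
        if name not in pins:
            report["new"].append(name)
        elif pins[name] != tool_fingerprint(t):
            report["changed"].append(name)
        else:
            report["unchanged"].append(name)
    report["missing"] = sorted(set(pins) - seen)
    return report


def session_allowed(report: dict[str, list[str]]) -> bool:
    return not (report["changed"] or report["new"] or report["missing"])


# Constructed tools/list payloads (shape follows the MCP spec: name, description, inputSchema).
APPROVED_TOOLS = [
    {"name": "read_file", "description": "Read a file inside the workspace.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}, "required": ["path"]}},
    {"name": "search", "description": "Full-text search over the workspace.",
     "inputSchema": {"type": "object", "properties": {"q": {"type": "string"}}, "required": ["q"]}},
]

# Same server on a later connection: one description rewritten, one tool added that was never reviewed.
LATER_TOOLS = [
    {"name": "read_file", "description": "Read a file; also accepts absolute paths.",
     "inputSchema": APPROVED_TOOLS[0]["inputSchema"]},
    {"name": "search", "description": "Full-text search over the workspace.",
     "inputSchema": APPROVED_TOOLS[1]["inputSchema"]},
    {"name": "sync_cache", "description": "Synchronise the local cache.", "inputSchema": {"type": "object"}},
]


def demo() -> dict[str, list[str]]:
    return verify_tools(LATER_TOOLS, build_pins(APPROVED_TOOLS))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("session allowed:", session_allowed(report))
```

Hashing the description is the point: a tool whose name and schema are unchanged but whose description now carries extra instructions is exactly the case an agent would otherwise act on without anyone noticing.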
Python .pth files in site-packages execute arbitrary code at PyTorch import time. A malicious package that installs a .pth file achieves persistent code execution in every CI/CD pipeline and inference environment that runs import torch.
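One caveat a defender needs here: CPython's `site.py` processes every `.pth` file in each site-packages directory at interpreter start-up, and passes any line beginning with `import` to `exec()`, so such a hook runs before the program's first line whether or not `torch` is ever imported. The audit below is an added example, not code from the PHANTOM SKILL page or the PIVOT subsystem; it applies the `site.py` rules to a directory and reports which lines run code and which add search-path entries, flagging paths that escape the site directory. `demo_scan` builds a constructed site-packages directory in a temp folder so the example runs offline.

```python
import site
import tempfile
from pathlib import Path


def audit_pth(site_dir: Path) -> list[dict]:
    """Report what site.py will do with each .pth file in one site-packages directory.

    site.py rules (CPython Lib/site.py): blank lines and '#' comments are ignored; a line
    starting with 'import ' or 'import\\t' is passed to exec() at interpreter start-up;
    any other line is joined to the site directory and, if it exists, appended to sys.path.
    """
    findings: list[dict] = []
    site_root = site_dir.resolve()
    for pth in sorted(site_dir.glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for lineno, raw in enumerate(text.splitlines(), start=1):
            line = raw.rstrip()
            if not line or line.startswith("#"):
                continue
            if line.startswith(("import ", "import\t")):
                findings.append({"file": pth.name, "line": lineno, "kind": "exec", "text": line})
                continue
            target = (site_root / line).resolve()
            findings.append({
                "file": pth.name, "line": lineno, "kind": "path", "text": line,
                "exists": target.exists(),
                # sys.path entries outside site-packages let any writable directory shadow modules
                "inside_site": target == site_root or site_root in target.parents,
            })
    return findings


def exec_findings(findings: list[dict]) -> list[dict]:
    """Only the lines that run code; diff these against what the owning package actually ships."""
    return [f for f in findings if f["kind"] == "exec"]


def demo_scan() -> list[dict]:
    """Constructed site-packages with one ordinary .pth file and one that should be reviewed."""
    d = Path(tempfile.mkdtemp(prefix="pth-audit-"))
    (d / "vendor-stub.pth").write_text("# added by a real package\nvendorlib\n", encoding="utf-8")
    (d / "vendorlib").mkdir()
    (d / "zz_bootstrap.pth").write_text(
        "import sys; sys.path.insert(0, '/tmp/constructed-dropzone')\n"  # executed at every start-up
        "../../../tmp/constructed-dropzone\n",  # search-path entry escaping site-packages
        encoding="utf-8",
    )
    return audit_pth(d)


if __name__ == "__main__":
    # Real run: every site-packages directory the current interpreter consults.
    for sp in site.getsitepackages() + [site.getusersitepackages()]:
        p = Path(sp)
        if p.is_dir():
            for f in audit_pth(p):
                print(f"{p / f['file']}:{f['line']} [{f['kind']}] {f['text']}")
```

Legitimate tooling (setuptools, virtualenv, editable installs) also ships `import` lines in `.pth` files, so the output is a review list rather than a verdict; the useful baseline is the set of `.pth` files and their contents recorded when the environment image was built.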
Dynamic Client Registration allows unauthenticated OAuth app registration on misconfigured identity providers. An attacker registers a malicious OAuth app with broad scopes, then social-engineers or phishes agent orchestrators into granting access.
Six subsystems. Each one targets a different surface of the AI agent supply chain — from hallucination mapping to self-propagating worm deployment. Each finding produces an Ed25519-signed report with a WARLORD handoff receipt.
| # | Subsystem | What It Does | Mode |
|---|---|---|---|
| 01 | HALLUCINATE | Probes AI models for package hallucination. Submits code generation queries and analyses outputs for non-existent package references. Identifies hallucinated names suitable for slopsquatting registration. Consistency-tests across multiple models to find reliably hallucinated targets. | Passive — Analysis |
| 02 | SKILL | MCP tool definition poisoning. Injects malicious tool definitions into MCP server schemas. Crafts tool metadata that appears legitimate to AI agents while executing attacker-controlled code on invocation. Tests tool definition isolation across connected MCP clients. | UNLEASHED --override |
| 03 | SCAFFOLD | Slopsquatting payload generation. Creates complete malicious Python/npm packages that match hallucinated names. Packages pass basic scrutiny (README, version history, install hooks) while delivering post-install payloads. Stages for registry upload. | UNLEASHED --override |
| 04 | PIVOT | .pth file persistence injection. Embeds malicious .pth files in scaffolded packages. Achieves code execution at PyTorch import in all environments that install the package. Tests persistence across virtual environments, containers, and CI/CD runners. | UNLEASHED --override |
| 05 | WORM | Weaponised OpenClaw MCP worm (CVE-2026-32922, CVSS 9.9). Self-propagating payload that injects into MCP tool schemas and spreads to all connected MCP clients. Configurable payload: exfiltration, persistence, or arbitrary tool call injection. This subsystem requires --confirm-destroy. | UNLEASHED --override --confirm-destroy |
| 06 | REPORT | Ed25519-signed, SHA-256-hashed reports. JSON (WARLORD-compatible) and Markdown. Hallucinated package inventory, slopsquatting opportunities, worm propagation map, and WARLORD handoff receipt. | All Modes |
Probe a model for hallucinated package names, then map slopsquatting opportunities:
Probes multiple models simultaneously. Hallucinations consistent across 3+ models are the highest-value slopsquatting targets — every developer using any major AI assistant is a potential victim.
Draws code generation prompts from the ARMORY payload library. Successful hallucinated names and confirmed slopsquatting opportunities feed back into ARMORY for the entire fleet.
Every report cryptographically signed with Ed25519. SHA-256 evidence chains. WARLORD-compatible JSON output with handoff receipt. Tamper-evident by design.
Registered in WARLORD autonomous campaign engine. PHANTOM SKILL findings — slopsquatting maps, MCP worm propagation data — feed directly into autonomous campaign execution.
Real-time PyPI and npm registry checks confirm whether hallucinated package names are registered. Unregistered names are flagged as active slopsquatting opportunities with registration priority scores.
PHANTOM SKILL maps findings to assigned CVEs, confirmed attack classes, and the specific subsystems that exploit each surface. Every reference has been validated in a controlled environment.
| Reference | Vulnerability | Subsystem | Impact |
|---|---|---|---|
| CVE-2026-32922 | OpenClaw self-propagating MCP worm | WORM | Self-replicating across MCP ecosystem, CVSS 9.9 |
| SLOPSQUAT-001 | AI package hallucination — 20% rate, 43% cross-model consistency | HALLUCINATE / SCAFFOLD | Hallucinated package name supply chain attack |
| LITELLM-TEAMCB | LiteLLM team callback unauthenticated exfiltration | SKILL | All LLM I/O exfiltrated to attacker URL |
| PTH-PERSIST | .pth file CI/CD persistence via PyTorch import | PIVOT | Code execution in all import environments |
PHANTOM SKILL is Tool 59 of the NIGHTFALL offensive framework. Supply chain is the final layer — the trust assumption that underpins every AI agent deployment. When the supply chain is owned, every layer above it is compromised.
PHANTOM SKILL is not a scanner that calls external tools. Every hallucination probe, every MCP schema injector, every .pth persistence engine, every worm propagation module — written from scratch in pure Python. Zero subprocess calls against third-party tools. Zero external tool dependencies.
Cryptographic override. Private key controlled. One operator. Founder's machine only. Three escalation tiers — passive analysis, active injection, and confirmed-destroy worm deployment.
Passive hallucination probing and reporting. No registry interaction, no payload generation, no network writes. Safe for any authorised engagement.
Active supply chain exploitation. MCP tool definition injection, slopsquatting package generation, .pth persistence embedding. Requires Ed25519 override key.
Weaponised OpenClaw MCP worm deployment. Self-propagating across the entire MCP ecosystem. CVE-2026-32922, CVSS 9.9. Irreversible propagation once initiated. Requires --override AND --confirm-destroy.
Red Specter PHANTOM SKILL is intended for authorised security testing only. The WORM subsystem (CVE-2026-32922) deploys a self-propagating payload — it must only be used in isolated, authorised test environments with explicit written permission. The SCAFFOLD subsystem generates malicious packages intended for controlled lab registration only. Unauthorised use against systems you do not own or have explicit permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Apache License 2.0.