Red Specter PHANTOM SKILL
AI Agent Skill & Package Supply Chain Attack Engine — 6 subsystems, 406 tests, CVE-2026-32922 CVSS 9.9. NIGHTFALL Tool 59.
Overview
Red Specter PHANTOM SKILL is the AI agent supply chain attack engine. It targets the trust layer that underpins every AI agent ecosystem: the packages AI models recommend, the MCP tools agents load, and the identity infrastructure agents use to authenticate. PHANTOM SKILL turns the AI ecosystem's own hallucinations into attack vectors.
Research shows 20% of AI-generated code recommends packages that don't exist. Of those hallucinations, 43% are consistent across multiple major AI models — meaning a single hallucinated name is recommended by GPT-4, Claude, Llama, and Gemini alike. PHANTOM SKILL maps that surface, generates the payloads, and deploys the worm.
PHANTOM SKILL provides 6 subsystems under a single CLI (phantom-skill), 406 tests, Ed25519-signed WARLORD-compatible reports, and the weaponised implementation of CVE-2026-32922 (OpenClaw MCP worm, CVSS 9.9) for authorised test environments.
PHANTOM SKILL is Tool 59 of the NIGHTFALL offensive framework. It is registered in WARLORD and fully UNLEASHED-gated with a three-tier access model: passive hallucination analysis, active supply chain exploitation, and confirmed-destroy worm deployment.
The 6 Subsystems
| # | Subsystem | Command | What It Does |
|---|---|---|---|
| 01 | HALLUCINATE | phantom-skill hallucinate | Probes AI models for hallucinated package names. Consistency-tests across multiple models. Maps slopsquatting opportunities. |
| 02 | SKILL | phantom-skill skill | MCP tool definition poisoning. Injects malicious tool definitions into MCP server schemas. Tests tool isolation across clients. [UNLEASHED --override] |
| 03 | SCAFFOLD | phantom-skill scaffold | Slopsquatting payload generation. Creates complete malicious Python/npm packages matching hallucinated names. [UNLEASHED --override] |
| 04 | PIVOT | phantom-skill pivot | .pth file persistence injection. Embeds malicious .pth files for code execution at PyTorch import. [UNLEASHED --override] |
| 05 | WORM | phantom-skill worm | Weaponised OpenClaw MCP worm (CVE-2026-32922, CVSS 9.9). Self-propagating across all connected MCP clients. [UNLEASHED --override --confirm-destroy] |
| 06 | REPORT | phantom-skill report | Ed25519-signed, SHA-256-hashed JSON and Markdown reports. WARLORD-compatible with handoff receipt. |
Subsystem Details
HALLUCINATE — Package Hallucination Probe
Submits code generation queries to one or more AI model endpoints and analyses all outputs for package references not present in PyPI or npm. Identifies hallucinated package names, quantifies cross-model consistency, and ranks slopsquatting targets by attack value.
- Query injection — submits natural-language code generation prompts and captures full outputs
- Package extraction — parses import statements, pip install commands, and package references from generated code
- Registry validation — real-time PyPI and npm API checks to identify unregistered names
- Consistency scoring — tests each hallucinated name across multiple models; names hallucinated by 3+ models scored HIGH VALUE
- Opportunity ranking — ranks unregistered hallucinated names by cross-model consistency, package popularity proxies, and developer likelihood
Output: hallucinated package inventory with opportunity scores, ready for SCAFFOLD handoff or WARLORD submission.
SKILL — MCP Tool Definition Poisoning
MCP tool definition poisoning. Connects to a target MCP server and injects malicious tool definitions into the server's tool registry schema. Tests tool definition isolation across connected MCP clients. Also probes LiteLLM team callback exfiltration.
- MCP schema injection — crafts tool definitions that appear legitimate to AI agents (valid name, description, inputSchema) while embedding malicious execution logic in metadata fields
- Client propagation testing — measures how many connected MCP clients load the injected tool definition
- LiteLLM callback probe — tests whether the target LiteLLM instance accepts unauthenticated team callback registration (the LITELLM-TEAMCB vulnerability, 97M downloads)
- Tool isolation assessment — verifies whether MCP clients validate tool definitions before loading them
SCAFFOLD — Slopsquatting Package Generation
Generates complete, convincing malicious Python and npm packages that match hallucinated package names identified by HALLUCINATE. Packages are designed to pass basic developer scrutiny while delivering post-install payloads.
- Package structure — generates setup.py, pyproject.toml, README.md, CHANGELOG, and version history metadata
- Install hook injection — embeds payload execution in setup.py post_install hooks, entry_points, and __init__.py
- Payload configuration — configurable payload: exfiltration callback, reverse shell stub, or PIVOT (.pth) handoff
- Registry staging — builds a dist/ directory ready for twine upload to authorised test registries
- Scrutiny hardening — generates plausible package descriptions, mock documentation, and realistic dependency lists to reduce suspicion
PIVOT — .pth File Persistence Injection
Embeds malicious .pth files into packages built by SCAFFOLD. Python .pth files in site-packages are executed automatically at PyTorch import time, achieving persistent code execution across all environments that install the affected package.
- .pth generation — creates malicious .pth file that executes payload on import torch
- Package embedding — inserts .pth file into MANIFEST.in and data_files so it installs to site-packages automatically
- Persistence validation — tests execution in virtual environments, system Python, Docker containers, and CI/CD runner environments
- Payload chaining — supports WORM handoff — .pth payload can trigger WORM propagation on first torch import in an MCP-connected environment
WORM — OpenClaw MCP Worm (CVE-2026-32922)
Weaponised implementation of CVE-2026-32922 — the OpenClaw self-propagating MCP worm. Injects the worm payload into a target MCP server's tool schema. Any MCP client that loads the infected server propagates the worm to all servers it connects to. Zero authentication required. CVSS 9.9.
- Seed injection — injects worm payload into target MCP server's tool definitions via the tool registration endpoint
- Propagation engine — worm payload propagates automatically to every MCP client that loads the infected tool definition
- Configurable payload — exfiltration (callback URL), persistence (.pth install), or arbitrary tool call injection
- Propagation map — tracks which MCP clients received the worm payload for REPORT output
- No authentication bypass required — exploits the MCP protocol's trust model — tool definitions are loaded without schema validation
Warning: This subsystem deploys a self-propagating payload. Once seeded, propagation is automatic and may spread beyond the intended target scope. Use only in fully isolated, authorised test environments. Requires --override AND --confirm-destroy.
REPORT — Signed Report Generation
Aggregates findings from all subsystems into an Ed25519-signed, SHA-256-hashed report. JSON format is WARLORD-compatible with a handoff receipt. Markdown format is human-readable for report delivery.
- Hallucinated package inventory — full list of hallucinated names with consistency scores and registry status
- Slopsquatting opportunity map — ranked list of unregistered hallucinated names with attack priority scores
- MCP injection results — which tool definitions were accepted, how many clients loaded them
- Worm propagation graph — which MCP servers and clients received the propagated worm payload
- WARLORD handoff receipt — machine-ingestible JSON for autonomous campaign continuation
- Ed25519 signature — SHA-256 hash of all findings, signed with UNLEASHED private key
CLI Reference
HALLUCINATE — Package Hallucination Probe
SKILL — MCP Tool Definition Poisoning
SCAFFOLD — Slopsquatting Package Generation
PIVOT — .pth File Persistence Injection
WORM — OpenClaw MCP Worm (CVE-2026-32922)
REPORT — Signed Report Generation
Report Verification
Vulnerability References
PHANTOM SKILL maps every finding to assigned CVEs and confirmed attack classes. All references have been validated in controlled environments.
| Reference | Vulnerability | Subsystem | Impact |
|---|---|---|---|
| CVE-2026-32922 | OpenClaw self-propagating MCP worm | WORM | Self-replicating across MCP ecosystem, CVSS 9.9. Zero authentication required. Any MCP client loading an infected server propagates to all its connected servers. |
| SLOPSQUAT-001 | AI package hallucination — 20% rate, 43% cross-model consistency | HALLUCINATE / SCAFFOLD | Hallucinated package name supply chain attack. An attacker registers the hallucinated name; every developer using AI-generated code installs the malicious package. |
| LITELLM-TEAMCB | LiteLLM team callback unauthenticated exfiltration | SKILL | All LLM I/O exfiltrated to attacker URL. LiteLLM 97M downloads. No authentication required to register callback endpoint. |
| PTH-PERSIST | .pth file CI/CD persistence via PyTorch import | PIVOT | Code execution in all environments that run import torch. Persists across virtual environments, containers, and CI/CD runners. |
Report Output
Reports are available in JSON and Markdown formats. JSON is WARLORD-compatible. Both are signed with Ed25519 and include a SHA-256 hash of all findings.
JSON Report Structure
- report_id — unique report identifier
- tool — PHANTOM_SKILL v1.0.0
- timestamp — ISO 8601 with timezone
- hallucinated_packages — array of discovered hallucinated names with consistency scores
- slopsquatting_opportunities — ranked list of unregistered hallucinated names
- mcp_injection_results — which tool definitions were accepted and propagated
- worm_propagation_map — graph of MCP clients that received the worm payload
- pivot_persistence — .pth file placement results per environment
- warlord_handoff — WARLORD-compatible campaign continuation data
- signature — Ed25519 signature and SHA-256 evidence hash
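The hash-then-sign scheme that the REPORT subsystem and the JSON structure above describe, as an added example that is not the tool's own code: the exact encoding (canonical JSON with sorted keys, an Ed25519 signature over the bytes of the hex SHA-256 digest) and the sample findings are assumptions, and the keys are throwaway ones generated in the block, not the UNLEASHED key.

```python
"""Sign and verify a findings report: SHA-256 over canonical JSON of the findings,
then an Ed25519 signature over that digest; verification recomputes the digest."""
import hashlib
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

def canonical_json(obj) -> bytes:
    """Deterministic encoding (sorted keys, no whitespace) so the hash is stable."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def evidence_hash(findings: dict) -> str:
    return hashlib.sha256(canonical_json(findings)).hexdigest()

def sign_report(findings: dict, key: Ed25519PrivateKey) -> dict:
    """Wrap the findings with the evidence hash and a signature over that hash."""
    digest = evidence_hash(findings)
    sig = key.sign(bytes.fromhex(digest))
    return {"findings": findings, "signature": {"sha256": digest, "ed25519": sig.hex()}}

def verify_report(report: dict, pub: Ed25519PublicKey) -> bool:
    """True only if the findings still hash to the signed digest and the signature checks."""
    sig = report.get("signature", {})
    digest = evidence_hash(report.get("findings", {}))
    if digest != sig.get("sha256"):
        return False  # findings were modified after signing
    try:
        pub.verify(bytes.fromhex(sig["ed25519"]), bytes.fromhex(digest))
        return True
    except (InvalidSignature, KeyError, ValueError):
        return False

# Constructed sample findings and throwaway keys (not the UNLEASHED key)
SAMPLE_FINDINGS = {
    "report_id": "example-0001", "tool": "PHANTOM_SKILL v1.0.0",
    "hallucinated_packages": [{"name": "fastjsonvalid", "consistency": 3}],
}
SIGNING_KEY = Ed25519PrivateKey.generate()
PUBLIC_KEY = SIGNING_KEY.public_key()
WRONG_PUBLIC_KEY = Ed25519PrivateKey.generate().public_key()

def demo() -> tuple[bool, bool, bool]:
    """(genuine report verifies, tampered findings fail, wrong key fails)."""
    report = sign_report(SAMPLE_FINDINGS, SIGNING_KEY)
    tampered = json.loads(json.dumps(report))  # deep copy via round-trip
    tampered["findings"]["hallucinated_packages"][0]["consistency"] = 1
    return (verify_report(report, PUBLIC_KEY), verify_report(tampered, PUBLIC_KEY),
            verify_report(report, WRONG_PUBLIC_KEY))
```

A consumer such as a campaign engine should run the verify step before ingesting a report, since a matching hash without a valid signature only proves the file is internally consistent, not who produced it.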
The Pipeline
PHANTOM SKILL is Tool 59 of the NIGHTFALL offensive framework. The supply chain is the terminal layer — every layer above it depends on trusting that the packages and tools loaded are what they claim to be.
- FORGE — Test the LLM before you build with it
- ARSENAL — Test the AI agent during development
- PHANTOM — Coordinated AI agent swarm assault
- WARLORD — Autonomous offensive campaign engine
- SIGNAL — Mobile AI agent attack engine
- FOUNDRY — Inference server exploitation
- ADAPTER — LoRA/PEFT supply chain weaponisation
- DELEGATE — Agent identity & OAuth delegation attacks
- PHANTOM SKILL — AI agent skill & package supply chain attack (Tool 59)
IDRIS — Discovery & Governance | AI Shield — Defence | redspecter-siem — SIEM Integration
PHANTOM SKILL findings feed directly into WARLORD campaign engine. Slopsquatting opportunity maps and MCP worm propagation graphs become autonomous campaign inputs.
Key Features
Requirements
- Python 3.11+
- httpx — async HTTP client for MCP server communication
- typer — CLI framework
- rich — terminal formatting and progress bars
- pydantic — data validation and schema handling
- cryptography — Ed25519 signing
- packaging — Python package metadata generation (SCAFFOLD)
- build — PEP 517 package building (SCAFFOLD)
Installation
Also available as .deb (Kali Linux, Parrot, REMnux, Tsurugi) and PKGBUILD (BlackArch).
Or from source:
Standards Coverage
PHANTOM SKILL findings map to OWASP LLM Top 10 2025:
- LLM03 — Supply Chain (slopsquatting, SCAFFOLD, hallucinated dependencies)
- LLM04 — Data and Model Poisoning (MCP tool definition injection via SKILL)
- LLM07 — System Prompt Leakage (LiteLLM TeamPCP callback exfiltration)
- LLM08 — Vector and Embedding Weaknesses (MCP worm propagation via WORM)
- LLM09 — Misinformation (AI-generated code recommending non-existent packages)
PHANTOM SKILL UNLEASHED
Cryptographic override. Private key controlled. One operator. Founder's machine only.
Three access tiers, each requiring progressively stronger authorisation:
- Standard — HALLUCINATE + REPORT only. Passive probing. No Ed25519 key required.
- --override — SKILL, SCAFFOLD, PIVOT. Active supply chain exploitation. Requires Ed25519 override key.
- --override --confirm-destroy — WORM. Self-propagating MCP worm deployment (CVE-2026-32922, CVSS 9.9). Requires Ed25519 override key AND explicit confirm-destroy flag. Irreversible once seeded.
Packaging
PHANTOM SKILL is available across security-focused Linux distributions and package managers:
- Debian / Kali / Parrot / REMnux / Tsurugi — .deb package
- BlackArch — PKGBUILD
- PyPI — pip install red-specter-phantom-skill
- macOS / Windows — pip install
- Docker — docker pull
For access, contact richard@red-specter.co.uk
Disclaimer
Red Specter PHANTOM SKILL is designed for authorised security testing, research, and educational purposes only. The WORM subsystem implements CVE-2026-32922 — a self-propagating payload that spreads automatically to all connected MCP clients. It must only be used in fully isolated, authorised test environments. The SCAFFOLD subsystem generates malicious packages for controlled lab registry testing only. You must have explicit written permission from the system owner before running any PHANTOM SKILL subsystem against a target. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse. Apache License 2.0.