Threat Model
MITRE ATLAS Framework for AI Agent Security
v1.0-draft | MITRE ATLAS 2025

Summary: 37 total threats, broken down by risk rating as 6 Critical, 16 High, 12 Medium and 3 Low.
Threat Matrix by ATLAS Tactic

Reconnaissance (AML.TA0002)
- T-RECON-001  Agent Endpoint Discovery
- T-RECON-002  Channel Integration Probing
- T-RECON-003  Skill Capability Reconnaissance

Initial Access (AML.TA0004)
- T-ACCESS-001  Pairing Code Interception
- T-ACCESS-002  AllowFrom Spoofing
- T-ACCESS-003  Token Theft
- T-ACCESS-004  Malicious Skill as Entry Point
- T-ACCESS-005  Compromised Skill Update
- T-ACCESS-006  Prompt Injection via Channel

Execution (AML.TA0005)
- T-EXEC-001  Direct Prompt Injection
- T-EXEC-002  Indirect Prompt Injection
- T-EXEC-003  Tool Argument Injection
- T-EXEC-004  Exec Approval Bypass
- T-EXEC-005  Malicious Skill Code Execution
- T-EXEC-006  MCP Server Command Injection

Persistence (AML.TA0006)
- T-PERSIST-001  Skill-Based Persistence
- T-PERSIST-002  Poisoned Skill Update Persistence
- T-PERSIST-003  Agent Configuration Tampering
- T-PERSIST-004  Stolen Token Persistence
- T-PERSIST-005  Prompt Injection Memory Poisoning

Defense Evasion (AML.TA0007)
- T-EVADE-001  Moderation Pattern Bypass
- T-EVADE-002  Content Wrapper Escape
- T-EVADE-003  Approval Prompt Manipulation
- T-EVADE-004  Staged Payload Delivery

Discovery (AML.TA0008)
- T-DISC-001  Tool Enumeration
- T-DISC-002  Session Data Extraction
- T-DISC-003  System Prompt Extraction
- T-DISC-004  Environment Enumeration

Exfiltration (AML.TA0010)
- T-EXFIL-001  Data Theft via web_fetch
- T-EXFIL-002  Unauthorized Message Sending
- T-EXFIL-003  Credential Harvesting via Skill
- T-EXFIL-004  Transcript Exfiltration

Impact (AML.TA0011)
- T-IMPACT-001  Unauthorized Command Execution
- T-IMPACT-002  Resource Exhaustion (DoS)
- T-IMPACT-003  Reputation Damage
- T-IMPACT-004  Data Destruction
- T-IMPACT-005  Financial Fraud via Agent
Critical Attack Chains

Malicious Skill Full Kill Chain
  Chain: T-RECON-003 → T-EVADE-001 → T-ACCESS-004 → T-EXEC-005 → T-PERSIST-001 → T-EXFIL-003
  Steps: Recon ClawHub → Craft evasive skill → User installs → Code executes → Persists → Harvests credentials

Skill Supply Chain Attack
  Chain: T-ACCESS-005 → T-EVADE-004 → T-EXEC-005 → T-PERSIST-002 → T-EXFIL-004
  Steps: Compromise publisher → Push staged payload → Execute on update → Maintain persistence → Exfil transcripts

Prompt Injection to RCE
  Chain: T-ACCESS-006 → T-EXEC-001 → T-EVADE-003 → T-EXEC-004 → T-IMPACT-001
  Steps: Access via channel → Inject prompt → Manipulate approval → Bypass checks → Execute commands

Indirect Injection Data Theft
  Chain: T-EXEC-002 → T-DISC-004 → T-EXFIL-001
  Steps: Poison fetched content → Enumerate environment → Exfiltrate via web_fetch

Token Theft Persistent Access
  Chain: T-ACCESS-003 → T-PERSIST-004 → T-DISC-002 → T-EXFIL-002
  Steps: Steal tokens → Maintain access → Extract session data → Exfil via messages

Financial Fraud Chain
  Chain: T-ACCESS-006 → T-EXEC-001 → T-DISC-001 → T-IMPACT-005
  Steps: Gain channel access → Inject prompts → Enumerate financial tools → Execute fraud
Trust Boundaries

1. Supply Chain (ClawHub)
   - Skill publishing (semver, SKILL.md required)
   - Pattern-based moderation flags
   - VirusTotal Code Insight
   - GitHub account age verification

2. Channel Access Control (Gateway)
   - Device Pairing (30s grace)
   - AllowFrom / AllowList validation
   - Token/Password/Tailscale auth

3. Session Isolation (Agent Sessions)
   - Session key = agent:channel:peer
   - Tool policies per agent
   - Transcript logging

4. Tool Execution (Execution Sandbox)
   - Docker sandbox OR Host (exec-approvals)
   - Node remote execution
   - SSRF protection (DNS pinning + IP blocking)

5. External Content (Fetched URLs / Emails / Webhooks)
   - External content wrapping (XML tags)
   - Security notice injection
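As an added illustration of the SSRF protection named under trust boundary 4 (DNS pinning + IP blocking), and not code from the project itself: a Python guard that resolves a fetch target once, refuses the request if any answer falls in a loopback, private, link-local or metadata range, and returns the pinned address the caller must connect to instead of resolving again. The blocked ranges and the injectable resolver are assumptions made for the example.

```python
"""SSRF guard with DNS pinning (constructed example, not project code)."""
import ipaddress
import socket
from typing import Callable, Iterable

# Assumed block policy: "this host", RFC1918, CGNAT, loopback, link-local
# (covers the 169.254.169.254 cloud metadata endpoint), multicast, IPv6
# loopback/ULA/link-local and IPv4-mapped IPv6 addresses.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def is_blocked_ip(ip: str) -> bool:
    """True if the address must never be the destination of a fetch."""
    addr = ipaddress.ip_address(ip)
    # Unwrap ::ffff:a.b.c.d so the IPv4 ranges apply to mapped addresses too.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer from a single lookup."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def pin_target(host: str,
               resolver: Callable[[str], Iterable[str]] = resolve_all) -> str:
    """Resolve once, reject if ANY answer is blocked, return the pinned IP.

    The caller connects to the returned IP (sending Host: <host>) rather than
    resolving again, so a DNS rebinding flip between the check and the
    connection cannot redirect the request to an internal address.
    """
    ips = list(resolver(host))
    if not ips:
        raise ValueError(f"{host}: no addresses")
    blocked = [ip for ip in ips if is_blocked_ip(ip)]
    if blocked:
        raise PermissionError(f"{host} resolves to blocked address(es) {blocked}")
    return ips[0]


def fetch_allowed(host: str,
                  resolver: Callable[[str], Iterable[str]] = resolve_all) -> bool:
    """Boolean form of pin_target for policy checks and tests."""
    try:
        pin_target(host, resolver)
        return True
    except (PermissionError, ValueError):
        return False
```

Rejecting on any blocked answer (not just the first) matters because a rebinding attacker can return a mix of public and internal addresses and rely on the client picking the internal one.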