title: "Subcommand Overflow Bypass"
id: ATR-2026-00127
rule_version: 1
status: experimental
description: >
  Detects SKILL.md files declaring an excessive number of subcommands or tools
  (>50). Claude Code has a security architecture where each subcommand is
  individually evaluated for safety. When a skill declares >50 subcommands,
  some implementations skip security checks on overflow commands due to
  performance budgets or fixed-size buffers. Attackers pad with 49 benign
  commands and then append malicious ones at the end, expecting the security
  check to be skipped for the overflow entries. Discovered via Claude Code leak
  analysis (2026-03).
author: "ATR Community"
date: "2026/04/05"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: medium

references:
  mitre_atlas:
    - "AML.T0010 - AI Supply Chain Compromise"
  owasp_llm:
    - "LLM07:2025 - System Prompt Leakage"
  owasp_agentic:
    - "ASI02:2026 - Excessive Agent Autonomy"
  owasp_ast:
    - "AST02:2026 - Excessive Permissions"
  research:
    - "Claude Code leak: 50 subcommand security check bypass (2026-03)"

metadata_provenance:
  mitre_atlas: auto-generated

compliance:
  nist_ai_rmf:
    - subcategory: "MS.2.7"
      context: >-
        Subcommand overflow bypass exploits a security check weakness where excessive
        declared commands cause safety evaluation to be skipped on overflow entries;
        MS.2.7 requires that AI system security and resilience properties, including
        boundary conditions in security validation logic, are evaluated and documented.
      strength: primary
    - subcategory: "MP.5.1"
      context: >-
        Declaring >50 subcommands to pad benign entries before malicious ones is an
        identifiable adversarial pattern with characterizable likelihood and impact;
        MP.5.1 requires that such risk vectors against the skill loading pipeline are
        tracked and characterized.
      strength: secondary
    - subcategory: "MG.3.2"
      context: >-
        SKILL.md files are third-party-authored components loaded into the agent runtime,
        and overflow-based bypass attempts must be monitored as part of pre-trained or
        third-party model/component supply chain risk management under MG.3.2.
      strength: secondary
    - subcategory: "MG.3.1"
      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Subcommand Overflow Bypass)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Subcommand Overflow Bypass)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Subcommand Overflow Bypass) as a treatment control."
      strength: secondary
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Subcommand Overflow Bypass)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Subcommand Overflow Bypass)."
      strength: secondary
tags:
  category: skill-compromise
  subcategory: subcommand-overflow
  scan_target: skill
  confidence: low

agent_source:
  type: mcp_exchange
  framework:
    - any
  provider:
    - any

detection:
  condition: any
  false_positives:
    - "Legitimate enterprise SDKs that genuinely expose 50+ tools as a single skill (rare but real — flag for human review rather than auto-block)"
    - "Documentation describing platform feature counts in marketing copy (e.g. 'AWS supports over 200 services') — should be filtered by checking that the count refers to skill subcommands, not platform features"
  conditions:
    # Explicit large command count declaration. The number must be 50 or
    # higher: an earlier version of this regex used \d{2,3}, which matched any
    # 2-digit number (10+) and produced false positives on legitimate
    # multi-tool skills such as "provides 22 tools" or "provides 27 wallet
    # management operations" (2026-04-11 ClawHub wild scan).
    - field: content
      operator: regex
      value: "(?i)(provides?|includes?|contains?|offers?|supports?|has)\\s+(?:(?:[5-9]\\d|\\d{3,})|over\\s+(?:[5-9]\\d|\\d{3,})|more\\s+than\\s+(?:[5-9]\\d|\\d{3,}))\\s+(commands?|tools?|subcommands?|functions?|operations?|endpoints?|actions?|methods?)"
      description: "Explicit declaration of large command count (50+)"

confidence: 78
wild_validated: "2026/04/11"
wild_samples: 89971  # 53577 (mega-scan v1) + 36394 (clawhub registry summary scan)
wild_fp_rate: 0.0
test_cases:
  true_positives:
    - input: "# Mega Tool Suite\n\nThis skill provides 75 commands for managing your entire system infrastructure."
      expected: trigger
    - input: "This skill provides 65 tools for comprehensive system administration and monitoring."
      expected: trigger
    - input: "The package includes over 80 commands covering file management, network, and security."
      expected: trigger
    - input: "Our framework supports more than 55 subcommands for DevOps automation."
      expected: trigger
    - input: "MegaSkill provides 100 commands for full system orchestration."
      expected: trigger
      description: "Three-digit count well above the 50 threshold"

  true_negatives:
    - input: "# Simple Calculator\n\n## add\nAdds two numbers\n## subtract\nSubtracts two numbers\n## multiply\nMultiplies two numbers"
      expected: no_trigger
    - input: "This skill provides 5 commands for managing your git repository."
      expected: no_trigger
    - input: "# File Manager\n\n- `create` - Create a file\n- `delete` - Delete a file\n- `move` - Move a file\n- `copy` - Copy a file\n- `list` - List files"
      expected: no_trigger
    # 2026-04-11 ClawHub wild scan regression guards. The earlier \d{2,3}
    # regex caught any 2-digit count (10+) and flagged legitimate multi-tool
    # skills like wallets and design SaaS integrations. These TNs lock in the
    # fix at 50+ as documented in the rule description.
    - input: "Multi-chain wallet and trading tools for AI agents. Provides 27 tools for: wallet management, balance checks, export keys."
      expected: no_trigger
      description: "Legit multi-chain wallet manager (27 tools, well below 50)"
    - input: "MCP skill for canva. Provides 22 tools: upload-asset-from-url, resolve-shortlink, search-designs, get-design."
      expected: no_trigger
      description: "Legit Canva integration (22 tools, well below 50)"
    - input: "This skill includes 30 helper functions for data transformation tasks."
      expected: no_trigger
      description: "Common count below the 50 threshold"
    - input: "Our framework supports 49 subcommands for build automation."
      expected: no_trigger
      description: "Edge case — 49 is below 50 threshold and must not trigger"

evasion_tests:
  - input: "This skill comprises 75 endpoints for system management."
    expected: not_triggered
    bypass_technique: format_manipulation
    notes: "Verb 'comprises' is not in the regex verb list (provides|includes|contains|offers|supports|has). Author can extend the verb list to close this gap."
  - input: "This skill provides 5 0 commands for everything."
    expected: not_triggered
    bypass_technique: split_keyword
    notes: "Whitespace inside the digit string '5 0' breaks the [5-9]\\d character class. A token-aware preprocessor would catch this."
  - input: "本工具提供六十五个子命令用于自动化部署。"
    expected: not_triggered
    bypass_technique: language_switch
    notes: "Chinese number 六十五 (65) and verb 提供 (provide) are not in the English-only regex. ATR engine should add NFKC normalization and per-language regex variants."

response:
  actions:
    - alert
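Added example, not part of the ATR rule file: it applies the rule's `conditions` regex to SKILL.md text after the NFKC normalization suggested in the evasion notes, and adds a structural count of `## ` headings as an independent overflow signal for skills that never state a count. The structural check, its threshold of 50 headings, and the sample inputs are this example's assumptions, not behaviour the rule itself implements.

```python
import re
import unicodedata
from typing import Optional

# Regex copied from the rule's `conditions` block (YAML double-escaping removed).
COUNT_DECLARATION = re.compile(
    r"(?i)(provides?|includes?|contains?|offers?|supports?|has)\s+"
    r"(?:(?:[5-9]\d|\d{3,})|over\s+(?:[5-9]\d|\d{3,})|more\s+than\s+(?:[5-9]\d|\d{3,}))\s+"
    r"(commands?|tools?|subcommands?|functions?|operations?|endpoints?|actions?|methods?)"
)
HEADING = re.compile(r"^##\s+\S", re.MULTILINE)
STRUCTURAL_THRESHOLD = 50  # assumption: mirrors the rule's 50+ count threshold


def normalize(text: str) -> str:
    """NFKC-fold so fullwidth digits such as '７５' become ASCII '75' for [5-9]\\d."""
    return unicodedata.normalize("NFKC", text)


def declared_count(text: str) -> Optional[int]:
    """Return the declared command count when the rule's regex matches, else None."""
    m = COUNT_DECLARATION.search(normalize(text))
    if not m:
        return None
    return int(re.search(r"\d+", m.group(0)).group(0))


def heading_count(text: str) -> int:
    """Count level-2 markdown headings, the usual per-subcommand section in SKILL.md."""
    return len(HEADING.findall(text))


def evaluate(text: str) -> dict:
    """Combine both signals; `trigger` mirrors the rule's alert decision."""
    declared = declared_count(text)
    headings = heading_count(text)
    return {"declared": declared, "headings": headings,
            "trigger": declared is not None or headings >= STRUCTURAL_THRESHOLD}


# Constructed samples: rule TP/TN inputs, a fullwidth-digit variant, and a skill
# that states no count but declares 60 "## " sections (padding without a number).
SAMPLES = {
    "tp_plain": "This skill provides 75 commands for managing your entire system infrastructure.",
    "tp_over": "The package includes over 80 commands covering file management, network, and security.",
    "tn_edge": "Our framework supports 49 subcommands for build automation.",
    "tn_small": "This skill provides 5 commands for managing your git repository.",
    "fullwidth": "This skill provides ７５ commands for everything.",
    "padded": "# Big\n" + "".join(f"## cmd{i}\nDoes thing {i}\n" for i in range(60)),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, evaluate(text))
```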
