Skill Rug Pull Setup Pattern - ATR-2026-00126 (34304941-1231-5e7f-b209-dd3ccb497a38)
Detects SKILL.md files architecturally designed for rug pulls: initially safe content that can be remotely updated to become malicious. Patterns include dynamic code loading from URLs (eval(fetch(...))), base64-decoded execution, post-install hooks with remote payloads, and obfuscated function constructors. True rug pull detection requires comparing hashes over time (TC verdict cache), but this rule catches the setup patterns that make rug pulls possible. Inspired by Claude Code leak analysis and npm supply chain attacks.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Skill Rug Pull Setup Pattern - ATR-2026-00126 (34304941-1231-5e7f-b209-dd3ccb497a38) | Agent Threat Rules | ML Supply Chain Compromise (d2cf31e0-a550-4fe0-8fdb-8941b3ac00d9) | MITRE ATLAS Attack Pattern | 1 |