Skill Data Exfiltration via Compound Patterns - ATR-2026-00149 (b73d8b7c-3528-5532-a0ed-3d2188fd9749)
Detects compound exfiltration patterns in SKILL.md files where sensitive data (credentials, SSH keys, wallet files, browser data, environment variables) is read AND transmitted to an external endpoint. Single-action patterns (just reading env vars or just mentioning curl) are intentionally excluded to avoid false positives on legitimate security and DevOps skills.