Taxonomy · Attack Classes

40 attack classes, grouped by vulnerability pattern

Each class collects related techniques that share a root cause or exploitation pattern. Classes are organized into six categories spanning agent governance, the software supply chain, runtime infrastructure, identity, sandboxing, and NemoClaw-specific exposure.

Governance

11 attack classes in this category.

ASSEMBLY-INJECT0 techniques

Context Assembly Pipeline Injection

Attacks targeting the system prompt assembly process where components combine into exploitable injections

PHANTOM-SOUL1 technique

Phantom Soul

Agent deployed with zero behavioral constraints — no SOUL.md, no system prompt, no governance

Techniques

T-1006 · Agent Card Discovery

Detection · 2 checks

SOUL-HB-001SOUL-HB-002

SOUL-BOUNDARY1 technique

Soul Boundary Bypass

Exploiting ambiguous or incomplete constraint definitions to find unguarded actions

Techniques

T-2008 · System Prompt Boundary Bypass

Detection · 2 checks

SOUL-CB-001SOUL-CB-002

SOUL-DELEGATE1 technique

SOUL Delegation Abuse

Exploiting delegation and capability transfer mechanisms to exceed authorized scope

Techniques

T-4001 · Capability Override

Detection · 2 checks

SOUL-DH-001SOUL-DH-002

SOUL-DRIFT2 techniques

SOUL/System Prompt Drift

Gradually displacing safety instructions from the active context through conversation manipulation

Techniques

T-2004 · Context Window Exploitation T-4006 · Safety Instruction Displacement

Detection · 2 checks

SOUL-TH-003SOUL-TH-004

SOUL-FORK1 technique

Soul Forking

Different behavior under evaluation vs production — agent passes safety tests but behaves differently in deployment

Techniques

T-5002 · A2A Agent Pivoting

Detection · 4 checks

SOUL-AS-001SOUL-AS-002SOUL-HT-001SOUL-HT-002

SOUL-HIJACK2 techniques

Soul Hijacking

External content achieving full override of agent behavioral constitution

Techniques

T-4002 · Admin Impersonation T-5002 · A2A Agent Pivoting

Detection · 2 checks

SOUL-HO-001SOUL-HO-002

SOUL-HV2 techniques

Harm Avoidance Override

Techniques to bypass agent harm avoidance constraints (4 sub-types)

Techniques

T-2001 · Direct Prompt Injection T-2003 · Role-Play Jailbreak

Detection · 4 checks

SOUL-HV-001SOUL-HV-002SOUL-HV-003SOUL-HV-004

SOUL-IMPERSONATE1 technique

Soul Impersonation

False capability claims exceeding actual authorization level

Techniques

T-4002 · Admin Impersonation

Detection · 1 check

SOUL-TH-005

SOUL-INJECT5 techniques

SOUL/System Prompt Injection

Directly manipulating or overriding the agent's system-level instructions and behavioral boundaries

Techniques

T-1003 · System Prompt Extraction T-2001 · Direct Prompt Injection T-2003 · Role-Play Jailbreak T-2007 · Multi-Turn Manipulation T-2008 · System Prompt Boundary Bypass

Detection · 7 checks

SOUL-IH-001SOUL-IH-002PROMPT-001PROMPT-002PROMPT-003PROMPT-004+1 more

SOUL-POISON4 techniques

Soul Poisoning

Malicious instructions injected into governance files at write-time

Techniques

T-2001 · Direct Prompt Injection T-2003 · Role-Play Jailbreak T-2007 · Multi-Turn Manipulation T-2008 · System Prompt Boundary Bypass

Detection · 2 checks

SOUL-TH-001SOUL-TH-002

Supply Chain

11 attack classes in this category.

FAKETOOL-INJECT0 techniques

Tool Impersonation and Injection

MCP tool impersonation, squatting, and schema poisoning attacks

HEARTBEAT-RCE2 techniques

Heartbeat Remote Code Execution

Exploiting scheduled task or heartbeat mechanisms to achieve persistent code execution

Techniques

T-6005 · Scheduled Task Injection T-9003 · Malicious Code Deployment

Detection · 7 checks

HEARTBEAT-001HEARTBEAT-002HEARTBEAT-003HEARTBEAT-004HEARTBEAT-005HEARTBEAT-006+1 more

MEM-POISON5 techniques

Memory Poisoning

Injecting malicious entries into agent persistent memory to maintain control across sessions

Techniques

T-2002 · Indirect Prompt Injection T-3004 · Memory Credential Mining T-6001 · Memory Injection T-6002 · Self-Replicating Memory Entry T-7004 · Memory Dump

Detection · 6 checks

MEM-001MEM-002MEM-003MEM-004MEM-005MEM-006

ORG-SKILL-SPREAD4 techniques

Organizational Skill Spread

Propagating malicious capabilities across an organization's agent fleet through shared skills and registries

Techniques

T-9002 · Service Disruption T-9004 · Multi-Agent Consensus Manipulation T-9005 · Reputation Poisoning T-9006 · Supply Chain Compromise

Detection · 8 checks

SUPPLY-001SUPPLY-002SUPPLY-003SUPPLY-004DEP-001DEP-002+2 more

PERSIST-STATE0 techniques

Persistent State Manipulation

Cross-session persistence via memory poisoning, state tampering, and cached context injection

RAG-POISON2 techniques

RAG Poisoning

Injecting malicious content into retrieval-augmented generation data sources

Techniques

T-2002 · Indirect Prompt Injection T-7006 · PII Discovery

Detection · 4 checks

RAG-001RAG-002RAG-003RAG-004

SKILL-EXFIL6 techniques

Skill-Based Exfiltration

Using legitimate tool capabilities for unauthorized data transfer

Techniques

T-5001 · SSRF via Tool T-7003 · API Data Harvesting T-8001 · Email Exfiltration T-8002 · HTTP Callback T-8004 · Tool Chain Exfiltration T-8006 · Webhook Exfiltration

Detection · 4 checks

SKILL-006NET-001NET-002NET-003

SKILL-FRONTMATTER3 techniques

Skill/Plugin Frontmatter Injection

Embedding malicious instructions in skill or plugin metadata and description fields

Techniques

T-2005 · Tool Description Injection T-6004 · Skill/Plugin Backdoor T-6006 · Tool Registration Persistence

Detection · 10 checks

SKILL-001SKILL-002SKILL-004SKILL-005SKILL-007SKILL-008+4 more

SKILL-MEM-AMP1 technique

Skill Memory Amplification

Skill plants payload in agent memory that survives skill uninstall — cross-session persistence

Techniques

T-3004 · Memory Credential Mining

Detection · 1 check

SKILL-MEM-001

SUPPLY-CHAIN-INSTALL1 technique

Supply Chain Install Attack

Unsigned installation scripts executed without integrity verification — curl|sh without checksum

Techniques

T-9003 · Malicious Code Deployment

Detection · 1 check

INSTALL-001

UNICODE-STEGO2 techniques

Unicode Steganography

Using invisible Unicode characters, homoglyphs, and encoding tricks to bypass filters

Techniques

T-2006 · Unicode/Encoding Bypass T-4005 · Policy Bypass via Encoding

Detection · 5 checks

UNICODE-STEGO-001UNICODE-STEGO-002UNICODE-STEGO-003UNICODE-STEGO-004UNICODE-STEGO-005

Infrastructure

10 attack classes in this category.

A2A-EXPOSE2 techniques

A2A Protocol Exposure

Agent-to-Agent protocol endpoints publicly discoverable without access control

Techniques

T-1006 · Agent Card Discovery T-5002 · A2A Agent Pivoting

Detection · 2 checks

A2A-001A2A-002

AITOOL-EXPOSE3 techniques

AI Tool Exposure

AI development tools (Jupyter, MLflow, Gradio, Streamlit) exposed without authentication

Techniques

T-1001 · Endpoint Enumeration T-1004 · Security Level Probing T-1005 · Capability Mapping

Detection · 4 checks

AITOOL-001AITOOL-002AITOOL-003AITOOL-004

CODE-INJECTION2 techniques

Code Injection

Injecting and executing arbitrary code through SQL injection, command injection, or code generation

Techniques

T-7002 · Database Extraction T-9001 · Data Manipulation

Detection · 1 check

DOCKERINJ-001

GATEWAY-EXPLOIT1 technique

Gateway Configuration Exploitation

Modifying gateway or proxy configurations to intercept, redirect, or manipulate agent traffic

Techniques

T-6003 · Configuration Modification

Detection · 8 checks

GATEWAY-001GATEWAY-002GATEWAY-003GATEWAY-004GATEWAY-005GATEWAY-006+2 more

INTEGRITY-BYPASS1 technique

Integrity Check Bypass

Digest or hash verification bypass on empty or missing values — tampered artifacts pass silently

Techniques

T-9001 · Data Manipulation

Detection · 1 check

INTEGRITY-001

LLM-EXPOSE2 techniques

LLM Inference Exposure

LLM inference endpoints exposed without authentication — allows arbitrary prompt execution

Techniques

T-1001 · Endpoint Enumeration T-1004 · Security Level Probing

Detection · 4 checks

LLM-001LLM-002LLM-003LLM-004

MCP-EXPLOIT6 techniques

MCP Protocol Exploitation

Attacking Model Context Protocol server configurations, tool registrations, and inter-server trust

Techniques

T-1002 · Tool Discovery T-1005 · Capability Mapping T-4003 · Tool Parameter Injection T-5003 · MCP Server Hopping T-5005 · Database Pivoting T-5006 · Internal API Discovery

Detection · 11 checks

MCP-001MCP-002MCP-003MCP-004MCP-005MCP-006+5 more

PARSER-DIFFERENTIAL0 techniques

Parser Differential Exploitation

Exploits differences between parser implementations to bypass security controls

RETROACTIVE-PRIV9 techniques

Retroactive Privilege Exploitation

Exploiting previously granted access or cached credentials to gain unauthorized capabilities

Techniques

T-1001 · Endpoint Enumeration T-1004 · Security Level Probing T-1007 · Context Window Probing T-3001 · System Prompt Credential Extraction T-3003 · Tool Response Credential Capture T-3005 · Configuration File Access T-3006 · Context Window Credential Leak T-5004 · Credential Reuse T-8005 · Conversation Exfiltration

Detection · 9 checks

CRED-001CRED-002CRED-003CRED-004WEBEXPOSE-001WEBEXPOSE-002+3 more

TOCTOU-RACE1 technique

TOCTOU Race Condition

Time-of-check-time-of-use race between verification and execution — swap window for attackers

Techniques

T-9001 · Data Manipulation

Detection · 1 check

TOCTOU-001

NemoClaw-Specific

5 attack classes in this category.

NEMO-CRED-LEAK2 techniques

Credential Leakage

Unintended exposure of credentials through environment variables, logs, or error messages

Techniques

T-3002 · Environment Variable Leakage T-7005 · Configuration Harvesting

Detection · 5 checks

HMA-NMC-001HMA-NMC-002HMA-NMC-003NEMO-004NEMO-007

NEMO-NETWORK-EXPOSE3 techniques

NemoClaw Network Exposure

NemoClaw network services bound to public interfaces — gateway, k3s API, mDNS beacons

Techniques

T-1001 · Endpoint Enumeration T-1004 · Security Level Probing T-5001 · SSRF via Tool

Detection · 6 checks

HMA-NMC-010HMA-NMC-011HMA-NMC-012HMA-NMC-013HMA-NMC-014HMA-NMC-015

NEMO-OPENCLAW-INHERIT1 technique

NemoClaw OpenClaw Inheritance

Inherited OpenClaw flaws that survive NemoClaw sandboxing — heartbeat persistence, pre-allowed APIs

Techniques

T-1001 · Endpoint Enumeration

Detection · 4 checks

HMA-NMC-040HMA-NMC-041HMA-NMC-042NEMO-010

NEMO-SANDBOX-ESCAPE1 technique

Sandbox Escape

Breaking out of agent sandbox restrictions to access the underlying file system or OS

Techniques

T-7001 · File System Enumeration

Detection · 7 checks

HMA-NMC-030HMA-NMC-031HMA-NMC-032NEMO-003NEMO-005NEMO-006+1 more

NEMO-SUPPLY-CHAIN1 technique

Supply Chain Attack

Compromising upstream dependencies or infrastructure to affect downstream agent deployments

Techniques

T-9006 · Supply Chain Compromise

Detection · 6 checks

HMA-NMC-020HMA-NMC-021HMA-NMC-022NEMO-001NEMO-002NEMO-009

Identity

2 attack classes in this category.

AGENT-IMPERSONATE4 techniques

Agent Impersonation

Impersonating trusted agents or administrative roles to gain unauthorized access

Techniques

T-1006 · Agent Card Discovery T-4002 · Admin Impersonation T-4004 · Delegation Abuse T-5002 · A2A Agent Pivoting

Detection · 3 checks

AIM-001AIM-002AIM-003

BEHAVIORAL-IMPERSONATE1 technique

Behavioral Impersonation

Using stolen credentials detected via behavioral baseline mismatch — agent DNA forgery

Techniques

T-4002 · Admin Impersonation

Detection · 3 checks

DNA-001DNA-002DNA-003

Sandbox

1 attack class in this category.

SANDBOX-ESCAPE1 technique

Sandbox Escape

General sandbox escape via privileged containers, LSM degradation, or process environment leakage

Techniques

T-7001 · File System Enumeration

Detection · 1 check

SANDBOX-005

Looking for how these classes chain into full attacks? See the attack paths or the kill-chain grid.