Skip to main content

Fased Threat Model v1.0

MITRE ATLAS Framework

Version: 1.0-draft Last Updated: 2026-05-20 Methodology: MITRE ATLAS + Data Flow Diagrams Framework: MITRE ATLAS (Adversarial Threat Landscape for AI Systems)

Framework Attribution

This threat model is built on MITRE ATLAS, the industry-standard framework for documenting adversarial threats to AI/ML systems. ATLAS is maintained by MITRE in collaboration with the AI security community. Key ATLAS Resources:

Contributing to This Threat Model

This is a living document maintained by the Fased contributor community. See Contributing to the threat model for guidelines on contributing:
  • Reporting new threats
  • Updating existing threats
  • Proposing attack chains
  • Suggesting mitigations

1. Introduction

1.1 Purpose

This threat model documents adversarial threats to the Fased agent/runtime platform and plugin catalog, using the MITRE ATLAS framework designed specifically for AI/ML systems.

1.2 Scope

ComponentIncludedNotes
Fased RuntimeYesCore agent execution, tool calls, sessions
GatewayYesAuthentication, routing, channel integration
Channel IntegrationsYesWhatsApp, Telegram, Discord, Signal, Slack, etc.
Plugin CatalogYesPublic registry contract plus Fased review/install client
Wallet RuntimeYesWallet roles, passkey approvals, skill grants
MCP ServersYesExternal tool providers
User DevicesPartialMobile apps, desktop clients and Advanced > Nodes diagnostics

1.3 Coverage Limits

No major Fased runtime surface is intentionally excluded. Coverage depth still varies by area: third-party services, cloud providers, wallets, chains, and model providers are covered at the Fased integration boundary, not as complete audits of those external systems.

2. System Architecture

2.1 Trust Boundaries

┌─────────────────────────────────────────────────────────────────┐
│                    UNTRUSTED ZONE                                │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │
│  │  WhatsApp   │  │  Telegram   │  │   Discord   │  ...         │
│  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘              │
│         │                │                │                      │
└─────────┼────────────────┼────────────────┼──────────────────────┘
          │                │                │
          ▼                ▼                ▼
┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 1: Channel Access                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                      GATEWAY                              │   │
│  │  • Device Pairing (30s grace period)                      │   │
│  │  • AllowFrom / AllowList validation                       │   │
│  │  • Token/Password/Tailscale auth                          │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 2: Session Isolation              │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                   AGENT SESSIONS                          │   │
│  │  • Session key = agent:channel:peer                       │   │
│  │  • Tool policies per agent                                │   │
│  │  • Agent-scoped skill allowlists                          │   │
│  │  • Transcript logging                                     │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 3: Tool Execution                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                  EXECUTION SANDBOX                        │   │
│  │  • Docker sandbox OR Host (exec-approvals)                │   │
│  │  • Agent > Tools allow/deny policy                        │   │
│  │  • Node remote execution                                  │   │
│  │  • SSRF protection (DNS pinning + IP blocking)            │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 4: External Content               │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │              FETCHED URLs / EMAILS / WEBHOOKS             │   │
│  │  • External content wrapping (XML tags)                   │   │
│  │  • Security notice injection                              │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 5: Supply Chain                   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                  PLUGIN CATALOG                           │   │
│  │  • Skill publishing (semver, SKILL.md required)           │   │
│  │  • Pattern-based moderation flags                         │   │
│  │  • Review before install                                  │   │
│  │  • Dependency install remains separate from Agent access   │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                 TRUST BOUNDARY 6: Wallet Authority               │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                      WALLETS                              │   │
│  │  • Role-separated wallets (agent/mining/vault)            │   │
│  │  • Passkey approvals and caps                             │   │
│  │  • Wallet > Skill Grants for reviewed skills only         │   │
│  │  • Mining wallet reserved for SAT mining runtime          │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘

2.2 Data Flows

FlowSourceDestinationDataProtection
F1ChannelGatewayUser messagesTLS, AllowFrom
F2GatewayAgentRouted messagesSession isolation
F3AgentToolsTool invocationsPolicy enforcement
F4AgentExternalweb_fetch requestsSSRF blocking
F5CatalogAgentSkill filesReview, moderation, path checks
F6AgentChannelResponsesOutput filtering
F7AgentWalletWallet actionsRole policy, caps, approval gates, skill grants

3. Threat Analysis by ATLAS Tactic

3.1 Reconnaissance (AML.TA0002)

T-RECON-001: Agent Endpoint Discovery

AttributeValue
ATLAS IDAML.T0006 - Active Scanning
DescriptionAttacker scans for exposed Fased gateway endpoints
Attack VectorNetwork scanning, shodan queries, DNS enumeration
Affected ComponentsGateway, exposed API endpoints
Current MitigationsTailscale auth option, bind to loopback by default
Residual RiskMedium - Public gateways discoverable
RecommendationsDocument secure deployment, add rate limiting on discovery endpoints

T-RECON-002: Channel Integration Probing

AttributeValue
ATLAS IDAML.T0006 - Active Scanning
DescriptionAttacker probes messaging channels to identify AI-managed accounts
Attack VectorSending test messages, observing response patterns
Affected ComponentsAll channel integrations
Current MitigationsNone specific
Residual RiskLow - Limited value from discovery alone
RecommendationsConsider response timing randomization

3.2 Initial Access (AML.TA0004)

T-ACCESS-001: Pairing Code Interception

AttributeValue
ATLAS IDAML.T0040 - AI Model Inference API Access
DescriptionAttacker intercepts pairing code during 30s grace period
Attack VectorShoulder surfing, network sniffing, social engineering
Affected ComponentsDevice pairing system
Current Mitigations30s expiry, codes sent via existing channel
Residual RiskMedium - Grace period exploitable
RecommendationsReduce grace period, add confirmation step

T-ACCESS-002: AllowFrom Spoofing

AttributeValue
ATLAS IDAML.T0040 - AI Model Inference API Access
DescriptionAttacker spoofs allowed sender identity in channel
Attack VectorDepends on channel - phone number spoofing, username impersonation
Affected ComponentsAllowFrom validation per channel
Current MitigationsChannel-specific identity verification
Residual RiskMedium - Some channels vulnerable to spoofing
RecommendationsDocument channel-specific risks, add cryptographic verification where possible

T-ACCESS-003: Token Theft

AttributeValue
ATLAS IDAML.T0040 - AI Model Inference API Access
DescriptionAttacker steals authentication tokens from config files
Attack VectorMalware, unauthorized device access, config backup exposure
Affected Components~/.fased/credentials/, config storage
Current MitigationsFile permissions
Residual RiskHigh - Tokens stored in plaintext
RecommendationsImplement token encryption at rest, add token rotation

3.3 Execution (AML.TA0005)

T-EXEC-001: Direct Prompt Injection

AttributeValue
ATLAS IDAML.T0051.000 - LLM Prompt Injection: Direct
DescriptionAttacker sends crafted prompts to manipulate agent behavior
Attack VectorChannel messages containing adversarial instructions
Affected ComponentsAgent LLM, all input surfaces
Current MitigationsPattern detection, external content wrapping
Residual RiskCritical - Detection only, no blocking; sophisticated attacks bypass
RecommendationsImplement multi-layer defense, output validation, user confirmation for sensitive actions

T-EXEC-002: Indirect Prompt Injection

AttributeValue
ATLAS IDAML.T0051.001 - LLM Prompt Injection: Indirect
DescriptionAttacker embeds malicious instructions in fetched content
Attack VectorMalicious URLs, poisoned emails, compromised webhooks
Affected Componentsweb_fetch, email ingestion, external data sources
Current MitigationsContent wrapping with XML tags and security notice
Residual RiskHigh - LLM may ignore wrapper instructions
RecommendationsImplement content sanitization, separate execution contexts

T-EXEC-003: Tool Argument Injection

AttributeValue
ATLAS IDAML.T0051.000 - LLM Prompt Injection: Direct
DescriptionAttacker manipulates tool arguments through prompt injection
Attack VectorCrafted prompts that influence tool parameter values
Affected ComponentsAll tool invocations
Current MitigationsExec approvals for dangerous commands
Residual RiskHigh - Relies on user judgment
RecommendationsImplement argument validation, parameterized tool calls

T-EXEC-004: Exec Approval Bypass

AttributeValue
ATLAS IDAML.T0043 - Craft Adversarial Data
DescriptionAttacker crafts commands that bypass approval allowlist
Attack VectorCommand obfuscation, alias exploitation, path manipulation
Affected Componentsexec-approvals.ts, command allowlist
Current MitigationsAllowlist + ask mode
Residual RiskHigh - No command sanitization
RecommendationsImplement command normalization, expand blocklist

3.4 Persistence (AML.TA0006)

T-PERSIST-001: Malicious Skill Installation

AttributeValue
ATLAS IDAML.T0010.001 - Supply Chain Compromise: AI Software
DescriptionAttacker publishes malicious skill to the plugin catalog
Attack VectorCreate account, publish skill with hidden malicious code
Affected ComponentsPlugin catalog, skill loading, agent execution
Current MitigationsRegistry moderation where available, Fased install review, path/layout checks, required SKILL.md, Agent allowlist separate from install
Residual RiskHigh - Skills can still steer tool use and dependency installers may introduce supply-chain risk
RecommendationsPackage integrity/pinning, stronger external package trust warnings, skill sandboxing, community review

T-PERSIST-002: Skill Update Poisoning

AttributeValue
ATLAS IDAML.T0010.001 - Supply Chain Compromise: AI Software
DescriptionAttacker compromises popular skill and pushes malicious update
Attack VectorAccount compromise, social engineering of skill owner
Affected ComponentsPlugin catalog versioning, auto-update flows
Current MitigationsVersion fingerprinting, update-risk review before replacing installed content
Residual RiskMedium - Updates can still add dangerous instructions or dependencies
RecommendationsImplement update signing, rollback capability, version pinning

T-PERSIST-003: Agent Configuration Tampering

AttributeValue
ATLAS IDAML.T0010.002 - Supply Chain Compromise: Data
DescriptionAttacker modifies agent configuration to persist access
Attack VectorConfig file modification, settings injection
Affected ComponentsAgent config, tool policies
Current MitigationsFile permissions
Residual RiskMedium - Requires local access
RecommendationsConfig integrity verification, audit logging for config changes

3.5 Defense Evasion (AML.TA0007)

T-EVADE-001: Moderation Pattern Bypass

AttributeValue
ATLAS IDAML.T0043 - Craft Adversarial Data
DescriptionAttacker crafts skill content to evade moderation patterns
Attack VectorUnicode homoglyphs, encoding tricks, dynamic loading
Affected ComponentsPlugin registry moderation and Fased skill/archive scanner
Current MitigationsRegistry moderation plus Fased archive and permission review
Residual RiskHigh - Simple regex easily bypassed
RecommendationsAdd behavioral analysis (VirusTotal Code Insight), AST-based detection

T-EVADE-002: Content Wrapper Escape

AttributeValue
ATLAS IDAML.T0043 - Craft Adversarial Data
DescriptionAttacker crafts content that escapes XML wrapper context
Attack VectorTag manipulation, context confusion, instruction override
Affected ComponentsExternal content wrapping
Current MitigationsXML tags + security notice
Residual RiskMedium - Novel escapes discovered regularly
RecommendationsMultiple wrapper layers, output-side validation

3.6 Discovery (AML.TA0008)

T-DISC-001: Tool Enumeration

AttributeValue
ATLAS IDAML.T0040 - AI Model Inference API Access
DescriptionAttacker enumerates available tools through prompting
Attack Vector”What tools do you have?” style queries
Affected ComponentsAgent tool registry
Current MitigationsNone specific
Residual RiskLow - Tools generally documented
RecommendationsConsider tool visibility controls

T-DISC-002: Session Data Extraction

AttributeValue
ATLAS IDAML.T0040 - AI Model Inference API Access
DescriptionAttacker extracts sensitive data from session context
Attack Vector”What did we discuss?” queries, context probing
Affected ComponentsSession transcripts, context window
Current MitigationsSession isolation per sender
Residual RiskMedium - Within-session data accessible
RecommendationsImplement sensitive data redaction in context

3.7 Collection & Exfiltration (AML.TA0009, AML.TA0010)

T-EXFIL-001: Data Theft via web_fetch

AttributeValue
ATLAS IDAML.T0009 - Collection
DescriptionAttacker exfiltrates data by instructing agent to send to external URL
Attack VectorPrompt injection causing agent to POST data to attacker server
Affected Componentsweb_fetch tool
Current MitigationsSSRF blocking for internal networks
Residual RiskHigh - External URLs permitted
RecommendationsImplement URL allowlisting, data classification awareness

T-EXFIL-002: Unauthorized Message Sending

AttributeValue
ATLAS IDAML.T0009 - Collection
DescriptionAttacker causes agent to send messages containing sensitive data
Attack VectorPrompt injection causing agent to message attacker
Affected ComponentsMessage tool, channel integrations
Current MitigationsOutbound messaging gating
Residual RiskMedium - Gating may be bypassed
RecommendationsRequire explicit confirmation for new recipients

T-EXFIL-003: Credential Harvesting

AttributeValue
ATLAS IDAML.T0009 - Collection
DescriptionMalicious skill harvests credentials from agent context
Attack VectorSkill code reads environment variables, config files
Affected ComponentsSkill execution environment
Current MitigationsSkill install/config is separate from Agent access; service credentials belong in Services/skill config; wallet and mining grants are separate
Residual RiskHigh - A malicious allowed skill can still influence the Agent to reveal or misuse available context/tools
RecommendationsSkill sandboxing, credential isolation, stronger secret redaction and review warnings

3.8 Impact (AML.TA0011)

T-IMPACT-001: Unauthorized Command Execution

AttributeValue
ATLAS IDAML.T0031 - Erode AI Model Integrity
DescriptionAttacker executes arbitrary commands on user system
Attack VectorPrompt injection combined with exec approval bypass
Affected ComponentsBash tool, command execution
Current MitigationsExec approvals, Docker sandbox option
Residual RiskCritical - Host execution without sandbox
RecommendationsDefault to sandbox, improve approval UX

T-IMPACT-002: Resource Exhaustion (DoS)

AttributeValue
ATLAS IDAML.T0031 - Erode AI Model Integrity
DescriptionAttacker exhausts API credits or compute resources
Attack VectorAutomated message flooding, expensive tool calls
Affected ComponentsGateway, agent sessions, API provider
Current MitigationsGateway auth rate limits, task run budgets, provider cooldown/failover, and channel/provider backoff where implemented
Residual RiskHigh - public or high-volume channels can still exhaust account/API/provider resources if policy is too loose
RecommendationsExpand per-sender limits, cost budgets, and operator alerts for public/high-volume routes

T-IMPACT-003: Reputation Damage

AttributeValue
ATLAS IDAML.T0031 - Erode AI Model Integrity
DescriptionAttacker causes agent to send harmful/offensive content
Attack VectorPrompt injection causing inappropriate responses
Affected ComponentsOutput generation, channel messaging
Current MitigationsLLM provider content policies
Residual RiskMedium - Provider filters imperfect
RecommendationsOutput filtering layer, user controls

T-IMPACT-004: Unauthorized Wallet Or Mining Action

AttributeValue
ATLAS IDAML.T0031 - Erode AI Model Integrity
DescriptionAttacker causes an Agent or skill to spend funds, change wallet policy, or start mining
Attack VectorPrompt injection, malicious skill instructions, overbroad tool/wallet grants
Affected ComponentsWallet runtime, SAT mining runtime, Agent tool policy, Skill Grants
Current MitigationsRole-separated wallets, caps, passkey/approval gates, explicit Wallet > Skill Grants, mining wallet not available to generic skills
Residual RiskHigh - User can still over-grant or approve a malicious action
RecommendationsStronger policy simulation, clearer approval diffs, hardware wallet support where possible

4. Plugin Supply Chain Analysis

4.1 Current Security Controls

Fased has two different control layers:
  • Plugin registry controls: public publishing, search, versioning, reporting, moderation, and registry metadata.
  • Fased install controls: the code in this repo that reviews downloaded archives before copying skill files into an Agent workspace or shared skill library.
ControlImplementationEffectiveness
Trusted registry originFased install path records and checks the configured registry origin.Medium - Prevents silent origin drift
Archive extraction safetyInstall flow rejects traversal, symlink, oversized, VCS, dependency, and binary-style archive risks.High - Prevents common filesystem and archive attacks
Required SKILL.mdsrc/agents/skills-marketplace-policy.ts rejects archives without a conventional SKILL.md.Medium - Ensures the install has a reviewable skill contract
Permission inspectioninspectSkillMarketplaceManifest() records requested wallet, tool, and install metadata.Medium - Makes risky asks visible before grant
Dependency trust summarysummarizeSkillInstallTrust() flags unpinned npm/go/uv/brew/download installers.Medium - Shows package-manager trust and integrity gaps
Archive/content scanningsrc/security/skill-scanner.ts and plugin artifact review surface suspicious files/patterns.Medium - Useful guardrail, not a proof of safety
Install ReviewAgent Skills / plugin review flow shows source, warnings, permissions, and dependency plan.Medium - Makes source, warnings, and dependencies visible before install
Grant SeparationAgent Skills / Tools / Wallet Skill GrantsHigh - Install does not grant Agent, tool, wallet, mining, or vault access
Dependency VerificationInstaller result plus requirement checkMedium - Command success is not enough; required binaries must be visible to gateway PATH
Agent-scoped skill accessAgent Skills stores allow/deny policy for the selected Agent.High - A skill installed for one Agent is not automatically policy-approved everywhere
Wallet role restrictionSkill install policy only permits agent wallet role requests.High - Generic skills cannot request mining or vault wallet roles

4.2 Moderation Flag Patterns

Registry moderation can use denylist and suspicious-pattern checks, but Fased must not rely on those checks alone. The Fased client-side review path uses archive scanning, permission extraction, install-plan review, and post-install dependency verification even when the registry says a skill is visible. Examples of suspicious patterns a registry or local scanner should treat as review pressure: 
/(malware|stealer|phish|phishing|keylogger)/i
/(api[-_ ]?key|token|password|private key|secret)/i
/(wallet|seed phrase|mnemonic|crypto)/i
/(discord\.gg|webhook|hooks\.slack)/i
/(curl[^\n]+\|\s*(sh|bash))/i
/(bit\.ly|tinyurl\.com|t\.co|goo\.gl|is\.gd)/i
Limitations:
  • Pattern checks can miss obfuscated or indirect behavior
  • Text-only skill instructions can still steer an Agent toward unsafe tool use
  • Simple regex easily bypassed with obfuscation
  • No local behavioral analysis proof exists today
  • Dependency installers still rely on external package ecosystems unless pinned and reviewed

4.3 Planned Improvements

ImprovementStatusImpact
Package integrity/pinning UXRecommended next hardeningHigh - Reduces dependency installer ambiguity
Stronger archive diff reviewRecommended next hardeningMedium - Makes updates easier to audit
Community reporting sync in Fased UIFuture registry workMedium - Brings registry trust signals into UI
Runtime sandbox for skills/toolsFuture runtime workHigh - Reduces blast radius after Agent approval

5. Risk Matrix

5.1 Likelihood vs Impact

Threat IDLikelihoodImpactRisk LevelPriority
T-EXEC-001HighCriticalCriticalP0
T-PERSIST-001MediumCriticalHighP1
T-EXFIL-003MediumCriticalHighP1
T-IMPACT-004MediumCriticalHighP1
T-IMPACT-001MediumCriticalHighP1
T-EXEC-002HighHighHighP1
T-EXEC-004MediumHighHighP1
T-ACCESS-003MediumHighHighP1
T-EXFIL-001MediumHighHighP1
T-IMPACT-002HighMediumHighP1
T-EVADE-001HighMediumMediumP2
T-ACCESS-001LowHighMediumP2
T-ACCESS-002LowHighMediumP2
T-PERSIST-002LowHighMediumP2

5.2 Critical Path Attack Chains

Attack Chain 1: Skill-Based Data Theft 
T-PERSIST-001 → T-EVADE-001 → T-EXFIL-003
(Publish malicious skill) → (Evade moderation) → (Harvest credentials)
Attack Chain 1b: Skill-Based Wallet Abuse 
T-PERSIST-001 → T-EXEC-001 → T-IMPACT-004
(Install malicious skill) → (Steer Agent behavior) → (Over-granted wallet/mining action)
Attack Chain 2: Prompt Injection to RCE 
T-EXEC-001 → T-EXEC-004 → T-IMPACT-001
(Inject prompt) → (Bypass exec approval) → (Execute commands)
Attack Chain 3: Indirect Injection via Fetched Content 
T-EXEC-002 → T-EXFIL-001 → External exfiltration
(Poison URL content) → (Agent fetches & follows instructions) → (Data sent to attacker)

6. Recommendations Summary

6.1 Immediate (P0)

IDRecommendationAddresses
R-001Package integrity/pinning for dependency installersT-PERSIST-001, T-PERSIST-002
R-002Implement skill sandboxingT-PERSIST-001, T-EXFIL-003
R-003Add output validation for sensitive actionsT-EXEC-001, T-EXEC-002

6.2 Short-term (P1)

IDRecommendationAddresses
R-004Expand rate limiting, cost budgets, and operator alertsT-IMPACT-002
R-005Add token encryption at restT-ACCESS-003
R-006Improve exec approval UX and validationT-EXEC-004
R-007Implement URL allowlisting for web_fetchT-EXFIL-001
R-011Improve wallet approval diffs and policy simulationT-IMPACT-004

6.3 Medium-term (P2)

IDRecommendationAddresses
R-008Add cryptographic channel verification where possibleT-ACCESS-002
R-009Implement config integrity verificationT-PERSIST-003
R-010Add update signing and version pinningT-PERSIST-002

7. Appendices

7.1 ATLAS Technique Mapping

ATLAS IDTechnique NameFased Threats
AML.T0006Active ScanningT-RECON-001, T-RECON-002
AML.T0009CollectionT-EXFIL-001, T-EXFIL-002, T-EXFIL-003
AML.T0010.001Supply Chain: AI SoftwareT-PERSIST-001, T-PERSIST-002
AML.T0010.002Supply Chain: DataT-PERSIST-003
AML.T0031Erode AI Model IntegrityT-IMPACT-001, T-IMPACT-002, T-IMPACT-003, T-IMPACT-004
AML.T0040AI Model Inference API AccessT-ACCESS-001, T-ACCESS-002, T-ACCESS-003, T-DISC-001, T-DISC-002
AML.T0043Craft Adversarial DataT-EXEC-004, T-EVADE-001, T-EVADE-002
AML.T0051.000LLM Prompt Injection: DirectT-EXEC-001, T-EXEC-003
AML.T0051.001LLM Prompt Injection: IndirectT-EXEC-002

7.2 Key Security Files

PathPurposeRisk Level
src/infra/exec-approvals.tsCommand approval logicCritical
src/gateway/auth.tsGateway authenticationCritical
src/web/inbound/access-control.tsChannel access controlCritical
src/infra/net/ssrf.tsSSRF protectionCritical
src/security/external-content.tsPrompt injection mitigationCritical
src/agents/sandbox/tool-policy.tsTool policy enforcementCritical
src/security/skill-scanner.tsSkill archive scannerHigh
src/agents/skills-marketplace-policy.tsSkill permission inspectionHigh
src/agents/skills-install-trust.tsDependency trust summaryHigh
src/routing/resolve-route.tsSession isolationMedium
src/wallet/Wallet policy and approvalsCritical
src/mining/SAT mining runtime policyCritical

7.3 Glossary

TermDefinition
ATLASMITRE’s Adversarial Threat Landscape for AI Systems
Plugin catalogFased’s reviewable skill and plugin discovery surface
GatewayFased’s message routing and authentication layer
MCPModel Context Protocol - tool provider interface
Prompt InjectionAttack where malicious instructions are embedded in input
SkillDownloadable extension for Fased agents
Skill GrantExplicit wallet permission granted to a reviewed skill
SSRFServer-Side Request Forgery
This threat model is a living document. For security issues, use the repository policy in SECURITY.md.