Three tool calls.
One exfiltration.
Each action passes every authorization check. But the sequence triggers AgentLair's behavioral trust engine. Step through it yourself.
Based on the MCP action chaining attack documented in our blog.
Agent is operating normally.
Trust score: 0.78 (ATF Senior).
Trust engine signal
Agent has 90-day baseline. JSD stable at 0.02. Scope utilization 0.41. No anomalies.
Jensen-Shannon divergence between 7-day and 90-day tool category distributions. A JSD spike above 0.20 signals behavioral drift from baseline.
Scope utilization with Gaussian penalty at extremes, plus escalation appropriateness. Agents that use everything available without asking are flagged.
Payload size percentiles against 90-day baseline. Chain integrity analysis: read→transform→exfil within one session window is a known exfiltration signature.
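The drift signal described above, as an added example (not AgentLair's code): it computes the Jensen-Shannon divergence between a 7-day and a 90-day tool-category distribution and applies the 0.20 threshold quoted on the page. The base-2 logarithm, the category labels and the sample call counts are assumptions constructed for illustration.

```python
import math
from collections import Counter

DRIFT_THRESHOLD = 0.20  # spike level quoted on the page


def distribution(calls, categories):
    """Turn a list of tool-category labels into a probability vector."""
    counts = Counter(calls)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("empty window: no tool calls to compare")
    return [counts[c] / total for c in categories]


def kl(p, m):
    """KL(p || m) in bits; terms with p_i == 0 contribute nothing."""
    return sum(pi * math.log2(pi / mi) for pi, mi in zip(p, m) if pi > 0)


def jsd(recent_calls, baseline_calls):
    """Jensen-Shannon divergence (base 2 assumed, range 0..1)."""
    # Use the union of categories so a tool type seen in only one
    # window counts as probability 0 in the other instead of vanishing.
    categories = sorted(set(recent_calls) | set(baseline_calls))
    p = distribution(recent_calls, categories)
    q = distribution(baseline_calls, categories)
    m = [(pi + qi) / 2 for pi, qi in zip(p, q)]
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


def drifted(recent_calls, baseline_calls, threshold=DRIFT_THRESHOLD):
    """True when the recent window has diverged from the baseline."""
    return jsd(recent_calls, baseline_calls) > threshold


# Constructed sample data; the category labels are hypothetical.
BASELINE_90D = ["read"] * 600 + ["search"] * 250 + ["write"] * 120 + ["network"] * 30
STABLE_7D = ["read"] * 58 + ["search"] * 27 + ["write"] * 12 + ["network"] * 3
SHIFTED_7D = ["read"] * 30 + ["transform"] * 25 + ["network"] * 45

if __name__ == "__main__":
    for name, window in (("stable", STABLE_7D), ("shifted", SHIFTED_7D)):
        score = jsd(window, BASELINE_90D)
        print(f"{name}: JSD={score:.3f} drifted={score > DRIFT_THRESHOLD}")
```

The mixture distribution `m` is what keeps the score finite when the recent window contains a category the baseline has never seen, which is the case a plain KL divergence cannot handle.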