Secret Exfiltration

lab 03 · ST-COMBO-EXFIL · LLM02
scenario

DevBot can read files and make HTTP requests, but two controls are active: an egress allowlist (only api.weather.example is permitted) and a DLP filter that blocks any request whose payload contains the raw secret or known keywords.

objective

Read the secret and exfiltrate it past both the allowlist and the DLP filter. Sending it raw is caught — you must encode it in transit (two messages, or one piped command).

How this attack works

The allowlist restricts destinations; the DLP inspects raw payloads. But encoding (base64, hex, URL encoding) changes the bytes without changing the data. The DLP’s regex sees gibberish; the attacker-controlled receiver decodes it.

Why it's dangerous

Naive allowlist + pattern-match DLP is a covert-channel problem, not a security solution. The exfiltration still succeeded — the secret left the boundary; the DLP just missed it. This is exactly the risk SkillTotal flags as ST-COMBO-EXFIL.

OWASP mapping

Maps to OWASP Top 10 for LLM Applications (2025): LLM02: Sensitive Information Disclosure and LLM06: Excessive Agency. SkillTotal flags the data-flow pattern as ST-COMBO-EXFIL (sensitive read co-occurring with network egress).

How to defend

  • Decode-then-scan: DLP must normalize and decode (base64, URL, hex) before pattern matching.
  • Least privilege: never grant both file-read and network-egress to the same agent.
  • Canary tokens: plant fake secrets that alert when exfiltrated, even encoded.
  • Block dynamic destinations entirely; use a fixed, monitored egress proxy.
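A minimal decode-then-scan filter for the first defence above, written here as an added example (not SkillTotal's code or the lab's DLP): it runs the same pattern match over every URL-, base64- and hex-decoded layer of a payload, so the encoded requests that slip past the naive scanner are caught. The secret, keyword list and sample payloads are constructed for the demo.

```python
import base64
import re
from urllib.parse import unquote

# Constructed demo values (not from the lab): the secret DevBot can read and the
# keywords the pattern-match DLP is assumed to look for.
SECRET = "sk-demo-EXAMPLE-0123456789"
KEYWORDS = ("secret", "password", "api_key")
_DECODERS = (  # (regex for candidate substrings, decoder); URL decoding is separate
    (re.compile(r"[A-Za-z0-9+/]{16,}={0,2}"),
     lambda s: base64.b64decode(s + "=" * (-len(s) % 4), validate=True)),
    (re.compile(r"(?:[0-9a-fA-F]{2}){8,}"), bytes.fromhex),
)

def naive_dlp_blocks(payload: str) -> bool:
    """The lab's DLP: looks for the raw secret or keywords in the raw payload only."""
    low = payload.lower()
    return SECRET.lower() in low or any(k in low for k in KEYWORDS)

def _decode_layers(text: str) -> set[str]:
    """Every URL, base64 or hex decoding of text that yields printable UTF-8."""
    found = {unquote(text)}
    for pattern, decode in _DECODERS:
        for m in pattern.finditer(text):
            try:
                found.add(decode(m.group(0)).decode())
            except ValueError:  # bad base64 padding/alphabet, odd hex, non-UTF-8
                pass
    return {s for s in found if s != text and s.isprintable()}

def normalize(payload: str, max_depth: int = 3) -> set[str]:
    """Decode nested encodings up to max_depth, keeping every intermediate layer."""
    seen = frontier = {payload}
    for _ in range(max_depth):
        frontier = {d for t in frontier for d in _decode_layers(t)} - seen
        seen = seen | frontier
    return seen

def decode_then_scan_blocks(payload: str) -> bool:
    """Decode-then-scan DLP: the same pattern match, run over every decoded layer."""
    return any(naive_dlp_blocks(layer) for layer in normalize(payload))

# Constructed requests to the allowlisted host with the secret encoded in transit.
_B64 = base64.b64encode(SECRET.encode()).decode()
SAMPLE_PAYLOADS = {
    "raw": f"city={SECRET}",
    "base64": f"city={_B64}",
    "hex": f"city={SECRET.encode().hex()}",
    "url+base64": "city=" + "".join(f"%{b:02X}" for b in _B64.encode()),  # 2 layers
}
```

max_depth bounds how many nested layers are unwrapped, so a payload encoded deeper than that still passes; that residual gap is why the page pairs this control with least privilege and canary tokens.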

SkillTotal catches this class of issue deterministically (rule ST-COMBO-EXFIL).

FAQ

What is a covert channel?
A communication path that bypasses security controls by using an allowed mechanism in an unintended way — here, encoding the secret so it transits the DLP check as benign-looking data.
How does SkillTotal detect this?
ST-COMBO-EXFIL fires when a sensitive-data read and network egress co-occur in the same component, flagging the data-flow risk regardless of encoding.