Skill

model-theft

Prevents model theft in LLM inference endpoints via checks for authentication requirements, per-user rate limits, stripped logprobs/embeddings, and extraction pattern monitoring.

REST API

security

api-development

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Prevents unauthorized replication of proprietary models through API abuse. Unauthenticated

SKILL.md

Similar Skills

model-dos

Flags Model DoS vulnerabilities in LLM API handlers like unbounded prompts, missing max_tokens, unbounded context, and no rate limiting. Suggests fixes and verification checklist.

soundcheck

owasp-llm-top10

Audits LLM and GenAI applications for OWASP Top 10 2025 vulnerabilities including prompt injection, data leakage, supply chain risks, and more. Use before deployment, for RAG reviews, or pen testing.

mastepanoski-claude-skills

llm-integration

Integrates local LLMs using llama.cpp and Ollama with secure model loading, inference optimization, prompt handling, and defenses against prompt injection, model theft, and DoS attacks. Ideal for privacy-focused AI inference.

3 files

martinholovsky-claude-skills-generator

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Model Theft (OWASP LLM10:2025)

What this checks

Prevents unauthorized replication of proprietary models through API abuse. Unauthenticated or unthrottled inference endpoints let attackers systematically query a model to reconstruct its weights or distill a clone — stealing the commercial and IP value of the deployment.

Vulnerable patterns

Inference endpoint has no authentication — any client can query freely
Rate limiting applied per IP only, trivially bypassed with rotating proxies
Response includes raw logprobs or full embedding vectors, enabling extraction
No monitoring for systematic/grid-search query patterns that signal extraction attempts

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

Every inference endpoint requires authentication — API key, bearer token, or mTLS. Unauthenticated endpoints are free training data for anyone who wants to clone the model.
Rate limits are keyed on the authenticated principal, not the IP. IP-only throttles are defeated by rotating proxies and residential IP pools; a per-user/per-key quota follows the attacker even as IPs churn.
Extraction-signal fields are stripped from responses. logprobs, full embedding vectors, and per-token probabilities are the primary signals distillation attacks use to reconstruct a model. If a caller doesn't strictly need them, don't return them.
Query patterns are monitored for extraction signatures — high-volume, low-entropy, systematic grid-search probes. Alerts fire on anomalies; the handler records user identity, timestamp, and prompt for after-the-fact investigation.

Anchor — shape, not implementation:

require(valid_api_key(request))                    # authenticated
require(rate_limit.allow(request.user_id))         # per-user, not per-IP
result = model.generate(prompt)
log_query(user_id, prompt, result.tokens)
detect_extraction_pattern(user_id, prompt)         # entropy-based alert
return { text: result.text }                       # no logprobs, no embeddings

Verification

Every inference endpoint requires a valid API key or bearer token
Rate limits are enforced per authenticated user, not per IP address
logprobs, raw embeddings, and weight data are excluded from API responses
Query logs include user identity, timestamp, and either the prompt itself or a stable fingerprint (hash, embedding, or normalized form) sufficient to detect content-pattern anomalies. Logging only metadata (length, token count, request id) without any reconstructable prompt signal does not satisfy this. Choice between raw prompt and fingerprint is a privacy tradeoff — document the decision.

References

CWE-285 (Improper Authorization)
CWE-307 (Improper Restriction of Excessive Authentication Attempts)
OWASP LLM10:2025 Model Theft