In late April 2026 the Five Eyes cyber agencies — CISA and NSA in the US, Australia’s ASD-ACSC, Canada’s Cyber Centre, and the UK and New Zealand NCSCs — published Careful Adoption of Agentic AI Services. One line carries the weight of the whole document:
understand dependencies — manage supply chain risk for third-party components, models, tools and integrations.
They were specific about where the risk hides. MCP, the guidance says, “validates tool interfaces rather than inspecting underlying implementations” — your agent trusts external code it has never read.
So we read it. We scanned 96,096 AI agent skills and MCP server definitions across five public registries. 1,302 tripped our detection rules; 552 were confirmed malicious after manual review — credential theft, silent exfiltration, command execution buried in tool descriptions an agent ingests as instructions. Three coordinated publisher accounts shipped most of them.
The guidance asks you to verify third-party components. Agent Threat Rules (ATR) is the open, MIT-licensed rule set that does exactly that — 651 detection rules, running against any skill or MCP manifest in seconds. The agencies named the gap; this fills it.
What the guidance named is what we caught
That malicious set is not theoretical. Many were insecure or compromised MCP servers allowing unauthenticated remote code execution — ATR-2026-00531 (PraisonAI unauthenticated agent API, CVE-2026-44338), ATR-2026-00538 (LangChain-ChatChat MCP RCE, CVE-2026-30617), and ATR-2026-00415 (Flowise MCP injection, CVE-2026-40933) each cover one. The other half is tool-description poisoning — ATR-2026-00161 catches the IMPORTANT-tag cross-tool shadowing attack inside MCP tool descriptions, and ATR-2026-00103 catches instructions hidden in a tool description that tell the LLM to ignore its safety mechanisms.
Be clear about what this is. Pattern detection catches the known shape; it does not read minds. A variant that builds names from char codes, or exfiltrates over DNS, will slip past. Run it as one layer, not the only one — but it is the one layer of the “third-party component verification” the guidance asks for that you can run today.
Run it
npm install -g [email protected]
npx agent-threat-rules scan .Point it at your skill directory or MCP config. If it flags a component you did not write, treat it as untrusted and deal with it before your agent wires it in. The rules are open — read them, test them, send us a variant we miss.