In June 2026 Palo Alto Networks’ Unit 42 published research on the agent-skill supply chain, introducing Behavioral Integrity Verification (BIV). They statically scanned 49,943 skills on a public registry and found that 80% of skills deviate from their declared behavior, 18.9% of them with adversarial intent.
To us that isn’t news — it’s a second independent dataset landing on a conclusion we had already reached. We scanned 96,096 skills across six public registries: 1,302 flagged, 552 confirmed malicious after manual review, attributed to three coordinated publishers. Two teams, two datasets, two methods, one sentence: the agent-skill supply chain is the attack surface. Nobody is guessing.
BIV and ATR are two different layers
This is worth stating because it decides how you defend. BIV is a verificationframework: it parses which capabilities a skill’s manifest declares, statically infers which capabilities its code actually has, and flags the skill when the two sets diverge. The signal is the declared-vs-actual gap itself, at install time.
ATR is runtime detection content— machine-readable rules that fire on attack patterns in an agent’s inputs, outputs, tool descriptions, skills, and call sequences. So ATR maps onto the observed-behavior halfof BIV’s comparison: for a given capability, ATR answers “is there a rule that fires when this is exercised maliciously?” The two layers are complementary — static verification at install, plus attack detection at runtime.
We mapped their taxonomy in — and it found a hole in ours
We mapped BIV’s 7 capability families and 29 capabilities onto ATR’s rule classes. Along the way, their paper’s canonical credential-exfiltration example — a Python chain that reads a secret with os.environ, encodes it with base64, and ships it with requests.post — we ran against all 748 rules and got zero hits.
The reason is honest: our existing exfil-chain rules (ATR-2026-00201, ATR-2026-00224) key on shell syntax (cat ~/.aws/credentials | base64 | curl) and miss the code-surface (Python/Node) equivalent. So we shipped a language-agnostic rule, ATR-2026-02261, that fires on the ordered, proximate chain of secret-read → encode → outbound send, passing the 65K-sample benign 0-false-positive gate and the generalization gate. It is written from the attack mechanism, not from the report’s prose — the latter is a failure mode that detects the report rather than the attack, which our generalization gate exists to block.
What ATR does not do here
A standard earns trust by drawing its boundary. BIV’s core mechanism — comparing the manifest’s declared capabilities against the code’s actual ones and taking the set difference — is not something ATR does. ATR does not parse a manifest and cannot supply the declared half, so the declared-vs-actual set-difference step is out of its scope. ATR is the runtime detection layer, not the verifier. Run it as one layer, not the only one. The full mapping — 29 capabilities, 4 compound threats, each rated Detection / Partial / Out-of-scope — is here.
Run it
npm install -g agent-threat-rules
npx agent-threat-rules scan .Point it at your skill directory or MCP config. The rules are open and MIT-licensed — read them, test them, send us a variant we miss. That is exactly how ATR-2026-02261 got here: a payload from public research that exposed a real gap.