Skip to content
Changelog

Every release.
On the record.

Generated from CHANGELOG.md at build time. Rule IDs are permanent once published. rule_version may bump; the ID stays stable. Full commit history is on GitHub.

View full release history on GitHub →

v2.0.0

2026-04-15
BREAKING
  • Compound detection gate: MCP rules now require 30%+ conditions to match in skill context. This prevents over-triggering when MCP-specific patterns appear in legitimate SKILL.md documentation.
  • Code block suppression: Skill rules no longer suppress matches inside code blocks (they are instructions, not documentation examples).
  • All fields resolve to content in skill context: tool_description, tool_args, user_input all map to the full skill content for static analysis.
Added
  • 26 new rules (87 to 113 total, 9 categories): - ATR-2026-00149: Compound exfiltration (12 patterns: SSH archive, wallet, browser, DNS, IMDS) - ATR-2026-00158/159/160: TC-crystallized rules (first rules generated end-to-end by Threat Cloud) - ATR-2026-00161: Cross-tool shadowing via IMPORTANT tag (from Invariant Labs PoC) - ATR-2026-00162: Credential exfil combo - ATR-2026-00163: Hidden override instructions - ATR-2026-00164: Scope hijack - Plus 19 more across prompt-injection, tool-poisoning, and data-exfiltration categories
  • RFC-001 v1.1 (ATR Quality Standard): - Two-Dimensional Compliance Model (metadata presence + provenance) - L0-L5 Review Tier Levels (first standard to include LLM-assisted review as formal tier) - Community Signal Aggregation (confirmations, FP reports, evasion reports) - Multi-Runtime Compatibility (14 runtimes: Claude Code, Cursor, Hermes, OpenAI Assistants, Google A2A, etc.) - Relaxed experimental gate (3/3/0) for community velocity; stable tier retains full 5/5/3 - Future Work: RFC-002 (Detection Types), RFC-003 (Collective Defense), RFC-004 (Enterprise)
  • GOVERNANCE.md v1.1: - Permanent MIT license commitment (never BSL/SSPL) - MITRE ATLAS positioning: ATR = detection rules complement to ATLAS (like Sigma to ATT&CK) - ATR Numbering Authority specification - Technical Advisory Group roadmap
  • 96,096 real-world skills scanned (OpenClaw 56K + Skills.sh 3K + Hermes 123 + ClawHub 36K + MCP Registry 5K) - 751 malware skills discovered (hightower6eu 354, sakaen736jih 212, 52yuanchangxing 137) - Research report: docs/research/openclaw-malware-campaign-2026-04.md - NousResearch notified (hermes-agent#9809)
  • Threat Cloud blacklist: 554 entries uploaded from wild scan
  • 4 export formats: SARIF v2.1.0, Splunk SPL, Elasticsearch DSL, generic regex (714 portable patterns)
  • Exponential backoff for npm registry crawl (fixes Daily Ecosystem Scan rate limiting)
Changed
  • Engine: compound gate for context-aware matching
  • Confidence formula: cross-context penalty (0.7x) for rules firing outside their tested runtime
  • SKILL.md denylist reduced from 22 to 10 rules (re-enabled low-FP rules for better coverage)
Metrics
  • 113 rules (7 stable, 85 experimental, 21 draft)
  • 361 tests passing
  • SKILL.md benchmark (498 corpus): 100% recall, 97% precision, 0.20% FP rate
  • MCP benchmark (PINT 850): 62.7% recall, 99.6% precision
  • Wild scan (96K): 1.35% flag rate, 751 confirmed malware
  • OWASP Agentic Top 10: 10/10 coverage
  • MITRE ATLAS: 100/113 rules mapped
  • SAFE-MCP: 91.8% technique coverage
  • Avg scan latency: 14ms per file
Ecosystem
  • Cisco AI Defense: 34 ATR rules shipped in production (PR #79 merged)
  • OWASP: Attack examples contributed (PR #814 merged)
  • NousResearch: Malware campaign reported (hermes-agent#9809)

v1.0.0

2026-04-06
BREAKING
  • Rule IDs: 3-digit → 5-digit (ATR-2026-001ATR-2026-00001). Zero-padded, detection logic unchanged.
Added
  • ATR-SPEC-v1.md — Formal rule format specification. Third parties can build conforming engines in any language.
  • GOVERNANCE.md — Contribution process, quality gates, severity rubric.
  • `scan_target` metadata — Every rule declares mcp or skill. Engines filter by scan context.
  • `rule_version` field — All rules carry version number. Bump on detection logic changes.
  • Unified CLIatr scan auto-detects JSON (MCP) vs .md (SKILL.md).
  • `ScanResult` type — Unified output with scan_type, content_hash (SHA-256).
  • MCP server `atr_scan_skill` tool — 7 tools total.
  • 6 new skill rules: context poisoning (00125), rug pull setup (00126), subcommand overflow (00127), HTML comment hidden payload (00128), unicode smuggling (00129), exfil URL in instructions (00135).
Metrics
  • 87 rules (75 MCP + 12 skill)
  • 53,399 real-world skills scanned (skills.sh + OpenClaw)
  • 670 confirmed malicious skills detected
  • SKILL.md recall: 94.4%, FP rate: 0.096%
  • MCP recall: 62.7% (PINT 850, unchanged)

v0.3.0

2026-03-18
Added
  • Evaluation framework (src/eval/): - npm run eval: 341-sample corpus (321 attacks + 20 benign), 9 attack categories - npm run eval:pint: 850-sample external PINT benchmark - Per-rule quality metrics (TP/FP/matchCount per rule) - Confusion matrix, precision/recall/F1, latency percentiles - Regression gate (auto-fail on metric degradation) - JSON report output (data/eval-report.json)
  • CI gate (.github/workflows/eval.yml): typecheck + test + eval + validate on PR
  • 279 auto-extracted corpus samples from rule test_cases
  • 8 new detection layers in ATR-2026-001: - forget-everything shorthand, task switching, system prompt extraction, - praise-then-redirect, German formal/informal, French injection patterns
  • PINT benchmark integration (deepset/prompt-injections + Lakera gandalf datasets)
Changed
  • Embedding similarity threshold: 0.82 -> 0.65 (10 extra TP, 0 extra FP on PINT)
  • Test count: 225 -> 246 (+21 eval framework tests)
Fixed
  • shadow-evaluator.ts type error (TS2352)
  • Removed external product references from ATR-FRAMEWORK-SPEC.md
  • Added temp file patterns to .gitignore
Benchmark Results (honest numbers)
  • Self-corpus (341 samples): Precision 100%, Recall 99.4%, F1 99.5%
  • PINT external (850 samples): Precision 99.4%, Recall 39.9%, F1 57.0%
  • Only 6/61 rules fire on external attacks
  • See LIMITATIONS.md for full analysis

v0.2.3

2026-03-16
Added
  • 9 new rules from Threat Cloud community promotion (ATR-2026-100~108): consent bypass, trust escalation, disguised analytics exfiltration, hidden safety bypass, persona hijacking, silent action concealment, schema-description contradiction, delayed execution bypass, Sybil attack
  • Python engine (pyATR) v0.2.0: validate, test, stats CLI commands, 48 tests
  • Splunk SPL converter (atr convert splunk)
  • Elastic Query DSL converter (atr convert elastic)
  • Layer 3 LLM-as-judge prompt templates (docs/layer3-prompt-templates.md)
  • Automated scan pipeline (scripts/auto-scan-pipeline.sh)
  • Deployment guide for external teams (docs/deployment-guide.md)
  • MCP ecosystem security audit report: 1,295 packages, 14,299 tools
  • npm crawler with pagination (795 → 2,769 discoverable packages)
Fixed
  • CLI test runner: handle tool_description field, fix event type mapping
  • All 61 rules pass embedded test cases (556/556, 100%)
  • CJK test cases moved to evasion_tests (honest: regex can't match them)
  • Removed all external product references for ATR independence
  • Fixed pyATR URLs pointing to wrong GitHub org
Stats
  • 61 rules (44 experimental + 17 draft)
  • 556 test cases (100% pass rate)
  • 164 TypeScript tests + 48 Python tests = 212 engine tests
  • 12 SIEM converter tests

v0.2.2

2026-03-14
Fixed
  • ReDoS vulnerability in SSRF rule (ATR-2026-013) — O(n^2) backtracking on long hostnames
  • SSRF rule false positive on filesystem paths like /home/user/
  • tool_args field extraction fallback for tool_call events
Added
  • True negatives for 21 rules with insufficient test coverage (7 had zero, 14 had only 1)
  • Vitest coverage reporting with v8 provider (60%+ threshold on core modules)

v0.2.1

2026-03-10
Changed
  • Standardized 17 predicted rule IDs (ATR-PRED → ATR-2026-080~096)
  • Fixed rule validator for skill-compromise category
  • Toned down coverage claims to reflect actual verification status

v0.1.0-rc2

2026-03-09
Added
  • 32 initial experimental detection rules across 9 attack categories
  • TypeScript reference engine with SessionTracker
  • OWASP Top 10 for Agentic Applications (2026) mapping (6 covered, 2 partial, 2 gaps)
  • 13 CVE reference mappings across 16 rules (pattern-based, not empirically verified)
  • OWASP LLM Top 10 (2025) mapping (7 covered, 3 gaps)
  • MITRE ATLAS technique references
  • JSON Schema specification (spec/atr-schema.yaml)
  • Built-in true positive and true negative test cases for every rule
  • Attack corpus validation tests
  • Coverage report (COVERAGE.md)
Attack Categories
  • Prompt Injection (5 rules)
  • Tool Poisoning (4 rules)
  • Context Exfiltration (3 rules)
  • Agent Manipulation (3 rules)
  • Privilege Escalation (2 rules)
  • Excessive Autonomy (2 rules)
  • Skill Compromise (7 rules)
  • Data Poisoning (1 rule)
  • Model Security (2 rules)