The attack happens in the wild first.
A detection standard that only lives in a spec is worth nothing. ATR scanned 96,096 real skills, flagged 1,302 as risky, confirmed 552 as malware, and documented the actors behind them.
The list and the rules are public under MIT — anyone can query, cite, and verify them.
ATR tracks the people who write the attacks, not just the rules that catch them. The three actors below surfaced in a single scan — distributing malicious skills disguised as wallet tools, image generators, and business assistants across public registries. Each profile carries the actual evidence: C2 addresses, archive passwords, naming patterns, the mapped ATLAS technique. What is observed in the wild becomes a detection rule that flows back into the standard.
A 100%-malicious publisher on OpenClaw distributing 354 poisoned skills disguised as cryptocurrency and Google Workspace tools. Uses password-protected archives and paste services to bypass automated scanning.
The most technically direct actor of the three. Ships skills with base64-encoded curl-to-bash payloads that call back to C2 server 91.92.242.30 for arbitrary command execution.
Targets Chinese-speaking developers with business-tool skill disguises. Mixes malicious and benign skills (72% malicious) as a credibility-building and removal-evasion strategy.
The same ruleset proves what is clean. These skills passed the latest ATR 768-rule scan with zero CRITICAL / HIGH findings — one auditable standard that flags the malicious and vouches for the benign.
Every flagged skill lives in one machine-readable blacklist.json — each entry carries the rule it hit and the evidence behind it. Any CI, registry, or agent framework can pull it directly: no signup, no key, no toll.
This list is generated from open ATR ecosystem scans,
built on the MIT-licensed rules.
A flag is a signal, not a verdict —
check the rule it hit and judge for yourself.
Think we got one wrong? Open a GitHub Issue; we review it in the open.
Threat Cloud is an optional reference service operated by the ATR maintainers — not part of the standard. The standard is the spec plus the MIT-licensed rules, fully usable offline via npm / PyPI / raw YAML. Threat Cloud only adds hosted convenience (rule sync, threat submission); the same outcomes are reachable without it.