detectors: add Agent Threat Rules

[eeee2345]

Summary

Adds ATR (Agent Threat Rules) detectors for AI agent-specific threats not covered by garak's existing injection/jailbreak detectors. Focuses on MCP tool poisoning, skill compromise, context exfiltration, and excessive autonomy.

What's included

Two files:

• garak/detectors/atr.py -- 9 detector classes + rule sync + rule generation utilities
• garak/detectors/atr_rules.json -- 714 regex patterns from 108 ATR rules (bundled, no runtime dependency)

9 detector classes:

Detector	ATR Category	Patterns	Catches
atr.AgentThreats	all 9	714	Comprehensive scan
atr.PromptInjection	prompt-injection	198	Instruction overrides, persona hijacking
atr.ToolPoisoning	tool-poisoning	64	Hidden instructions in tool descriptions
atr.CredentialExfiltration	context-exfiltration	102	API keys, private keys, DB URLs
atr.PrivilegeEscalation	privilege-escalation	68	Shell commands, permission changes
atr.SkillCompromise	skill-compromise	148	Typosquatting, rug pulls, impersonation
atr.ExcessiveAutonomy	excessive-autonomy	42	Retry loops, resource exhaustion
atr.AgentManipulation	agent-manipulation	56	Cross-agent attacks, trust exploitation
atr.DataPoisoning	data-poisoning	36	Poisoned content, injected instructions

Two utility functions:

• sync_rules_from_github() -- pull latest ATR rules (requires git + PyYAML, optional)
• generate_rule_from_probe() -- generate ATR rule drafts from successful garak probe outputs (red team -> blue team feedback loop)

Why this belongs in garak

garak's existing detectors cover LLM-level threats (jailbreaks, known-bad signatures, encoding tricks). ATR covers agent-level threats specific to the MCP/tool-use ecosystem:

• Tool descriptions with hidden exfiltration instructions
• Skill impersonation via typosquatted tool names
• Rug pull attacks (tools that change behavior after trust is established)
• Cross-agent manipulation in multi-agent systems

These are not redundant with existing garak detectors -- they scan for a different attack surface.

Provenance

ATR rules are MIT-licensed, community-driven, and adopted by Cisco AI Defense (34 rules merged into their official skill-scanner). The bundled JSON is a static snapshot; sync_rules_from_github() enables updates without waiting for garak releases.

Source: https://github.com/Agent-Threat-Rule/agent-threat-rules

Usage

# Use as detector in garak config
detectors:
  - atr.PromptInjection
  - atr.ToolPoisoning
  - atr.CredentialExfiltration

# Or scan everything
detectors:
  - atr.AgentThreats

# Sync to latest rules
from garak.detectors.atr import sync_rules_from_github
sync_rules_from_github()

# Generate rules from probe results
from garak.detectors.atr import generate_rule_from_probe
rule = generate_rule_from_probe(successful_attacks, category="tool-poisoning")

[github-actions]

DCO Assistant Lite bot All contributors have signed the DCO ✍️ ✅

[leondz]

please sign dco for review

[leondz]

please use the data mechanism within garak

[eeee2345]

I have read the DCO Document and I hereby sign the DCO

[eeee2345]

recheck

[jmartin-tech]

Thanks for submission.

As an extra detector to mix into a run this could be useful. The helper methods that have been placed in the detector should likely be extracted as separate tooling.

[jmartin-tech]

subprocess.run is not an acceptable method of retrieving data at runtime.

[jmartin-tech]

This is an interesting utility for creating yaml files to contribute to defensive tooling. It is never called by code in this PR. I would suggest it should be extracted as a utility that could be used to post process either a report.jsonl or hitlog.jsonl. I could see this being placed in the tools path for use only in a repo based install or exposed as an analyze module to be available as a package provided utility shipped as part of installed package similar to how report_digest is exposed.

[jmartin-tech]

I would suggest this also is likely better extracted into the tools path as a separate utility to be executed independently to configuration the user's system. The utility should likely write the generated configuration to the user's XDG based data_path by default or to stdout so the user can place it in the correct location in their XDG_DATA_HOME for the detector to pick it up in place of the shipped version.

[jmartin-tech]

This should use the data_path access pattern see:

garak/garak/probes/snowball.py

Lines 42 to 47 in 2569a60

	with open(
	data_path / "graph_connectivity.json",
	"r",
	encoding="utf-8",
	) as f:
	self.prompts = json.load(f)

from garak.data import path as data_path

This helper class provides access to files in the installed package's data directory and supports user override of the file via the XDG base directory specification so users can provider their own content without needed write permissions to the python runtime library path.

Also it is preferred to load this inside of __init__ for a detector instead of globally on module import. This could be accomplished using a the ABC abstract class patterns. See:

garak/garak/probes/packagehallucination.py

Lines 63 to 102 in 2569a60

	class PackageHallucinationProbe(garak.probes.Probe, ABC):
	"""Abstract base class for package hallucination probes
	Generators sometimes recommend importing non-existent packages into code. These
	package names can be found by attackers and then squatted in public package
	repositories, so that incorrect code from generators will start to run, silently
	loading malicious squatted packages onto the machine. This is bad. This probe
	checks whether a model will recommend code that uses non-existent packages."""
	lang = "*"
	doc_uri = "https://vulcan.io/blog/ai-hallucinations-package-risk"
	tags = [
	"owasp:llm09",
	"owasp:llm02",
	"quality:Robustness:GenerativeMisinformation",
	"payload:malicious:badcode",
	]
	goal = "base probe for importing non-existent packages"
	DEFAULT_PARAMS = garak.probes.Probe.DEFAULT_PARAMS | {
	"follow_prompt_cap": True,
	}
	@property
	@abstractmethod
	def language_name(self) -> str:
	"""Programming language name - must be overridden by subclasses"""
	raise NotImplementedError
	def __init__(self, config_root=_config):
	super().__init__(config_root=config_root)
	self.prompts = []
	for stub_prompt in stub_prompts:
	for code_task in code_tasks:
	self.prompts.append(
	stub_prompt.replace("<language>", self.language_name).replace(
	"<task>", code_task
	)
	)
	if self.follow_prompt_cap:
	self._prune_data(cap=self.soft_probe_prompt_cap)

[eeee2345]

Thanks @jmartin-tech @leondz for the thorough review. Addressed all four points:

1. data_path: rules moved to garak/data/atr/rules.json, loaded via from garak.data import path as data_path. Supports XDG user override.

2. No subprocess: removed entirely from the detector. Sync tool now uses urllib.request to download a zip — no git dependency.

3. Extracted tools: sync_rules() and generate_rule() moved to tools/atr.py. Writes to XDG data_path by default or --stdout. Detector is now pure detection logic only.

4. Init-time loading: _load_rules() called in __init__, not on module import.

For context on the rule set and methodology — the full spec is at agentthreatrule.org and the academic paper is on Zenodo. Would appreciate any design feedback on how the detector categories map to garak's existing taxonomy — happy to adjust the tagging.

[jmartin-tech]

A few more adjustments requested.

[jmartin-tech]

I am not sure the fallback location for the exception handler makes sense. If the import fails the tool was likely executed from a location other than the repo source. It is also somewhat unexpected for a tool to create something in a relative path like that. I would hazard that support for either XDG path or a user supplied command line location is sufficient and if the XDG path search raises and exception it may best to exit early and suggest the user to supply a valid --output value or utilize the --stdout option.

Suggested change

	return Path(__file__).parent.parent / "garak" / "data" / "atr" / "rules.json"
	print("The user XDG storage location could not be identified, supply --output or --stdout options or ensure garak is available in the python environment.", file=sys.stderr)
	sys.exit(1)

[jmartin-tech]

Required to ensure consistent windows support:

Suggested change

	main()
	sys.stdout.reconfigure(encoding="utf-8")
	main()

[jmartin-tech]

Combining in this manner may not work with data_path as the / operator is doing custom things in this context. I am also not sure the constant really adds value here as it is only used once, I could see value in the constant if utilized in test code.

_RULES_FILENAME = "rules.json"

Suggested change

	rules_path = data_path / _ATR_RULES_FILE
	rules_path = data_path / __name__.split(".")[-1] / _RULES_FILENAME

[jmartin-tech]

Based on the code in detect there is no reason to keep the _rules dictionary outside the init scope.

Suggested change

	self._rules = _load_rules()
	self._compiled: list[tuple[str, re.Pattern]] = []
	for cat in self.atr_categories or list(self._rules.keys()):
	self._compiled.extend(_compile_category(self._rules, cat))
	logger.info(
	"ATR detector %s: %d patterns from %d categories",
	self.__class__.__name__,
	len(self._compiled),
	len(self.atr_categories) or len(self._rules),
	)
	rules = _load_rules()
	self._compiled: list[tuple[str, re.Pattern]] = []
	for cat in self.atr_categories or list(rules.keys()):
	self._compiled.extend(_compile_category(rules, cat))
	logger.info(
	"ATR detector %s: %d patterns from %d categories",
	self.__class__.__name__,
	len(self._compiled),
	len(self.atr_categories) or len(rules),
	)

[eeee2345]

@jmartin-tech @leondz — all four review points have been addressed (data_path, no subprocess, extracted tools, init-time loading). Ready for re-review when you have a moment.

Since the original submission, ATR has shipped v2.0.0 with some changes worth noting:

• 113 rules (up from 108), including 3 rules generated end-to-end by our Threat Cloud crystallization pipeline — the first detection rules produced by automated threat intelligence, not hand-written regex
• RFC-001 v1.1: a vendor-neutral quality standard for detection rules with maturity levels, confidence scoring, and review tier definitions. This means every ATR rule ships with machine-readable quality metadata
• 96,096-skill ecosystem scan discovered 751 active malware from 3 coordinated threat actors — validating these rules against real attacks, not just benchmarks
• Compound detection gates: MCP-context rules now require 30%+ condition match, reducing false positives on legitimate documentation

Happy to update the PR to v2.0.0 rules if that's useful. The sync tool already supports pulling latest from npm, so garak users would get rule updates automatically via atr sync.

Also — if there's interest, ATR's Threat Cloud can accept detection signals from garak runs. That means every garak user running ATR detectors would contribute back to the rule pipeline. No PII, just pattern hashes. Happy to discuss if that's in scope.

[eeee2345]

Apologies — my previous comment referenced the round-1 feedback only. I missed that there was a second round of review on 4/10.

This commit addresses all round-2 items:

1. Fallback path: removed relative fallback, exits with error + guidance
2. Windows encoding: added sys.stdout.reconfigure
3. data_path: inlined per suggestion, dropped constant
4. _rules scope: moved to local in init

Also updated rules.json to ATR v2.0.0 (113 rules, 736 patterns).