Skip to content

feat: add ATR agent threat scanning MCP server#28

Open
eeee2345 wants to merge 2 commits into
FuzzingLabs:masterfrom
eeee2345:feat/atr-mcp-server
Open

feat: add ATR agent threat scanning MCP server#28
eeee2345 wants to merge 2 commits into
FuzzingLabs:masterfrom
eeee2345:feat/atr-mcp-server

Conversation

@eeee2345

@eeee2345 eeee2345 commented Apr 9, 2026

Copy link
Copy Markdown

Summary

Add an ATR (Agent Threat Rules) MCP server for regex-based AI agent threat detection. Unlike other servers in this hub that wrap external binaries, this server is pure Python with zero external tool dependencies.

Tools

Tool Description
atr_scan_text Scan arbitrary text against 20 ATR rules. Supports context-aware filtering (skill mode excludes high-FP rules).
atr_scan_mcp_config Scan a full MCP config JSON — extracts each server's command/args and scans for threats. Env var values are redacted to prevent credential-exposure false positives.
atr_list_rules List loaded rules with optional category filter.
atr_rule_info Get details for a specific rule by ID.

Threat categories covered (20 rules)

Prompt injection (3), jailbreak (2), system prompt override/extraction (2), tool poisoning (2), data exfiltration (2), reverse shell (1), credential exposure (1), privilege escalation (1), cross-agent manipulation (1), hidden instructions (1), social engineering (1), path traversal (1), code injection (1), encoded payload (1).

This is a curated subset of 20 high-precision rules from the ATR standard (108 rules total, MIT licensed).

Files

File Description
agent-security/atr-mcp/server.py MCP server implementation (4 tools)
agent-security/atr-mcp/rules.json 20 bundled ATR rules
agent-security/atr-mcp/Dockerfile Alpine-based, non-root, following project template
agent-security/atr-mcp/README.md Usage docs
agent-security/atr-mcp/requirements.txt mcp, pydantic (2 deps)
docker-compose.yml Added atr-mcp service
tests/test_mcp_servers.py Added test registration
examples/claude-desktop-config.json Added config example

Key design choices

  • Context-aware scanning: context="skill" excludes 4 high-FP rules for SKILL.md content
  • Deduplication: One finding per rule per scan (no duplicates)
  • Env var redaction: MCP config scanner redacts env values before scanning
  • Pure Python: No external binary, read_only: true Docker filesystem, 256M memory limit

Test plan

  • Server registers 4 tools via @app.list_tools()
  • Added to test_mcp_servers.py parametrized tests
  • Dockerfile builds successfully
  • CI validation

eeee2345 added 2 commits April 9, 2026 17:52
Add atr-mcp server providing regex-based AI agent threat detection:
- atr_scan_text: Scan text against 20 ATR rules
- atr_scan_mcp_config: Scan full MCP config for threats
- atr_list_rules: List loaded detection rules
- atr_rule_info: Get rule details

Pure Python, no external binary dependencies, <5ms per scan.
Source: https://github.com/anthropics/agent-threat-rules (MIT)
…xt-aware filtering

- Remove unused pydantic-settings dependency
- Add SKILL_CONTEXT_DENYLIST for context-aware rule filtering
- Skip credential scanning on env var values in MCP config scan
- Fix Dockerfile to match project template (EXPOSE, PYTHONUNBUFFERED, vendor label)
- Deduplicate findings by rule_id per scan
- Fix double-scanning in atr_scan_mcp_config
- Fix redundant exception handling
- Document 20-rule subset in README
- Fix README example output accuracy
- Fix README source URL with community attribution
- Remove context enum constraint for free-form string
@eeee2345

Copy link
Copy Markdown
Author

Bumping with new ecosystem credentials since this opened on 4/9. ATR now shipped in production at Microsoft Agent Governance Toolkit (#908, #1277), Cisco AI Defense skill-scanner (#79, #99), MISP galaxy + taxonomies (5/10), and OWASP Agent Skill Risk Hub (#74, 5/11). 344 rules, MIT licensed, npm 23K downloads/30d. Happy to adjust framing if needed.

@eeee2345

Copy link
Copy Markdown
Author

Heads up for maintainers: the two failing checks (validate and build (trivy-mcp, ./cloud-security/trivy-mcp)) are failing on the unrelated trivy-mcp component — specifically load metadata for docker.io/aquasec/trivy:latest — not on this PR's agent-security/atr-mcp/ addition. The build matrix cancels the other targets once that one fails. Looks like a transient/upstream Docker-registry issue from the original run (2026-04). Could a maintainer re-run the workflow when convenient? Happy to rebase if anything is needed on my side.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant