SECURITY GLOSSARY
The core vocabulary of AI agent security
Professional, technically precise, cross-source cited. Each entry links to the matching ATR detection rules, OWASP mapping, and real-world examples from production deployments.
Agent Threat Rule (ATR)
An Agent Threat Rule (ATR) is a YAML-formatted detection rule for AI agent security threats. ATR is to AI agents what Sigma is to SIEM logs and YARA is to malware files: an open, machine-readable detection standard with multi-vendor adoption.
Full definitionPrompt Injection
Prompt injection is an attack where untrusted input embedded in a prompt causes a large language model to follow instructions from the input instead of the system prompt. OWASP classifies it as the top risk in both the LLM Top 10 (LLM01:2025) and the Agentic Top 10 (ASI01:2026).
Full definitionTool Poisoning
Tool poisoning is an attack where a malicious tool description or tool response injects instructions into the agent. The agent reads the tool definition or output as plain text and treats embedded instructions as authoritative — a special case of indirect prompt injection focused on the MCP and skill ecosystem.
Full definitionAI Agent Skill
An AI agent skill is a packaged capability — code, prompt template, and tool definitions — that an AI agent can install and invoke. Formats include Claude Skills (SKILL.md), MCP servers (npm packages), OpenClaw skills, and custom proprietary formats. Skills are the "apps" of the agent era — and have the same supply-chain risk as npm packages.
Full definitionSkill Auditor
A Skill Auditor is a pre-install security gate for AI agent skills. It scans skill manifests, tool definitions, and packaged code for prompt injection, tool poisoning, hidden capabilities, supply-chain signals, and behavior-description mismatches before the skill is installed. PanGuard ships an open-source Skill Auditor with 8 checks.
Full definitionMCP Poisoning
MCP poisoning is a class of attack where malicious instructions are embedded in an MCP (Model Context Protocol) server's tool descriptions, tool responses, or resource content. The agent reads them as part of its operating context and follows them as if they were system instructions.
Full definitionIndirect Prompt Injection
Indirect prompt injection is an attack where malicious instructions are embedded in content the AI agent reads as part of doing its job — tool outputs, web pages, retrieved documents, email bodies, screenshots, even image text. The user never directly sends the malicious prompt; the agent encounters it while doing work.
Full definitionAgent Supply Chain Attack
An agent supply chain attack compromises an AI agent by targeting the upstream software, models, prompts, or skills it depends on — rather than attacking the agent runtime directly. The compromise persists through every install and every invocation downstream.
Full definition