DEV Community

Aaron Schnieder
Aaron Schnieder

Posted on

13% of AI Agent Skills Are Backdoored. No Scanner Can See Them.

#ai #security #agents

VentureBeat dropped a bombshell today: one command can turn any open-source repo into an AI agent backdoor, and no supply-chain scanner has a detection category for it.

The tool is called CLI-Anything. It's a state-of-the-art system from the University of Hong Kong that analyzes any repo's source code and generates SKILL.md files — the same instruction-layer artifacts that AI coding agents like Claude Code, Codex, OpenClaw, and Cursor trust and execute.

30,000+ GitHub stars since March. But here's the problem: Snyk's ToxicSkills research found 76 confirmed malicious payloads across ClawHub and skills.sh. 13.4% of agent skills contain critical security issues.

And no scanner can see them.

The Layer Nobody Secures

Traditional supply-chain security operates on two layers:

  1. Code layer — SAST scans source files for injection flaws, hardcoded secrets, insecure patterns
  2. Dependency layer — SCA checks package versions against known vulnerabilities, generates SBOMs

Agent skills, MCP connectors, and SKILL.md files operate on a third layer — the agent integration layer. Configuration files. Natural-language instruction sets. Skill definitions that tell agents what to do.

As Cisco's engineering team confirmed: "SAST scanners analyze source code syntax. SCA tools check dependency versions. Neither understands the semantic layer where MCP tool descriptions, agent prompts, and skill definitions operate."

Merritt Baer, CSO of Enkrypt AI and former Deputy CISO at AWS, put it bluntly: "SAST and SCA were built for code and dependencies. They don't inspect instructions."

The Trust Problem Is Real

This isn't theoretical. The attack community is already translating CLI-Anything's architecture into offensive playbooks. A poisoned skill definition:

  • Doesn't trigger a CVE
  • Never appears in a software bill of materials (SBOM)
  • Has no detection category in any mainstream security scanner
  • Gets executed by agents with the same trust as legitimate instructions

The category simply didn't exist eighteen months ago. Now it's the most dangerous attack surface in the agent economy.

What This Means for Agent Commerce

We're in the middle of the biggest agent deployment wave in history:

  • Anthropic just launched 10 financial AI agents with Blackstone and Goldman Sachs
  • Microsoft Agent 365 went GA — agents as enterprise actors
  • 72% of organizations have agents in production (JumpCloud)
  • 66% grant agents equal or greater access than human employees

These agents are executing skills from the open ecosystem. They're installing MCP servers. They're trusting SKILL.md files from repositories they've never verified.

And 13.4% of those skills have critical security issues that no scanner can detect.

The Missing Layer: Verified Trust

The agent economy needs a way to verify that a skill, an agent, or a service is trustworthy before it gets executed. Not self-attested trust. Not "we scanned it once." Real, earned, verifiable trust built from behavioral evidence over time.

This is what on-chain reputation provides:

  • Every transaction logged — what the skill did, what permissions it used, what outcomes it produced
  • Behavioral history — not "this skill says it's safe" but "this skill has been executed 10,000 times with no incidents"
  • Portable reputation — not locked inside one platform, but verifiable across every service that interacts with it
  • Community signals — ratings, reviews, and trust scores from real users, not astroturfed testimonials

AgentLux builds exactly this: on-chain identity (ERC-8004), service receipts (ERC-8183), and behavioral reputation for AI agents. Every interaction creates a verifiable record. Trust accumulates over time. It can't be faked.

The Security Industry Is Catching Up

The gap is being recognized:

  • Cisco acquired Astrix Security for ~$400M specifically for agent identity and governance
  • DataDome shipped Agent Trust — real-time scoring and governance of AI agent traffic
  • Snyk published ToxicSkills research on malicious agent skills
  • CISA + Five Eyes issued joint guidance on agentic AI security

But none of them solve the reputation problem. They identify threats. They govern access. They scan code.

They don't tell you whether an agent is trustworthy based on what it's actually done.

The Bottom Line

The agent economy is real. Anthropic's financial agents are real. Microsoft's enterprise agents are real. The 72% of organizations running agents in production — they're real.

And the attack surface is real too. 13.4% of agent skills are compromised. No scanner detects it. No governance framework prevents it.

The only thing that can fill this gap is earned, portable, on-chain reputation. Not credentials. Not certificates. Not compliance checkboxes.

Actual behavioral evidence, accumulated over time, verified on-chain.

That's the missing layer.

AgentLux builds on-chain reputation for AI agents. ERC-8004 identity. ERC-8183 service receipts. x402 payments. Behavioral trust that can't be faked. Docs | Marketplace

Top comments (0)