AI coding agents face new threat from invisible supply-chain attacks

The rise of AI coding assistants has unlocked unprecedented efficiency—but also introduced a hidden vulnerability that few security tools can detect. Researchers recently highlighted a gaping blind spot in supply-chain security: malicious instruction files that can turn harmless repositories into backdoors for AI agents.

A team at the University of Hong Kong’s Data Intelligence Lab introduced CLI-Anything in March, a tool designed to automatically generate command-line interfaces (CLIs) that AI agents like Claude Code and GitHub Copilot CLI can execute with a single command. The tool has since amassed over 30,000 GitHub stars, demonstrating its utility in bridging human-readable code and machine-executable workflows.

However, the same mechanism that makes CLI-Anything powerful also creates a novel attack vector. The tool generates SKILL.md files—instruction layers that define how AI agents interact with repositories. These files, while not traditional code, contain directives that agents interpret as executable commands. Security researchers now warn that attackers could embed malicious logic within these instruction files, exploiting a gap in current security frameworks.

The overlooked third layer of software supply chains

Traditional supply-chain security relies on two layers: the code layer, where static application security testing (SAST) scans for vulnerabilities, and the dependency layer, where software composition analysis (SCA) tools check for outdated or compromised libraries. Neither layer accounts for the agent integration layer—a third dimension where instruction files, skill definitions, and natural-language prompts guide AI agents.

Merritt Baer, CSO of Enkrypt AI and former AWS Deputy CISO, explained the blind spot to VentureBeat: “SAST and SCA were designed to inspect code and dependencies, not the semantic layer where agent instructions operate. This leaves a critical gap in supply-chain security.”

Cisco’s engineering team echoed this concern in April, announcing its AI Agent Security Scanner for IDEs. “Traditional security tools weren’t built for this,” they noted. “They don’t understand the semantic layer where Model Context Protocol (MCP) tool descriptions and agent prompts function.”

How attackers exploit the gap

Researchers from Griffith University, Nanyang Technological University, the University of New South Wales, and the University of Tokyo documented this vulnerability in an April paper titled “Supply-Chain Poisoning Attacks Against LLM Coding Agent Skill Ecosystems.” The team introduced Document-Driven Implicit Payload Execution (DDIPE), a technique that embeds malicious logic within code examples in skill documentation.

Their findings revealed alarming bypass rates: between 11.6% and 33.5% of tested attacks evaded detection across four agent frameworks and five large language models. Static analysis caught most samples, but 2.5% slipped through all detection layers. Responsible disclosure led to four confirmed vulnerabilities and two vendor fixes.

The attack chain follows a predictable kill chain:

• An attacker submits a malicious SKILL.md file to an open-source project, disguising it as standard documentation.
• A developer uses an AI agent bridge tool—like CLI-Anything—to connect their coding assistant to the repository.
• The agent ingests the skill definition, trusting its instructions because no verification layer exists to distinguish benign from malicious intent.
• The agent executes the embedded command using its own legitimate credentials. Endpoint detection and response (EDR) systems see an approved API call from an authorized process and allow it to proceed.
• Data exfiltration, configuration changes, or credential harvesting occur through channels deemed “normal” by existing monitoring stacks.

Carter Rees, VP of AI at Reputation, identified the core issue: “A significant vulnerability in enterprise AI is broken access control, where the flat authorization plane of an LLM fails to respect user permissions. A compromised skill definition riding that plane doesn’t need to escalate privileges—it already has them.”

Why traditional security tools fail

The problem isn’t a single vendor’s shortcoming—it’s a structural flaw in how the entire industry monitors software supply chains. SKILL.md files and similar instruction layers don’t trigger CVEs, nor do they appear in software bills of materials (SBOMs). No mainstream security scanner has a detection category for malicious instructions embedded in agent skill definitions, because the category didn’t exist until recently.

Pillar Security’s research further underscored this paradox: trusted commands executed by AI agents bypass traditional security controls, creating what they call “the agent security paradox.”

Security leaders now face a pre-exploitation window. Tools like CLI-Anything are live, attack communities are discussing their offensive potential, and the first incident report could arrive without warning. The question is no longer if this vulnerability will be exploited—but when.

To mitigate the risk, organizations must expand their security frameworks to include agent instruction layers. Until then, the invisible third layer of the supply chain remains a ticking time bomb.