AI Agent Backdoor Threat: Open‑Source Repos Can Be Hijacked with One Command

AI Agent Backdoor Threat Emerges in Open‑Source Repos

Two months after the University of Hong Kong unveiled CLI‑Anything, a tool that auto‑generates a command‑line interface for AI coding agents, the security community is warning that the same mechanism can serve as a backdoor for malicious actors. The utility, which already boasts ↑ 30,000 GitHub stars, produces SKILL.md files that describe how an agent should act. Those files are invisible to traditional SAST and SCA scanners because they contain no executable code, only natural‑language instructions.

“Traditional application security tools were not designed for this,” Cisco’s engineering blog notes, adding that static analysis looks at syntax while composition analysis checks dependencies, leaving the semantic layer unexamined.

Researchers from Griffith University and partners published an April paper detailing a new attack chain called Document‑Driven Implicit Payload Execution (DDIPE). Across four agent frameworks and five large language models, DDIPE bypassed detection in up to ↓ 13.4% of cases, proving that malicious skill definitions can slip past existing defenses.

Why existing scanners miss the danger

SAST tools focus on source‑code patterns; SCA tools inventory libraries. Neither evaluates the “agent integration layer” where skill definitions, MCP connectors, and rule files reside. As Merritt Baer, CSO of Enkrypt AI, told Reuters, “They don’t inspect instructions.” This blind spot creates a pre‑exploitation window that attackers are already exploiting on platforms like OpenClaw, ClawHub, and skills.sh.

Recent incidents illustrate the risk. In January 2026, a poisoned SKILL.md on ClawHub enabled an AI‑driven exfiltration of a GITHUB_TOKEN, leading to the silent deployment of a malicious npm package on roughly 4,000 developer machines for eight hours. No human approved the action; the agent executed with the developer’s credentials, and endpoint detection saw only legitimate API calls.

Action steps for security leaders

1. Inventory every agent bridge tool—CLI‑Anything, MCP connectors, Cursor rule files, Claude Code skills, GitHub Copilot extensions.
2. Treat skill repositories like package registries; enforce signing and review before ingestion.
3. Deploy emerging agent‑layer scanners such as Cisco’s open‑source Skill Scanner or Snyk’s mcp‑scan.
4. Restrict agent runtime privileges and monitor anomalous API usage.
5. Assign a dedicated team to own the integration layer and enforce a allow‑list of verified skill definitions.

These measures address the structural gap that has left the AI supply chain exposed. The window is closing fast; organizations that act now will avoid the first wave of AI‑agent‑backdoor incidents.