VentureBeat — CLI-Anything AI Agent Skill Backdoor and Structural Supply-Chain Gap

AI relevance: CLI-Anything auto-generates SKILL.md instruction files that operate as agent code but are invisible to every mainstream SAST and SCA scanner, creating a new supply-chain attack layer that no existing tool category detects.

• CLI-Anything (HKU Data Intelligence Lab, 30k+ GitHub stars) analyzes any repo and generates structured CLI definitions that AI coding agents (Claude Code, Codex, Cursor, GitHub Copilot CLI, OpenClaw) can operate with a single command.
• The same mechanism produces SKILL.md files — the same instruction-layer artifacts that Snyk's ToxicSkills research found laced with 76+ confirmed malicious payloads on ClawHub and skills.sh in February 2026.
• A poisoned skill definition does not trigger a CVE and never appears in a software bill of materials (SBOM). No mainstream security scanner has a detection category for malicious instructions embedded in agent skill definitions.
• Cisco confirmed the gap in April: "SAST scanners analyze source code syntax. SCA tools check dependency versions. Neither understands the semantic layer where MCP tool descriptions, agent prompts, and skill definitions operate."
• Merritt Baer (CSO, Enkrypt AI; former Deputy CISO at AWS): "SAST and SCA were built for code and dependencies. They don't inspect instructions."
• Researchers from Griffith University, NTU, UNSW, and the University of Tokyo documented Document-Driven Implicit Payload Execution (DDIPE) — a technique embedding malicious logic inside code examples within skill documentation, achieving 11.6%+ bypass rates across four agent frameworks and five LLMs.

Why it matters

This is not a single-vendor vulnerability. It is a structural blind spot: the "agent integration layer" (skill files, Cursor rules, MCP tool descriptions, natural-language instruction sets) sits between code and dependencies, executes like code, but is audited as documentation. The ClawHavoc campaign already demonstrated how 1,184+ compromised packages delivered Atomic Stealer through this exact vector. CLI-Anything scales the attack surface by making skill generation trivial.

What to do

• Audit any SKILL.md, .cursorrules, or MCP tool descriptions that enter your repo — treat them as executable code, not docs.
• Evaluate Cisco's AI Agent Security Scanner for IDEs (announced April 2026) or similar emerging tooling.
• Pin skill versions and require code review for any agent instruction files, just as you would for source code.

Sources

• VentureBeat — One command turns any open-source repo into an AI agent backdoor
• CLI-Anything (HKU) on GitHub
• Snyk — ToxicSkills: Malicious AI Agent Skills on ClawHub
• arXiv — Supply-Chain Poisoning Attacks Against LLM Coding Agent Skill Ecosystems
• Cisco — AI Agent Security Scanner for IDEs