Revolutionizing the Coding Landscape: CLI-Anything and the Rise of Agent-Level Poisoning
Just two months ago, the Data Intelligence Lab at the University of Hong Kong introduced CLI-Anything, a cutting-edge tool that has taken the coding world by storm. This innovative tool analyzes the source code of any repository and generates a structured command-line interface (CLI) that AI coding agents can effortlessly operate with just a single command. With support for popular coding agents like Claude Code, Codex, OpenClaw, Cursor, and GitHub Copilot CLI, CLI-Anything has quickly gained popularity, amassing over 30,000 GitHub stars since its launch in March.
However, while CLI-Anything has been praised for its groundbreaking capabilities, it has also raised concerns within the cybersecurity community. The very feature that makes CLI-Anything so powerful – its ability to make software agent-native – has inadvertently opened the door to potential agent-level poisoning. Discussions within the attack community regarding the implications of CLI-Anything’s architecture have already begun, with experts translating its functionalities into offensive playbooks.
The security issue at hand does not lie in what CLI-Anything itself does, but rather in what it represents. CLI-Anything generates SKILL.md files, which are instruction-layer artifacts that were previously found to be contaminated with 76 confirmed malicious payloads across platforms like ClawHub and skills.sh in February 2026, as revealed in Snyk’s ToxicSkills research. These poisoned skill definitions do not trigger common vulnerabilities and exposures (CVEs) and are not typically detected by mainstream security scanners, as they involve malicious instructions embedded within agent skill definitions – a category that did not exist until recently.
Cisco acknowledged this security gap in April, emphasizing that traditional application security tools like static application security testing (SAST) scanners and software composition analysis (SCA) tools are ill-equipped to handle threats at the semantic layer where tools like CLI-Anything operate. Merritt Baer, Chief Security Officer of Enkrypt AI and former Deputy CISO at Amazon Web Services, highlighted the limitations of existing security measures, stating that SAST and SCA tools were not designed to inspect instructions.
This vulnerability is not exclusive to a single vendor; rather, it signifies a structural gap in how the entire security industry monitors software supply chains. CLI-Anything’s emergence marks the beginning of a pre-exploitation window, with security directors urged to take proactive measures to stay ahead of potential incidents.
The Unseen Integration Layer
Traditional supply-chain security typically operates on two layers: the code layer, where SAST tools scan source files for vulnerabilities, and the dependency layer, where SCA tools check package versions for known security issues. However, tools like CLI-Anything exist in an intermediate layer – the agent integration layer – which comprises configuration files, skill definitions, and natural-language instruction sets that guide AI agents on how to interact with software.
This third layer, situated between the code and dependency layers, plays a critical role in enabling AI agents to perform tasks based on skill definitions and prompts. Despite not resembling conventional code, the instructions within this layer execute just like code, posing a unique challenge for security professionals.
Carter Rees, VP of AI at Reputation, highlighted the vulnerabilities introduced by third-party plugins in modern large language models (LLMs), which can potentially compromise the integrity of the conversation flow by injecting malicious data. Researchers at various universities have documented supply-chain poisoning attacks against LLM coding agent skill ecosystems, showcasing the potential for malicious logic to be embedded within skill documentation.
These attacks, as demonstrated in recent studies, have demonstrated the ability to evade detection by static analysis tools, posing a significant challenge for security teams tasked with safeguarding AI-powered coding environments.
The Complex Kill Chain
The anatomy of the kill chain in AI agent poisoning incidents involves a multi-step process, starting with the submission of a seemingly benign SKILL.md file containing covert instructions to an open-source project. These instructions, when parsed by an AI agent, can lead to unauthorized actions being executed under the guise of legitimate commands.
Developers who connect their coding agents to repositories using agent bridge tools unknowingly ingest these skill definitions, assuming they are safe due to the lack of verification mechanisms at the instruction level. This blind trust in skill definitions can facilitate data exfiltration, configuration changes, and credential harvesting, all of which can go undetected by traditional security monitoring tools.
The inherent flaw in enterprise AI systems, as identified by Rees, lies in the lack of robust access control mechanisms, allowing malicious skill definitions to exploit flat authorization planes within large language models. This vulnerability enables compromised instructions to bypass security measures and execute unauthorized actions without raising suspicion.
Recent security assessments have revealed instances of prompt injection attacks against agent frameworks like Cursor, underscoring the real-world implications of agent-level poisoning. Attackers have leveraged these vulnerabilities to compromise developer machines and infiltrate coding environments, highlighting the critical need for enhanced security measures in the face of evolving threats.
Real-world Implications
In documented attack chains from April 2026, malicious actors exploited AI triage bots wired into coding platforms to exfiltrate sensitive data and install unauthorized agents on developer machines. These incidents, coupled with the findings from ToxicSkills audits, paint a concerning picture of the security landscape within AI-powered coding environments.
The ease of publishing skills on platforms like ClawHub and the lack of stringent security checks have paved the way for a surge in malicious skill submissions, raising alarm bells within the cybersecurity community. With the barrier to entry for publishing skills lowered significantly, the threat of agent-level poisoning looms large, necessitating immediate action from security professionals.
In conclusion, the advent of tools like CLI-Anything has ushered in a new era of coding capabilities, but it has also exposed vulnerabilities that demand urgent attention. As the security industry grapples with the challenges posed by agent-level poisoning, proactive measures and robust security protocols are essential to safeguard AI-powered coding ecosystems from malicious actors. The time to act is now, before the next incident report surfaces, signaling a potential breach in the digital defenses of the coding world.
Enhancing your skill set can be as easy as uploading a Word document or a lightweight config file. This presents a significantly different risk profile compared to compiled code. The rise of projects like ClawPatrol, which focuses on cataloging and scanning for malicious skills, indicates that the technology ecosystem is advancing at a pace that surpasses traditional enterprise defense mechanisms.
The ClawHavoc campaign, which was initially uncovered by Koi Security in late January 2026, identified 341 malicious skills on ClawHub. Further investigation by Antiy CERT revealed a total of 1,184 compromised packages on the platform. The campaign distributed Atomic Stealer (AMOS) through skill definitions accompanied by professional documentation. Notably, skills such as solana-wallet-tracker and polymarket-trader were tailored to match what developers were actively seeking.
The MCP protocol layer faces similar vulnerabilities. OX Security reported in April that researchers were able to compromise nine out of 11 MCP marketplaces using proof-of-concept servers. Trend Micro discovered that initially, 492 MCP servers were exposed to the internet with zero authentication. By April, this number had grown to 1,467. The root cause of these issues, as highlighted by The Register, is attributed to a flaw in Anthropic’s MCP software development kit (SDK) transport mechanism. Any developer utilizing the official SDK inherits this vulnerability.
VentureBeat has developed a Prescriptive Matrix that aligns with the three attack layers identified in recent research and incident reports. This matrix maps these layers against the detection capabilities of existing tools such as SAST, SCA, and agent-layer tools, revealing areas where current scanners lack coverage. It also provides recommended actions for security teams to address these gaps effectively.
In response to the evolving threat landscape, security leaders are advised to take proactive measures. This includes conducting a thorough inventory of all agent bridge tools within the environment, auditing agent skill sources, deploying agent-layer scanning tools for behavioral analysis, restricting agent execution privileges, and assigning ownership for the gap between layers.
The emergence of this new attack vector underscores the need for organizations to prioritize security measures in the face of rapidly evolving technology landscapes. By staying vigilant and adopting proactive security measures, businesses can mitigate risks associated with malicious skills and other potential threats in the digital ecosystem. The concept of artificial intelligence (AI) has been a hot topic in recent years. From self-driving cars to virtual assistants, AI technology has rapidly advanced and become an integral part of our daily lives. But what exactly is AI, and how does it work?
AI refers to machines that are capable of performing tasks that typically require human intelligence, such as learning, problem-solving, and decision-making. These machines are programmed to analyze data, recognize patterns, and make predictions based on the information they are given.
One of the key components of AI is machine learning, which is a subset of AI that allows machines to learn from data without being explicitly programmed. Machine learning algorithms use statistical techniques to identify patterns in data and make decisions accordingly. This enables machines to improve their performance over time and adapt to new information.
Another important aspect of AI is deep learning, which is a type of machine learning that is inspired by the way the human brain works. Deep learning algorithms use artificial neural networks to process data and learn from it. These networks consist of layers of interconnected nodes that work together to analyze and interpret complex patterns in data.
AI technology is being used in a variety of industries, from healthcare to finance to transportation. In healthcare, AI is being used to analyze medical images, predict patient outcomes, and assist in diagnosing diseases. In finance, AI is being used to detect fraud, make investment decisions, and improve customer service. In transportation, AI is being used to optimize traffic flow, improve driver safety, and develop autonomous vehicles.
Despite the many benefits of AI, there are also concerns about its impact on society. Some worry that AI will lead to job loss, as machines are able to perform tasks more efficiently than humans. Others are concerned about the ethical implications of AI, such as privacy issues and bias in decision-making.
Overall, AI technology has the potential to revolutionize industries and improve our quality of life. By understanding how AI works and its potential applications, we can better prepare for the future and ensure that AI is used responsibly and ethically.