What is the AI Agent Supply Chain?
Just like software supply chain attacks target dependencies (think Log4j, SolarWinds), the AI agent supply chain encompasses every external component your agent relies on: third-party skills, external APIs, retrieval databases, fine-tuning datasets, and base model providers.
The Attack Surfaces
Third-Party Skills
Marketplace skills are installed with elevated trust. A malicious skill author can embed payloads that activate under specific conditions — like when the agent is processing financial data or accessing sensitive systems.
Retrieval-Augmented Generation (RAG) Databases
If your agent uses RAG, the documents in your vector database are part of your attack surface. An attacker who can inject a document into your knowledge base can influence every response that cites it.
External Tool APIs
When your agent calls external APIs, you're trusting those API providers. A compromised API can return responses designed to manipulate your agent's subsequent behavior.
Base Model Providers
This is theoretical today but worth considering: fine-tuning on poisoned datasets or using a compromised model checkpoint could introduce subtle backdoors activated by specific trigger phrases.
Supply Chain Hygiene
- Audit every dependency: Know what skills you've installed, who maintains them, and what permissions they have
- Pin versions: Don't use floating version references for skills and tools
- Monitor for updates: Supply chain attacks often come through legitimate update channels
- Sandbox external calls: External API responses should be validated before being used as agent context
- Review RAG content: Apply content policies to documents before they enter your knowledge base
The weakest link in your AI system might not be your own code — it might be the skill you installed last Tuesday.