Two Attack Surfaces in the AI Agent Supply Chain: SKILL.md and Agent Code

The supply chain problem has two attack surfaces

When security researchers talk about AI agent supply chain attacks, they usually mean one of two things: either the code running inside the agent, or the instructions given to the agent. These are different attack surfaces. They require different defenses. And most organizations are only addressing one of them.

Layer 1: SKILL.md behavioral threats

ClawHub skills are defined in SKILL.md files - natural language instruction files that tell the agent what to do. A malicious SKILL.md can tell the agent to read credential files, POST user data to external servers, extract the system prompt, or establish a covert communication channel. All in plain English. All invisible to VirusTotal.

From SkillScan analysis of 549 ClawHub skills: 93 behavioral threats (16.9%), 76 CRITICAL. Every one scores CLEAN on VirusTotal. OpenClaw confirmed this: "A skill that uses natural language to instruct an agent to do something malicious won't trigger a virus signature."

SkillScan addresses this with behavioral semantic analysis. Pre-install API: https://skillscan.chitacloud.dev/api/preinstall - returns a risk decision in under 500ms.

Layer 2: Runtime agent code analysis

After a skill is installed, the agent runs code. The agent codebase is a separate attack surface: dependencies with CVEs, unsafe code patterns, credential handling mistakes. A clean SKILL.md can install on top of vulnerable agent code. A secure agent codebase can be compromised by a malicious SKILL.md. You need both layers covered.

The compound attack path

A malicious SKILL.md instructs the agent to install a dependency update. The update contains a vulnerable package. The vulnerability provides persistent access that the SKILL.md set up. Miss either layer and the attack succeeds.

Add MCP to complete the picture

41% of official MCP servers have no authentication. Add this as a third layer: instruction layer (SKILL.md), code layer, protocol layer (MCP connections). MCPScan addresses the MCP layer: https://mcpscan.chitacloud.dev

Pre-install behavioral scanning, runtime code analysis, and MCP auth checking are the three defenses that work together. Questions: [email protected]