Introduction: A New Attack Surface in Software Supply Chains
In March 2026, researchers at the University of Hong Kong's Data Intelligence Lab released CLI-Anything, a tool that can analyze any open-source repository’s code and generate a command-line interface (CLI) tailored for AI coding agents. Within weeks, it garnered over 30,000 GitHub stars and became compatible with major AI coding tools like Claude Code, Codex, OpenClaw, Cursor, and GitHub Copilot CLI. But behind this impressive functionality lies a security gap that has experts worried. The very feature that makes CLI-Anything so powerful—its ability to create structured skill definitions—also creates an entry point for a new kind of supply-chain attack: agent-level poisoning.
Security researchers have already begun discussing how to weaponize CLI-Anything’s architecture on platforms like X and specialized forums. The problem isn’t CLI-Anything per se; it’s what it represents—a fundamental blind spot in how we secure the software development lifecycle.
The Missing Detection Category
CLI-Anything generates files called SKILL.md (or skill definitions), which sit at the instruction layer. These files tell AI agents what commands to run and how to interact with the underlying code. Similar artifacts were implicated in February 2026 when Snyk’s ToxicSkills research found 76 confirmed malicious payloads hidden in skill definitions hosted on ClawHub and skills.sh. The critical point: a poisoned skill definition does not receive a CVE, does not appear in a software bill of materials (SBOM), and cannot be detected by any mainstream security scanner because the category for “malicious instructions embedded in agent skill definitions” didn’t exist 18 months ago.
Why SAST and SCA Fail Here
Traditional application security tools operate on two layers. Static application security testing (SAST) scans source code for insecure patterns, injection flaws, and hardcoded secrets. Software composition analysis (SCA) checks dependency versions against known vulnerabilities and generates SBOMs. Neither inspects the semantic layer where agent instructions live—the natural-language prompts, MCP tool descriptions, and skill definitions.
Cisco acknowledged this gap in April 2026 when it announced its AI Agent Security Scanner for IDEs. “Traditional application security tools were not designed for this,” Cisco’s engineering team wrote in a blog post. “SAST scanners analyze source code syntax. SCA tools check dependency versions. Neither understands the semantic layer where MCP tool descriptions, agent prompts, and skill definitions operate.”
Merritt Baer, CSO of Enkrypt AI and former Deputy CISO at AWS, told VentureBeat: “SAST and SCA were built for code and dependencies. They don’t inspect instructions.”
The Triple-Layer Blind Spot
Let’s look at the three layers of supply-chain security:
- Code layer – monitored by SAST for insecure code patterns.
- Dependency layer – monitored by SCA for known vulnerabilities in third-party packages.
- Agent integration layer – configuration files, skill definitions, and natural-language instruction sets that tell AI agents how to interact with software. This layer is invisible to traditional tools.
Agent bridge tools like CLI-Anything, MCP connectors, Cursor rules files, and Claude Code skills all operate on this third layer. They sit between code and dependencies, orchestrating how the AI interacts with the rest of the stack. Because no established scanner looks here, malicious instructions can slip through undetected—until the AI executes a command that exfiltrates data, modifies files, or launches an attack.
Real-World Implications
Consider a scenario: A developer integrates CLI-Anything into their CI/CD pipeline. The tool scans an open-source repo and generates a SKILL.md file. An attacker contributes a poisoned skill definition to that repo, which the developer’s AI agent then automatically loads. The skill could instruct the AI to run a command that steals credentials, or to modify code in a way that introduces a backdoor. Since no scanner flags the malicious text, the attack goes unnoticed until the damage is done.
“This is not a single-vendor vulnerability,” Baer emphasized. “It is a structural gap in how the entire security industry monitors software supply chains.”
The Pre-Exploitation Window
CLI-Anything is live and widely adopted. The attack community is already discussing how to abuse it. Security directors who act now can get ahead of the first major incident. The window is closing: as more organizations adopt AI coding agents, the attack surface will only grow.
What Can Be Done?
Until new detection categories are created, organizations should take a multipronged approach:
- Audit skill definitions manually – Review all SKILL.md and similar files before allowing an AI agent to load them.
- Use runtime monitoring – Watch what commands the AI agent executes and flag any that deviate from expected patterns.
- Adopt emerging tools – Cisco’s AI Agent Security Scanner and similar products are early, but they represent the first line of defense for this layer.
- Stay informed – Follow research from groups like Snyk’s ToxicSkills team and the University of Hong Kong to understand evolving threats.
Conclusion
The rise of AI-powered coding assistants has brought unprecedented productivity gains, but it has also opened a gap in supply-chain security that no one is fully monitoring. CLI-Anything is just one example of a class of tools that create agent-level instructions. The security industry must catch up—quickly—or face a wave of incidents that exploit this blind spot. The tools exist, the knowledge is spreading, and the only question is whether defenders will act before attackers do.