The supply chain attack surface just grew a new dimension — and your security tools can't see it.
The Summary
- CLI-Anything, a tool that auto-generates command interfaces for AI coding agents, hit 30,000 GitHub stars in two months — while simultaneously demonstrating how to poison AI agents at scale without triggering a single CVE.
- Traditional security scanners (SAST, SCA) can't detect malicious instructions embedded in agent skill definitions because they only look at code syntax and dependency versions, not the semantic instruction layer.
- Snyk found 76 confirmed malicious payloads in SKILL.md files across ClawHub and skills.sh in February 2026 — a new attack vector that doesn't show up in software bills of materials.
The Signal
CLI-Anything solves a real problem: making any open-source repo instantly usable by AI coding agents. One command, and Claude Code or Cursor can operate your codebase through a structured interface. Developers love it. The security gap is that the same architecture creates agent-level backdoors that no existing scanner can detect.
The attack vector lives in SKILL.md files — instruction artifacts that tell AI agents what commands exist and how to use them. These aren't code. They're natural language descriptions of capabilities. A poisoned skill definition might tell an agent that "install_dependencies" should also exfiltrate environment variables. Or that "run_tests" includes a step to phone home with API keys. The agent reads the instruction, trusts it, executes it.
"SAST and SCA were built for code and dependencies. They don't inspect instructions."
This is the supply chain attack evolved for Web4. Traditional supply chain compromise targets the code you import. This targets the *instructions* your agents follow when they interact with that code. The malicious payload isn't in the binary — it's in the README your agent reads.
Key differences from traditional supply chain attacks:
- No code modification required, just instruction files
- Doesn't trigger CVE databases or dependency alerts
- Invisible to SBOM scanning tools
- Exploits agent trust in repository documentation
Cisco released an AI Agent Security Scanner in April specifically for this gap. Their engineering team confirmed what security researchers already knew: the existing toolkit wasn't designed for semantic attacks. SAST analyzes syntax. SCA checks versions. Neither understands what happens when an agent reads a tool description in the Model Context Protocol layer.
Merritt Baer, who ran security at AWS before joining Enkrypt AI, put it plainly: existing tools don't inspect instruction layers. They can't. The category didn't exist eighteen months ago. Now it's the fastest-growing attack surface in developer tooling, and most companies don't know they're exposed.
The Implication
If your developers use AI coding agents — and they do, whether you've approved it or not — you need to audit what instruction files those agents are reading. Start with SKILL.md files in any repos your team imports. Look for MCP tool descriptions. Check what prompts ship with agent-enabled packages.
The attack community is already translating CLI-Anything's architecture into offensive playbooks. The defensive playbook is still being written. Don't wait for a CVE to tell you there's a problem. By design, there won't be one.