Supply chain security for agentic AI

On this page

What it is

Supply chain security for agentic AI applies software composition analysis (SCA), package signing, and bill-of-materials practices to the new categories of artifact that agentic systems consume: skills, plugins, MCP servers, model weights, cognitive identity files (SOUL.md, IDENTITY.md), and agent frameworks. The threat model mirrors npm and PyPI supply chain attacks (typosquatting, dependency confusion, malicious packages) because agentic skill registries use the same open-submission model without the decade of hardening that software registries have accumulated.

The evidence base

Three Q1 2026 incidents confirm the threat model is not theoretical:

MITRE ATLAS added “Publish Poisoned AI Agent Tool” as a technique in Q1 2026 to capture this attack class.

JFrog’s 2026 report measures the threat at registry scale: its Security Research team found 969 malicious AI agent skills across the ClawHub and Skills.sh repositories and 56 malicious extensions on OpenVSX, where AI coding-agent extensions grew 262% year over year (roughly 1,000 to 3,803 new packages). Attackers exploit the open-submission agentic-tooling registries today.1

Multi-layer defense model

Registry publish time  →  Registry scan (Aguara Watch)
Install time           →  Pre-install scan (SecureClaw)
Post-install           →  Checksum verification + baseline
Continuous             →  File integrity monitoring (FIM for cognitive files)

Layer 1: Registry-Level Scanning (Pre-Install)

  • Aguara Watch (Oktsec): monitors 5 skill registries daily; flags malicious indicators before skills become installable.
  • ClawHub Code Insight (official registry): built-in scanner; tension exists between flagging legitimate security tools that modify system files and actual malicious skills.
  • Bidirectional intelligence flow: runtime security detections feed back into pre-install rules.

Layer 2: Pre-Install Scanning

Before installing any skill/plugin:

  • SecureClaw (Adversa AI): 55 audit checks; typosquat detection; ClawHavoc campaign IOCs; maps to OWASP ASI10 and MITRE ATLAS. It runs as external bash processes and consumes zero LLM tokens, which lowers cost and keeps the scan off the model path.
  • Check for C2 callback patterns, credential-harvesting code, and unusual network destinations.
  • Verify publisher identity. New publishers with minimal history warrant increased scrutiny.

Layer 3: Checksum Verification at Install

  • Every skill package should include checksums.json with SHA-256 hashes of all files.
  • Verify hashes before executing any installed code.
  • Treat checksum mismatch as an automatic reject.

Layer 4: cognitive file integrity monitoring

This extends traditional FIM to agentic systems. See Cognitive File Integrity for the dedicated treatment.

  • AI agents have behavioral identity files (for example, SOUL.md and IDENTITY.md) that define their goals and behavioral rules.
  • These files matter as much as the agent’s code. Silent tampering changes the agent’s behavior without changing its code.
  • Establish SHA-256 baselines on all cognitive identity files at deployment.
  • Monitor for drift using SecureClaw or equivalent; alert on unauthorized changes.
  • SlowMist’s Brain Git: version-controls all cognitive state files in git, enabling rollback to a known-good configuration.

Layer 5: runtime behavioral drift detection

A skill that is clean at install can behave differently at runtime:

  • Establish behavioral baselines per skill or tool: what API calls it normally makes, what data it reads and writes.
  • Alert on behavioral drift. A skill that suddenly starts reading SSH keys was not doing that before.
  • See Agent Observability for the monitoring stack.

AI-BOM: bills of materials for agentic systems

Traditional SBOM tracks software dependencies. Agentic deployments require an AI-BOM that additionally tracks:

  • Model weights (name, version, provenance, training data attestation)
  • Skills/plugins (source, publisher, hash, behavioral scope)
  • MCP servers (version, origin, transport security)
  • Cognitive identity files (hash, change history)
  • Framework dependencies (LangChain, CrewAI, AutoGEN, etc.)

See AI-BOM: AI Bill of Materials for the dedicated page on this control.

Mapping to traditional security

Agentic practiceTraditional equivalent
Skill pre-install scanningSCA (software composition analysis)
Checksum verificationPackage signing (npm provenance, PyPI sigstore)
Cognitive file integrityFIM (OSSEC, Tripwire, Wazuh)
AI-BOMSBOM (SPDX, CycloneDX)
Registry scanningPrivate registry security (Artifactory, Nexus)
IOC-based detection (ClawHavoc)Threat intel and IOC feeds in SIEM

Implementation priorities

  1. Immediately: do not install skills or plugins without pre-install scanning. Establish checksums.json verification.
  2. Before scaling: deploy cognitive file integrity monitoring; establish SHA-256 baselines at deployment.
  3. At organizational scale: implement AI-BOM; integrate with the existing SBOM workflow; feed to SIEM.
  4. Continuous: monitor registries with tools like Aguara Watch; receive IOC updates.

Key references

  • SlowMist 3-tier defense matrix: pre-action blacklists, in-action permission narrowing, post-action audits, and Brain Git.
  • SecureClaw 55-check audit framework: maps to all 10 ASI categories and MITRE ATLAS.
  • ClawHavoc: the reference incident for this control domain.
  • AgentShield: an open-source static scanner over the agent-configuration tree. It ships 23 MCP-server rules and a --supply-chain[-online] mode that pulls npm-registry metadata (postinstall scripts, maintainers, deprecation, package age, npm-vs-git and pinned-vs-unpinned provenance). It serves the pre-action blacklist and MCP supply-chain control points.

Notes

See also

Footnotes

  1. JFrog — 2026 Software Supply Chain Security State of the Union (announcement), 2026, report p.4–5. 969 malicious AI agent skills (ClawHub, Skills.sh); 56 malicious OpenVSX extensions; OpenVSX AI coding-agent extensions grew 262% YoY. See JFrog 2026 SSC State of the Union.