Supply Chain Security for Agentic AI
What It Is
Supply chain security for agentic AI applies software composition analysis (SCA), package-signing, and bill-of-materials practices to the new categories of artifact that agentic systems consume: skills, plugins, MCP servers, model weights, cognitive identity files (SOUL.md, IDENTITY.md), and agent frameworks. The threat model directly mirrors npm/PyPI supply chain attacks — the same typosquatting, dependency confusion, and malicious package techniques — because agentic skill registries have the same open-submission model without the decade of hardening that software registries have accumulated.
The Evidence Base
Three Q1 2026 incidents confirm the threat model is not theoretical:
- ClawHavoc — Agentic Skill Marketplace Supply Chain Attack (Jan–Feb 2026): 1,184+ malicious skills on ClawHub, Atomic Stealer infostealer, 36% of all skills found to contain security flaws (Snyk post-campaign).
- SANDWORM_MODE npm worm — AI Toolchain Poisoning: toolchain poisoning via MCP injection.
- LiteLLM Supply Chain Compromise (Google ADK Dependency): Google ADK dependency chain.
MITRE ATLAS added “Publish Poisoned AI Agent Tool” as a new technique in Q1 2026 specifically to capture this attack class. ML-BOM adoption still lags 48% behind SBOM requirements (Lineaje, June 2025).
Multi-Layer Defense Model
Registry publish time → Registry scan (Aguara Watch)
Install time → Pre-install scan (SecureClaw)
Post-install → Checksum verification + baseline
Continuous → File integrity monitoring (FIM for cognitive files)
Layer 1: Registry-Level Scanning (Pre-Install)
- Aguara Watch (Oktsec): monitors 5 skill registries daily; flags malicious indicators before skills become installable.
- ClawHub Code Insight (official registry): built-in scanner; tension exists between flagging legitimate security tools that modify system files and actual malicious skills.
- Bidirectional intelligence flow: runtime security detections feed back into pre-install rules.
Layer 2: Pre-Install Scanning
Before installing any skill/plugin:
- SecureClaw (Adversa AI): 55 audit checks; typosquat detection; ClawHavoc campaign IOCs; maps to OWASP ASI10 and MITRE ATLAS. Runs as external bash processes (zero LLM tokens consumed — important for cost and security).
- Check for C2 callback patterns, credential-harvesting code, and unusual network destinations.
- Verify publisher identity — new publishers with minimal history warrant increased scrutiny.
Layer 3: Checksum Verification at Install
- Every skill package should include
checksums.jsonwith SHA-256 hashes of all files. - Verify hashes before executing any installed code.
- Treat checksum mismatch as an automatic reject.
Layer 4: Cognitive File Integrity Monitoring
This is the distinctive extension of traditional FIM to agentic systems:
- AI agents have behavioral identity files (e.g., SOUL.md, IDENTITY.md) that define their personality, goals, and behavioral rules.
- These files are as important as the agent’s code — silent tampering changes the agent’s behavior without changing its code.
- Establish SHA-256 baselines on all cognitive identity files at deployment.
- Monitor for drift using SecureClaw or equivalent; alert on unauthorized changes.
- SlowMist’s Brain Git: version-control all cognitive state files in git, enabling rollback to a known-good configuration.
Layer 5: Runtime Behavioral Drift Detection
Even a clean-at-install skill can behave differently at runtime:
- Establish behavioral baselines per skill/tool (what API calls does it normally make? what data does it read/write?).
- Alert on behavioral drift: a skill that suddenly starts reading SSH keys was not doing that before.
- See Agent Observability for the monitoring stack.
AI-BOM: Bills of Materials for Agentic Systems
Traditional SBOM tracks software dependencies. Agentic deployments require an AI-BOM that additionally tracks:
- Model weights (name, version, provenance, training data attestation)
- Skills/plugins (source, publisher, hash, behavioral scope)
- MCP servers (version, origin, transport security)
- Cognitive identity files (hash, change history)
- Framework dependencies (LangChain, CrewAI, AutoGEN, etc.)
See AI-BOM: AI Bill of Materials for the dedicated page on this control.
Mapping to Traditional Security
| Agentic Practice | Traditional Equivalent |
|---|---|
| Skill pre-install scanning | SCA (software composition analysis) |
| Checksum verification | Package signing (npm provenance, PyPI sigstore) |
| Cognitive file integrity | FIM (OSSEC, Tripwire, Wazuh) |
| AI-BOM | SBOM (SPDX, CycloneDX) |
| Registry scanning | Private registry security (Artifactory, Nexus) |
| IOC-based detection (ClawHavoc) | Threat intel / IOC feeds in SIEM |
Implementation Priorities
- Immediately: never install skills/plugins without pre-install scanning. Establish
checksums.jsonverification. - Before scaling: deploy cognitive file integrity monitoring; establish SHA-256 baselines at deployment.
- At organizational scale: implement AI-BOM; integrate with existing SBOM workflow; feed to SIEM.
- Continuous: monitor registries with tools like Aguara Watch; receive IOC updates.
Key References
- SlowMist 3-tier defense matrix (pre-action blacklists, in-action permission narrowing, post-action audits + Brain Git)
- SecureClaw 55-check audit framework, maps to all 10 ASI categories + MITRE ATLAS
- ClawHavoc: the reference incident for this control domain. See ClawHavoc — Agentic Skill Marketplace Supply Chain Attack.
See Also
- AI-BOM: AI Bill of Materials — dedicated page on AI bills of materials
- Security Controls for AI Stacks — data layer where this control sits
- ClawHavoc — Agentic Skill Marketplace Supply Chain Attack, SANDWORM_MODE npm worm — AI Toolchain Poisoning, LiteLLM Supply Chain Compromise (Google ADK Dependency) — the incident evidence base