Scoopfeeds — Intelligent news, curated.
One command turns any open-source repo into an AI agent backdoor. OpenClaw proved no supply-chain scanner has a detection category for it
ai

One command turns any open-source repo into an AI agent backdoor. OpenClaw proved no supply-chain scanner has a detection category for it

VentureBeat AI · May 5, 2026, 10:09 PM

Why this matters: a development in AI with implications for how people work, create, and decide.

Just two months ago, researchers at the Data Intelligence Lab at the University of Hong Kong introduced CLI-Anything, a new state-of-the-art tool that analyzes any repo’s source code and generates a structured command line interface (CLI) that AI coding agents can operate with a single command. Claude Code, Codex, Open Claw, Cursor, and Git Hub Copilot CLI are all supported, and since its launch in March, CLI‑Anything has climbed to more than 30,000 Git Hub stars. But the same mechanism that makes software agent-native opens the door to agent-level poisoning. The attack community is already discussing the implications on X and security forums, translating CLI-Anything's architecture into offensive playbooks. The security problem is not what CLI-Anything does. It is what CLI-Anything represents. CLI-Anything generates SKILL.md files, the same instruction-layer artifacts that Snyk’s ToxicSkills research found laced with 76 confirmed malicious payloads across ClawHub and skills.sh in February 2026. A poisoned skill definition does not trigger a CVE and never appears in a software bill of materials (SBOM). No mainstream security scanner has a detection category for malicious instructions embedded in agent skill definitions, because the category simply did not exist eighteen months ago.Cisco confirmed the gap in April. “Traditional application security tools were not designed for this,” Cisco’s engineering team wrote in a blog post announcing its AI Agent Security Scanner for IDEs. “SAST [static application security testing] scanners analyze source code syntax. SCA [software composition analysis] tools check dependency versions. Neither understands the semantic layer where MCP [Model Context Protocol] tool descriptions, agent prompts, and skill definitions operate.”Merritt Baer, CSO of Enkrypt AI and former Deputy CISO at Amazon Web Services (AWS), told VentureBeat in an exclusive interview: “SAST and SCA were built for code and dependencies. They don’t inspect instruc

Article preview — originally published by VentureBeat AI. Full story at the source.
Read full story on VentureBeat AI → More top stories

More in ai

TechCrunch AI
SAP bets $1.16B on 18-month-old German AI lab and says yes to NemoClaw
VentureBeat AI
Miami startup Subquadratic claims 1,000x AI efficiency gain with SubQ model; researchers demand independent proof.
VentureBeat AI
GPT-5.5 Instant shows you what it remembered — just not all of it
Wired
‘I Actually Thought He Was Going to Hit Me,’ OpenAI’s Greg Brockman Says of Elon Musk
Wired
Telehealth Abortion Is Still Possible Without Mifepristone

Browse all ai coverage →

Aggregated and edited by the Scoop newsroom. We surface news from VentureBeat AI alongside other reporting so you can compare coverage in one place. Editorial policy · Corrections · About Scoop