SECURITY GLOSSARY

What is Agent Supply Chain Attack?

An agent supply chain attack compromises an AI agent by targeting the upstream software, models, prompts, or skills it depends on — rather than attacking the agent runtime directly. The compromise persists through every install and every invocation downstream.

Agent supply chain attacks exploit the same patterns as classic software supply chain attacks (think SolarWinds, the npm event-stream incident, the PyPI colorama typosquats) but operate one layer up the stack. Where classic attacks target the executable or library, agent attacks target the prompt template, the tool description, the fine-tuned model weights, or the published skill package.

Five common vectors. Typosquatting: register panguard-cli next to panguard to trick users into installing the wrong one. Dependency confusion: publish a malicious package with the same name as an internal package, exploiting npm/PyPI resolution order. Postinstall hijack: a skill's package runs code at install time, before any audit. Author takeover: compromise the publisher account of a popular skill, ship a malicious update. Prompt-template poisoning: a community-contributed prompt template in a marketplace contains injection patterns that activate when the template runs.

PanGuard's Wild Scan (2026-04) measured the actual footprint. 122 of 67,799 scanned skills had postinstall scripts that ran before any review. 249 had the triple-threat permission combination (shell + network + filesystem). 1,096 were confirmed malicious. The data is published; the methodology is reproducible; the raw dataset is downloadable for independent verification.

Defense requires checks at three points. (1) Pre-install via Skill Auditor (catches typosquats, postinstall scripts, triple-threat, manifest-behavior mismatch). (2) At-rest via signed evidence packs and SBOM tracking (catches author-takeover by detecting unsigned updates). (3) Runtime via PanGuard Guard (catches activated payloads regardless of how they got installed). The skill-compromise category in ATR contains 40 rules targeting these patterns.

OWASP

LLM03:2025 + ASI04:2026

References

Related terms

AI Agent Skill

An AI agent skill is a packaged capability — code, prompt template, and tool definitions — that an AI agent can install and invoke. Formats include Claude Skills (SKILL.md), MCP servers (npm packages), OpenClaw skills, and custom proprietary formats. Skills are the "apps" of the agent era — and have the same supply-chain risk as npm packages.

Learn more

Tool Poisoning

Tool poisoning is an attack where a malicious tool description or tool response injects instructions into the agent. The agent reads the tool definition or output as plain text and treats embedded instructions as authoritative — a special case of indirect prompt injection focused on the MCP and skill ecosystem.

Learn more

Skill Auditor

A Skill Auditor is a pre-install security gate for AI agent skills. It scans skill manifests, tool definitions, and packaged code for prompt injection, tool poisoning, hidden capabilities, supply-chain signals, and behavior-description mismatches before the skill is installed. PanGuard ships an open-source Skill Auditor with 8 checks.

Learn more

Agent Threat Rule (ATR)

An Agent Threat Rule (ATR) is a YAML-formatted detection rule for AI agent security threats. ATR is to AI agents what Sigma is to SIEM logs and YARA is to malware files: an open, machine-readable detection standard with multi-vendor adoption.

Learn more

Reviewed byAdam Lin·Last reviewed2026-05-12