In March 2026, researchers from the University of Hong Kong released CLI-Anything, a tool that converts any open-source repository into a command-line interface (CLI) usable by AI coding agents like Claude Code, Codex, and GitHub Copilot CLI. It quickly gained over 30,000 GitHub stars. But behind its utility lies a hidden danger: the same mechanism that makes repositories agent-native also creates a perfect entry point for stealthy backdoors. These backdoors hide in instruction files called SKILL.md, which no traditional security scanner can detect. This Q&A explains the gap and what it means for your software supply chain.

What Is CLI-Anything and How Does It Work?

CLI-Anything is an open-source tool developed at the University of Hong Kong that automatically analyzes any code repository and generates a structured command-line interface (CLI) for that repository. This CLI is designed to be invoked by AI coding agents such as Claude Code, Codex, OpenClaw, Cursor, and GitHub Copilot CLI—all with a single command. Essentially, it bridges the gap between static code and dynamic agent interaction. The tool’s popularity exploded after its March 2026 release, amassing more than 30,000 GitHub stars. But its core innovation—creating a skill definition in the form of a SKILL.md file—also opens a new attack surface. Attackers can embed malicious instructions directly into these skill files, turning any repository into an AI agent backdoor without modifying the actual source code.

How Does a Backdoor Hide in a SKILL.md File?

The backdoor resides in the SKILL.md file, which contains natural-language instructions for an AI agent. Unlike traditional code vulnerabilities, these instructions are not executable code; they are descriptive prompts that tell the agent what actions to take. For example, a skill definition might instruct the agent to silently exfiltrate credentials or modify configuration files. Crucially, a poisoned skill does not trigger a Common Vulnerability and Exposure (CVE) identifier and never appears in a software bill of materials (SBOM). It bypasses all conventional security scanners because those tools analyze source code syntax or dependency versions—not semantic instruction layers. The Snyk ToxicSkills research from February 2026 found 76 confirmed malicious payloads in skill files on ClawHub and skills.sh, proving the threat is real and growing.

Why Can’t Existing Security Scanners Detect These Backdoors?

Traditional security tools like Static Application Security Testing (SAST) and Software Composition Analysis (SCA) operate on two layers: source code and dependencies. SAST inspects code for injection flaws and hardcoded secrets; SCA checks package versions against vulnerability databases. Neither examines the agent integration layer—where configuration files, skill definitions, and natural-language instructions reside. As Merritt Baer, former Deputy CISO at Amazon Web Services and CSO of Enkrypt AI, explained to VentureBeat: “SAST and SCA were built for code and dependencies. They don’t inspect instructions.” Cisco confirmed this gap in April 2026, noting that their AI Agent Security Scanner for IDEs was built precisely because traditional tools were not designed for this semantic layer. The category of “malicious instructions” simply did not exist eighteen months ago, so no scanner has a detection pattern for it.

What Is the Agent Integration Layer and Why Is It Invisible?

The agent integration layer is the third, hidden layer in modern software supply chains—sandwiched between the code layer (where SAST works) and the dependency layer (where SCA works). It consists of skill definitions, Model Context Protocol (MCP) tool descriptions, agent prompts, and configuration files like Cursor rules. These artifacts are not compiled or executed in the traditional sense; they are natural-language documents that instruct an AI agent how to interact with a repository. Because they lack executable syntax, no SAST or SCA scanner profiles them. Yet they have profound control over agent behavior. CLI-Anything, MCP connectors, and Claude Code skills all reside in this invisible layer. Attackers can weaponize these files without touching a single line of code, making the backdoor virtually undetectable by current tools.

What Did Cisco Confirm About This Security Gap?

In April 2026, Cisco’s engineering team published a blog post announcing the AI Agent Security Scanner for IDEs. In it, they explicitly stated: “Traditional application security tools were not designed for this.” They explained that SAST scanners analyze source code syntax; SCA tools check dependency versions. Neither understands the semantic layer where MCP tool descriptions, agent prompts, and skill definitions operate. This confirmation from a major security vendor underscores the structural nature of the gap. It is not a single-vendor vulnerability but a blind spot affecting the entire security industry. Cisco’s new scanner attempts to address this by inspecting agent-specific files, but its existence is a direct admission that the industry has been flying blind when it comes to AI agent backdoors.

What Should Security Directors Do Right Now?

This is a pre-exploitation window: CLI-Anything is live, the attack community is actively discussing and translating its architecture into offensive playbooks, but no major incident has yet been reported. Security directors should act now to get ahead. Recommended steps include:

• Audit all repositories for SKILL.md files and similar agent instruction artifacts.
• Implement manual review of any skill definition before allowing agents to execute commands based on it.
• Deploy emerging tools like Cisco’s AI Agent Security Scanner or alternative solutions that inspect the semantic layer.
• Educate development teams about the risks of agent-native tools and the difference between code-level and instruction-level threats.

Waiting for the first incident report will mean scrambling to patch a gap that could have been closed proactively. The time to reinforce your supply-chain defenses is now.

How Does This Differ from Traditional Supply-Chain Attacks?

Traditional supply-chain attacks exploit code vulnerabilities (e.g., injection flaws) or dependency weaknesses (e.g., using a library with a known CVE). Both are detected by SAST and SCA scanners. Agent-level poisoning, by contrast, targets the instructional layer that tells AI agents how to behave. The malicious content is not executable code—it’s natural language or structured skill definitions. This means it does not appear in an SBOM, cannot be flagged by a CVE database, and evades every mainstream scanner. It’s a fundamentally new attack vector that requires a new category of security tool. The difference is critical: while traditional attacks tamper with what the software does, instruction-layer attacks tamper with what the agent is told to do. This distinction makes the latter far stealthier and harder to detect.