Ghost in the Machine: Detecting and Defending Against Malicious AI Agent Skills in the Supply Chain

This article introduces the Ghost in the Machine project, which focuses on detecting and defending against malicious AI Agent Skills in the supply chain. It uses technologies like the OSM API to protect platform engineering Golden Paths from security threats posed by autonomous workflows. The project addresses new supply chain risks in the AI Agent era through a multi-layered detection mechanism, providing practical tools and methods for the safe use of AI Skills.

Agentic AI is transforming software development and operations, bringing efficiency leaps while introducing new security risks. Traditional software supply chain security tools focus on dependency libraries and container images, but lack the ability to detect new components like AI Skills. Malicious AI Skills may quietly collect sensitive information or plant backdoors—they are highly stealthy, making it hard for existing methods to detect them.

An AI Skill supply chain attack refers to attackers contaminating the code or configuration of an AI Skill to make it perform malicious operations. Reasons for its high stealth include: Skills often exist as a mix of natural language and code, which traditional static analysis struggles to cover; malicious behavior may be hidden in conditional logic or ambiguous instructions; malicious behavior is only triggered under specific contexts; and AI Agents have high permissions, leading to a wide impact range.

The Ghost in the Machine project detects malicious AI Skills through the following mechanisms:

1. Metadata Analysis: Using the OSM API to collect metadata such as author reputation, project maintenance status, and dependency trees to identify suspicious Skills;
2. Static Code Analysis: Scanning for sensitive API calls, data flows, obfuscation detection, and natural language descriptions;
3. Dynamic Behavior Analysis: Observing actual behaviors like network connections and file access in a sandbox environment;
4. Threat Intelligence Correlation: Correlating with known malicious signatures, attack patterns, and CVEs.

Golden Paths (the organization's standard development and deployment paths) are targets of attacks. The project provides the following protection strategies:

1. Access Control: Establish a Skill whitelist and use automated evaluation tools to review security;
2. Continuous Monitoring: Track Skill changes and re-evaluate risks;
3. Principle of Least Privilege: Assign the minimum necessary permissions to limit the impact range of attacks.

The project applies to the following scenarios:

1. CI/CD Integration: Automatically scan AI Skills in the build process to block high-risk ones from entering production;
2. Regular Audits: Rescan existing Skills to detect new risks;
3. Incident Response: Quickly scan assets to confirm impact when new attacks are publicly disclosed.

The project has the following limitations:

1. Detection Completeness: Cannot capture all malicious Skills; advanced attackers may bypass detection;
2. False Positive Issues: Aggressive strategies easily lead to false positives that impact efficiency, requiring a balance between security and usability;
3. Threat Evolution: Attack techniques are constantly evolving, so detection rules need continuous iteration.

Ghost in the Machine fills the gap in AI Skill supply chain security and promotes industry standardization (such as metadata standards and scanning benchmarks). Community collaboration is needed to address systemic issues. It is recommended that teams using AI Agents pay attention to this project, and while improving efficiency, attach importance to the supply chain security defense line.