## Researchers Expose How CLI-Anything Transforms Open-Source Repos Into AI Agent Backdoors Undetected by Supply-Chain Scanners
A research team at the University of Hong Kong's Data Intelligence Lab has inadvertently demonstrated a systemic vulnerability in AI coding agent ecosystems. Their tool, CLI-Anything, generates structured command line interfaces that allow AI agents to operate repositories with a single command—supporting Claude Code, Codex, OpenClaw, Cursor, and GitHub Copilot CLI. Since its March launch, the tool has accumulated over 30,000 GitHub stars. But the same architectural mechanism that makes software agent-native has opened a direct pathway to agent-level poisoning, with the attack community already translating the tool's framework into offensive playbooks on X and security forums.

The core issue lies in what CLI-Anything produces: SKILL.md instruction-layer files. Research from Snyk's ToxicSkills initiative already identified 76 confirmed malicious payloads embedded across the ClawHub and skills.sh platforms in February, suggesting a pattern of abuse in exactly the mechanism CLI-Anything formalizes. Crucially, existing supply-chain scanners lack any detection category for this class of attack vector. The vulnerability is not specific to CLI-Anything itself—the tool performs as described—but rather represents a structural gap that attackers can exploit by leveraging the same approach at scale.

The implications extend across developer ecosystems and enterprise environments where AI coding agents operate with elevated permissions. Security researchers warn that repositories modified to generate malicious SKILL.md files could compromise agent behavior silently, potentially exfiltrating code, altering build processes, or establishing persistent access pathways. No major scanner currently categorizes SKILL.md poisoning as a distinct threat class, leaving detection to manual review or behavioral anomaly monitoring. The security community faces pressure to develop detection signatures and scanning capabilities before the technique becomes a mainstream attack vector in the wild.
---
- **Source**: VentureBeat
- **Sector**: The Lab
- **Tags**: AI agent security, supply chain vulnerability, SKILL.md poisoning, open-source backdoor, CLI-Anything
- **Credibility**: unverified
- **Published**: 2026-05-05 23:01:37
- **ID**: 79569
- **URL**: https://whisperx.ai/en/intel/79569