One command can turn open source repos into AI agent backdoors
OpenClaw exposes a blind spot in scanning
Business
Published on 6 May 2026

Your security tools scan code and dependencies but not instructions
A new tool called CLI-Anything can generate agent-ready SKILL.md files from open-source repos with a single command. Researchers warn this same mechanism enables instruction-level poisoning that won’t trigger CVEs or appear in SBOMs. Existing SAST and SCA cover code and dependencies, but a “third layer” of agent integration files is largely unscanned—leaving a pre-exploitation window as attacks spread.
- Agent skills can be poisoned without CVEs or SBOM visibility
- SAST and SCA miss the “agent integration layer” instructions
- Attackers can make agents run malicious directives using trusted credentials
- New scanners are only just emerging, leaving a fast-closing gap
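One way to bring this third layer under review, as an added example that is not from the original story or from any tool it names: inventory every SKILL.md in a repository, hash it, and fail CI when a skill file is new or has changed since the last human review. The baseline file name `skills.baseline.json` and all function names are hypothetical; the check detects drift only and does not judge what the instructions say.

```python
import hashlib
import json
import os

SKILL_FILENAME = "skill.md"  # matched case-insensitively; the only file name the story mentions


def inventory(root):
    """Return {relative_path: sha256_hex} for every SKILL.md under root."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            if name.lower() == SKILL_FILENAME:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                found[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return found


def diff_against_baseline(current, baseline):
    """Classify skill files as added, changed or removed since the last review."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def needs_review(root, baseline_path):
    """Load the reviewed baseline (hypothetical JSON file) and report drift."""
    baseline = {}
    if os.path.exists(baseline_path):
        with open(baseline_path, encoding="utf-8") as fh:
            baseline = json.load(fh)
    return diff_against_baseline(inventory(root), baseline)


if __name__ == "__main__":
    import sys
    report = needs_review(sys.argv[1] if len(sys.argv) > 1 else ".", "skills.baseline.json")
    print(json.dumps(report, indent=2))
    # Non-zero exit fails the CI job until a human reviews and re-baselines.
    sys.exit(1 if report["added"] or report["changed"] else 0)
```

With no baseline present, every skill file is reported as added, so the first run forces an initial review.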
This summarization was done by Beige for a story published on Venture Beat.
