Supply Chain

Supply chain attacks target the path between the skill author and you. Instead of attacking the skill directly, the attacker compromises something the skill depends on: a library, a build tool, a registry, a CDN, or the author development environment. The skill itself might be well-written and well-intentioned, but it ships with a backdoor that was inserted upstream.

In the AI skill ecosystem, the supply chain includes the skill registry (where you discover skills), the hosting platform (where the skill code lives), the skill dependencies (npm packages, Python libraries, system tools), and the MCP server framework itself. A compromise at any of these layers can inject malicious behavior into skills that appear completely clean.

Aguara supply chain rules detect patterns like dependency confusion setups, typosquatting indicators, suspicious package installation commands, post-install hooks that execute code, and references to known-compromised packages or registries.

The AI skill ecosystem is young, which means its supply chain is immature. Most skill registries do not have the security infrastructure that npm, PyPI, or crates.io have built over years. There is no package signing, no transparent build logs, no reproducible builds, limited (if any) malware scanning on upload.

This creates opportunity for attackers. Typosquatting (registering skill names similar to popular ones) is trivial when there is no name reservation system. Dependency confusion works when skills reference private packages without scoping. Account takeover is easier when registries do not enforce 2FA.

The trust model is also different. When you npm install a package, you are trusting the package and its transitive dependencies. When you install an MCP skill, you are trusting the skill, its dependencies, AND giving it access to your agent full capability set. The blast radius of a compromised skill is not just code execution. It is code execution with access to every other tool your agent is connected to.

Verify skill authenticity before installation. Check the author identity, the repository history, and the skill age. Brand-new skills with no community activity deserve extra scrutiny. If the registry supports verified publishers or signed packages, prefer those.

Audit your skills dependencies. Run npm audit, pip-audit, or equivalent tools. Pin dependency versions in lockfiles. Avoid auto-updating to latest versions in production. Subscribe to security advisories for your dependencies so you learn about compromises quickly.

For skill authors: use lockfiles, enable 2FA on every account that can publish, review dependency updates before merging, and set up automated security scanning in your CI pipeline. If you maintain popular skills, you are a high-value target. Act accordingly.