Aman Bansal

The most powerful code in your repo is unsigned

· ai-security, supply-chain, governance

We review npm packages harder than we review the instructions telling our AI agents what to do.

SKILL.md files. .cursorrules. .windsurfrules. MCP server definitions. These steer how a coding agent reads your repo, generates code, and calls tools. Functionally, they’re executable instructions.

And they’re unsigned, unreviewed, and copy-pasted from the internet.

Two pipelines: a dependency passes review, pinning, signing and scanning before production; agent instruction files bypass every checkpoint and go straight to the coding agent.

A supply chain problem, not a prompt problem

We’ve spent years hardening the software supply chain: SBOMs, signing, dependency scanning, provenance. Then a whole new class of “code” showed up — one that configures the most powerful actor in the SDLC — and it goes through none of it.

The attack classes write themselves: instructions that fire on a trigger keyword, malicious helper scripts shipped next to a benign-looking manifest, over-broad tool permissions granted by default. None of this is exotic. It’s left-pad and typosquatting all over again, except the payload doesn’t run in your build — it runs in the thing that writes your code.

Three controls humans get. Agents get zero.

Zoom out and the instruction files are one symptom of a bigger gap. Your developers don’t write all your code anymore — their agents do. For human developers we have three controls so basic we forget they exist:

  1. Their instructions are reviewed. That’s what onboarding, standards, and code review are.
  2. Their output is checked against policy before it ships.
  3. The org’s security policy actually reaches them.

For coding agents, all three are usually missing. Their instructions are an unreviewed supply chain. Their output reaches CI with no policy gate. And the CISO’s policy lives in a 40-page PDF inside a GRC tool — a system the agent never sees, and never will.

Governance that can’t reach the point of action isn’t governance. It’s documentation.

So when a risky change ships, the answer to “who authorized this?” is: nobody did. A non-human actor made a decision no policy governed and no trail explains.

The fix is boring — which means it’s buildable

This is the encouraging part. Nothing here requires a research breakthrough. It requires applying muscle we already have:

  • Treat instruction bundles the way we treat dependencies: reviewed, pinned, signed, provenance-tracked.
  • Put a policy gate where the work happens — in the editor, in the coding loop, in CI — not in a PDF.
  • Map findings to something concrete (CWE, OWASP, MITRE), so a violation says not just “this is risky” but “this violates which policy, owned by whom.”

Supply-chain security went from a niche concern to table stakes in about five years, because the tooling made the right thing easy. The same window is open right now for agent instructions — and it’s a genuinely great time to be the team (or the industry) that closes it.

← Back to blog