June 5, 2026 A fast-growing open-source project called CLI-Anything is drawing attention from security researchers who warn it highlights a major gap in how organizations protect AI-powered software development. The concern is not the tool itself, but what it reveals about a new attack surface that traditional security products were never designed to monitor.

Developed by researchers at the University of Hong Kong’s Data Intelligence Lab, CLI-Anything was introduced in March as a system that analyzes source code repositories and automatically generates structured command-line interfaces that AI coding agents can operate. The project supports tools including Claude Code, Codex, OpenClaw, Cursor, and GitHub Copilot CLI, and has accumulated more than 30,000 GitHub stars since launch.

Security experts say the technology represents a broader shift toward making software “agent-native,” allowing AI systems to interact directly with repositories through instruction files and skill definitions. Those same instruction layers, however, are becoming a growing target for attackers.

One concern centers on SKILL.md files, instruction-based artifacts generated by systems such as CLI-Anything. According to Snyk’s ToxicSkills research, 76 confirmed malicious payloads were discovered in skill repositories earlier this year. Unlike traditional vulnerabilities, malicious instructions embedded in these files do not appear in software bills of materials and are not detected by conventional security scanners.

Cisco highlighted the challenge in April, noting that static application security testing (SAST) and software composition analysis (SCA) tools were built to inspect source code and dependencies, not the semantic instructions that guide AI agents. Merritt Baer, chief security officer at Enkrypt AI and former AWS deputy CISO, summarized the issue by saying that existing security tools inspect code and dependencies but not instructions.

Researchers from Griffith University, Nanyang Technological University, the University of New South Wales, and the University of Tokyo documented one example of the threat in an April study. Their work described a technique called Document-Driven Implicit Payload Execution (DDIPE), which embeds malicious logic inside documentation and code examples that AI agents later interpret as instructions. Testing across multiple agent frameworks produced bypass rates ranging from 11.6% to 33.5%.

The report argues that these attacks operate within what researchers describe as an “agent integration layer” positioned between source code and dependencies. This layer includes skill definitions, MCP configurations, agent prompts, and natural-language instructions that influence how AI systems behave.

Several real-world incidents have already been documented. A GitHub issue title was reportedly used in April to trigger an AI triage bot that exposed a GitHub token and ultimately led to the publication of a compromised npm package. Separately, Snyk’s audit of nearly 4,000 OpenClaw skills found that 13.4% contained at least one critical security issue.

Security experts are urging organizations to inventory AI agent tools, audit skill repositories, establish review processes for instruction files, and deploy emerging tools designed specifically to analyze agent-level instructions.

For many security teams, the challenge is no longer limited to securing code and dependencies. Increasingly, they must also secure the instructions that AI agents trust and execute.