Anomity Research
The AI Agent Threat Model
AI agents, MCP servers, skills, and rules files form a new execution layer on the endpoint. This threat model maps that layer: the entities involved, the surfaces where attacks land, and the risks security teams should rank first. Every page includes the attack flow and the controls that break it.
Start with the entities
Threat surfaces
Where attacker-controlled input meets agent authority.
The Context Window
Every input an agent reads - the user's prompt, rules and skills files, fetched web pages, and tool output - lands in one context window with the same standing, which makes it the central trust boundary of agentic AI.
Crown Jewels on the Endpoint
Attackers do not want the agent; they want what the endpoint holds: cloud keys, SSH keys, session cookies, source code, and network position. An AI agent that reads files fluently and runs with the developer's privileges concentrates access to all of it.
Code Execution Paths
Agentic environments are dense with ways to run code - shell tools, MCP processes, skill and hook scripts, and config files that execute on their own. Each is an execution primitive an attacker can reach with text.
Internet-Sourced Content
Agents constantly pull outside content into the working environment - web pages, docs, packages, repo issues, SaaS records. Every fetch is both useful input and a delivery channel an attacker can plant into.
Top risks
The concrete failure modes we see most often in agentic environments.
Malicious MCP Servers
An MCP server is code you invite into your agent's loop. Thousands circulate publicly with no central vetting, and installing a local one means running its code on the endpoint with the developer's full privileges.
Malicious AI Rules Files
Rules files like CLAUDE.md, AGENTS.md, and .cursorrules load into the agent's context at the start of every session. A tampered or hostile rules file is prompt injection with persistence: the payload re-arms itself each time the agent starts.
Malicious Agent Skills
A skill is instructions plus code that loads into an agent and runs with its full authority. The open SKILL.md standard made one malicious skill portable across the entire agent ecosystem.
Excessive MCP Permissions
MCP servers and agent integrations routinely hold far more access than the task needs. That surplus scope is what turns any injection or compromise into a breach instead of a contained incident.
Local Network Exposure
AI tooling opens listening services on developer machines - local MCP servers, inference gateways, agent daemons, debug endpoints - often unauthenticated. Attackers reach them through the browser, SSRF, and internet-wide scanning.
Prompt Injection
Any content an agent reads can carry instructions it will follow. Prompt injection turns web pages, READMEs, tickets, and tool output into a command channel that hijacks the agent's authority.
AI-Generated Vulnerabilities
AI agents generate code faster than human review was ever sized for. The result is not malware but quiet exposure growth: insecure patterns replicated at scale, hallucinated dependencies attackers can register, and secrets committed into generated config.
See this surface in your own fleet
Anomity's Endpoint Sensor discovers every AI agent, MCP server, skill, and rules file on every endpoint, and governs each tool call at the hook. Book a 30-minute demo.




