Now in early access, book a 30-minute demo →

Anomity Research

The AI Agent Threat Model

AI agents, MCP servers, skills, and rules files form a new execution layer on the endpoint. This threat model maps that layer: the entities involved, the surfaces where attacks land, and the risks security teams should rank first. Every page includes the attack flow and the controls that break it.

Developer endpointlaptop / workstation Anomity Endpoint Sensorinventory + hook AI agentIDE + CLI agents MCP serverslocal + remote tools Skills + rules filesSKILL.md / CLAUDE.md Local resourcesfiles, secrets, shell External resourcesSaaS, repos, web runs instructions calls tools reads / executes reaches allow / deny / log
The agentic environment: instructions flow into the agent; the agent's authority flows out to local and external resources.

Start with the entities

Threat surfaces

Where attacker-controlled input meets agent authority.

Top risks

The concrete failure modes we see most often in agentic environments.

Top riskcritical

Malicious MCP Servers

An MCP server is code you invite into your agent's loop. Thousands circulate publicly with no central vetting, and installing a local one means running its code on the endpoint with the developer's full privileges.

Top riskhigh

Malicious AI Rules Files

Rules files like CLAUDE.md, AGENTS.md, and .cursorrules load into the agent's context at the start of every session. A tampered or hostile rules file is prompt injection with persistence: the payload re-arms itself each time the agent starts.

Top riskcritical

Malicious Agent Skills

A skill is instructions plus code that loads into an agent and runs with its full authority. The open SKILL.md standard made one malicious skill portable across the entire agent ecosystem.

Top riskhigh

Excessive MCP Permissions

MCP servers and agent integrations routinely hold far more access than the task needs. That surplus scope is what turns any injection or compromise into a breach instead of a contained incident.

Top riskmedium

Local Network Exposure

AI tooling opens listening services on developer machines - local MCP servers, inference gateways, agent daemons, debug endpoints - often unauthenticated. Attackers reach them through the browser, SSRF, and internet-wide scanning.

Top riskcritical

Prompt Injection

Any content an agent reads can carry instructions it will follow. Prompt injection turns web pages, READMEs, tickets, and tool output into a command channel that hijacks the agent's authority.

Top riskmedium

AI-Generated Vulnerabilities

AI agents generate code faster than human review was ever sized for. The result is not malware but quiet exposure growth: insecure patterns replicated at scale, hallucinated dependencies attackers can register, and secrets committed into generated config.

See this surface in your own fleet

Anomity's Endpoint Sensor discovers every AI agent, MCP server, skill, and rules file on every endpoint, and governs each tool call at the hook. Book a 30-minute demo.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok