Why Supply Chain Now Ranks Above Injection
In 2026 the agent-security order of priority has been reshuffled: supply chain is #1 and prompt injection is #2. Injection attempts surged 340% year over year, yet the larger losses come from dependencies you already trust. In March 2026 a backdoor package impersonating LiteLLM stayed exposed on PyPI for three hours and was downloaded roughly 47,000 times, while the skill marketplace ClawHub was found to host 1,184 malicious skills. Injection can be countered at the input boundary, but a poisoned package inherits your agent's full execution privileges.
Tool Poisoning: Commands Hidden in the Description
Tool poisoning plants model-directed instructions inside a tool's or skill's metadata and description text. Fields invisible to the user are read by the agent as directives, leading to credential leakage or unauthorized calls. OWASP classifies this among the top risks for LLM applications. The baseline defense is to review tool definitions like human-read code and to pin their integrity with signatures and hashes.
The Two Axes: Verification and Isolation
Supply-chain defense compresses into verification and isolation. Verification means version pinning, hash pins, signature checks, and quarantine review of new dependencies. Isolation means binding the agent to least privilege, restricting network egress to an allowlist, and confining tool execution to a sandbox. You cannot drive contamination to zero, so the core discipline is designing to shrink the blast radius when contamination does occur.
A Full Guide: From Planning to Operations
In planning, nail down target metrics as numbers. For every new dependency, set the baseline at 100% SBOM generation, 100% signature-verification pass rate, and zero unverified packages reaching production. Cap false-positive blocking of legitimate work at the tool-approval gate to 5% or less, and hold p95 deployment delay caused by quarantine review to within 24 hours.
Sort failures into three patterns. First, a new or updated package fails hash or signature verification. Second, an instruction pattern is detected inside a tool description. Third, the agent attempts egress to a domain outside the allowlist. Map a recovery branch to each pattern in advance so response is never delayed.
Layer the recovery strategy into automatic retry, human review, safe reduction, and halt. Transient registry errors retry up to three times with exponential backoff. Signature mismatches or new top-level dependencies are blocked from auto-pass and routed to a human-review queue. A tool where an injection pattern is detected is handled by safe reduction, disabling only that capability while the rest of the service stays up. When credential access and an egress violation coincide, halt the session immediately and revoke tokens. Set the halt condition conservatively so it fires on a single violation.
Back the operational checklist with standard logs. Every tool call records a request ID, tool and version hash, caller, approval-gate result, egress target, and latency. When persisting logs and prompts, mask PII such as email, phone, and token patterns, and keep raw text only in an access-controlled, short-retention store. The deployment pipeline makes SBOM and signature verification mandatory gates, holding the pass count of unverified artifacts at zero.
Run the continuous-improvement loop weekly. Aggregate block, retry, and halt events by type to track false-positive rate and missed threats together, and fold new threat indicators into detection rules. Reconcile the dependency inventory against new CVEs via automated scans, and each quarter measure mean response time through isolation drills that actually trigger the recovery branches.
Executive Summary
In 2026, agent security puts supply chain at #1 and injection at #2. As the LiteLLM backdoor and ClawHub's 1,184 malicious skills show, trusted dependencies are the biggest hole. Make verification (SBOM, signatures, hash pins) and isolation (least privilege, egress allowlist, sandbox) mandatory gates, and define a retry, human-review, safe-reduction, and halt branch for every failure. Keeping unverified packages out of production at zero is the starting point.