Hasty Briefs

AI agent security needs a composition graph, not just an SBOM

12 hours ago
  • #Composition Risk
  • #SCA Limitations
  • #AI Agent Security
  • The primary risk in AI agents lies not in individual plugins or packages but in the composition of components.
  • SCA scanners identify vulnerable packages but cannot correlate them with the agent's capabilities like reading private data or sending messages.
  • Example: the 'imessage' plugin combines an MCP server, skills, and npm packages to read/send messages, creating a risk surface through composition.
  • Analysis of Claude's plugin marketplace revealed 124 vulnerabilities concentrated in four messaging plugins, highlighting the correlation between vulnerable code and sensitive capabilities.
  • SCA sees only packages; runtime monitoring sees behavior; neither assesses the declared agent composition (plugins, skills, servers, permissions, etc.).
  • Agent security requires a composition graph view, mapping how components interconnect, to evaluate risks like untrusted input combined with data access.
  • OpenACA is an open-source tool that inventories agent stacks, attributes advisories to components, flags posture issues, and exports an Agent BOM.
  • Future development aims for graph-derived exposure analysis to prioritize findings based on plausible impact paths.
  • Agent security must shift from package-centric to composition-aware analysis, treating the agent as the primary unit of risk assessment.
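The composition-graph argument in the points above, as an added worked example that is not code from the article or from OpenACA: each component declares the capabilities it grants and the components it pulls in, and an advisory that SCA attributes to a package is rated by the combined capabilities of every plugin whose composition includes that package, so the same vulnerable package rates differently under a messaging plugin and a weather plugin. Component names, capability labels and advisory ids are constructed for the demo.

```python
# Added example, not from the article or from OpenACA: a minimal composition
# graph of an agent stack. Names, capability labels and advisory ids are constructed.

# Each component declares the capabilities it grants and the components it pulls in.
COMPONENTS = {
    "imessage-plugin": {"kind": "plugin", "caps": set(), "deps": ["imessage-mcp", "reply-skill"]},
    "imessage-mcp": {"kind": "mcp_server", "deps": ["pkg-a"],
                     "caps": {"untrusted_input", "read_private_data", "send_messages"}},
    "reply-skill": {"kind": "skill", "caps": {"untrusted_input"}, "deps": ["pkg-b"]},
    "weather-plugin": {"kind": "plugin", "caps": set(), "deps": ["weather-mcp"]},
    "weather-mcp": {"kind": "mcp_server", "caps": {"network_fetch"}, "deps": ["pkg-a"]},
    "pkg-a": {"kind": "npm", "caps": set(), "deps": []},
    "pkg-b": {"kind": "npm", "caps": set(), "deps": []},
}
# What an SCA scanner alone reports: advisory -> affected package (placeholder ids).
ADVISORIES = {"ADV-PLACEHOLDER-1": "pkg-a", "ADV-PLACEHOLDER-2": "pkg-b"}
SENSITIVE = {"read_private_data", "send_messages"}


def closure(name):
    """Every component reachable from `name` through declared dependencies."""
    seen, stack = set(), [name]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(COMPONENTS[node]["deps"])
    return seen


def plugin_caps(plugin):
    """Capabilities the plugin holds as a whole: the union over its closure."""
    return set().union(*(COMPONENTS[n]["caps"] for n in closure(plugin)))


def rate(caps):
    """Untrusted input combined with a data or messaging capability is the high case."""
    if "untrusted_input" in caps and caps & SENSITIVE:
        return "high"
    return "medium" if caps & (SENSITIVE | {"untrusted_input"}) else "low"


def exposure(advisory_id):
    """Attribute an advisory to each plugin whose composition includes the package,
    rated by that plugin's combined capabilities rather than by the package alone."""
    pkg = ADVISORIES[advisory_id]
    return sorted((p, rate(plugin_caps(p))) for p, c in COMPONENTS.items()
                  if c["kind"] == "plugin" and pkg in closure(p))
```

SCA alone reports both advisories as two findings in `pkg-a` and `pkg-b`; the graph view rates the `pkg-a` advisory high under the messaging plugin and low under the weather plugin.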