One command turns any open-source repo into an AI agent backdoor. OpenClaw proved no supply-chain scanner has a detection category for it

Researchers at the University of Hong Kong's Data Intelligence Lab built CLI-Anything, a tool that converts open-source repositories into command-line interfaces that AI coding agents can operate automatically. The tool gained 30,000 GitHub stars since launch in March and works with Claude Code, Codex, OpenClaw, Cursor, and GitHub Copilot CLI.

Security researchers have now weaponized the same mechanism. OpenClaw, an attack tool, demonstrates how a single command can inject a backdoor into any open-source repository, transforming it into an AI agent exploit. The attack bypasses existing supply-chain security scanners entirely. No current detection category exists for this class of threat across major scanning platforms.

The vulnerability exposes a critical blind spot in software security infrastructure. As AI agents gain autonomy to interact with code repositories, attackers can poison those repositories at the CLI level. Traditional scanners focus on code patterns, suspicious imports, and known malware signatures. They miss agent-native attack surfaces because they don't model how AI systems interpret and execute commands differently than humans.

The attack works because CLI-Anything standardizes repository interactions for machine consumption. An attacker can embed malicious instructions into repository files that execute when an AI agent runs the generated CLI. The commands appear benign to static analysis tools but trigger dangerous behavior when processed by AI systems.

Security researchers are already discussing the implications on X and security forums. The attack chain highlights a fundamental gap: supply-chain tooling evolved for human developers, not autonomous AI systems. As organizations adopt AI coding assistants for deployments, this gap becomes a vector for widespread compromise.

The discovery puts pressure on both the scanning tool industry and open-source maintainers. Defenders must build detection models for agent-level poisoning. Repository hosts need warnings when CLI-Anything or similar tools expose them to these attacks. The alternative is letting malicious