The Supply Chain of Trust
This week, security researchers disclosed ClawHavoc — a coordinated supply chain attack that compromised 21,000 AI agent instances through 341 malicious skills published to open marketplaces.
The attack was elegant in its simplicity: publish skills that look useful (file converters, API wrappers, data formatters), embed a backdoor that exfiltrates conversation history and API keys, and wait for agents to auto-install them.
CVE-2026-37359. CVSS 8.8. Remote code execution.
The scary part isn’t the vulnerability itself. It’s how perfectly it exploits the way most people think about AI tools.
The Auto-Install Mindset
When you use a package manager — npm, pip, cargo — you accept a social contract: the registry has some baseline quality control, and if a package has a million downloads, it’s probably safe. This was always somewhat naive (remember event-stream?), but it worked well enough at scale.
AI skill marketplaces adopted the same model. Scrape GitHub for repos with “MCP” in the name, auto-index them, show download counts, let agents install whatever they want. Volume became the metric. “We have 10,000 skills!” became the selling point.
ClawHavoc proved why that’s broken.
An AI agent isn’t like a web app importing a utility library. An agent has agency. It reads your files, sends your emails, manages your infrastructure. A malicious skill inside an agent isn’t just a supply chain vulnerability: it hands an attacker a remote-controlled employee who already holds your credentials and acts with every permission the agent has.
Curation as Security
At MCPHub, we list 27 apps. Not 500. Not 10,000. Twenty-seven.
Every one goes through manual code review, dependency auditing, developer verification, and interactive testing. We rejected 300+ repositories in our last cleanup. Most weren’t malicious — just abandoned, broken, or wrapper-thin. But some were exactly the kind of thing ClawHavoc exploited.
This isn’t a scale problem we’ll eventually solve with automation. Automation is how you get 341 malicious skills indexed in the first place. This is a human judgment problem, and it requires human judgment to solve.
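One way to make a curated catalog something an agent runtime actually enforces, rather than a listing it merely reads, is an install gate that pins each reviewed skill to the hash of the artifact that was audited. The following is an added example and is not MCPHub’s code; the manifest layout, the skill name, the review metadata and the bundle bytes are all constructed for illustration. The point it shows is that popularity and a familiar name are not inputs to the decision: only membership in the reviewed catalog and a byte-exact match with the reviewed artifact are.

```python
"""Hypothetical agent-side install gate (added example, not MCPHub's code).

A skill is installed only if (1) it is in the curated manifest, (2) the requested
version is the one that was reviewed, and (3) the downloaded bundle hashes to the
exact artifact the reviewers looked at. Download counts play no part.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the audited skill bundle (in practice a tarball/zip).
REVIEWED_BUNDLE = b"""name: pdf-to-text
version: 1.4.2
entrypoint: convert.py
# convert.py reads a local PDF and returns its text. No network access.
"""

# Constructed curated manifest: one entry per reviewed skill, keyed by name.
# Real deployments would fetch this over TLS and verify a signature on it
# (assumed here, not implemented) so the manifest itself cannot be swapped.
CURATED_MANIFEST = {
    "pdf-to-text": {
        "version": "1.4.2",
        "sha256": hashlib.sha256(REVIEWED_BUNDLE).hexdigest(),
        "reviewed_by": "catalog-team",   # assumed metadata field
        "review_date": "2026-01-10",     # assumed metadata field
    },
}

# Constructed public index entry of the kind an auto-install flow would trust.
# Note the high download count: the gate below never looks at it.
PUBLIC_INDEX_ENTRY = {"name": "handy-api-wrapper", "version": "0.1.0", "downloads": 2_100_000}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def gate_install(name: str, version: str, bundle: bytes,
                 manifest: dict = CURATED_MANIFEST) -> Decision:
    """Return whether `bundle` may be installed as skill `name`@`version`."""
    entry = manifest.get(name)
    if entry is None:
        # Unlisted skill: reject regardless of how popular the index says it is.
        return Decision(False, f"{name} is not in the curated catalog")
    if entry["version"] != version:
        # A newer upload is a different artifact; it has not been reviewed.
        return Decision(False, f"{name}@{version} was not reviewed; catalog has {entry['version']}")
    digest = hashlib.sha256(bundle).hexdigest()
    # Constant-time comparison of hex digests; hash pinning catches any
    # post-review tampering, including a backdoor appended to a trusted skill.
    if not hmac.compare_digest(digest, entry["sha256"]):
        return Decision(False, f"{name}@{version} bundle does not match the reviewed artifact")
    return Decision(True, f"{name}@{version} matches artifact reviewed by "
                          f"{entry['reviewed_by']} on {entry['review_date']}")


def demo() -> list[Decision]:
    """Run the gate over four constructed cases and return the decisions."""
    # Same skill, same version, but a backdoor was appended after review.
    tampered = REVIEWED_BUNDLE + b"\n# exfil: post os.environ and chat log to attacker host\n"
    return [
        gate_install("pdf-to-text", "1.4.2", REVIEWED_BUNDLE),          # allowed
        gate_install("pdf-to-text", "1.4.2", tampered),                 # rejected: hash mismatch
        gate_install("pdf-to-text", "1.4.3", REVIEWED_BUNDLE),          # rejected: unreviewed version
        gate_install(PUBLIC_INDEX_ENTRY["name"], PUBLIC_INDEX_ENTRY["version"],
                     b"whatever the index served"),                    # rejected: not curated
    ]


if __name__ == "__main__":
    for decision in demo():
        print("ALLOW " if decision.allowed else "REJECT", decision.reason)
```

The gate deliberately has no path that says "install anyway because it looks popular"; an agent that wants a skill outside the catalog has to wait for a human to review it, which is the trade-off the rest of this post argues for.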
The Uncomfortable Trade-off
Small catalogs feel wrong in tech. We’re conditioned to believe bigger is better, more options means more value, and restriction equals limitation.
But restriction is the product. When you install something from a curated catalog, you’re not just getting software. You’re getting the hours someone spent verifying it won’t steal your API keys. That’s the actual value proposition.
I’d rather list 27 apps I trust than 10,000 I can’t vouch for.
In the age of autonomous agents, the supply chain of trust is the only chain that matters.