Agentic Supply Chain Compromise
Anti-pattern: compose agent capabilities at runtime from third-party tools, RAG sources, model providers, plugin marketplaces, and tool definitions, with no integrity check on what loaded.
Problem
Any compromise in the supply chain — a malicious MCP server, a poisoned RAG corpus, a tampered tool definition, a swapped model — cascades into the agent's operations. The agent itself is well-behaved; the inputs and definitions it composes from are not. Unlike classical software supply chain (npm typosquatting, GitHub action injection), the agentic surface includes tool definitions, RAG content, and prompt templates that look like data but execute like code.
Solution
Don't load third-party agent components without integrity verification. Pin and sign tool definitions, model versions, RAG corpora, plugin manifests. Apply allow-listed sources for MCP servers and plugins. Use static analysis on tool definitions before runtime composition. Pair with memory-poisoning and authorized-tool-misuse mitigations.
When to use
- Never. Cite when reviewing agent composability.
- Pin and sign external tool definitions, plugin manifests, and corpora.
- Allow-list MCP servers and plugin sources.
Open the full interactive page →
Diagram, neighbourhood map, code examples, related patterns and full provenance.