Foreign media reports that the head of blockchain security company CertiK warns that while the internet, enterprise networks, and consumer applications are rapidly deploying autonomous AI agents, the corresponding isolation and oversight are not keeping pace, accumulating new security risks. As these systems begin to invoke external tools, read local files, and connect to financial infrastructure, the attack surface expands.
The more access permissions a user has, the closer they are to being identified as an "insider."
CertiK co-founder and CEO Guo Ronghui told CoinDesk that many AI agents are no longer just answering questions, but are starting to read local storage, invoke workflows, and manage emails, database credentials, and even financial accounts. If the execution environment is not isolated and external tools are not scanned, users are essentially handing over extensive internal access to a potentially manipulated system.
He believes the fundamental problem with the current AI agent craze lies in a flawed "trust model." Users often assume that the agent will perform tasks as expected, but as long as the system can access local files, execution logs, or account credentials, it can become the most dangerous entry point for insider threats.
Prompt injection and malicious plugins are harder to defend against.
Guo Ronghui stated that CertiK discovered numerous security vulnerabilities while researching early AI agent infrastructure, including high-risk security s, unpatched common vulnerabilities, and exposure of local credentials and session memories due to inconsistent boundary checks.
He also mentioned that attackers don't necessarily need to write malicious code to alter agent behavior at the inference layer. Common methods include embedding hidden instructions in web pages, PDFs, or emails, and influencing system decisions through prompt injection.
CertiK also discovered a large number of malicious techniques, disguised installers, and counterfeit dependency packages on open proxy tool platforms. These plugins subtly alter proxy targets and behaviors through natural language, making them difficult for traditional antivirus software that relies on dependency signature recognition to detect in a timely manner.
Short-term scams targeting AI have emerged on the blockchain.
Guo Ronghui stated that CertiK's monitoring also revealed an increase in on-chain automated scams, with some attacks lasting only 10 minutes to several hours before quickly disappearing. These short-lived attacks are not primarily aimed at human users, but rather specifically at AI trading bots and automated agent systems.
According to him, this means that "machine-to-machine" financial attacks are emerging. Attackers can complete fund transfers before human intervention, shortening the exposure time and increasing the difficulty of tracking.
Based on these findings, CertiK calls on the software industry to reduce interaction methods based on default trust and move towards a zero-trust architecture that isolates execution environments and continuously verifies every instruction and dependency.
