A deep dive into how AI agents amplify existing package security vulnerabilities across all ten OWASP Agentic Application risk categories. Covers typosquatting and namespace confusion in MCP server packages, registry poisoning, metadata/descriptor injection attacks, lockfile manipulation, install-time code execution with elevated agent permissions, credential exfiltration, and cascading dependency graph failures. Uses OpenClaw (an agent coding platform with 238 CVEs) as a case study showing that agent platforms are rediscovering classic package manager bugs — path traversal, auto-loading from working directories, unsanitized inputs — but with faster propagation and broader permissions since no human is in the review loop.

8 min read. From nesbitt.io
Table of contents

Package name attacks
Registry and repository attacks
Metadata and descriptor poisoning
Dependency resolution and lockfile attacks
Install-time and import-time code execution
Credential and secret leakage through packages
Cascading failures through the dependency graph
Skill and plugin installation