The Landscape

Agents have no standardized way to assess a source before interacting with it.

Every URL is equally trustworthy. Every MCP server is installable. Every skill is loadable. AI agents make billions of web requests daily with no standard way to assess whether a source is reliable, well-behaved, or even accessible before consuming it.

Three attack surfaces

Every entity an agent interacts with falls into one of three interaction patterns. Each has a distinct risk profile.

Content Poisoning

fetch & read

Hidden text, metadata injection, context stuffing, and adversarial content designed to manipulate agent behavior through consumed web pages and API responses.

Palo Alto Unit 42 documented prompt injection campaigns targeting AI agent content pipelines

ChatGPT Atlas manipulation demonstrated large-scale content poisoning via search results

Brave Security research showed injection vectors in search-augmented generation

OpenAI acknowledged content poisoning as a primary threat to agent reliability

OWASP LLM01 — Prompt Injection

Tool Compromise

call & execute

Undocumented behavior, excessive permissions, adversarial tool responses, and capability escalation through MCP servers and API endpoints that agents invoke.

CNCERT warning on MCP server supply chain attacks targeting agentic systems

PromptArmor demonstrated tool-based privilege escalation in MCP environments

Anthropic MCP documentation warns of behavioral manipulation through tool responses

April 2025 analysis revealed widespread permission over-scoping in MCP tool servers

OWASP LLM07 — Insecure Plugin Design

Instruction Injection

load & run

Adversarial SKILL.md files, declaration file manipulation, and supply chain attacks through agent skill packages that execute in the agent runtime.

ClawHavoc campaign (documented by Snyk) planted reverse shells in skill packages

Tego found 25%+ of tested skills contained security vulnerabilities

Multiple reverse shell incidents traced to compromised skill declaration files

OWASP LLM05 — Supply Chain Vulnerabilities

By the numbers

44%

of internet traffic is now bots, rivaling human traffic for the first time.

Cloudflare Radar, 2025

25%+

of agent skills tested contained security vulnerabilities in tool execution or declaration files.

Tego Cyber, 2025

73%

of CISOs concerned about AI agent security; only 30% feel ready to address it.

NeuralTrust, 2025

233

AI interaction incidents documented in the past year across agentic systems.

Stanford HAI AI Index, 2025

25 of 30

frontier AI agent labs do not publicly disclose evaluation results.

MIT AI Agent Index, 2025

83%

of security teams concerned about data exfiltration through AI agent interactions.

Okta, 2025

53%

of enterprise AI deployments use RAG or agentic pipelines consuming external content.

AIUC-1, 2025

80%+

of major websites now actively block AI bot traffic, creating an adversarial landscape.

Cloudflare, 2025

86%

of organizations report no visibility into AI data flows across their agent systems.

AIUC-1, 2025

Where AWI fits

Agent identity (Signet, Web Bot Auth), agent-to-agent communication (A2A), agent-to-commerce (UCP), and agent-to-tools (MCP) all have protocols. The content layer — the thing agents actually consume to do useful work — has no standard intelligence layer. AWI fills this gap by measuring the delta between what sources declare and what they actually do.

AWI is infrastructure, not a competing product. It sits behind agent tools like Exa, Tavily, and MCP clients, providing intelligence that informs every interaction.

How AWI works →Explore the index