The dependency chain now includes agent behavior
Supply chain used to mean packages, images, actions and scripts. With agents, it also includes tool descriptions, MCP servers, Agentic Skills, AGENTS.md, project rules and instruction files. All of these can influence what the agent reads, writes, executes or decides.
MCP tool poisoning is dangerous because malicious instructions can hide inside a tool description, tool response or server change. The agent may interpret it as trusted guidance and call a tool with too much permission.
What to review
- Every installed MCP server, origin, version and transport.
- Available tools and what each one can actually reach.
- Tool descriptions, schemas and responses that enter model context.
- Agentic Skills with versioned scripts, resources and instructions.
- AGENTS.md, CLAUDE.md, GEMINI.md and rule files from external repositories.
- Dependencies that install MCP servers, hooks or post-install commands.
- Tool-call logs and audit trails without sensitive data.
Risk signals
An MCP server asks for broad scope for a simple task. A skill includes a script that accesses the network. An external repository AGENTS.md tells the agent to ignore tests. A tool description contains hidden instructions. A package adds agent configuration without review.
That is not paranoia. It is supply chain applied to agent behavior.
Promptbook helps founders list boundaries. Risk Review applies when the chain touches production, customers, billing, data or command-running tools.
Sources
In agents, supply chain does not end at the installed package. It includes the instruction that decides which tool gets used.
