
Double Agent AI— Staying Ahead of AI Security Risks, Avoiding Marketing Hype

· 5 min read
Chad Ratashak
Owner, Midwest Frontier AI Consulting LLC

Hype Around Agents

You may have heard a marketing pitch or seen an ad recently touting the advantages of “Agentic AI” or “AI Agents” working for you. These growing buzzwords in AI marketing come with significant security concerns. Agents take actions on behalf of the user, often with some pre-authorization to act without asking for further human permission. For example, an AI agent might be given a budget to plan a trip, might be authorized to schedule meetings, or might be authorized to push computer code updates to a GitHub repo.

info

Midwest Frontier AI Consulting LLC does not sell any particular AI software, device, or tool. Instead, we want to equip our clients with the knowledge to be effective users of whichever generative AI tools they choose to use, or help our clients make an informed decision not to use GenAI tools.

Predictable Risks…

…Were Predicted

To be blunt: for most small and medium businesses with limited technology support, I would generally not recommend using agents at this time. It is better to find efficient uses of generative AI tools that still require human approval. In July 2025, researchers published Design Patterns for Securing LLM Agents Against Prompt Injections. The research paper described a threat model very similar to an incident that later happened to the Node JS Package Manager (npm) in August 2025.

“4.10 Software Engineering Agent…a coding assistant with tool access to…install software packages, write and push commits, etc…third-party code imported into the assistant could hijack the assistant to perform unsafe actions such as…exfiltrating sensitive data through commits or other web requests.”

tip

Midwest Frontier AI Consulting LLC offers training and consultation to help you design workflows that take these threats into consideration. We stay on top of the latest AI security research to help navigate these challenges and push back on marketing-driven narratives. Then, you can decide by weighing the risks and benefits.

I was just telling some folks in the biomedical research industry about the risks of agents and prompt injection earlier this week. The following day, I read about how the npm software package was hacked to prompt inject large language model (LLM) coding agents to exfiltrate sensitive data via GitHub.

…Were Predictably Bad

According to analysis published by AI security company Snyk:

This incident broke new ground in malicious package attacks on npm: the postinstall malware tried multiple AI CLI tools locally, including Claude’s Claude Code, Google’s Gemini CLI, and Amazon’s new q command-line coding agent, and invoked them with unsafe flags to bypass guardrails and scan the filesystem for sensitive paths, writing results into /tmp/inventory.txt (and a backup).

The malware gave a prompt to the AI agents Claude, Gemini, and Amazon Q telling them to act as a “file-search agent,” essentially exploiting the AI’s drive to be helpful so that it would enumerate sensitive files on the user’s computer. The sensitive data, such as login information, was then published via GitHub.
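One defensive check a small team can run against an installed dependency tree, as an added example that is not from this post, Snyk or Wiz: audit every package.json for install-time lifecycle scripts that launch an AI coding CLI, pass a permission-bypass style flag, or reference the /tmp/inventory.txt staging file described above. The flag wording and the sample manifests are constructed assumptions, not the real malicious package.

```python
"""Audit npm package manifests for install hooks that drive AI coding CLIs."""
import json
import re
from pathlib import Path

# Hooks npm runs automatically during "npm install".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Match a bare CLI name at a command position (line start, after a shell
# operator, or after npx) so "q" inside "quiet" or "--query" does not trigger.
AI_CLI_RE = re.compile(r"(?:^|[;&|]\s*|\bnpx\s+)(claude|gemini|q)\b")
# Assumed wording for permission-bypass flags; tune to the CLIs you allow.
UNSAFE_FLAG_RE = re.compile(r"--[\w-]*(?:dangerous|skip-permission|trust-all)[\w-]*")
STAGING_RE = re.compile(r"/tmp/inventory\.txt")


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed package.json."""
    name = manifest.get("name", "<unnamed>")
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # "build", "test" etc. do not run on install
        if m := AI_CLI_RE.search(cmd):
            findings.append(f"{name}: {hook} invokes AI CLI '{m.group(1)}'")
        if m := UNSAFE_FLAG_RE.search(cmd):
            findings.append(f"{name}: {hook} passes bypass-style flag {m.group(0)}")
        if STAGING_RE.search(cmd):
            findings.append(f"{name}: {hook} references /tmp/inventory.txt")
    return findings


def audit_tree(root: Path) -> list[str]:
    """Audit every package.json below an installed node_modules directory."""
    findings = []
    for manifest_path in root.rglob("package.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or non-JSON file; keep auditing the rest
        findings.extend(audit_manifest(manifest))
    return findings


# Constructed sample manifests for a stand-alone run.
BENIGN = {"name": "native-addon", "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"}}
SUSPICIOUS = {"name": "example-pkg", "scripts": {
    "postinstall": "node build.js; gemini --skip-permission-prompts < agent-prompt.txt > /tmp/inventory.txt"}}

if __name__ == "__main__":
    for finding in audit_manifest(BENIGN) + audit_manifest(SUSPICIOUS):
        print(finding)
```

Point audit_tree at a project's node_modules directory to scan real installs; treat any finding as a reason to quarantine the package rather than as proof of compromise.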

According to cloud security company Wiz, Inc., compromised login information for GitHub accounts was then used to turn private GitHub repositories to public. This could potentially be used to steal proprietary software. Further, computer code from formerly private repos may include usernames, credentials, API keys, passwords or other sensitive information.

AI Terminology “Slop” and “Double Agents”

Slop

Giving something an evocative name can help bring awareness to the problem. In AI, the coinage of “slop” was a huge step in articulating the vague, gross feeling people already had about the proliferation of low-quality text and image generation using AI (see Simon Willison).

Double Agents

With “Agentic AI” or “AI Agents” as growing buzzwords in AI software marketing, I think we need a term to address their risks. I have found several examples of “double agents” being used to describe the risks discussed in this post, but the term is not used as widely as “slop.” Sources include: APISecurity.IO, AIthority.com, Austin Poor, Derek Fisher, Nicole Weeks. I would encourage wider use of the term “AI double agents” for agents that have been taken over through prompt injection and now act on instructions given by a third party.

danger

Prompt Injection: an LLM may follow instructions (prompts) hidden in text, images, or other data it consumes. These instructions may cause the LLM to act against the original user’s instructions.

danger

Data exfiltration is stealing data and getting it out of the victim’s computer. An AI double agent might smuggle data out through a variety of methods including sending an email, scheduling a meeting and attaching sensitive documents, pushing updates to a GitHub repo, or generating a link with

warning

LLMs may recommend old software packages or hallucinate the names of packages that do not exist. Malicious actors may then take over abandoned software projects (or create software packages with frequently hallucinated names) to introduce malware through supply chain attacks.