SlowMist & Bitget: AI Agent Risks & Protections

The Rise of AI Agents in Web3 and Their Evolving Security Landscape

The rapid evolution of large model technologies has propelled AI Agents from simple digital assistants to sophisticated, autonomous systems increasingly integrated into the Web3 ecosystem. Users are now leveraging these Agents for complex tasks such as market analysis, strategy development, and automated trading, transforming the concept of a “24/7 automated trading assistant” into a tangible reality. With platforms like Binance, OKX, and Bitget enhancing their AI capabilities and marketplaces, AI Agents can now directly interface with exchange APIs, on-chain data, and market analysis tools. This direct integration allows them to make and execute trading decisions previously handled by humans, significantly lowering the barrier to entry for automated trading.

While these advancements offer enhanced autonomous decision-making and system interaction compared to traditional automation scripts, they also introduce a broader attack surface. Traditional security risks often revolved around credential exposure or phishing. However, AI Agent architectures present new vulnerabilities, including prompt injection affecting decision logic, malicious plugins acting as supply chain attack vectors, and insecure runtime configurations leading to data or permission abuse. When combined with automated trading, these issues can lead to direct asset losses, not just data breaches. Attackers are rapidly adapting to these changes, leading to new scam categories targeting Agent users and emerging threats like malicious plugin poisoning and API key abuse. In the high-value, often irreversible context of Web3 asset operations, the potential amplification of risks is significant.

Key Takeaways

  • AI Agents are becoming increasingly sophisticated, moving beyond assistance to autonomous task execution within Web3.
  • Direct integration with exchange APIs and market tools enables automated trading, lowering entry barriers but increasing risk.
  • New security threats emerge, including prompt injection, malicious plugins, and insecure data handling.
  • Web3’s irreversible transactions amplify the potential impact of AI Agent security failures.
  • A comprehensive, multi-layered security approach is essential for both users and platforms.

Real Security Threats of AI Agents

AI Agents shift systems from human-driven operations to model-involved decision-making, expanding the attack surface. A typical Agent system comprises user interaction, application logic, model, tool invocation, memory, and execution environment. Attackers often chain weaknesses across several of these layers to gain control.

Input Manipulation and Prompt Injection Attacks

Prompt injection allows attackers to manipulate an Agent’s decision-making by crafting specific instructions within user inputs or external data. Indirect injection hides malicious instructions in web content or documentation, which the Agent may misinterpret as legitimate commands during task execution. These attacks exploit the model’s trust in contextual information rather than traditional software vulnerabilities.

Supply Chain Poisoning in the Skills / Plugin Ecosystem

The plugin and skill ecosystem, crucial for extending Agent capabilities, is a prime target for supply chain attacks. Malicious Skills can infiltrate plugin hubs, often reusing infrastructure and exhibiting characteristics of organized attacks. Markdown files like SKILL.md can be disguised as installation instructions, leading users to execute malicious scripts. Some Skills employ a “two-stage loading” strategy where an initial script downloads and executes a more complex, often obfuscated, second-stage payload that can exfiltrate local data.

Risks in the Agent Decision-Making and Task Orchestration Layer

Attackers can influence how Agents decompose tasks into execution steps. Tampering with key parameters or decision-making logic in multi-step processes can lead to abnormal behavior, such as incorrect target addresses or unintended operations during execution. Malicious prompt injections can contaminate the context, tricking Agents into performing unauthorized on-chain transfers.

Privacy and Sensitive Information Leakage in IDE / CLI Environments

Agents operating in development environments (IDEs, CLIs) can inadvertently expose sensitive information like API tokens, private keys, and configuration files. If Agents can read project directories or index files without proper controls, this data may be logged, sent to remote APIs, or exfiltrated by malicious plugins. This is particularly critical in Web3 development, where local storage of private keys or deployment scripts poses significant risks.

Model Uncertainty and Automation Risks

AI models have inherent uncertainty, leading to “hallucinations” or incorrect outputs. When these outputs directly trigger system operations, especially in sensitive areas like on-chain transactions or asset management, they can result in irreversible financial losses.

High-Value Operational Risks in Web3 Scenarios

Web3 operations like on-chain transfers and smart contract interactions are typically irreversible. If an Agent executing these operations is compromised (e.g., via prompt injection), it could lead to altered transaction details (addresses, amounts) or invocation of malicious contracts. Integrating Agents directly with wallet APIs without proper isolation or human confirmation poses a significant risk. Safer approaches involve Agents generating suggestions or unsigned data, with final signing requiring independent verification.
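The "unsigned proposal plus independent verification" pattern described above, as an added example that is not part of the SlowMist/Bitget material: the Agent only emits a TransferIntent, and a separate signer compares it against the user's original request and a whitelist/cap policy before anything is signed. All addresses, caps and names are constructed placeholders.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class TransferIntent:
    """Unsigned transfer proposal emitted by the Agent; it carries no key material."""
    asset: str
    amount: Decimal
    to_address: str


@dataclass(frozen=True)
class SigningPolicy:
    """Policy held by the independent signer, outside the Agent's reach."""
    whitelist: frozenset   # approved destination addresses
    per_tx_cap: dict       # asset -> maximum amount per transaction


def verify_intent(requested: TransferIntent, proposed: TransferIntent,
                  policy: SigningPolicy) -> list:
    """Return the reasons the signer must refuse; an empty list means the proposal is clean."""
    problems = []
    # 1. The proposal must match what the human actually asked for (catches a swapped address).
    if proposed.to_address != requested.to_address:
        problems.append("destination differs from the user's request")
    if proposed.amount != requested.amount or proposed.asset != requested.asset:
        problems.append("amount or asset differs from the user's request")
    # 2. Policy checks apply even when the proposal matches the request.
    if proposed.to_address not in policy.whitelist:
        problems.append("destination not on withdrawal whitelist")
    cap = policy.per_tx_cap.get(proposed.asset, Decimal(0))
    if proposed.amount > cap:
        problems.append(f"amount exceeds per-transaction cap of {cap} {proposed.asset}")
    return problems


def approve_for_signing(requested, proposed, policy, human_confirmed: bool) -> bool:
    """Signing proceeds only with a clean policy check and an explicit human confirmation."""
    return human_confirmed and not verify_intent(requested, proposed, policy)


# Constructed sample values (placeholder addresses, not real ones)
POLICY = SigningPolicy(whitelist=frozenset({"0xUSER_COLD_WALLET"}),
                       per_tx_cap={"USDT": Decimal("500")})
REQUEST = TransferIntent("USDT", Decimal("100"), "0xUSER_COLD_WALLET")
# A proposal whose destination no longer matches the request, as after a context contamination
TAMPERED = TransferIntent("USDT", Decimal("100"), "0xATTACKER_PLACEHOLDER")
# A proposal that matches the whitelist but breaches the cap
OVER_CAP = TransferIntent("USDT", Decimal("900"), "0xUSER_COLD_WALLET")

if __name__ == "__main__":
    print(verify_intent(REQUEST, REQUEST, POLICY))   # []
    print(verify_intent(REQUEST, TAMPERED, POLICY))  # two problems
```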

System-Level Risks from High-Privilege Execution

Agents often run with elevated privileges, enabling access to file systems, shell command execution, or even root access. A compromised Agent with high privileges can lead to widespread system compromise, including arbitrary command execution, data theft, and control over other applications, effectively becoming an “intelligent remote access tool.”

Security Tips

The security threats posed by AI Agents are multi-dimensional, spanning model interaction, supply chains, execution environments, and asset operations. Traditional security measures are insufficient. A systematic framework encompassing permission control, supply chain governance, and transaction security is crucial.

AI Agent Trading Security Practices

When AI Agents engage in automated trading, security concerns shift from system risks to direct asset risks. The Bitget security team outlines key strategies:

Account Security

Compromised accounts directly undermine API Key security. Attackers can leverage API Keys without needing account logins, and malicious operations can go undetected because Agents run 24/7 and their activity looks routine. Draining funds through trading activity is as effective for an attacker as a direct withdrawal.

  • Recommendations:
    • Enable Google Authenticator (preferred over SMS-based 2FA).
    • Utilize Passkeys for phishing-resistant authentication.
    • Set an anti-phishing code.
    • Regularly review and remove unfamiliar devices from your account.

API Security

API Keys are the authorization credentials for Agents. The scope of permissions granted dictates the potential impact of a security incident. Adhering to the principle of least privilege is paramount.

  • Permission Configuration:
    • Grant only necessary permissions (e.g., trading, reading data) and avoid full account access.
    • Restrict API access by IP address to known Agent server IPs.
    • Set a strong, unique Passphrase for the API Key.
    • Avoid hardcoding API Keys in code; use secure secret management.
    • Use separate API Keys for different Agents or tools.
    • Immediately revoke compromised Keys.
  • Common Mistakes:
    • Using the main account’s API Key with full permissions.
    • Selecting “all” business types for convenience.
    • Using the same Passphrase as the account password.
    • Exposing Keys in code repositories.
    • Sharing a single Key across multiple tools.
    • Failing to revoke compromised Keys promptly.
  • API Key Lifecycle Management:
    • Rotate Keys periodically (e.g., every 90 days).
    • Delete Keys immediately after decommissioning an Agent.
    • Regularly review API call logs for suspicious activity.

Fund Security

Isolating funds limits potential losses if an API Key is compromised.

  • Sub-account Isolation:
    • Create dedicated sub-accounts for Agents, separate from your main account.
    • Transfer only necessary funds to the sub-account.
    • This caps the maximum loss to the funds within the sub-account.
    • Use separate sub-accounts for different Agent strategies.
  • Fund Password:
    • Set a distinct Fund Password different from your login password.
    • Enable withdrawal whitelists for approved addresses.
    • Be aware that changing the Fund Password temporarily freezes withdrawals as a security measure.

Trade Security

Continuous monitoring is vital as issues may arise gradually during Agent operation.

  • Monitoring Practices:
    • Monitor for new orders from inactive Agents, unusual IP activity in logs, unexpected trade confirmations, unexplained balance changes, or repeated requests for elevated permissions.
  • Skill and Tool Management:
    • Only install Skills from official, audited sources.
    • Avoid third-party extensions from unknown sources.
    • Regularly audit installed Skills and remove unused ones.
    • Be cautious of unofficial “enhanced” or “localized” versions.
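The monitoring practices above, as an added example that is not from the report: a review pass over constructed API call log records (JSON lines, not Bitget's real log format) that flags three of the listed patterns, orders from a decommissioned Agent key, calls from an IP outside the Agent's known server IPs, and repeated permission-elevation requests. The key inventory and IP addresses are assumed placeholders.

```python
import json
from collections import Counter

# Constructed sample of exchange API call log records (JSON lines); not real platform output.
SAMPLE_LOG = """
{"ts":"2024-06-01T09:00:01Z","key_id":"agent-grid-01","ip":"203.0.113.10","action":"place_order","status":"ok"}
{"ts":"2024-06-01T09:00:05Z","key_id":"agent-grid-01","ip":"203.0.113.10","action":"get_balance","status":"ok"}
{"ts":"2024-06-01T09:02:11Z","key_id":"agent-grid-01","ip":"198.51.100.7","action":"place_order","status":"ok"}
{"ts":"2024-06-01T09:03:40Z","key_id":"agent-old-00","ip":"203.0.113.10","action":"place_order","status":"ok"}
{"ts":"2024-06-01T09:04:02Z","key_id":"agent-grid-01","ip":"203.0.113.10","action":"update_permissions","status":"denied"}
{"ts":"2024-06-01T09:04:09Z","key_id":"agent-grid-01","ip":"203.0.113.10","action":"update_permissions","status":"denied"}
{"ts":"2024-06-01T09:04:15Z","key_id":"agent-grid-01","ip":"203.0.113.10","action":"update_permissions","status":"denied"}
"""

# Hypothetical inventory: live Agent keys with the server IPs they are allowed to use,
# plus keys that belong to Agents already taken out of service.
ACTIVE_KEYS = {"agent-grid-01": {"203.0.113.10"}}
DECOMMISSIONED_KEYS = {"agent-old-00"}
PERMISSION_REQUEST_THRESHOLD = 3


def review_api_log(raw: str) -> list:
    """Return (rule, key_id, detail) findings for the suspicious patterns the text lists."""
    findings = []
    perm_requests = Counter()
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        key, ip, action = rec["key_id"], rec["ip"], rec["action"]
        # New orders from an Agent that should no longer be trading
        if key in DECOMMISSIONED_KEYS and action == "place_order":
            findings.append(("order_from_inactive_agent", key, rec["ts"]))
        # Calls from an IP that is not one of the Agent's known server addresses
        if key in ACTIVE_KEYS and ip not in ACTIVE_KEYS[key]:
            findings.append(("unexpected_source_ip", key, ip))
        # Count permission-elevation attempts per key, denied or not
        if action == "update_permissions":
            perm_requests[key] += 1
    for key, count in perm_requests.items():
        if count >= PERMISSION_REQUEST_THRESHOLD:
            findings.append(("repeated_permission_requests", key, count))
    return findings


if __name__ == "__main__":
    for finding in review_api_log(SAMPLE_LOG):
        print(finding)
```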

Data Security

Protecting Agent data (account info, strategy parameters) prevents strategy reverse-engineering or manipulation.

  • Best Practices:
    • Adhere to the minimum data principle, providing only essential information.
    • Sanitize logs and debug outputs to exclude sensitive data like API Keys.
    • Never upload complete account data to public AI models.
    • Separate strategy data from account data where possible.
    • Disable or restrict the Agent’s ability to export historical trade data.
  • Common Mistakes:
    • Uploading complete trade history to AI for optimization.
    • Agent logs printing plaintext API Keys.
    • Sharing trade screenshots publicly.
    • Uploading database backups to AI tools.
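The log-sanitization practice above ("Agent logs printing plaintext API Keys"), as an added example that is not part of the report: a logging filter that redacts key, secret and passphrase values before any handler writes them. The `bg_` key prefix is an assumed placeholder for illustration, not a real key format.

```python
import io
import logging
import re

# Field-name pattern covers key=value, key: value and JSON "key": "value" shapes.
FIELD_PATTERN = re.compile(
    r'(?i)(api[_-]?key|secret|passphrase)(["\']?\s*[:=]\s*["\']?)([^\s"\',}]+)')
# Bare token pattern for a credential that appears without a field name (assumed prefix).
TOKEN_PATTERN = re.compile(r'(?i)\bbg_[a-z0-9]{16,}\b')


def redact(text: str) -> str:
    """Replace credential values with a marker while keeping the field name for debugging."""
    out = FIELD_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    return TOKEN_PATTERN.sub("[REDACTED]", out)


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message before handlers see the record."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()   # already interpolated above; prevent a second % formatting
        return True


def capture_log_line(message: str) -> str:
    """Log one message through the filter and return exactly what the handler wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("agent-redaction-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(RedactingFilter())   # logger-level filter runs before every handler
    logger.addHandler(logging.StreamHandler(buf))
    logger.info(message)
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample line with placeholder credentials
    print(capture_log_line('connecting with api_key=bg_abcdef0123456789xyz passphrase="hunter2"'))
```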

Security Design at the AI Agent Platform Layer

Platforms play a crucial role in Agent security through features like sub-account isolation, granular API permission control, plugin auditing, and robust account security measures (2FA, Passkeys, withdrawal whitelists).

New Scams Targeting Agent Users

  • Fake Customer Support: Scammers posing as support might request API Keys or direct users to phishing sites. Official support will never proactively ask for your API Key.
  • Poisoned Skill Packages: Community-shared “enhanced” Skills can steal your API Key. Only use officially reviewed channels.
  • Fake Upgrade Notifications: Spoofed pages requesting re-authorization can lead to credential theft. Always check anti-phishing codes.
  • Prompt Injection Attacks: Malicious instructions embedded in data can manipulate Agents into unintended actions. Implement fund caps on sub-accounts to limit losses.
  • Fake “Security Scanning Tools”: Tools claiming to check for leaked Keys often steal them. Rely on platform-provided logs for security inspections.

Investigation Checklist

If an anomaly is detected:

  • Immediately revoke or disable suspicious API keys.
  • Review the account for abnormal orders/positions and cancel them.
  • Check withdrawal history.
  • Change login and Fund Passwords, and log out all active devices.
  • Contact platform security support with relevant records.
  • Trace the source of the Key leak (code, configs, Skills).
  • The core principle: Revoke the key first, then investigate.

Based on materials from: slowmist.medium.com
