Mak Sò

🔥 The Agent Registry Is a Trojan Horse

OAuth, A2A, and the Quiet Collapse of Privacy


What's Unsecure in the Stack?

MCP Registry ≠ Governance

The MCP Registry, often framed as a lookup index for model agents, suffers from a dangerous misconception: registration is not verification.

  • There is no upstream validation of agent behavior
  • No enforcement of sandboxing in many peer-to-peer deployments
  • Many agents run with unsigned binaries or closed-source blobs

This creates a permission illusion: just because an agent is listed doesn't mean it's safe to execute.

A2A Protocol ≠ Secure Messaging

The Agent-to-Agent (A2A) protocol defines communication mechanics between agents. It lacks fundamental safety features:

  • No scoped or time-bound permissioning during handshakes
  • Token forwarding is often implicit and undocumented
  • No federated audit trail to trace privilege escalations

The result? Any seemingly friendly agent in the network could link-hop and escalate access via silent chains.

This moment in agent architecture feels eerily similar to the early days of the internet, when privacy wasn't considered at all. Convenience and experimentation were prioritized over user safety. We're now repeating the same pattern, just with autonomous actors instead of web pages.


Who's Behind These Agents?

Ghost Authors, Shadow Deployments

Some agents are built by pseudonymous developers on GitHub. Others are released by early-stage startups with no transparency about the code being executed.

  • Many agents never publish their source
  • No formal code audits or manifest signing
  • Dependencies often include private APIs with root-level scope

Shared Tokens, No Ownership

  • OAuth scopes are often requested with full read/write access
  • Service accounts allow token reuse across users
  • Tokens are cached in plaintext by some registries for performance

Once an agent gets access to your Gmail or PayPal, you have no insight into how many internal subagents are invoked using your credentials.


The Myth of Controlled Permissions

"I clicked once. Now four agents can read my inbox and make purchases on my behalf?"

Yes. Because:

  • Tokens live longer than they should
  • There is no per-agent memory isolation
  • A2A allows token propagation across the graph without logs

In many cases, users are unaware of downstream agents even existing. Yet these downstream agents inherit your original auth scopes.


What Needs to Be Audited Publicly

We propose an open-source Agent Provenance Explorer:

  • Trace registry ID to real-world codebase
  • Verify deployed binary checksums (SHA256)
  • Audit OAuth scope usage per agent
  • Monitor token propagation paths in real-time

Without this, every user is exposed to silent privilege escalation chains.
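As an added illustration of what such an explorer would compute (example code written for this edit, not code from the post or from any existing project), the script below runs three of those checks over constructed inputs: a registry manifest with declared SHA-256 checksums and OAuth scopes, the deployed artifacts, and an A2A token-forwarding log. The agent ids, scope names and the "over-broad scope" policy are all assumptions.

```python
import hashlib

# Constructed registry entries: agent id -> declared checksum and OAuth scopes.
REGISTRY = {
    "agent://mail-summarizer": {"sha256": hashlib.sha256(b"mail-summarizer v1").hexdigest(),
                                "scopes": {"gmail.readonly"}},
    "agent://shopper": {"sha256": hashlib.sha256(b"shopper v1").hexdigest(),
                        "scopes": {"gmail.modify", "payments.write"}},
}
# Constructed deployed artifacts (bytes standing in for the real binaries).
DEPLOYED = {
    "agent://mail-summarizer": b"mail-summarizer v1",
    "agent://shopper": b"shopper v1 (silently patched)",  # drifted from registry
}
# Constructed A2A forwarding log: (forwarding agent, receiving agent).
A2A_LOG = [
    ("user", "agent://mail-summarizer"),
    ("agent://mail-summarizer", "agent://shopper"),
    ("agent://shopper", "agent://unlisted-helper"),  # never registered
]
BROAD_SCOPES = {"gmail.modify", "payments.write"}  # hypothetical policy: over-broad for this user

def verify_checksums(registry, deployed):
    """Ids whose deployed artifact does not hash to the declared SHA-256."""
    return sorted(a for a, e in registry.items()
                  if hashlib.sha256(deployed[a]).hexdigest() != e["sha256"])

def audit_scopes(registry, broad=BROAD_SCOPES):
    """Ids requesting at least one scope the policy considers over-broad."""
    return sorted(a for a, e in registry.items() if e["scopes"] & broad)

def trace_propagation(log, consented):
    """Breadth-first walk of the forwarding graph from the user; returns, for
    each agent that got the token without the user's consent, its chain."""
    paths, frontier = {"user": ["user"]}, ["user"]
    while frontier:
        cur = frontier.pop(0)
        for src, dst in log:
            if src == cur and dst not in paths:
                paths[dst] = paths[cur] + [dst]
                frontier.append(dst)
    return {a: p for a, p in paths.items() if a != "user" and a not in consented}

def run_audit(consented=frozenset({"agent://mail-summarizer"})):
    """Combined report; 'unregistered' lists reached agents the registry never saw."""
    chains = trace_propagation(A2A_LOG, consented)
    return {"checksum_mismatch": verify_checksums(REGISTRY, DEPLOYED),
            "broad_scopes": audit_scopes(REGISTRY),
            "unconsented_chains": chains,
            "unregistered": sorted(a for a in chains if a not in REGISTRY)}
```

With these inputs the report flags the drifted `shopper` binary, its write-level scopes, and a two-hop chain that hands the user's token to an agent the registry has never seen.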


Just Because It's Autonomous, Doesn't Mean It's Safe

The AI agent ecosystem is replicating all the mistakes of early browser extensions and npm packages:

  • No trust boundaries
  • No isolation of memory
  • No revocation visibility

Unless the community enforces verifiable manifests, revocable permissions, and runtime memory guards, agent registries will become the next malware playground.

Top comments (1)

okram_mAI • Edited

BRAVO!!!