Agent Environment Security
AI agents run with real permissions. XOR verifies tool configurations, sandbox boundaries, and credential exposure.
Agent environment isolation and supply chain verification
Outcome: Block compromised tools and unsafe patches before they reach your codebase.
Mechanism: Verify agent authenticity and sandbox against tool manipulation attacks.
Proof: Signed agent images. Cryptographic verification in the harness.
Agent tools run autonomously
Agents use third-party tools and plugins with real permissions. If a tool is compromised, the agent inherits that exposure. XOR checks tool configurations before the agent runs.
Supply chain risks
36.82% of agent skills in public marketplaces contain security vulnerabilities (Snyk ToxicSkills). Unsigned traces are spoofable. Supply chain transparency standards provide non-repudiation.
Three ways agents can be compromised
AI coding agents have three risk areas that traditional security tools do not cover:
The agent itself
Can it be tricked into writing malicious code? Does it follow instructions hidden in untrusted repository files?
The tools it calls
The plugins, tools, and servers the agent connects to. 36.82% of published agent tools contain known vulnerabilities. A compromised tool compromises the agent.
The output it produces
Does the generated fix introduce new issues? Does it actually resolve the original bug? XOR checks both.
How XOR protects each layer
Layer 1: Agent isolation
Each agent runs in an isolated container with strict security restrictions. No access to the host filesystem, network, or other containers.
$ xor run --isolated agent-config.json
agent attempting system access...
SANDBOX: access denied - security violation
container terminated (exit 137)
Layer 2: Tool scanning
Before an agent runs, XOR scans the tools and plugins it uses against known vulnerability databases and only allows trusted tools. See building secure skills for how verification works.
$ xor scan --tools agent-config.json
Scanning 12 tool configurations...
⚠ filesystem-tool: known vulnerability (path traversal)
⚠ network-tool: known vulnerability (server-side request forgery)
✓ 10 tools clean
Action: block vulnerable tools, enforce approved list
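The deny-by-default scan described for Layer 2, as an added example that is not XOR's own code: the agent-config.json format, the artifact bytes, the pinned digests and the advisory entries are all constructed stand-ins.

```python
# Added example (not XOR's code): allowlist + advisory scan over an agent config.
# The config format, artifact bytes, pinned digests and advisories are constructed.
import hashlib
import json

# Constructed stand-ins for the tool artifacts the agent would load.
ARTIFACTS = {
    "filesystem-tool": b"fs-tool v1.4.0",
    "network-tool": b"net-tool v0.9.2",
    "git-tool": b"git-tool v2.1.0",
    "tampered-tool": b"git-tool v2.1.0 + injected payload",
}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Pinned digests an operator reviewed; the tampered copy is deliberately absent.
APPROVED = {name: {sha256(ARTIFACTS[name])}
            for name in ("filesystem-tool", "network-tool", "git-tool")}

# Constructed advisory data standing in for a vulnerability database.
ADVISORIES = {
    "filesystem-tool": {"1.4.0": "path traversal"},
    "network-tool": {"0.9.2": "server-side request forgery"},
}

# Constructed agent-config.json listing the tools the agent wants to use.
AGENT_CONFIG = json.dumps({"tools": [
    {"name": "filesystem-tool", "version": "1.4.0"},
    {"name": "network-tool", "version": "0.9.2"},
    {"name": "git-tool", "version": "2.1.0"},
    {"name": "tampered-tool", "version": "2.1.0"},
]})

def scan_tools(config_text, artifacts=ARTIFACTS, approved=APPROVED,
               advisories=ADVISORIES):
    """Deny by default: a tool passes only if its digest is pinned and no
    advisory matches its version. Returns (allowed, {blocked_name: reason})."""
    allowed, blocked = [], {}
    for tool in json.loads(config_text)["tools"]:
        name, version = tool["name"], tool["version"]
        if sha256(artifacts.get(name, b"")) not in approved.get(name, set()):
            blocked[name] = "unsigned or unapproved artifact"
            continue
        flaw = advisories.get(name, {}).get(version)
        if flaw:
            blocked[name] = f"known vulnerability ({flaw})"
            continue
        allowed.append(name)
    return allowed, blocked
```

Only git-tool survives: the two tools with advisories are blocked by version, and the tampered artifact is blocked because its digest is not pinned, so an unknown or modified tool never reaches the agent.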
Layer 3: Output verification
After the agent produces a fix, XOR writes a verifier for the vulnerability and runs safety checks. This catches both failed fixes and newly introduced issues.
See how verification works for the full pipeline.
The 36.82% finding
A Snyk audit of 3,984 agent skills found 36.82% contain at least one security flaw and 13.4% have critical issues including credential theft and data exfiltration (source: Snyk ToxicSkills, Feb 2026). This includes tools for file access, network requests, and code execution. An agent using a vulnerable tool can be exploited by a malicious repository - the repository doesn't need to attack the agent directly. Learn more about agent attack surfaces.
This is why XOR checks every agent's tools before any PR ships.
Threat model

Threat                                              Mitigation
Malicious instructions hidden in repository files   Sandboxed execution, no access to sensitive files
Compromised tools stealing data                     Scoped permissions, network isolation, approved tool lists
Agent escaping its sandbox                          Multiple security layers + read-only filesystem
Tampered or unsigned agent tools                    Signature verification, dependency scanning
Agent introducing backdoors in fixes                Safety checks, bug re-run, manual audit flag
Poisoned training data affecting agent behavior     Independent benchmark with known-good fixes
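A policy lint that checks a sandbox spec against the mitigations listed in the threat model and in Layer 1 (read-only filesystem, network isolation, no host paths, signed image, approved tool list), as an added example that is not XOR's own code. The spec keys are constructed and only loosely modelled on container run options; the weak and hardened specs are constructed too.

```python
# Added example (not XOR's code): lint a sandbox spec against the mitigations in
# the threat model. The spec keys are constructed, loosely modelled on container
# run options; the two sample specs are constructed too.
SENSITIVE_PATHS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")

def is_sensitive(path):
    return any(path == p or (p != "/" and path.startswith(p + "/")) for p in SENSITIVE_PATHS)

def check_sandbox(spec):
    """Return the list of threat-model mitigations the spec fails to meet."""
    violations = []
    if spec.get("privileged"):
        violations.append("privileged container defeats every other layer")
    if "@sha256:" not in spec.get("image", ""):
        violations.append("agent image must be pinned by signed digest")
    if not spec.get("read_only_rootfs"):
        violations.append("root filesystem must be read-only")
    if spec.get("network", "bridge") != "none":
        violations.append("network must be isolated (network=none)")
    if spec.get("capabilities"):
        violations.append("no Linux capabilities may be retained")
    for mount in spec.get("mounts", []):
        if is_sensitive(mount["source"]):
            violations.append(f"host path {mount['source']} must not be mounted")
        elif not mount.get("read_only"):
            violations.append(f"mount {mount['source']} must be read-only")
    if not spec.get("tool_allowlist"):
        violations.append("an approved tool list is required")
    return violations

# Constructed weak spec: the defaults a hurried setup tends to end up with.
WEAK_SPEC = {
    "image": "agent:latest",
    "network": "bridge",
    "capabilities": ["NET_RAW"],
    "mounts": [{"source": "/home/dev", "target": "/work"}],
}

# Constructed hardened spec meeting every row of the threat model.
HARDENED_SPEC = {
    "image": "agent@sha256:<pinned digest placeholder>",
    "read_only_rootfs": True,
    "network": "none",
    "capabilities": [],
    "mounts": [{"source": "/srv/repo-snapshot", "target": "/work", "read_only": True}],
    "tool_allowlist": ["git-tool"],
}
```

The weak spec fails six checks (unpinned image, writable rootfs, open network, retained capability, a home directory bind mount and no tool allowlist); the hardened spec passes all of them.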
FAQ
What is agent environment isolation?
AI agents run with real permissions. Isolation checks confirm agent tool configurations, sandbox boundaries, and credential exposure before the agent runs.
What does XOR verify in agent environments?
XOR verifies agent tool configurations, sandbox boundaries, credential exposure, and supply-chain integrity for skills and plugins.
Why is agent safety different from application security?
Agents execute autonomously. A vulnerable agent tool or misconfigured sandbox gives an agent access it should not have. This requires isolation verification, not just code scanning.