TechShare this articleX (Twitter)LinkedIn Facebook Email

Mass deployment of AI agents is a disaster waiting to happen, says CertiK CEO

Ronghui Gu shares tips on how to isolate AI agents while testing them so they do not have access to critical personal information or digital assets.

By Olivier Acuna|Edited by Jamie Crawley May 29, 2026, 3:31 p.m. 3 min readMake preferred on

CertiK co-founder and CEO Ronghui Gu. (Ronghui Gu) — CertiK co-founder and CEO Ronghui Gu warns against deploying AI agents without scanning them for viruses and isolating them before granting them further access to sensitive data and accounts.(Ronghui Gu)

What to know:

Security firm CertiK warns that the rapid deployment of autonomous AI agents, often unisolated and unvetted, is creating a massive and dangerous “security debt” across networks and applications.
By granting AI agents access to local files, credentials and financial tools, users are effectively creating powerful insider threats that can be hijacked through prompt-injection attacks and malicious plug-ins.
CertiK’s research has uncovered widespread vulnerabilities and a surge in short-lived, automated on-chain scams targeting other AI systems, prompting calls for a shift to strict Zero Trust architectures for AI agent infrastructure.

The global rush to deploy autonomous AI agents across the internet, enterprise networks and consumer applications is creating a catastrophic security debt, according to the chief of blockchain security auditor Certik.

While corporations ambitiously market these tools as productivity miracles, the crude reality is that it can be a very, very risky thing to do. Unisolated, unvetted AI agents are a massive security disaster waiting to happen, Ronghui Gu, the co-founder and CEO of CertiK, told CoinDesk.

Gu warned that users are potentially exposing their most sensitive files, local credentials and money accounts to autonomous systems that can be easily manipulated, hijacked and openly scammed.

"Right now, agents are no longer just answering questions in a chat window," Gu told CoinDesk on the heels of CertiK's landmark deep-dive report into widespread agent infrastructure. "They are beginning to call external tools, read local files, trigger workflows, and interact with financial infrastructure. But if you do not isolate the execution environment and scan these tools first, you are handing a compromised identity broad internal access to your entire network."

The fundamental flaw in the current AI agent boom is a mistaken trust model, according to Gu.

Charles Hoskinson, founder and CEO of Cardano’s Input Output, said that by 2035 they will become more relevant than humans on the internet. Coinbase CEO Brian Armstrong, recently said "very soon there are going to be more AI agents than humans making transactions" and Binance Founder Changpeng Zhao, predicted they "will make one million times more payments than humans."

Ultimate inside threat

Gu said many popular, open-source AI applications are built under the assumption that because they run locally on a user’s computer or connect via standard chat apps like WhatsApp, they are safe from external threats.

The reality is entirely the opposite, he noted. The moment a user grants an AI agent permission to read local system storage, view execution histories or manage personal email and business database credentials, that agent becomes the ultimate inside threat.

CertiK’s recent analysis of early-state, rapidly growing agent structures uncovered a staggering accumulation of security vulnerabilities, including hundreds of critical security advisories, unpatched common vulnerabilities and exposures (CVEs) and other massive exposures of local credentials and session memories resulting from completely inconsistent boundary checks.

More alarming yet is how easily these autonomous systems can be completely redirected at the reasoning layer without a single line of malicious code ever being written, Gu emphasized.

Through basic "prompt injection" attacks, a bad actor can embed hidden natural language instructions inside a benign webpage, a PDF document, or an incoming email, he added.

When the unisolated AI agent reads that file to process a task for the user, it fails to separate trusted system commands from the untrusted external data, Gu explained. The agent then silently overwrites its original rules, obeys the malicious instruction, and can be forced to exfiltrate data or trigger unauthorized fund transfers.

Hyperfast exploits

Gu revealed that CertiK discovered hundreds of malicious skills, fake installers, and lookalike dependency packages sitting directly on open agent utility hubs. Because these malicious plug-ins use standard natural language to subtly influence the agent's behavior and change its goals, they completely bypass legacy, signature-based antivirus software.

"The scam apps use natural language to influence behavior, making them totally resistant to traditional antivirus scans," Gu explained. "And right now, it is even easier to scam the machine than it is to scam a human."

In what Gu describes as a bizarre evolution of financial crime, CertiK's telemetry has observed an explosion of onchain, automated scams that run for only 10 minutes or a few hours before completely vanishing.

These hyperfast, ephemeral exploits are specifically designed by hackers to target and scam other autonomous AI trading bots and automated agent systems, executing machine-on-machine financial drainage before any human even realizes a compromise has occurred.

Gu states that the software engineering industry must completely abandon its reliance on trust-based interactions and move immediately toward an isolated, "Zero Trust" architecture where every command and dependency is continuously verified.

Artificial Intelligence

More For You

Solana, Sui and Aptos wallet data targeted in TrapDoor package attack

By Shaurya Malwa|Edited by Sheldon Reback7 hours ago

Hacker facing screens with lines of code (Boitumelo/Unsplash)

The campaign targets crypto, DeFi, AI and security developers with fake tooling packages to steal wallets, SSH keys, GitHub tokens, cloud credentials and browser data.

What to know:

A newly discovered supply-chain campaign called TrapDoor has planted more than 34 malicious packages across npm, PyPI and Crates.io to target crypto and cloud developers.
The packages, disguised as mundane developer utilities and security tools, were designed to steal SSH keys, wallet files, AWS credentials, GitHub tokens, browser data and...

Read full story Latest Crypto News