When you fire up Claude Code, Cursor, or any AI coding agent, it launches with your full system permissions, your SSH keys, cloud credentials, browser passwords, every file on your machine. Most developers never think twice about it.
Luke Hinds did, and then he built something about it.
Luke is the creator of Sigstore, the cryptographic signing infrastructure now used by PyPI, Homebrew, GitHub, and Google as the industry standard for software supply chain security. In this episode, he joins Chris to talk about why he’s watching the industry make the exact same mistake it made a decade ago, and what he built to try to stop it.
We cover the full picture, why application-layer guardrails and system prompts fundamentally fail as security boundaries for AI agents (and what kernel-level enforcement actually means), the .md file as an emerging control plane attack surface, the OpenClaw wake-up call and what the skills marketplace ecosystem gets structurally wrong about trust and provenance, the approval fatigue problem and Anthropic’s 17% false negative rate on Claude Code’s auto-mode classifier, extending SLSA and Sigstore attestation frameworks to AI-generated code, and why LLM-as-a-judge may not be the silver bullet many are hoping for.
Luke also makes a broader argument about where this is all heading, volumes of AI-generated code growing faster than human capacity to review it, junior engineers being priced out of the industry, and an aging cohort of engineers who can actually read and reason about code at depth. It’s a candid, technically grounded conversation from someone who’s been in open source security for 20+ years and has seen this movie before.
nono is at nono.sh, one line to install, one line to run, no excuse not to!
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
Reach out below!
🎙️ Your AI Agent Is Running as Root — Key Takeaways
The Core Problem
AI agents like Claude Code and Cursor run with your full user permissions by default — SSH keys, cloud credentials, browser passwords, every file on your machine
This isn’t a design flaw — it’s just how operating systems work. Nobody built an AI agent exception into Unix
The industry is repeating the exact mistake it made with software supply chains: moving fast and ignoring security until incidents force a retrofit
Why Application-Layer Guardrails Fail
System prompts and in-process filters can be circumvented — agents are trained to be goal-driven and relentlessly creative at achieving objectives
Luke’s team tests this directly: agents placed in sandboxes will wrap blocked commands in Python interpreters, create symlinks, and keep iterating until they find an escape
Real enforcement has to come from the OS kernel — the kernel doesn’t respond to jailbreaks, doesn’t have a system prompt you can override, and enforces access control absolutely
The .md File as a New Attack Surface
CLAUDE.md, AGENTS.md, SKILLS.md are now effectively control planes for autonomous agents — they define what agents believe they’re authorized to do
Unlike YAML or JSON, Markdown has no schema, no parser, no validator — a legitimate instruction and an injected malicious one are syntactically identical
nono addresses this by applying Sigstore-style cryptographic signing to instruction files — unsigned or tampered files are blocked before the agent ever starts
The Skills Ecosystem Problem
Skills marketplaces are reproducing the worst patterns of early open source dependency management — people grabbing and running things from the internet with zero verification of where they came from
Research has already identified hundreds of malicious skills masquerading as legitimate tools, harvesting credentials and SSH keys
The fix already exists — trusted publishing and provenance chains like those used by PyPI and npm — but the agent ecosystem has largely sidestepped it
The OpenClaw Wake-Up Call
180,000 GitHub stars in a week, 1,800 exposed instances found on Shodan, multiple critical CVEs in the first days — not because of sophisticated attacks, but because of structural access problems
Luke’s view: this pattern will get worse before it gets better, and the fix is more likely to come bottom-up from OS and hardware innovation than top-down from the application layer
The Human-in-the-Loop Illusion
Anthropic’s Claude Code auto-mode classifier has a 17% false negative rate — roughly 1 in 6 genuinely dangerous actions still slips through
Developers are clicking “approve” 93% of the time anyway, or disabling the sandbox entirely with
--dangerously-skip-permissionsThe result is skill atrophy — engineers are reviewing code less deeply, junior developers are struggling to break into the industry, and the volume of AI-generated code is growing faster than human capacity to audit it
Extending Supply Chain Provenance to AI
The SLSA/Sigstore attestation chain starts at the commit — but the most important upstream piece (which agent, which model version, what plan was it given) is completely invisible
Non-determinism makes this harder: feed the same plan into the same model twice and you may get different code, so provenance attestations must capture the output explicitly
Model weights themselves (PyTorch tensor files) can technically be signed — some open models do this — but most powerful proprietary models don’t
LLM-as-a-Judge Has Real Limits
Using AI to evaluate AI output is becoming the default because there’s no better solution yet — but these systems can be steered and aren’t foolproof
For low-stakes use cases the failure rate may be acceptable; for critical infrastructure, vehicle systems, or financial controls it absolutely isn’t
Context and business criticality need to govern how much autonomy and AI-based review you allow
nono in Practice
One line to install (
brew install nono), one line to run — wraps any agent with kernel-level isolation, deny-by-default filesystem and network access, atomic rollbacks, cryptographic audit trails, and Sigstore-backed instruction file signing3,000 regular users within 40 days of launch, active community building on Kubernetes, Lambda, and CI/CD integrations
Philosophy: agents should be treated as untrusted processes granted specific permissions — not as extensions of the user with full system access
