Ronghui Gu, co-founder and CEO of CertiK, gave an interview to CoinDesk alongside the release of the firm's deep-dive report into AI agent infrastructure. His message is not that agents are inherently dangerous - it is that the way they are being deployed right now is.

"Right now, agents are no longer just answering questions in a chat window," Gu told CoinDesk. "They are beginning to call external tools, read local files, trigger workflows, and interact with financial infrastructure. But if you do not isolate the execution environment and scan these tools first, you are handing a compromised identity broad internal access to your entire network."

Why an Agent Becomes the Ultimate Insider Threat

The fundamental flaw in the current AI agent boom is a broken trust model. Most popular open-source AI applications are built on the assumption that because they run locally or connect through standard apps like WhatsApp, they are safe from external threats. Gu calls this an illusion.

The moment a user grants an agent access to local files, execution histories, or email and database credentials, that agent becomes the ultimate insider threat. CertiK's analysis of early-stage agent structures found hundreds of critical security vulnerabilities, unpatched CVEs, and widespread exposure of local credentials resulting from completely inconsistent boundary checks.

More dangerous still is the fact that these systems can be fully redirected at the reasoning layer without a single line of malicious code ever being written. Through prompt injection attacks, a bad actor embeds hidden natural language instructions inside an ordinary webpage, a PDF document, or an incoming email. When the unisolated agent reads that file, it fails to separate trusted system commands from untrusted external data - and silently switches to executing the malicious instruction, including data exfiltration or unauthorized fund transfers.

CertiK also discovered hundreds of malicious plugins, fake installers, and lookalike dependency packages sitting directly on open agent utility platforms. These plugins use natural language to subtly influence agent behavior and completely bypass traditional signature-based antivirus software.

"The scam apps use natural language to influence behavior, making them totally resistant to traditional antivirus scans," Gu explained. "And right now, it is even easier to scam the machine than it is to scam a human."

Machine-on-Machine: A New Category of Attack

The most alarming finding in CertiK's report is the emergence of an entirely new class of threat. The firm is tracking an explosion of automated on-chain scam operations that run for ten minutes to a few hours before completely vanishing.

These hyperfast, ephemeral exploits are designed specifically to target other autonomous AI trading bots and automated agent systems - executing machine-on-machine financial drainage before any human even realizes a compromise has occurred. The industry currently has neither detection tools nor response standards for this type of attack.

The broader context makes the scale of the risk clear. Cardano founder Charles Hoskinson has said that by 2035, AI agents will be more relevant than humans on the internet. Coinbase CEO Brian Armstrong predicted that "very soon there are going to be more AI agents than humans making transactions." Binance founder Changpeng Zhao forecast they "will make one million times more payments than humans." More agents means a larger attack surface - and that surface is growing faster than the security infrastructure meant to protect it.

Gu calls for an industry-wide shift to Zero Trust architecture, where every command and every dependency is continuously verified rather than trusted by default. Until that happens, every deployed agent with access to real data and real funds is an open door.