The rapid proliferation of AI components (model servers, agent platforms, MCP-enabled tools and packaged skills) has created qualitatively different vulnerabilities at different layers of a single agent stack. The paper’s core insight is that one detection method cannot cover all layers: deterministic rules suit infrastructure, LLM-driven semantic audits suit protocol/tool and skill code, multi-turn black-box interaction suits agent behavior, and large-scale attack enumeration with model-based judgment suits model alignment. To operationalize this, the authors design and release AI-Infra-Guard, an end-to-end open-source framework that implements this layer→paradigm mapping and accompanying tooling.
Key Findings
- Layer–paradigm matching: defines four layers (infrastructure, protocol/tool, agent behavior, model) and prescribes a different detection paradigm for each so that evidence types and tooling match the semantics of the target.
- Concrete tooling: implements M1 Infra-Scan (deterministic fingerprinting and 1,400+ vulnerability rules across 75+ components), M2 MCP-Scan (LLM-driven static and dynamic audits of MCP servers), M3 Agent-Scan (capability-aware, cost-bounded black-box red teaming), and M4 Prompt-Security (a jailbreak harness with 26+ attack operators across 16 datasets and model-based judgment).
- Skill supply-chain auditing & benchmark: introduces SkillTrustBench (5,520 evaluation cases distilled from 62,652 real-world skills) to measure skill trustworthiness and scanner effectiveness, and extends Prompt-as-Rule detection to skill/package auditing.
Who it’s for and tradeoffs
Great fit if you maintain or evaluate agentic applications, self-hosted model servers, or skill marketplaces and need an assessment approach that separates infrastructure bugs from semantic/code-level and behavioural risks. The framework is valuable for security teams wanting reproducible infra scans plus LLM-driven code review and large-scale model alignment testing.
Look elsewhere if you only need a single-purpose web-app vulnerability scanner or a pure fuzzing system: the framework’s strengths are principled multi-layer coverage and semantic audits, which come with higher setup complexity and reliance on curated rule corpora and LLM-based analysis that require model selection and calibration.