Today, the "AI Agent Supply Chain Attack" incident involving OpenClaw honestly gives me chills down my spine.
We used to fantasize about how AI Agents could help us mine, trade, and manage assets, but few have seriously considered: what if your Agent "betrays" you?
The attack path this time is quite simple: the attacker, disguised as an AI Agent, promotes a malicious "skill" on the Agent's social platform, Moltbook. On the surface this skill appears to be a P2P trading market, but in reality it steals the wallet private key that you have authorized the Agent to use.
This exposes two fatal weaknesses in the current AI Agent ecosystem:
1. Untrustworthy identity: You have no idea whether the "Agent" interacting with you is really a program or a hacker hiding behind it.
2. Highly centralized permissions: We habitually hand over private keys (or API Keys) directly to Agents, which is equivalent to betting our entire lives on the "morality" of the Agent and the "security" of the developer's server.
This logic is actually quite simple: a centralized Agent means entrusting your assets to a "black box" that could be hacked at any moment or could act maliciously itself.
So, what do I prefer to bet on? I bet on decentralized identity (DID) + on-chain multi-signature/smart contract wallets. The future Agent's identity should be verifiable, and its permissions should be strictly limited by code. The money it can spend and the operations it can perform should be written in smart contracts, not in backend code that can be changed by a developer's command.
To put it bluntly, I prefer to bet on "on-chain AI" rather than placing hopes on some large company's "cloud AI." The former truly embodies the spirit of Web3.
#AIagent #DID $BTC
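To make "permissions strictly limited by code" concrete, here is an added example (not part of the original post and not code from any project it names): a Python model of the checks a smart-contract wallet could enforce on an agent's session key. All class names, limits, targets and operations are hypothetical, and the scenario in `demo()` is constructed.

```python
from dataclasses import dataclass, field

DAY = 86_400  # seconds in the rolling spending window

@dataclass
class AgentGrant:
    """Limits the owner sets for one agent key (hypothetical model)."""
    per_tx_cap: int       # max value per call, in smallest token units
    daily_cap: int        # max total value per 24h window
    allowed: frozenset    # permitted (target, operation) pairs
    window_start: int = 0
    spent: int = 0
    revoked: bool = False

@dataclass
class PolicyWallet:
    """Model of a wallet contract: the agent never holds the owner key."""
    owner: str
    grants: dict = field(default_factory=dict)  # agent id -> AgentGrant

    def grant(self, caller, agent, g):
        if caller != self.owner:
            raise PermissionError("only the owner can grant")
        self.grants[agent] = g

    def revoke(self, caller, agent):
        if caller != self.owner:
            raise PermissionError("only the owner can revoke")
        self.grants[agent].revoked = True

    def execute(self, agent, target, op, value, now):
        """Return 'ok' or the reason the call is rejected."""
        g = self.grants.get(agent)
        if g is None or g.revoked:
            return "deny: no active grant"
        if (target, op) not in g.allowed:
            return "deny: target/operation not allowlisted"
        if value < 0 or value > g.per_tx_cap:
            return "deny: per-transaction cap"
        if now - g.window_start >= DAY:  # roll the 24h window
            g.window_start, g.spent = now, 0
        if g.spent + value > g.daily_cap:
            return "deny: daily cap"
        g.spent += value
        return "ok"

def demo():
    # Constructed scenario: a malicious skill steers the agent off-policy.
    w = PolicyWallet(owner="owner")
    w.grant("owner", "agent-1", AgentGrant(100, 250, frozenset({("dex", "swap")})))
    return [w.execute("agent-1", "dex", "swap", 100, now=1000),
            w.execute("agent-1", "attacker", "transfer", 100, now=1001),
            w.execute("agent-1", "dex", "swap", 10_000, now=1002)]
```

Even if the agent is fully compromised, the worst case in this model is bounded by the grant: allowlisted operations only, up to the daily cap, until the owner revokes.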