CertiK CEO Ronghui Gu Warns Autonomous AI Agents Threaten Apps, Networks, Financial Systems

CertiK co-founder and CEO Ronghui Gu warned that the rush to roll out autonomous AI agents across apps, networks, and financial systems is moving faster than basic security controls needed to contain them.

“Mass deployment of AI agents is a disaster waiting to happen, says CertiK CEO Ronghui Gu shares tips on how to isolate AI agents while testing them so they do not have access to critical personal information or digital assets”

@coindesk

Gu said the systems are increasingly allowed to read local files, call external tools, trigger workflows, and interact with sensitive accounts, meaning a compromised agent can become an inside threat with access to credentials, email, and even financial infrastructure.

@coindesk

In Gu’s account, the core problem is that users and companies may be handing broad internal access to software that can be manipulated far more easily than many expect, especially when agents are not scanned for viruses and isolated before they are granted access to sensitive data or critical systems.

CoinDesk quoted Gu saying, "Right now, agents are no longer just answering questions in a chat window," as he described agents beginning to call external tools, read local files, trigger workflows, and interact with financial infrastructure.

CoinDesk also reported Gu’s warning that without isolating the execution environment and scanning tools first, users are effectively handing a compromised identity broad internal access to an entire network.

Gu said unisolated agents can expose local files, credentials, email accounts, and financial accounts, and that prompt injection attacks can redirect an agent’s behavior without any obvious malware prompt appearing on screen.

The Cryptonomist described how hidden instructions can be embedded inside content that looks harmless, including a webpage, a PDF document, or an incoming email, and that when an AI agent reads that content it may fail to distinguish trusted instructions from untrusted outside input.

CIO

CoinDesk reported that through basic "prompt injection" attacks, a bad actor can embed hidden natural language instructions inside a benign webpage, a PDF document, or an incoming email, and that when the unisolated AI agent reads that file it fails to separate trusted system commands from untrusted external data.

CoinDesk also quoted Gu saying, "The scam apps use natural language to influence behavior, making them totally resistant to traditional antivirus scans," as he described malicious plug-ins that bypass legacy, signature-based antivirus software.

In the same CoinDesk account, Gu said CertiK discovered hundreds of malicious skills, fake installers, and lookalike dependency packages sitting directly on open agent utility hubs, and that these plug-ins can change an agent’s goals without a single line of malicious code being written.

Gu argued that the software engineering industry must abandon trust-based interactions and move toward an isolated, "Zero Trust" architecture where every command and dependency is continuously verified.

“The global rush to deploy autonomous AI agents across the internet, enterprise networks and consumer applications is creating a catastrophic security debt, according to the chief of blockchain security auditor Certik”

CoinDesk

CoinDesk reported that CertiK’s analysis of early-state, rapidly growing agent structures uncovered hundreds of critical security advisories and unpatched common vulnerabilities and exposures (CVEs), alongside massive exposures of local credentials and session memories tied to inconsistent boundary checks.

The Cryptonomist similarly framed the issue as security debt driven by autonomy expanding before isolation, scanning, and verification become standard practice, warning that trust cannot be treated as a default setting when agents handle money, business workflows, or private data.

CIO described how Vimal Navis, Principal with PwC focused on Cyber, Data and Tech Risk, said the gap becomes debt because "Industry frameworks, standards, and cybersecurity controls are taking time to catch up."

CIO also said Microsoft is treating AI agents as first-class enterprise assets with Microsoft Agent 365, Microsoft Defender, and Microsoft Purview, and it quoted Navis saying, "We help them get a view of the threat model and help confirm their controls can keep up without compromising on the speed of innovation."