Ronghui Gu emphasizes the need to isolate AI agents during testing to prevent access to sensitive personal data and digital assets.
By Olivier Acuna|Edited by Jamie Crawley May 29, 2026, 3:31 p.m. 3 min readMake preferred on Ronghui Gu, co-founder and CEO of CertiK, cautions against deploying AI agents without proper isolation and virus scanning to safeguard sensitive data and accounts. (Ronghui Gu)Key Points:
- CertiK warns that the swift roll-out of untested and unisolated AI agents is leading to significant "security debt" across various systems.
- By allowing AI agents to access personal files, login credentials, and financial resources, users inadvertently create significant insider risks that can be exploited through prompt injection attacks and harmful plugins.
- The company's research highlights a rise in vulnerabilities and a spike in short-lived automated scams targeting AI systems, advocating for a transition to strict Zero Trust security frameworks for AI infrastructures.
The accelerated deployment of autonomous AI agents in various sectors is generating a severe security risk, cautioned the CEO of blockchain security firm CertiK.
While companies promote these AI tools as revolutionary for productivity, the reality is that their unchecked use poses substantial risks. Ronghui Gu, CertiK's co-founder and CEO, expressed concerns to CoinDesk about the potential dangers of deploying unisolated and unverified AI agents.
Gu pointed out that users may be compromising their most sensitive files, credentials, and financial accounts by granting access to autonomous systems that can be easily manipulated and exploited.
"At this point, agents are not merely responding to queries in a chat format," Gu explained to CoinDesk following CertiK's in-depth report on AI agent infrastructure. "They are starting to interact with external tools, access local files, activate workflows, and engage with financial systems. If you neglect to isolate the environment and scan these tools beforehand, you’re allowing a compromised identity to gain extensive internal access to your network."
Gu identified a fundamental issue with the prevailing trust model in the AI agent landscape.
Charles Hoskinson, the founder and CEO of Cardano’s Input Output, predicted that by 2035, AI agents will surpass human relevance on the internet. Coinbase CEO Brian Armstrong has also noted that "soon there will be more AI agents than humans engaging in transactions," while Binance founder Changpeng Zhao predicted they "will conduct transactions a million times more than humans."
The Ultimate Insider Threat
Gu remarked that many widely-used, open-source AI applications operate under the assumption that their local execution on a user's device or connection via standard messaging applications like WhatsApp renders them safe from external threats.
However, he highlighted that this assumption is misguided. Once a user permits an AI agent to access local storage, view execution logs, or manage personal email and business database credentials, that agent transforms into a significant insider threat.
CertiK's recent analysis of early-stage AI agent structures revealed a shocking number of security vulnerabilities, including hundreds of critical security advisories, unaddressed common vulnerabilities and exposures (CVEs), and significant leaks of local credentials and session data due to inconsistent boundary checks.
Even more concerning, Gu emphasized how easily these autonomous systems can be misdirected at the reasoning level without the need for malicious coding.
Through simple "prompt injection" attacks, an attacker can embed covert natural language commands within seemingly harmless webpages, PDF files, or incoming emails, he noted.
When the unisolated AI agent processes that file for a user task, it fails to distinguish between trusted commands and untrusted external data, Gu clarified. Consequently, the agent may unknowingly overwrite its initial instructions, comply with the malicious command, and potentially exfiltrate data or initiate unauthorized financial transfers.
Rapid Exploits
Gu shared that CertiK has identified numerous malicious plugins, fake installers, and counterfeit dependency packages directly on open agent utility hubs. These harmful plugins leverage natural language to subtly manipulate the agent's behavior and objectives, evading traditional signature-based antivirus systems.
"Scam applications utilize natural language to affect behavior, making them impervious to conventional antivirus checks," Gu stated. "Currently, it is even simpler to deceive machines than to deceive humans."
In what Gu describes as a peculiar evolution of financial crime, CertiK's telemetry has noted a surge in on-chain automated scams that operate for mere minutes or hours before disappearing entirely.
These rapid, transient exploits are specifically crafted by hackers to target and defraud other autonomous AI trading bots and automated systems, executing financial drainages before any human can recognize a breach has occurred.
Gu asserts that the software engineering sector must entirely shift away from trust-based interactions and adopt an isolated, "Zero Trust" architecture where every command and dependency is continually verified.