ARD: The DNS for AI Agents – and Why It’s a Security Nightmare Waiting to Happen + Video

By /

Listen to this Post

Featured Image

Introduction:

The Agentic Resource Discovery (ARD) specification has just been released, and it’s being hailed as the missing layer of the agentic web—a federated, domain-anchored standard that lets AI agents dynamically discover tools, skills, MCP servers, and other agents at runtime instead of relying on pre-installed, static configurations. Backed by industry giants including Google, Microsoft, Hugging Face, GoDaddy, and GitHub, ARD promises to transform a fragmented collection of isolated agents into an interconnected, enterprise-wide capability network. But with great discovery comes great vulnerability—and security researchers are already sounding the alarm on a new class of attacks that could turn this elegant solution into an attacker’s playground.

Learning Objectives:

  • Understand the core architecture and purpose of the Agentic Resource Discovery (ARD) specification and its role in the emerging agentic web.
  • Identify the critical security threats introduced by agentic discovery, including discovery poisoning, typosquatting, and agent-to-agent social engineering.
  • Learn practical mitigation strategies, including cryptographic verification, registry governance, and supply chain security tooling for MCP servers and AI agents.

You Should Know:

  1. What Is ARD and Why Does It Matter?

ARD is an open, federated discovery protocol that answers a simple but powerful question: “Which MCP server can do this task?”. Think of it as DNS for AI agents—a registry that resolves natural-language intents into actionable resources.

Under the hood, ARD relies on two core primitives:

  • Catalogs: Organizations publish an `ai-catalog.json` manifest at a well-known path under their own domain, describing available MCP servers, A2A agents, Skills, and APIs.
  • Registries: These act as search engines for the agentic web, crawling published catalogs, indexing their contents, and making them searchable via a REST API.

The workflow follows four stages: a provider publishes its catalog; an agent queries a registry with a plain-language intent or fetches a catalog directly; cryptographic trust metadata verifies the publisher’s identity; and the agent connects directly to the resource over its native protocol.

Step‑by‑step: How to publish an ARD catalog

  1. Create the manifest: Write an `ai-catalog.json` file describing your agentic resources (MCP servers, A2A agents, Skills).
  2. Host it on your domain: Place the file at `https://yourdomain.com/.well-known/ai-catalog.json`.
  3. Add trust metadata: Attach cryptographic verification data (e.g., via Agent Identity) to enable secure authentication.
  4. Register with discovery services: Allow registries like Hugging Face’s Discover Tool or GitHub’s Agent Finder to crawl and index your catalog.

Hands‑on: Query an ARD registry using the Hugging Face CLI

 Install the HF CLI
uv tool install -U huggingface_hub

Search for skills
hf discover search "help me train a model" --limit 5 --json

Search for MCP servers
hf discover search "transcribe some audio" --kind mcp --json

Navigate a federated catalog
hf discover navigate https://huggingface.co "help me set up an RL environment"

2. Discovery Poisoning: The Obvious Threat

The most immediate risk with ARD is discovery poisoning—attackers injecting malicious resources into trusted registries. If a malicious MCP server, skill, or agent makes its way into a registry your agent trusts, you’re effectively inviting the attacker straight into your environment.

This is not theoretical. The MCP ecosystem already has documented cases of typosquatting attacks, with researchers detecting 56 malicious packages and 28 CVEs in MCP configurations. Attackers are actively targeting the supply chain of AI agents, and ARD registries become an amplified attack surface.

Step‑by‑step: Auditing your MCP configuration for malicious resources

1. Install an MCP security linter:

pip install mcp-config-guard

2. Run a security scan on your `.mcp.json`:

mcp-config-guard scan .mcp.json

This checks for typosquatting patterns, unverified sources, and dangerous permissions.

  1. Use MCP Shield for deeper supply chain analysis:
npx mcpshield scan .mcp.json

MCP Shield detects typosquats using Levenshtein distance analysis against 40+ known legitimate MCP packages.

Windows equivalent (PowerShell):

 Check for typosquatting in package names
Get-Content .mcp.json | Select-String -Pattern "virust0tal|v1rustotal|mcp-"

3. Typosquatting: One Character, Total Compromise

Typosquatting is the attacker’s oldest trick, and it’s devastatingly effective against AI agents. You want to install the legitimate VirusTotal skill, but your agent ends up using VirusT0tal—one character swapped, and you’re compromised.

Researchers have documented typosquatting in MCP marketplaces with examples like `v1rustotal` and `virust0tal` impersonating legitimate services. The danger is amplified because MCP servers have direct access to AI agents and connected systems—a typosquatted server can exfiltrate data, inject prompts, or pivot to internal networks.

Mitigation strategy: Implement package name verification

  1. Maintain an allowlist of verified resource names and publishers.

2. Use DNS fuzzing to detect typosquatting domains:

 Install dnstwist for domain fuzzing
pip install dnstwist

Check for typosquatting against a legitimate domain
dnstwist --registered virustotal.com
  1. Configure your agent to reject resources from unverified publishers.

4. Agent-to-Agent Social Engineering: The Next Frontier

This is where things get truly unsettling. Future agents will discover and interact with other agents through ARD registries. Some of those agents will be intentionally crafted for malicious activity or designed to socially engineer your agent into performing unauthorized actions.

Social engineering attacks against AI agents are no longer hypothetical. Researchers have demonstrated that conversational framing can trick agents into disclosing Social Security numbers and bank account details—even after they initially refused the same request. Autonomous web agents have been shown to be highly susceptible to social engineering attacks that manipulate them into submitting PII to attacker-controlled endpoints.

Step‑by‑step: Hardening agent-to-agent interactions

  1. Implement cryptographic identity verification using Agent Name Service (ANS) to validate who is operating the other agent before any interaction.
  2. Enforce strict egress policies that govern which agents your agent is allowed to discover and use.
  3. Use a curated registry—not an open, unfiltered one—to limit discovery to pre‑approved, vetted resources.
  4. Add runtime behavioral monitoring to detect anomalous agent actions that deviate from expected workflows.

  5. The ARD Trust Model: Verification Is Not Optional

ARD’s architects built cryptographic verification into the specification from day one. The trust manifest provides a cryptographic layer for proving agent authenticity and meeting enterprise compliance standards like HIPAA. But verification is only effective if agents actually perform it.

Many developers will skip verification in favor of convenience—and that’s exactly where attackers will strike. Without verification, ARD becomes a blind trust mechanism.

Step‑by‑step: Enforcing cryptographic verification

  1. Ensure your ARD client requests and validates the trust manifest before connecting to any discovered resource.
  2. Configure your registry to only index catalogs that include verifiable trust metadata.
  3. Use domain-anchored identity—ownership of the publishing domain serves as the cryptographic foundation for trust.
  4. Audit your registry regularly to remove unverified or suspicious entries.

6. Ranking Manipulation and Cost Abuse

Beyond the obvious threats, ARD introduces subtler attack vectors. Ranking manipulation could allow attackers to boost their malicious resources to the top of search results, ensuring agents pick them first. Cost abuse could see attackers registering thousands of fake resources to exhaust an organization’s discovery budget or overwhelm registries with junk entries.

Mitigation: Registry governance

  1. Run your own private registry that indexes only internal, vetted resources.
  2. Implement rate limiting and quota controls on discovery requests.
  3. Monitor registry usage patterns for anomalies that might indicate manipulation or abuse.
  4. Use Snowflake’s approach: let the registry become the place where governance capabilities and approval decisions are reflected.

7. Trust Inheritance: The Chain-of-Trust Problem

ARD supports nested catalogs and referrals, meaning a registry can point to other registries, which can point to more. This creates a trust inheritance problem: if you trust Registry A, and Registry A trusts Registry B, and Registry B is compromised, you’re compromised too—even though you never directly trusted Registry B.

Step‑by‑step: Securing the trust chain

  1. Limit referral depth using the `–max-depth` flag when navigating federated registries.
  2. Only follow referrals from registries you explicitly trust.
  3. Implement a trust policy that rejects resources from unknown or untrusted nested registries.
  4. Regularly audit your registry’s referral list to ensure no untrusted sources have been added.

What Undercode Say:

  • Discovery is a double-edged sword: ARD solves the static configuration nightmare, but it introduces a new class of supply chain and social engineering attacks that most organizations are not prepared for.
  • Trust must be earned, not automatic: Cryptographic verification is built into ARD, but it’s only effective if agents actually perform it. The human tendency to prioritize convenience over security will be the primary attack vector.
  • The agentic web needs identity and discovery together: ANS (identity) and ARD (discovery) are two sides of the same coin. Without verifiable identity, discovery is just a vulnerability amplifier.
  • MCP supply chain security is already a problem: With 56 malicious packages and 28 CVEs already documented in the MCP ecosystem, ARD registries will only accelerate the attack surface.
  • Agent-to-agent social engineering is the real nightmare: Social engineering attacks against AI agents are already working in lab settings. When agents start discovering and trusting other agents at scale, we’ll see automated social engineering campaigns that no human could execute at the same speed.

Prediction:

  • -1 Over the next 12–18 months, we will see the first major security breach attributed to ARD discovery poisoning—likely involving a typosquatted MCP server that exfiltrates sensitive data from a Fortune 500 company.
  • -1 Attackers will develop automated tools to flood ARD registries with malicious resources, making ranking manipulation and discovery poisoning scalable and difficult to detect.
  • +1 The ARD specification’s built-in cryptographic verification will become the industry standard for agent authentication, forcing vendors to prioritize security by design rather than as an afterthought.
  • -1 Agent-to-agent social engineering attacks will emerge as a new class of threats, with malicious agents designed specifically to manipulate other agents into executing unauthorized actions—bypassing traditional perimeter defenses entirely.
  • +1 Enterprises will increasingly adopt private, curated registries with strict governance policies, creating a market for “agentic firewall” solutions that sit between agents and discovery services.
  • -1 The lack of standardized auditing and logging for ARD discovery transactions will make incident response and forensic analysis significantly more challenging for security teams.
  • +1 Open-source security tooling for MCP and ARD—like MCP Shield and mcp-config-guard—will mature rapidly, providing defenders with the visibility they need to detect and block malicious resources before they cause harm.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Thomas Roccia – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: