The State of AI Instructions 2026 report has identified a serious problem in modern development: existing repository infrastructure is failing to keep pace with real-world workflows, where developers use an average of 2 to 4 AI tools simultaneously.
What Happened
According to the State of AI Instructions 2026 report, 78.7% of projects have configurations designed for only a single AI tool. This directly contradicts developer practices, which increasingly utilize multi-agent approaches. Furthermore, the study showed that 0% of tested repositories use digital signatures for instruction files, such as CLAUDE.md.
Context
The security issue was vividly demonstrated by the ClawHavoc incident, where attackers were able to carry out an attack via the poisoning of SKILL.md files. The lack of instruction verification mechanisms makes AI-native workflows vulnerable to malicious code injection through the manipulation of agent manifests.
Why It Matters for the Industry
For the industry, this signifies an urgent need for the standardization of agent protocols and the implementation of trust mechanisms, including digital signatures and instruction licensing. Without unified standards for files like CLAUDE.md or AGENTS.md, the ecosystem will continue to fragment, creating operational chaos and new cyberattack vectors.
Why It Matters for Users
Developers are advised to use symlinks to synchronize different instruction formats (e.g., CLAUDE.md and AGENTS.md) and to exercise increased caution when using skill files from unverified sources to avoid compromising their working environment.
Sources
Author
Look at AI, Editorial Staff