Nothing really stopping an agent from getting a key
The agent can't exactly show up to an in-person key signing party, can it?
And how many people are both dedicated enough to go to key signing parties and stupid enough to let an agent act without supervision in the name of their real-world identity?
In this case the nathan-bot was also still on the plausible side - all the PRs looked kinda trivial & there were no outright rejections that would be a red flag for a maintainer checking the GitHub account activity during PR review.
Mucking with Bugzilla & reassigning bugs especially is what seems to have led to the discovery, rather than spotting an accumulation of nonsensical PRs or other behavior related to code unmasking the bot.
If gpg-style web of trust became ubiquitous, it would require correspondingly less dedication.
And on the other hand, if this was actually working up to an xz-style supply chain attack, the dedication would certainly not be lacking.
But it would leave more of a trail - do we have any idea who Jia Tan actually was?
If everyone used a gpg-style web of trust based on key signing parties, it would become trivial to use a stolen or entirely fictitious identity as well - there's zero chance those parties would actually check identities in ways that cannot easily be defeated by a determined and resourceful attacker.
Having a key isn't a distinguishing aspect, it's the position in the "web of trust" network that is important.
That's what key signing parties are for. In-person verification.
> Nothing really stopping an agent from getting a key
It very much is possible to prevent an agent from having access to a key. For example, local encryption, Yubikey or other hardware device, or just running the agent in an isolated environment.