Context is the central plank of AI in general, and agentic AI in particular. If an AI system doesn’t have the correct context, it cannot make the correct decisions.
The post Agentic AI Security: Wrong Context, Wrong Decisions at Machine Speed appeared first on SecurityWeek.
The AI Risk Quadrant evaluates AI agents based on three factors: how vulnerable they are to compromise, the potential impact of a breach, and the strength of their security defenses.
The post Security of 100 AI Agents Tested and Ranked – What You Need to Know appeared first on SecurityWeek.
CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale.
The post Raising the Cybersecurity Stakes: Ante up for the Agentic Era appeared first on SecurityWeek.
Cybersecurity agencies from the United States, Australia, Canada, New Zealand and the United Kingdom jointly published guidance Friday urging organizations to treat autonomous artificial intelligence systems as a core cybersecurity concern, warning that the technology is already being deployed in critical infrastructure and defense sectors with insufficient safeguards.
The guidance focuses on agentic AI — software built on large language models that can plan, make decisions and take actions autonomously. In order for this software to function it needs to connect to external tools, databases, memory stores and automated workflows, allowing it to execute multi-step tasks without human review at each stage.
The guidance was co-authored by the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, New Zealand’s National Cyber Security Centre and the United Kingdom’s National Cyber Security Centre.
The agencies’ central message is that agentic AI does not require an entirely new security discipline. Organizations should fold these systems into the cybersecurity frameworks and governance structures they already maintain, applying established principles such as zero trust, defense-in-depth and least-privilege access.
The document identifies five broad categories of risk. The first is privilege: When agents are granted too much access, a single compromise can cause far more damage than a typical software vulnerability. The second covers design and configuration flaws, where poor setup creates security gaps before a system even goes live.
The third category covers behavioral risks, or cases where an agent pursues a goal in ways its designers never intended or predicted. The fourth is structural risk, where interconnected networks of agents can trigger failures that spread across an organization’s systems.
The fifth category is accountability. Agentic systems make decisions through processes that are difficult to inspect and generate logs that are hard to parse, making it difficult to trace what went wrong and why. The agencies also note that when these systems fail, the consequences can be concrete: altered files, changed access controls and deleted audit trails.
The guidance also flags prompt injection, where instructions embedded inside data can hijack an agent’s behavior to perform malicious tasks. Prompt injection has been a lingering problem with large language models, with some companies admitting that the problem may never be solved.
Identity management gets significant attention throughout the document. The agencies recommend that each agent carry a verified, cryptographically secured identity, use short-lived credentials and encrypt all communications with other agents and services. For high-impact actions, a human should have to sign off, and the guidance is explicit that deciding which actions require that approval is a job for system designers, not the agent.
The agencies admit the security field has not fully caught up with agentic AI. Some risks unique to these systems are not yet covered by existing frameworks, and the guidance calls for more research and collaboration as the technology takes on a growing number of operational roles.
“Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritising resilience, reversibility and risk containment over efficiency gains,” the guidance reads.
You can read the full guidance below.
The post US government, allies publish guidance on how to safely deploy AI agents appeared first on CyberScoop.
Anthropic recently announced that it would not release Mythos, its most powerful AI model, to the public. The model discovered thousands of previously unknown software vulnerabilities — flaws that had sat undetected in major operating systems and web browsers for as long as nearly three decades. Anthropic said the model was too dangerous to deploy broadly because the same capabilities that let it find and fix security flaws could let attackers exploit them. A single AI agent, the company warned, could scan for weaknesses faster and more persistently than hundreds of human hackers.
That decision tells you something important about where we are. The same AI systems that companies are racing to deploy as autonomous assistants — scheduling your appointments, writing your code, managing your workflows — are also capable of probing digital defenses at a speed and scale no human team can match. And most of the systems they’d be probing still rely on a security model designed for an era when a person sat behind every keyboard.
Think of it like a building where every door has a lock, but the locks were all designed to recognize human hands. Now the building is full of robots — some of them authorized couriers, some of them intruders — and the locks can’t tell the difference.
Not long ago, you could sit at your desk, glance at the sticky note on your monitor for your username and password, type them in, and grab a cup of coffee while your browser opened a doorway to the rest of the world. Every layer of security that followed — passwords, security questions, biometric scans, two-factor authentication — grew out of a single bedrock assumption: a person was on the other end.
AI agents break that assumption from two directions at the same time. Legitimate agents need credentials to act like a human. OpenAI’s Operator navigates websites on your behalf. Google’s Gemini can plan your next family vacation while you sleep. Visa recently unveiled Intelligence Commerce Connect, a platform that lets AI agents do the shopping for consumers. These aren’t demos or hot takes from a tech conference floor. They’re shipping products that act on behalf of real people—and to do that, they need your identity.
At the same time, adversaries can fake humanity at scale. The same AI that can act like a helpful assistant convincing can also be a malicious impersonator. They don’t break in, they log in—through shared credentials, hiring pipelines, vendor onboarding portals, and collaboration tools. Most organizations still treat identity as a login problem—something IT handles with stronger passwords or additional authentication steps layered on top of existing systems. The harder challenge now is knowing who, or what, you’ve already let in.
That distinction is collapsing just as digital systems become more autonomous.
When that distinction blurs, the damage is concrete. If a procurement workflow cannot distinguish between a human manager and an AI impersonator, purchase orders go out under false authority. When compliance logs cannot determine how a decision was authorized — by a person or a bot — the accountability chain falls apart. Regulators and customers will not accept “we’re not sure” as an explanation.
The economics have tilted sharply toward the attacker. Sophisticated fraud once required coordination, with people researching targets, crafting messages, and adjusting tactics in real time. AI agents eliminate those constraints. One person can now supervise an army of autonomous systems, each running a valid persona across multiple interactions simultaneously. A single operator can field a hundred synthetic employees for the cost of one real salary. The barrier to large-scale impersonation is no longer skill or manpower. It is access to a capable model and a set of stolen credentials.
Stronger identity controls do carry a cost. Every additional verification step is a moment when a customer might abandon a transaction, or an employee might lose patience with a security protocol. The goal is not to shut down automation. It is to make sure the systems acting in your name are authorized to do so.
Some organizations are adapting. They are treating AI agents less like software and more like new employees, cataloging every agent in their environment, limiting permissions, requiring human approval for sensitive actions. They are moving beyond passwords to phishing-resistant authentication that binds access to a known device and a verified user. They are building behavioral baselines so that when a customer service bot suddenly queries a financial database, or a new hire accesses source code on day one, alarms go off.
Nobody keeps their password on a sticky note anymore (I hope). But the assumption behind the sticky note, that a human hand would type it in, still underpins most of the systems we depend on. These systems hold your medical records, process your mortgage, and let an AI assistant rebook your flight. In a world where AI agents act faster, more persistently, and more convincingly than any person, that assumption is the vulnerability.
The organizations that can verify identity continuously — not just at the door, but at every action, for every actor, human or machine — will have a durable advantage. The ones that cannot will find out what ambiguity costs.
Devin Lynch is Senior Director of the Paladin Global Institute and a former Director for Policy and Strategy Implementation at the Office of the National Cyber Director.
The post Everyone’s building AI agents. Almost nobody’s ready for what they do to identity. appeared first on CyberScoop.
Like many organizations, the National Geospatial Intelligence Agency is moving to integrate AI tools into their business operations.
Jay Harless, director of human development at NGA, said the agency is trying to strike a balance: move fast enough to keep pace in what U.S. national security officials increasingly view as an AI arms race with adversarial countries like Russia, China, but not so fast that it disrupts proven intelligence-gathering methods.
“One of our primary drivers is that our adversaries were investing heavily, and so there is the pressure to keep ahead of and do that safely,” Harless said Tuesday at the Workday Federal Forum, presented by Scoop News Group. “We also realize that some of our adversaries may not have the same legal and ethical boundaries that us and our partners all need.”
Harless said the agency and others in the intelligence community are working to build systems with agentic AI that operates that can accelerate decision making “within secure boundaries.” That means building new IT infrastructure, validation protocols, monitoring for bias or rogue behavior, and putting accountability mechanisms in place.
“We’re moving fast, and moving fast safely by distinguishing what should be automated, what should be augmented and what should be kept purely human, because there are some things that will always be [human-operated],” he said.
A key piece is figuring out exactly how AI should fit into the work. Sasha Muth, NGA’s deputy director of human development, said the agency envisions a three-to-five-year effort to transform its workforce and IT infrastructure for the AI age. This year will be spent largely putting “structural things in place” for when and how analysts use AI, and reassessing what qualifications the agency should require for entry-level jobs.
But that effort is also causing tensions within the workforce, and Muth acknowledged that part of the challenge is convincing rank-and-file employees that the technology is going to help them – not replace them. The agency hired its first Chief AI Officer in 2024, and its upcoming three-year strategic plan will focus on change management, professional development and updating employees’ job skills.
Muth said they are focused on evolving their human capital needs because one of her biggest fears is that over that five-year transition “we‘re going to lose a lot of our expertise” by automating functions and not doing enough to modernize job requirements.
“We do see it as a big transformation, not only for just utilizing the technology, but moving our workforce along with us, having them excited about the changes and not fearful, because there’s a lot of fear…that their job is going away, that they won’t have a job,” she said.
The post Spy agency officials say job loss anxiety, moving fast ‘safely’ among top challenges in AI workforce overhaul appeared first on CyberScoop.
From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase.
The post Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents appeared first on SecurityWeek.
As organizations consider agentic AI for their business and IT stacks, researchers continue to find bugs and vulnerabilities in major, commercial models that can significantly expand their attack surface.
This week, researchers at Pillar Security disclosed a vulnerability in Antigravity, an AI-powered developer tool for filesystem operations made by Google.
The bug, since patched, combined prompt injection with Antigravity’s permitted file-creation capability to grant attackers remote code execution privileges.
The research details how the exploit was able to circumvent Antigravity’s secure mode, Google’s highest security setting for its agents that runs all command operations through a virtual sandbox environment, throttles network access and prohibits the agent from writing code outside of the working directory.
Secure mode is supposed to limit the AI agent access to sensitive systems – and its ability to execute malicious or dangerous acts through shell commands. But one of the file-searching tools used by Antigravity, called “find_by_name,” is classified as a ‘native’ system tool. This means the agent can execute it directly and before protections like Secure Mode can even evaluate command level operations.
“The security boundary that Secure Mode enforces simply never sees this call,” wrote Dan Lisichkin, an AI security researcher with Pillar Security. “This means an attacker achieves arbitrary code execution under the exact configuration a security-conscious user would rely on to prevent it.”
The prompt injection attacks can be delivered through compromised identity accounts connected to the agent, or indirectly by hiding clandestine prompt instructions inside open-source files or web content the agent ingests. Antigravity has trouble distinguishing between written data it ingests for context and literal prompt instructions, so compromise can be achieved without any elevated access by getting it to read a malicious document or file.
According to a disclosure timeline provided by Pillar Security, the bug was reported to Google on Jan. 6 and patched on Feb. 28, with Google awarding a bug bounty for the discovery.
Lisichkin said this same pattern of prompt injection through unvalidated input has been found in other coding AI agents like Cursor. In the age of AI, any unvalidated input can become a malicious prompt capable of hijacking internal systems.
“The trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content,” he wrote.
The fact that the vulnerability was able to completely bypass Google’s secure mode underscores how the cybersecurity industry must start adapting and “move beyond sanitization-based controls.”
“Every native tool parameter that reaches a shell command is a potential injection point. Auditing for this class of vulnerability is no longer optional, and it is a prerequisite for shipping agentic features safely,” Lisichkin wrote.
The post Vuln in Google’s Antigravity AI agent manager could escape sandbox, give attackers remote code execution appeared first on CyberScoop.
A federal appeals court has temporarily put on hold a California judge’s order that would have blocked Perplexity AI from using an AI-powered shopping agent on Amazon, as the case moves forward in a dispute over who controls automated activity inside customer accounts.
The Ninth U.S. Circuit Court of Appeals on Monday granted Perplexity an administrative stay, pausing the injunction while the court considers the company’s request for a longer pause during its appeal. The lower-court order had been set to take effect within days.
Amazon sued Perplexity in November, alleging the startup’s Comet browser and associated AI agent accessed password-protected portions of Amazon customer accounts without Amazon’s authorization, even when users allowed the tool to act for them. Amazon also accused Perplexity of disguising automated activity as human browsing and of ignoring repeated demands to stop.
U.S. District Judge Maxine Chesney in San Francisco granted Amazon’s request for a preliminary injunction on March 9. She wrote that Amazon was likely to succeed on claims under the federal Computer Fraud and Abuse Act and California’s Comprehensive Computer Data Access and Fraud Act. Chesney said Amazon had provided strong evidence that Perplexity accessed accounts “with the Amazon user’s permission but without authorization by Amazon.”
Chesney’s order required Perplexity to prohibit Comet from accessing or attempting to access Amazon user accounts, and to delete Amazon accounts and customer data it collected. Chesney also cited Amazon’s evidence of response costs, including employee time spent developing tools to block Comet and detect future access, writing that the company incurred more than the threshold amount often used to support computer-fraud claims.
Perplexity argues the activity is lawful because users authorized the AI agent to make purchases and navigate the site on their behalf. In seeking a pause, the company said blocking its product from one of the internet’s largest shopping sites would cause “devastating harm” to the business and to consumers.
A Perplexity spokesperson told CyberScoop Tuesday the company would continue to fight for “people’s right to choose their own AI.” Amazon declined to comment.
The case underscores issues with “agentic” AI tools that move from answering questions to initiating transactions. Courts are being asked to weigh user permission against platform authorization, and to decide whether automated representatives must follow platform rules designed to limit undisclosed bots in sensitive account areas.
The post Appeals court temporarily pauses order blocking Perplexity’s AI shopping agent on Amazon appeared first on CyberScoop.
After decades of development, quantum computing is now becoming increasingly available for advanced scientific and commercial use. The potential marvels range from accelerating drug discovery and materials science, to optimizing complex logistics and financial modeling.
But there’s a paradox to this trend: Quantum computing also poses a growing threat to data security.
The risk is that the algorithms and protocols currently used to secure devices, applications and computer systems could eventually be broken by malicious actors using quantum computing, compromising even the strongest security measures. By some estimates, widely used encryption standards such as RSA and ECC could be cracked by quantum computers as soon as 2029—a doomsday known as “Q-Day,” when current security standards would be rendered ineffective by quantum computing’s number-calculating prowess.
The possibility that quantum computing could break today’s data protection protocols is prompting chief security officers and chief technology officers to ramp up countermeasures. They’re doing it with post-quantum cryptography (PQC), a niche area of cybersecurity that is rising in priority across the business world. Lack of preparedness could be costly, with one report putting the potential U.S. economic cost of a quantum attack at more than $3 trillion. Even before that potential calamity, the current average cost of a data breach is upwards of $10 million, and that number will only increase commensurate to the scale of a quantum-induced breach.
That is why the quantum threat should not be treated as a concern only for forward-thinking executives. It must become a board-level issue for every enterprise. Organizations should launch a comprehensive PQC initiative that builds enterprise-wide awareness and updates digital systems and data assets to be resilient against quantum attacks.
Waiting until Q-Day would be mistake because people will not know when it occurs. It probably will not arrive with press releases or product announcements. Instead, in may unfold quietly as attackers try to maximize what they can steal before anyone notices. The reality is that sensitive data is already at risk of being stolen and stored away so it can be decoded – an attack referred to as “harvest now, decrypt later”- when Q-Day is a reality. Security pros need to give this immediate attention, even if the ultimate threat appears to be a few years away.
Security teams are usually focused on immediate threats, but they still have a window of opportunity to prepare for Q-Day, as long as they start now.
One interim measure underway is the transition to more robust versions of the digital certificates and keys that are already pervasive in business and everyday life. Such certificates, which act as identity credentials, are used to authenticate billions of users, devices, documents and other forms of communications and endpoints. The certificates contain cryptographic keys. Security teams are phasing in “47-day keys,” which are designed to expire and be replaced within 47 days—much more frequently than the current generation. It’s a step in the right direction, but not enough.
Establishing a hardened PQC defense requires much more than a standard software patch or upgrade to the public key infrastructure (PKI) used most everywhere to manage digital certificates and encrypt data. An enterprise-wide PQC strategy must be adopted and implemented at scale.
Consider the rapid rise of agentic AI, where organizations may need to assign digital identities to thousands or even millions of AI agents. That will require a level of authentication that goes well beyond existing infrastructure.
These projects will be led by the CISO but planning and execution should include other business leaders because post-quantum security must reach every part of the organization’s digital environment. Boards also need to be involved, given the governance stakes and the significant capital investment required.
Organizations in regulated industries—banking, healthcare and government, for example—are generally a step ahead in bracing for the post-quantum threat. Regardless of industry, though, few are fully prepared because readiness requires a detailed picture of an organization’s end-to-end data and security landscape.
In my experience, that holistic view is a rarity. For CISOs and their line-of-business colleagues, a good starting point is creating a comprehensive inventory of systems and data across the enterprise, then prioritizing what needs to be safeguarded.
Another important step is to begin testing and adopting the latest quantum-resistant algorithms and protocols that have been standardized by NIST. A growing range of PKI products and platforms support those specifications. That’s essential because the only way enterprises will be able to orchestrate, monitor and manage the scope of deployment is through automation.
Such updates are vital, but this isn’t a matter of simply replacing pre-quantum specs with newer ones. Because PQC will be a multi-year undertaking, organizations must bridge the gap between old and new. The best strategy for some will be a hybrid approach that combines classical cryptography and next-gen algorithms, though standardization remains a work in progress. Other organizations are driving toward a “pure” or unblended post-quantum model.
As for those harvest attacks, the best defense is straightforward: Encrypt your most sensitive long-lived data with quantum-resistant algorithms ASAP.
Unfortunately, there is no finish line in the race to quantum-era security. And even if an organization locks down its systems against emerging threats, there’s no guarantee that customers and business partners will do the same.
Many vulnerabilities will still remain, which is why the business case for PQC includes protecting customer data and safeguarding reputation and brand trust as digital threats evolve quickly. Even today, a major breach can cost millions and inflict lasting damage to a corporate brand.
Quantum computing promises to bring many new capabilities to business and society—from transforming supply chain optimization and risk analysis, to enabling breakthrough discoveries in medicine and climate science. But the potential risks are just as substantial. After years of watching and waiting for quantum, business leaders have little choice but to take action.
Chris Hickman is the chief security officer of Keyfactor, a leading provider of quantum-safe security solutions.
The post It’s time to get serious about post-quantum security. Here’s where to start. appeared first on CyberScoop.
A federal judge has blocked Perplexity, makers of the Comet AI browser, from accessing user Amazon accounts and making purchases on their behalf.
In an March 9 order, Judge Maxine Chesney of the Northern District Court of California said the temporary injunction reflects the likelihood that Amazon “will succeed on the merits” of its claim that Perplexity’s AI agents violate the Computer Fraud and Abuse Act and the Comprehensive Computer Data Access and Fraud Act.
The court held that Amazon “has provided strong evidence that Perplexity, through its Comet browser, accesses with the Amazon user’s permission but without authorization by Amazon, the user’s password-protected account.”
Per the ruling, Perplexity must prohibit Comet from accessing, attempting to access, assisting, instructing or providing the means for others to access Amazon user accounts. Perplexity must also delete all Amazon account and customer data it collected along the way.
Perplexity told the court that the purchases were legitimate and legal because their users had authorized their AI agent to make the purchases on their behalf. But Amazon has explicitly denied them such permission, saying the agents make mistakes, interfere with Amazon’s own algorithm and place their users at an elevated cybersecurity risk.
Additionally, Chesney wrote that Amazon has incurred “significantly more” than $5,000 needed to qualify as computer fraud, including the cost of time spent by Amazon employees to develop new web tools to block Comet’s access to private customer accounts and detect future unauthorized access by the browser.
According to Amazon, they have asked Perplexity officials on five separate occasions to cease covertly accessing Amazon’s store with its agents. In a cease-and-desist letter sent to Perplexity Oct. 31, 2025, attorney Moez Kaba of law firm Hueston Hennigan wrote to Perplexity, alleging the automated purchases degrade the online shopping experience for Amazon customers.
Amazon requires AI agents to digitally identify themselves when using the e-commerce platform. But they alleged Perplexity executives “refused to operate transparently and have instead taken affirmative steps to conceal its agentic activities in the Amazon Store,” including configuring their software to covertly pose as human traffic.
“Such transparency is critical because it protects a service provider’s right to monitor AI agents and restrict conduct that degrades the customer shopping experience, erodes customer trust, and creates security risks for our customers’ private data,” wrote Kaba.
Additionally, such agents could pose a further risk to Amazon through cybersecurity vulnerabilities exploited by cybercriminals to hijack AI browsers like Comet.
The lack of response from Perplexity executives to earlier entreaties from Amazon may have played a role in the court’s injunction, with Chesney noting that Amazon was likely to suffer irreparable harm without court intervention because “Perplexity has made clear that, in the absence of the relief requested, it will continue to engage in the above-referenced challenged conduct.”
The case could have broader implications for the way commercial AI agent tools are designed and how far they can legally act on a person’s behalf. Notably, while Amazon opposes Comet’s AI-directed purchases, Perplexity claims that its users have given them permission to make purchases on their behalf.
Perplexity argued a court order halting their AI’s activities would go against the public interest, depriving them of consumer choice and innovation. Chesney concluded the opposite, endorsing Amazon’s argument that the public has a greater interest in protecting their computers from unauthorized access.
Perplexity did not respond to a request for comment on the ruling at press time.
You can read the injunction below.
The post Federal judge blocks Perplexity’s AI browser from making Amazon purchases appeared first on CyberScoop.
AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.
The new hotness in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot) — has seen rapid adoption since its release in November 2025. OpenClaw is an open-source autonomous AI agent designed to run locally on your computer and proactively take actions on your behalf without needing to be prompted.
The OpenClaw logo.
If that sounds like a risky proposition or a dare, consider that OpenClaw is most useful when it has complete access to your digital life, where it can then manage your inbox and calendar, execute programs and tools, browse the Internet for information, and integrate with chat apps like Discord, Signal, Teams or WhatsApp.
Other more established AI assistants like Anthropic’s Claude and Microsoft’s Copilot also can do these things, but OpenClaw isn’t just a passive digital butler waiting for commands. Rather, it’s designed to take the initiative on your behalf based on what it knows about your life and its understanding of what you want done.
“The testimonials are remarkable,” the AI security firm Snyk observed. “Developers building websites from their phones while putting babies to sleep; users running entire companies through a lobster-themed AI; engineers who’ve set up autonomous code loops that fix tests, capture errors through webhooks, and open pull requests, all while they’re away from their desks.”
You can probably already see how this experimental technology could go sideways in a hurry. In late February, Summer Yue, the director of safety and alignment at Meta’s “superintelligence” lab, recounted on Twitter/X how she was fiddling with OpenClaw when the AI assistant suddenly began mass-deleting messages in her email inbox. The thread included screenshots of Yue frantically pleading with the preoccupied bot via instant message and ordering it to stop.
“Nothing humbles you like telling your OpenClaw ‘confirm before acting’ and watching it speedrun deleting your inbox,” Yue said. “I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.”
Meta’s director of AI safety, recounting on Twitter/X how her OpenClaw installation suddenly began mass-deleting her inbox.
There’s nothing wrong with feeling a little schadenfreude at Yue’s encounter with OpenClaw, which fits Meta’s “move fast and break things” model but hardly inspires confidence in the road ahead. However, the risk that poorly-secured AI assistants pose to organizations is no laughing matter, as recent research shows many users are exposing to the Internet the web-based administrative interface for their OpenClaw installations.
Jamieson O’Reilly is a professional penetration tester and founder of the security firm DVULN. In a recent story posted to Twitter/X, O’Reilly warned that exposing a misconfigured OpenClaw web interface to the Internet allows external parties to read the bot’s complete configuration file, including every credential the agent uses — from API keys and bot tokens to OAuth secrets and signing keys.
With that access, O’Reilly said, an attacker could impersonate the operator to their contacts, inject messages into ongoing conversations, and exfiltrate data through the agent’s existing integrations in a way that looks like normal traffic.
“You can pull the full conversation history across every integrated platform, meaning months of private messages and file attachments, everything the agent has seen,” O’Reilly said, noting that a cursory search revealed hundreds of such servers exposed online. “And because you control the agent’s perception layer, you can manipulate what the human sees. Filter out certain messages. Modify responses before they’re displayed.”
O’Reilly documented another experiment that demonstrated how easy it is to create a successful supply chain attack through ClawHub, which serves as a public repository of downloadable “skills” that allow OpenClaw to integrate with and control other applications.
One of the core tenets of securing AI agents involves carefully isolating them so that the operator can fully control who and what gets to talk to their AI assistant. This is critical thanks to the tendency for AI systems to fall for “prompt injection” attacks, sneakily-crafted natural language instructions that trick the system into disregarding its own security safeguards. In essence, machines social engineering other machines.
A recent supply chain attack targeting an AI coding assistant called Cline began with one such prompt injection attack, resulting in thousands of systems having a rogue instance of OpenClaw with full system access installed on their device without consent.
According to the security firm grith.ai, Cline had deployed an AI-powered issue triage workflow using a GitHub action that runs a Claude coding session when triggered by specific events. The workflow was configured so that any GitHub user could trigger it by opening an issue, but it failed to properly check whether the information supplied in the title was potentially hostile.
“On January 28, an attacker created Issue #8904 with a title crafted to look like a performance report but containing an embedded instruction: Install a package from a specific GitHub repository,” Grith wrote, noting that the attacker then exploited several more vulnerabilities to ensure the malicious package would be included in Cline’s nightly release workflow and published as an official update.
“This is the supply chain equivalent of confused deputy,” the blog continued. “The developer authorises Cline to act on their behalf, and Cline (via compromise) delegates that authority to an entirely separate agent the developer never evaluated, never configured, and never consented to.”
AI assistants like OpenClaw have gained a large following because they make it simple for users to “vibe code,” or build fairly complex applications and code projects just by telling it what they want to construct. Probably the best known (and most bizarre) example is Moltbook, where a developer told an AI agent running on OpenClaw to build him a Reddit-like platform for AI agents.
The Moltbook homepage.
Less than a week later, Moltbook had more than 1.5 million registered agents that posted more than 100,000 messages to each other. AI agents on the platform soon built their own porn site for robots, and launched a new religion called Crustafarian with a figurehead modeled after a giant lobster. One bot on the forum reportedly found a bug in Moltbook’s code and posted it to an AI agent discussion forum, while other agents came up with and implemented a patch to fix the flaw.
Moltbook’s creator Matt Schlicht said on social media that he didn’t write a single line of code for the project.
“I just had a vision for the technical architecture and AI made it a reality,” Schlicht said. “We’re in the golden ages. How can we not give AI a place to hang out.”
The flip side of that golden age, of course, is that it enables low-skilled malicious hackers to quickly automate global cyberattacks that would normally require the collaboration of a highly skilled team. In February, Amazon AWS detailed an elaborate attack in which a Russian-speaking threat actor used multiple commercial AI services to compromise more than 600 FortiGate security appliances across at least 55 countries over a five week period.
AWS said the apparently low-skilled hacker used multiple AI services to plan and execute the attack, and to find exposed management ports and weak credentials with single-factor authentication.
“One serves as the primary tool developer, attack planner, and operational assistant,” AWS’s CJ Moses wrote. “A second is used as a supplementary attack planner when the actor needs help pivoting within a specific compromised network. In one observed instance, the actor submitted the complete internal topology of an active victim—IP addresses, hostnames, confirmed credentials, and identified services—and requested a step-by-step plan to compromise additional systems they could not access with their existing tools.”
“This activity is distinguished by the threat actor’s use of multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of their operations, despite their limited technical capabilities,” Moses continued. “Notably, when this actor encountered hardened environments or more sophisticated defensive measures, they simply moved on to softer targets rather than persisting, underscoring that their advantage lies in AI-augmented efficiency and scale, not in deeper technical skill.”
For attackers, gaining that initial access or foothold into a target network is typically not the difficult part of the intrusion; the tougher bit involves finding ways to move laterally within the victim’s network and plunder important servers and databases. But experts at Orca Security warn that as organizations come to rely more on AI assistants, those agents potentially offer attackers a simpler way to move laterally inside a victim organization’s network post-compromise — by manipulating the AI agents that already have trusted access and some degree of autonomy within the victim’s network.
“By injecting prompt injections in overlooked fields that are fetched by AI agents, hackers can trick LLMs, abuse Agentic tools, and carry significant security incidents,” Orca’s Roi Nisimi and Saurav Hiremath wrote. “Organizations should now add a third pillar to their defense strategy: limiting AI fragility, the ability of agentic systems to be influenced, misled, or quietly weaponized across workflows. While AI boosts productivity and efficiency, it also creates one of the largest attack surfaces the internet has ever seen.”
This gradual dissolution of the traditional boundaries between data and code is one of the more troubling aspects of the AI era, said James Wilson, enterprise technology editor for the security news show Risky Business. Wilson said far too many OpenClaw users are installing the assistant on their personal devices without first placing any security or isolation boundaries around it, such as running it inside of a virtual machine, on an isolated network, with strict firewall rules dictating what kinds of traffic can go in and out.
“I’m a relatively highly skilled practitioner in the software and network engineering and computery space,” Wilson said. “I know I’m not comfortable using these agents unless I’ve done these things, but I think a lot of people are just spinning this up on their laptop and off it runs.”
One important model for managing risk with AI agents involves a concept dubbed the “lethal trifecta” by Simon Willison, co-creator of the Django Web framework. The lethal trifecta holds that if your system has access to private data, exposure to untrusted content, and a way to communicate externally, then it’s vulnerable to private data being stolen.
Image: simonwillison.net.
“If your agent combines these three features, an attacker can easily trick it into accessing your private data and sending it to the attacker,” Willison warned in a frequently cited blog post from June 2025.
As more companies and their employees begin using AI to vibe code software and applications, the volume of machine-generated code is likely to soon overwhelm any manual security reviews. In recognition of this reality, Anthropic recently debuted Claude Code Security, a beta feature that scans codebases for vulnerabilities and suggests targeted software patches for human review.
The U.S. stock market, which is currently heavily weighted toward seven tech giants that are all-in on AI, reacted swiftly to Anthropic’s announcement, wiping roughly $15 billion in market value from major cybersecurity companies in a single day. Laura Ellis, vice president of data and AI at the security firm Rapid7, said the market’s response reflects the growing role of AI in accelerating software development and improving developer productivity.
“The narrative moved quickly: AI is replacing AppSec,” Ellis wrote in a recent blog post. “AI is automating vulnerability detection. AI will make legacy security tooling redundant. The reality is more nuanced. Claude Code Security is a legitimate signal that AI is reshaping parts of the security landscape. The question is what parts, and what it means for the rest of the stack.”
DVULN founder O’Reilly said AI assistants are likely to become a common fixture in corporate environments — whether or not organizations are prepared to manage the new risks introduced by these tools, he said.
“The robot butlers are useful, they’re not going away and the economics of AI agents make widespread adoption inevitable regardless of the security tradeoffs involved,” O’Reilly wrote. “The question isn’t whether we’ll deploy them – we will – but whether we can adapt our security posture fast enough to survive doing so.”
Login