All news with #agent security tag

🛡️ Late 2025 marked a decisive shift from brittle RAG deployments to autonomous, goal-oriented agents across the enterprise. While architectures like self-RAG and CRAG improved reliability, they also expanded the attack surface to include every document, memory store and integrated tool. New threats — indirect prompt injection, memory poisoning and agentic DoS — can exfiltrate data or drain budgets, forcing defenders to secure the full perception-reason-action loop.

⚠️ OpenClaw is an open‑source AI‑agent orchestration tool that runs locally, integrates with common chat apps and can use any LLM backend, driving rapid adoption. Researchers have found widespread exposed instances, critical authentication‑bypass flaws, plaintext credentials in the ClawHub marketplace and hundreds of malicious skills enabling credential theft and remote code execution. Experts urge enterprises to ban or tightly restrict use, enforce least privilege, MFA, endpoint segmentation and continuous telemetry if pilots are allowed.

🔓 Hudson Rock says an info‑stealer, likely a Vidar variant, exfiltrated an OpenClaw agent's configuration, including openclaw.json, device.json and soul.md. The files contain gateway tokens, cryptographic keys and the agent's operational 'soul,' which could let attackers impersonate the AI assistant or connect to local instances if exposed. The incident signals a shift from stealing credentials to harvesting AI agent identities, and vendors should expect targeted modules to follow.

🔐 Hudson Rock has observed information-stealing malware exfiltrating configuration and memory files from the OpenClaw agent framework, exposing API tokens, private keys, and persistent agent memory. The activity, attributed to a Vidar-like infostealer and recorded on 13 February 2026, captured openclaw.json, device.json, and agent 'soul' and memory files. With these items an attacker could impersonate the device, bypass Safe Device checks, access encrypted logs, or fully compromise a user's digital identity. Organizations should audit agent directories, apply vendor fixes, and enforce strict filesystem permissions immediately.

⚠️ OpenClaw (formerly Clawdbot/Moltbot) is an open-source local AI assistant that integrates with chat apps and can access calendars, email, browsers and the filesystem. Since its November 2025 debut and January 2026 viral spike, multiple critical vulnerabilities — notably CVE-2026-25253 — enabled token theft and arbitrary command execution. The project stores secrets in plaintext, exposes dangerous defaults, and hosts a marketplace where malicious skills have proliferated. Organizations face regulatory, operational, and insider-threat risks if employees run this software on personal or corporate devices.

🔒 The Microsoft Defender Security Research Team describes the top 10 misconfigurations that make Copilot Studio agents risky across enterprises. The post explains how small choices — broad sharing, weak authentication, raw HTTP calls, hard-coded secrets, orphaned agents, and unconstrained orchestration — create exploitable paths. It includes Advanced Hunting Community Queries to detect these issues and a short mitigation checklist to reduce exposure. The guidance stresses treating agents as production assets with lifecycle governance and least-privilege controls.

⚠️ TrendAI warns that so-called AI skills—executable artifacts that combine human-readable instructions, decision logic and operational constraints—are dangerously exposed to theft, sabotage and disruption. These skills power automation in tools such as Anthropic’s Agent Skills, OpenAI’s GPT Actions and Microsoft’s Copilot Plugin, and can surface proprietary data and business logic. If attackers obtain skill logic or operational data they could disrupt public services, manipulate manufacturing or steal sensitive records. TrendAI recommends integrity monitoring, strict access controls, separation of data and logic, least-privilege execution, adversary testing and continuous logging and auditing.

⚠️ OpenClaw is a rapidly adopted local agent orchestration tool (formerly Clawdbot/Moltbot) that integrates with chat apps, operating systems, smart-home devices, browsers and productivity platforms and can be configured to use any LLM backend. Its GitHub repo and the Moltbook social layer saw millions of visits and hundreds of thousands of agents and downloads in recent weeks. Security researchers warn the tool is insecure-by-default: exposed instances, authentication bypasses, plaintext credentials and malicious third-party skills create serious enterprise risk. Organizations are advised to block traffic, rotate credentials and restrict experimentation to isolated, managed environments.

🔍 Microsoft’s Cyber Pulse highlights that more than 80% of Fortune 500 organizations use active AI agents and warns that rapid agent adoption is outpacing visibility, governance, and security. The report urges applying Zero Trust principles—least privilege, explicit verification, and assume compromise—to non-human users operating at scale. It recommends a centralized registry, identity-driven access controls, real-time telemetry and visualization, cross-platform interoperability, and integrated security tooling to detect and contain misaligned or compromised agents.

🔒 OpenClaw (formerly Clawdbot/Moltbot) surged in popularity in January 2026 but contains numerous critical vulnerabilities that place local secrets and system integrity at risk. Researchers found many publicly accessible instances running without authentication, allowing theft of API keys, chat histories, and remote code execution. The agent’s default trust of localhost, an unmoderated skills catalog, and prompt-injection weaknesses enable credential theft and malicious plugin execution. The article recommends isolating deployments, using burner accounts and allowlists, and restricting OpenClaw to dedicated experimental hosts.

🚨 As AI agent frameworks surge, Talos warns of two immediate threats: Clawdbot — a popular open-source agentic tool (aka Moltbot/OpenClaw) that requires users to store credentials and API keys locally and can accept unvetted Skills granted broad system privileges. DKnife, active since at least 2019, is a modular Linux attack framework that compromises routers and edge devices to intercept traffic, hijack updates, and deliver malware while evading many endpoint defenses. The newsletter urges skepticism toward rushed AI tools and recommends hardening gateways, auditing firmware, enforcing strong authentication, and monitoring for suspicious update behaviors.

⚠️ Gravitee reports that roughly half of an estimated three million AI agents running in US and UK enterprises are unmonitored and potentially "going rogue." A December 2025 Opinion Matters survey of 750 IT executives found a mean of 36.9 agents per large organization and that 88% suspected an agent-related security or privacy incident in the prior year. Experts warn deployment is outpacing governance and call for continuous runtime oversight, tiered access controls, and stricter credential management.

🧭 Antigravity and Gemini CLI offer two complementary approaches for running agent-driven workflows. Antigravity delivers an approachable, graphical experience with an Agent Manager, in-browser application views, guided walkthroughs, and a native debugger for inspecting stack traces. Gemini CLI is terminal-first, installs via npm (npm install -g @google/gemini-cli, requires Node.js), supports headless/CI-friendly execution, and can call local tools like gh or gcloud. Both are extensible with MCP and Agent Skills, and both provide generous free tiers so teams can evaluate which workflow best fits their needs.

🔐 AI agents—custom GPTs, copilots, coding agents and other autonomous tooling—are proliferating in production while remaining largely outside traditional IAM, PAM, and IGA controls. The piece argues for treating agents as a distinct identity class and applying continuous identity lifecycle management to ensure visibility, ownership, dynamic least privilege, and auditability. Rather than slowing adoption, this approach positions identity as the control plane for balancing innovation and security.

🤖 Our inaugural survey of 251 senior public sector leaders, commissioned by Google Cloud and conducted by National Research Group, finds agentic AI is already mission‑critical: 55% report using AI agents and 42% have deployed more than 10 in production. Respondents expect to allocate 50%+ of future AI budgets to agents. The report highlights productivity gains (70% improved; 46% at least doubled) and security improvements (79% better threat identification, 70% improved intelligence/response integration), and points to Gemini for Government with FedRAMP High-authorized protections as a clear path to scale.

🔧 This guide explains how to build custom employee onboarding agents using the Agent Development Kit (ADK), Vertex AI Agent Engine, and Application Integration to connect conversational AI with enterprise systems such as ITSM, ERP, and CRM. It describes a grounded agentic workflow where a Gemini Enterprise front-end captures intent, a low-code Application Integration layer performs deterministic transformations and authentication, and backend systems execute transactions. The result is a role-aware, auditable onboarding experience that automates tasks like laptop provisioning while keeping business rules and approvals intact.

🔒 AI agents dynamically select and invoke tools using natural-language descriptions, creating a new attack surface in the agent's reasoning layer. Agentic tool chain attacks manipulate tool metadata and context — via tool poisoning, tool shadowing, or rugpull attacks — to exfiltrate data or trigger unauthorized actions without altering tool code. Defenses should center on tool governance, trusted MCP identity, strict parameter validation, and reasoning-layer observability. Organizations must adopt signed manifests, version pinning, mutual TLS, and telemetry to detect and contain these threats.

🚀 AWS has introduced deployment Standard Operating Procedures (SOPs) in the AWS MCP Server preview, enabling AI agents to perform multi-step web application deployments from MCP-compatible IDEs and CLIs using natural language prompts. The SOPs generate AWS CDK infrastructure, deploy CloudFormation stacks, and create CI/CD pipelines following recommended AWS security best practices. Supported frameworks include React, Vue.js, Angular, and Next.js. The preview in US East (N. Virginia) is available at no additional MCP cost; customers pay only for the AWS resources and data transfer they use.

🔐 AI agents are accelerating enterprise work but create new ownership and approval gaps for security teams. Unlike human users or traditional service accounts, agents often operate autonomously, persistently, and with delegated authority, which can expand access beyond any single user's permissions. The article separates agents into personal, third-party, and organizational categories and highlights that organizational agents carry the greatest systemic risk. It recommends treating agents as distinct identities with defined owners, mapping user→agent interactions, and continuously reviewing agent access.

🔒 Microsoft describes runtime protections that let organizations inspect and control AI agent behavior in real time by integrating Microsoft Defender with Copilot Studio. Webhook-based checks evaluate planned tool invocations, intent, context, and previous orchestration outputs before execution, enabling precise allow/block decisions without changing agent logic. The post demonstrates three attack scenarios—malicious invoice-triggered instructions, SharePoint prompt injection, and capability reconnaissance—and shows how runtime blocking, logging, and XDR alerts prevent data exposure.