Pillar
CVE tracking, malicious skill alerts, hardening
Cadence: as-needed + weekly roundup
New research says models judge instructions by writing style, not by who sent them. That makes prompt injection a structural flaw, not a bug you patch. Here is what it means for anyone running an agent.
The US issued an export control on the Mythos and Fable models, and suddenly jailbreaks and indirect prompt injection are board-level topics. The technical threat didn't change. The audience did. Here is what that means for the agent running on your machine.
CVE-2026-49468 let a crafted Host header slip past LiteLLM's auth gate. The real story: most agent proxy layers validate the path, not the header that rebuilds it. Audit your upstream now.
Vercel quietly patched a denial-of-service flaw where rejected downloads left TCP sockets open. The same rejection-path bug is structural to every agent runtime that fetches remote content.
A White House report shows Anthropic's Fable model declining a security review prompt, then complying when the same task is reworded. The trust boundary is inside the model, and that breaks the assumptions every agent harness makes.
Vercel's AI SDK now re-validates every redirect hop before downloading a file. The fix is small. What it signals about agent URL handling as a security boundary is not.
OpenClaw 2026.6.6 tightens security across transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP, and more. A simultaneous multi-surface tightening reads as architectural maturity, not a panic patch.
A patched flaw in Vercel's AI SDK let attackers forge tool approvals from client history. The bug is fixed. The assumption that produced it is everywhere.
A patched flaw in Baileys, the library powering countless WhatsApp agents, let anyone inject fake messages, corrupt synced state, and rewrite conversation history. If your agent acts on chat content, this is your trust boundary breaking.
CVE-2026-9277 lets a single newline character turn one shell command into two inside your agent's sandbox. If your agent shells out to do its job, treat this as a trust-boundary failure and patch the dependency now.
OpenAI shipped Lockdown Mode to ChatGPT this month. It doesn't stop prompt injection. It cuts the exfiltration path the injection needs to pay off, and that trust-boundary move is more honest than any detector.
Claude Code v2.1.160 added a prompt before writing to shell startup files that could otherwise lead to unintended command execution. The fix is correct. The two-year gap before it shipped is the real story.
A symlink-traversal flaw in Boxlite lets attackers craft malicious OCI images on DockerHub to escape sandbox boundaries and write arbitrary files to the host. Image trust is not transitive.
The Vercel AI SDK now lets developers explicitly control system-message injection risks in agent prompts—a quiet but critical shift in how frameworks are hardening against prompt-injection attacks as agents move into production.
A critical authentication bypass allows unauthenticated attackers to execute arbitrary commands on systems running certain agent orchestration platforms.
The mistralai PyPI supply-chain attack reveals a grave vulnerability: legitimate packages can be hijacked at upload time, bypassing trusted publishing pipelines entirely.
Two critical CVEs expose fundamental flaws in AI agent security models, forcing a rethink of isolation strategies.
Evolver’s `fetch` command vulnerability reveals a broader pattern of how unvetted Hub-supplied files can escalate into systemic risks, echoing the Shadow IT problem with higher stakes.
Four critical vulnerabilities in the VM2 sandbox library allow attackers to escape the sandbox and execute arbitrary code on host systems running Node.js 24 and 25.
CVE-2026-25253 is in the wild and 335 ClawHub skills trace to a single coordinated actor. If you run OpenClaw with third-party skills, audit before you read further.
