Tag
CVE-2026-9277 lets a single newline character turn one shell command into two inside your agent's sandbox. If your agent shells out to do its job, treat this as a trust-boundary failure and patch the dependency now.
ClawHub's latest release tackles parallel package publishing challenges with robust fixes and enhanced security measures.
OpenClaw’s clawhub 0.16.0 release reveals why agent security is moving from model-centric to harness-centric, redefining where value accrues in the AI agent ecosystem.
OpenClaw's move to modular plugins exposes a critical tradeoff: flexibility versus dependency hell, with implications for security and scalability.
The TanStack malware incident exposes fundamental cracks in the trust model of package ecosystems, forcing a reevaluation of how we secure software supply chains.
The recent critical CVE in vm2, a Node.js sandboxing library, exposes deeper structural issues in JavaScript's suitability as a runtime for untrusted AI agent workloads.
Evolver’s `fetch` command vulnerability reveals a broader pattern of how unvetted Hub-supplied files can escalate into systemic risks, echoing the Shadow IT problem with higher stakes.
Four critical vulnerabilities in the VM2 sandbox library allow attackers to escape the sandbox and execute arbitrary code on host systems running Node.js 24 and 25.
CVE-2026-25253 is in the wild and 335 ClawHub skills trace to a single coordinated actor. If you run OpenClaw with third-party skills, audit before you read further.
