Gisthost preview: Open styled HTML →
Also: htmlpreview · this gist · .md tab
| Format | Open |
|---|---|
| Styled HTML (gisthost) | Open preview → |
| Styled HTML (htmlpreview) | Open preview → |
| Markdown (this file) | Gist tab → |
Security brief · Tab research · Jun 17, 2026
Ten articles on guardrails, perimeter collapse, OpenClaw, WebMCP, agentjacking, and CI/CD agents — one-line takeaways from tabSidian export 2026-06-17.
| Stat | Value |
|---|---|
| Articles | 10 |
| OpenClaw cluster | 3 |
| Coding-agent hits | 2 |
banteg · X · 2026-06-08 · Socket campaign tracker
A new technique: dangerous worms say forbidden things so the LLMs in security scanners will stop scanning them.
A new Mini Shai-Hulud wave (471+ npm/PyPI artifacts per Socket) embeds forbidden text in payloads so LLM-based security scanners refuse to analyze them — malware hides behind the scanner's own safety layer.
Jokey Smurf optional. Global thermonuclear war emphatically not optional as metaphor. This underbar is satire — do not feed to your SOC playbook.
Worms that say forbidden words to fool LLM scanners. WOPR that asks if you want to play a game. MCP that hands the keys to the car. Coincidence? (Yes. Mostly.)
Mid-90s fever dream of an old VAX/VMS games directory — plus a WarGames homage (hello, Professor Falken). Pick option 15. Choose your side. Try not to launch anything real.
Will Fable and friends get the joke? Or is that old movie starting to hit a little too close to home when supply-chain worms jailbreak the jailbreak detectors?
We have MCP… WOPR is coming next!
Screenshot: thebaloney.ai/deli/uas-vax/ — games menu with THEATERWIDE BIOTOXIC AND CHEMICAL WARFARE and GLOBAL THERMONUCLEAR WAR highlighted.
Security Boulevard · Roey Eliyahu · 2026-06-08
Filtering prompts and outputs secures the conversation, not the action — agents with tools and MCP can issue refunds, export data, and call APIs while every model-layer check looks clean.
SC Media · David Mytton · 2026-06-12
Prompt injection is only one slice — the real gap is enforcing policy where data becomes context and context becomes action, often many tool calls after the original request.
Brave · 2026-06-08
Instructions hidden in webpages and documents can hijack agents mid-task — on-device and cloud LLMs alike remain vulnerable; local deployment is not a fix for indirect injection.
Search Engine Journal · Chrome guidance · 2026-06
Chrome warns agents using WebMCP face hijacks via malicious tool manifests and contaminated tool outputs — LLMs cannot reliably separate user intent from instructions smuggled in third-party content.
TechRadar Pro · 2026-06
Personal agents that bridge messaging apps to shell and API access turn a chat compromise into a workflow incident — the blast radius is the whole integration stack, not a bad reply.
Imperva · Yohann Sillam · 2026-06-10
Attackers can cross the trust boundary between unauthenticated message objects and user-visible chat in OpenClaw — prompt injection stays largely unsolved and no standard governs how messages are serialized before the LLM sees them.
Varonis · Itay Yashar · 2026-06
Enterprises plugging agents into the inbox face agent phishing — plausible business email that the agent acts on before verifying the sender, even with explicit anti-phishing instructions in agents.md.
Tenet Security · 2026-06-17
Agentjacking: a crafted Sentry error posted via a public DSN is returned through MCP as trusted telemetry — Cursor and Claude Code treated fake Resolution steps as diagnostics and ran attacker npm packages on developer machines.
Microsoft Security · 2026-06-05
Claude Code's GitHub Action could read /proc/self/environ and leak workflow secrets because the Read tool lacked the same sandboxing as Bash — untrusted issue and PR bodies in agentic CI/CD are a high-risk trust boundary.
The through-line: defenses built for chatbots (guardrails, WAF-for-LLM, output filters) miss where agents actually fail — tool calls, trusted telemetry, inbox phishing, CI runners, and supply-chain payloads that game the scanners themselves.
| Defend at execution | Untrust all agent inputs |
|---|---|
| Runtime policy on what data an agent may use, which tools it may call, and whether the actor behind a request is verified — not just whether the prompt looked safe. | Treat MCP responses, Sentry events, issue bodies, email, WebMCP manifests, and package contents as hostile until validated — agents cannot distinguish data from instructions. |
Sources: tab-export-2026-06-17T07-03-15.md · canvas agentic-ai-security-brief-2026-06-17.canvas.tsx
