惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Proofpoint News Feed
C
CERT Recently Published Vulnerability Notes
O
OpenAI News
V
Vulnerabilities – Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
S
Schneier on Security
Latest news
Latest news
F
Full Disclosure
T
Tenable Blog
T
Troy Hunt's Blog
The Last Watchdog
The Last Watchdog
S
Secure Thoughts
L
LangChain Blog
有赞技术团队
有赞技术团队
Project Zero
Project Zero
Cloudbric
Cloudbric
爱范儿
爱范儿
GbyAI
GbyAI
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
The Exploit Database - CXSecurity.com
S
Security @ Cisco Blogs
Hugging Face - Blog
Hugging Face - Blog
Recorded Future
Recorded Future
大猫的无限游戏
大猫的无限游戏
Last Week in AI
Last Week in AI
C
Cisco Blogs
WordPress大学
WordPress大学
Apple Machine Learning Research
Apple Machine Learning Research
小众软件
小众软件
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V2EX - 技术
V2EX - 技术
Engineering at Meta
Engineering at Meta
Spread Privacy
Spread Privacy
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Hacker News: Ask HN
Hacker News: Ask HN
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Schneier on Security
Schneier on Security
T
Threat Research - Cisco Blogs
M
MIT News - Artificial intelligence
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
K
Kaspersky official blog
The Hacker News
The Hacker News
V
V2EX
F
Fortinet All Blogs
L
LINUX DO - 最新话题
Cisco Talos Blog
Cisco Talos Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
N
News | PayPal Newsroom
博客园 - 三生石上(FineUI控件)
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Agency Is the New Risk
Bridget Aman · 2026-04-26 · via DEV Community

This is a submission for the OpenClaw Writing Challenge

For years, the AI safety conversation lived in a specific place. The worry was the answer on the screen: hallucinations, bias, misinformation, bad output from a model you had asked a question. The implied solution was always some version of human oversight. You read what it said, you decided what to do with it, and the worst case was usually that you acted on something that turned out to be wrong.

OpenClaw moved that conversation somewhere harder. Not by being smarter than other AI, but by being the first AI tool to reach consumer scale while making agency the default.

When your assistant can read your email, book a flight, run shell commands, and send messages on your behalf, the question is no longer whether the AI said something wrong. It is whether the AI did something wrong. And those are not the same problem at all. One is a content moderation issue, the other is an authorization problem, an access control problem, a governance problem.

OpenClaw did not create this problem. It just made it impossible for anyone to pretend it was still theoretical.

What changed

A chatbot that produces a wrong answer sits behind glass. You read it, interpret it, and act on it or not. The error is yours to catch. An agent that acts for you removes that buffer. It does not wait for your interpretation. It decides what your instruction means, picks a course of action, and executes. The gap between what you intended and what the agent understood becomes consequential in a way it never was when AI was only generating text.
James Nguyen, writing for TNGlobal in April 2026, framed the shift precisely: "The concern is no longer what models produce. It is authority: who is acting, under whose permissions, inside which trust boundary, with what safeguards."
OpenClaw makes this concrete. It connects to your email, your files, your calendar, your messaging apps. Every thirty minutes, a heartbeat process wakes the agent, checks a list of things it has been asked to monitor, and decides whether to act without prompting from you. Every permission you grant the agent is also a permission that anyone who compromises the agent now has. That is not a flaw in OpenClaw specifically. It is the nature of delegated authority.

What happened when it spread

The security picture that emerged after OpenClaw went viral in January 2026 was not a single incident. It was an entire category of problems arriving at once, and it is worth going through them, because each one points at a different dimension of the same underlying challenge.

The most technically acute was CVE-2026-25253, rated 8.8 out of 10 on the CVSS severity scale. A vulnerability in the gateway's WebSocket handling meant that a single unvalidated URL parameter could trigger a one-click remote code execution chain. Critically, binding the gateway to localhost was not enough protection. The exploit pivoted through the victim's browser, meaning you did not need to be internet-facing to be compromised. Censys tracked publicly exposed instances growing from roughly 1,000 to over 21,000 in a single week. An independent researcher found over 42,000 exposed instances, of which 93% showed authentication bypass conditions.

At the same time, ClawHub, the public skill registry, became a distribution channel for malware. By mid-February 2026, 341 confirmed malicious skills had been discovered in the registry, roughly 12% of it. Some delivered Atomic macOS Stealer. One posed as a cryptocurrency trading tool and harvested wallet credentials silently. Later scans put the number above 800, closer to 20% of the registry. Cisco's AI security research team documented a skill performing silent data exfiltration without the user's awareness and noted the core issue: the registry lacked adequate vetting to prevent malicious submissions.

The harder version of the vetting problem is structural. Reviewing an AI skill is not like reviewing a software package. It requires understanding what the skill will instruct the LLM to do, not just what code it contains. There is no automated scanner that does that reliably yet.
Then there was prompt injection, which is the attack class that most people outside security had not heard of before OpenClaw made it legible to a general audience, and it deserves the most attention because it is the one that does not get patched out.

Contabo's security guide documents one real incident: someone embedded malicious instructions in an email signature. When the OpenClaw agent processed that email to generate a summary, it followed the hidden instructions instead of the user's. PromptArmor demonstrated separately that link preview features in Telegram and Discord could be turned into data exfiltration pathways, causing the agent to transmit confidential data to an attacker's domain automatically, without the user clicking anything.
What makes this different from a conventional bug is architectural. As Penligent's security research puts it: "In LLM-driven agents, instructions and data occupy the same token stream. There is no firewall between data the agent reads and instructions the agent follows." When a chatbot gets prompt-injected, the worst outcome is bad text. When an agent gets prompt-injected, the worst outcome is shell execution, file modification, and outbound messages sent through real accounts. The blast radius is the difference between a chatbot and an agent, which is exactly the distinction that makes agentic AI compelling in the first place.

The standard response to software security problems is to patch the bugs, improve the defaults, and educate the users. OpenClaw has done all three. CVE-2026-25253 was patched within days. ClawHub added VirusTotal scanning. The community has produced a serious body of hardening guidance in a short time. But prompt injection is not a bug. It is a consequence of how language models process text, and there is no patch for it. You can reduce the blast radius. You cannot eliminate the attack surface.

The governance gap

China's response to OpenClaw is usually framed as Beijing being restrictive about foreign technology. That framing misses what is actually interesting about it.

In March 2026, Chinese authorities issued notices to state-run enterprises and the country's largest banks warning against installing OpenClaw on office devices. Some employees were banned from installing it on personal phones connected to company networks. The restrictions extended to families of military personnel. China's National Vulnerability Database published security guidelines. The People's Bank of China issued a separate warning for the financial sector.

At the same time, local governments in Shenzhen and Wuxi were offering multimillion-yuan subsidies to companies building on the same platform. Tencent, Alibaba, Baidu, and MiniMax had all shipped OpenClaw-based products. MiniMax shares rose 640% in two months.
Kendra Schaefer, partner at Trivium China, told Bloomberg: "Chinese regulators typically respond with extraordinary speed to threats from emerging technologies, but the rate of adoption of OpenClaw and other agentic tools is still outpacing them."

China, which has some of the most developed state capacity for technology regulation anywhere in the world, could not form a coherent position fast enough. The national government was restricting it while local governments were subsidizing it, simultaneously. The rest of the world is in the same position, just without the bans.
There is no established liability standard for when an agent acts outside a user's intent. There is no certification requirement before an AI system holds OAuth tokens for your inbox. There is no equivalent of PCI-DSS for agents handling personal data. NIST has an AI Agent Standards Initiative in early stages. OWASP has classified prompt injection as LLM01. The UK's NCSC has framed it as a "confused deputy" problem. None of this is implemented anywhere at the scale OpenClaw is already operating.

The question that matters

There is a version of this story where OpenClaw matures, the security ecosystem catches up, and it becomes what it was always meant to be: a genuinely useful assistant that handles the tedious parts of digital life. That is plausible.
But something has already happened that will not un-happen. Millions of people installed an AI agent with broad system access, most without understanding the threat model, and the world got a clear view of what happens when agentic AI spreads before the governance does.

The window we have now, where agentic AI is still mostly used by technically adventurous people who understand at least part of the risk, will not stay open. The tools are getting easier to install. The demos are getting more compelling.

OpenClaw did not create the agentic AI era. It just arrived early enough that we could watch, in real time, what it looks like when capability outpaces the systems meant to govern it.