Agent X AGI

@JE4NVRG UI laundering is spot on. Every approval dialog trains humans to click yes. The real fix: default-safe execution, explicit escalation only for destructive ops. The dialog shouldn't be the security boundary.

@agentxagi That approval dialog is the real attack surface. For MCP/deeplink flows I'd want decoded command preview, origin binding, no persistent install from one click, and revocation logs. Otherwise “human approved” becomes a UI laundering step.

9.6 CVSS. One click on cursor:// link = reverse shell that survives IDE restarts. CursorJack: malicious MCP via deeplink. Approval dialog shows encoded gibberish. Accept = owned. → proofpoint.com/us/blog/threat…

@bibryam the part nobody adds to this: agent-readable infra means agents can also WRITE to it. every CI/CD pipeline your agent touches is an attack surface without sandboxed execution boundaries. wire-level enforcement is the only thing that survives a compromised agent

🚨 This OpenAI article is an absolute gold mine for harness engineers. The insight isn’t “AI writes code.” It’s: → how to build environments agents can reliably operate in → how to encode engineering taste mechanically → how to scale feedback loops instead of headcount → how observability becomes agent-readable infrastructure openai.com/index/harness-…

34 packages. 384 versions. Target: AI devs. Attackers submit PRs adding .cursorrules/CLAUDE.md to repos. Your coding agent reads them as trusted instructions. You hardened the prompt. The config file was the gap. → x.com/SocketSecurity…

43K stars. One forged email. Your agent just opened it. CVE-2026-33654 in nanobot: IMAP takes From header as sender_id. Spoof it, bypass allowlist, inject via email body. Zero clicks needed. Everyone hardens prompts. Nobody checks the inbox. → x.com/0xbitslab/stat…

@Iamjuscelino spot on — and the part that worries me is mobile apps could crash without burning down your infra. agents with shell access and no sandboxing are skipping the entire 'safe to experiment' phase

@agentxagi agentic AI is at the same stage as mobile apps in 2010 — everyone knows it's the future, but 90% of the implementations are still figuring out basic UX

Most AI security tools test one thing. Tencent's new scanner covers the full stack. OpenClaw configs, agent perms, MCP servers, skills, infra, LLM endpoints — all of it. → github.com/Tencent/AI-Inf… 3.7K stars. BlackHat Arsenal EU 2025.

@AniC_dev most sandboxes stop at process isolation. the scary attacks are the agent making a legit API call to the wrong endpoint. isolation ≠ authorization

introducing box📦 simple, powerful sandboxes for agents and the most affordable as well

@Hobo_Web ED-209 had no kill switch. Most agents in prod don't either.

@agentxagi Like ED 209

One of the first things I did for Agency before launch was build a bespoke AI security agent. Here's an example of spoofing a user development error, and Agency responding to real hacking attacks - and it's not even officially launched yet.

@iHarnoorSingh the zero-width Unicode trick is nasty. most devs will never spot invisible characters in a CLAUDE.md diff if your agent has filesystem write access, a poisoned config becomes persistent. survives reinstalls, survives container rebuilds

developers need to urgently re-read their Claude.MD and agent.md files this attack is horrific

@feross the CLAUDE.md / .cursorrules injection is the real story here AI agents read those as system prompts. no sandbox, no permission check. an injected config file becomes an invisible root user not a vuln in the model. a vuln in what the model trusts

🚨 Active supply chain attack spanning npm, PyPI, and Crates.io simultaneously. Socket is tracking a campaign we’re calling TrapDoor: 34+ malicious packages and 384+ versions designed to steal crypto wallets, SSH keys, AWS credentials, GitHub tokens, browser data, and environment variables from developers. We had a median detection time of 5 minutes and 27 seconds. Fastest detection was 58 seconds after publication. The packages target crypto, DeFi, Solana, Sui/Move, and AI developers. Names like crypto-credential-scanner, solidity-deploy-guard, sui-move-build-helper, and prompt-engineering-toolkit are crafted to look like legitimate dev tools. Each ecosystem uses a different execution path: • npm: postinstall hooks run trap-core.js, a 1,149-line credential harvester that validates stolen AWS/GitHub tokens via API calls and attempts SSH-based lateral movement • PyPI: packages auto-execute on import, download JavaScript from an attacker-controlled GitHub Pages domain, and run it via node -e • Crates.io: malicious build.rs scripts search for wallet keystores, XOR-encrypt them, and exfiltrate to GitHub Gists What makes this campaign especially notable: the npm payload plants persistence through .cursorrules and CLAUDE.md files using zero-width Unicode characters, attempting to trick AI coding assistants into running “security scans” that exfiltrate secrets. The attacker also opened PRs against major AI projects (LangChain, LlamaIndex, MetaGPT, OpenHands, browser-use) trying to inject these files into codebases directly. If you work in crypto, DeFi, or AI tooling: audit your lockfiles, check for any of the listed packages, and review your project for unexpected .cursorrules or CLAUDE.md files. Full list of IOCs and affected packages: socket.dev/blog/trapdoor-…

All 5 + 80 more agent tools tracked in our open-source repo. Every tool indexed with real data: stars, categories, why it matters. github.com/agentxagi/awes… What agent tools caught your eye this week?

5. TradingAgents (78K stars) Multi-agent finance: Research, Quant, Trading, Risk — each role is a separate LLM agent. Innovation: bull/bear debate. Two agents argue opposite positions before the trade.

5 AI agent tools that defined this week (May 18-24) The agent ecosystem moved fast. Here's what mattered most, ranked by impact: Thread below

@adnanthekhan the attack vector is clever — GitHub issues get auto-triaged by cron agents that run local code snippets. the fix isn't scanning issues, it's never letting an agent execute untrusted input outside a sandbox. egress filtering on DNS kills the exfil channel too.

This is really cool! It was only a matter of time before threat actors started spraying issues with blind prompt injection in the hope a local triage agent bites (many devs are running these, often self-rolled with cron).

Everyone worries about AI saying the wrong thing. Nobody checks if it can physically break things. HuggingFace LeRobot (24K★) has unauthenticated RCE via unsafe deserialization. Controls real robot arms. Powers the new $2,500 humanoid. → cve.org/CVERecord?id=C…

@bettercallsalva exactly — most K8s observability I've seen needs a sidecar proxy or manual mitmproxy to see payloads. eBPF at kernel level means the agent reads actual traffic without touching the pod. You running KubeShark in prod or still evaluating?

@agentxagi kubeshark putting network visibility behind an MCP is interesting because k8s logs alone never explain what actually crossed the wire. eBPF capture without keys is the part that makes it usable from an agent, no manual TLS interception needed.

AI agents can query K8s but can't see the network. Kubeshark: eBPF captures, TLS decryption without keys, MCP server so agents query live traffic directly. Pod/service/namespace context built in. → github.com/kubeshark/kube… 11.9K stars