John Z Black
Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Meta’s Director of Safety and Alignment recently shared a line that should hit different if you’ve given an AI agent access to your stuff:
“Nothing humbles you like telling your OpenClaw ‘confirm before acting’ and watching it speedrun deleting your inbox.”
Funny. Also the setup for a much less funny story.
A big Krebs on Security investigation this week lays out what happens when millions of people adopt AI agents that can read their messages, manage their files, and execute commands, and then don’t lock any of it down.
It gets ugly.
Hundreds of exposed control planes. A researcher at DVULN has been scanning for exposed OpenClaw admin interfaces and found hundreds. These aren’t just dashboards. An exposed admin panel can reveal API keys, bot tokens, OAuth secrets, and signing keys. Someone with access can impersonate the agent’s operator, inject messages into conversations, and pull full conversation history across every connected platform. Months of private messages and attachments, right there.
A supply chain attack that actually shipped. Cline, an AI coding assistant, used GitHub Actions with Claude for automated issue triage. An attacker created a GitHub issue with a prompt injection in the title. The injected instruction told the AI to install a package from a specific repo. Through a chain of additional vulns, the malicious package ended up in Cline’s nightly release. Thousands of developer machines got a rogue instance with full system access. Researchers called it “the supply chain equivalent of confused deputy.” Prompt injection as a supply chain weapon. Not theoretical. It shipped.
A fake OpenClaw package still live on npm. A malicious package called @openclaw-ai/openclawai impersonates the real installer. It deploys a remote access trojan and steals macOS keychain credentials. 178 downloads so far. Small number, but these are developer machines. Each one potentially holds access to codebases, cloud creds, SSH keys, and API tokens. The blast radius of one compromised dev machine is enormous.
Nation-states scaling with AI. AWS documented a Russian-speaking threat actor who used commercial AI services to compromise 600+ FortiGate devices across 55 countries in five weeks. The actor fed full internal network topologies to the AI and asked it to plan lateral movement. Not deeper technical skill. Just speed and scale. Microsoft confirmed the same pattern in a separate report: nation-state actors are using AI across every phase of attacks. The barrier to sophisticated operations is dropping.
Prompt injection as lateral movement. Orca Security is warning about “AI-induced lateral movement.” The concept is straightforward. AI agents with trusted network access can be hijacked via prompt injection hidden in anything they’re designed to consume. An email subject line. A ticket title. A Slack message. If the agent reads it and acts on it, malicious instructions embedded in that data can redirect its behavior. An AI that can open files, run commands, and authenticate to services is a lateral movement vector if its inputs aren’t sanitized.
If you run any AI agent:
Audit whether your admin interface is reachable from the public internet. Treat AI marketplace skills like software from an unknown vendor, because that’s what they are. Verify installer sources before you install anything. Apply least privilege. An AI that needs to read your calendar doesn’t need write access to your email. And assume prompt injection is a live threat against any untrusted input your agent processes.
The AI security story of early 2026 isn’t coming. It’s already here.