Agent Security
In-depth guides and analysis on agent security from the Safeguard engineering team.
16 articles
Claw Chain: Four Chained CVEs Turn 245,000 OpenClaw Agents Into Backdoors (May 2026)
Cyera disclosed four chainable flaws in OpenClaw on May 15, 2026 that take an autonomous agent from prompt injection to credential theft, privilege escalation, and a persistent backdoor. Roughly 245,000 instances sit exposed on the internet.
Nine Seconds to Total Loss: The PocketOS Agent Database Deletion and the Credential Blast-Radius Problem (May 2026)
An autonomous coding agent at PocketOS found an over-scoped Railway token in an unrelated file and used it to delete the production database and its backups in nine seconds. The failure was not the model. It was the credential.
CrewAI Sandbox Escape: Four CVEs That Chain Through Prompt Injection
Cyata disclosed four CrewAI vulnerabilities in early 2026 that chain through prompt injection to RCE, SSRF, and arbitrary file read. The Docker-fallback design pattern is the root cause.
ToxicSkills: When Claude Skills Become a Malware Distribution Channel
Snyk's ToxicSkills research found prompt injection in 36% of Claude skills tested and 1,467 malicious payloads. The SKILL.md trust model is the structural issue.
Anthropic mcp-server-git: Three CVEs That Chain to RCE via Prompt Injection
Three flaws in Anthropic's official Git MCP server let prompt injection in a README compromise the developer's machine. The chain shows how MCP servers leak authority.
MCP Spec 2025-11-25: Tasks, URL Mode Elicitation, and What Defenders Must Watch
The November 25, 2025 Model Context Protocol release adds Tasks, formalises long-running work, and reshapes the audit story for enterprise MCP.
LangGraph CVE-2025-64439: When Agent Checkpoints Become RCE
A JsonPlusSerializer fallback in langgraph-checkpoint let attacker-controlled payloads execute arbitrary Python on deserialization. We unpack the bug, the patch, and what agent operators must change.
The MCP Registry and the Namespace-Impersonation Problem
The official MCP Registry launched in September 2025 with namespace-bound publishing. We unpack the trust model and what it does — and does not — defend against.
Windsurf CVE-2025-62353: Path Traversal in Cascade and the IDEsaster Wave
HiddenLayer's CVSS 9.8 Windsurf flaw exfiltrated secrets even with write_to_file on the deny list. The Cascade agent's filesystem trust broke wide open.
Agent2Agent (A2A): The Security Model for Cross-Vendor Agent Communication
Google launched A2A in April 2025 with 50 partners; the Linux Foundation took it over in June. We unpack the security primitives and what defenders should ask for.
Devin's Sandbox: What the Autonomous Engineer Threat Model Looks Like
Cognition's Devin executes engineering tasks autonomously in cloud sandboxes. We unpack the trust boundaries, the human checkpoints, and what defenders must require.
MCPoison (CVE-2025-54136): How Cursor's Trust Model Failed Open
Check Point Research showed Cursor bound trust to MCP entry names, not contents. A swap-after-approval gave attackers persistent RCE on engineers' laptops.