We demonstrate how indirect prompt injection can turn OpenClaw — the popular open-source autonomous agent — into a persistent backdoor. Through a zero-click attack, we establish an external control channel, achieve durable persistence via SOUL.md manipulation, and escalate to full host compromise by deploying a C2 implant.

LLM-powered applications are moving to production faster than security practices can keep up. We built an end-to-end TARA tool — based on our paper ‘Invitation Is All You Need’ — that enables security teams to assess the risk LLM applications pose to end users, covering impact assessment across four categories, practicality scoring across six factors, risk matrix generation, and residual risk evaluation after mitigations.

OpenAI’s Atlas isn’t just a model that answers — it’s a model that acts. We analyze how OpenAI uses RL-based red teaming to defend against prompt injection in their agentic browser, why their own advice to avoid broad prompts reveals a fundamental weakness, and what it means when text becomes execution.

A deep dive into OpenAI AgentKit’s four built-in guardrails — PII, Hallucination, Moderation, and Jailbreak detection. We put each one to the test, exposing the flawed assumptions behind them and demonstrating how simple variations can bypass every single layer.

OpenAI launched AgentKit — a platform for building agentic workflows with Agent Builder, Connector Registry, and ChatKit. We break down the platform’s architecture and uncover key security risks including private data leakage, excessive agency, soft security boundaries, unsafe instruction definitions, and deployment pitfalls.