Neural Newscast

[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders, Leaders, and Decision Makers.
[00:06] Aaron Cole: Welcome to Prime Cyber Insights.
[00:09] Aaron Cole: We begin today with a critical security alert for practitioners deploying local AI agents,
[00:15] Aaron Cole: specifically within the open claw ecosystem.
[00:18] Lauren Mitchell: Earlier this week, Oasis Security disclosed a high-severity flaw dubbed Clawjacked,
[00:24] Lauren Mitchell: It allows a malicious website to connect to a locally running open-claw dateway via web sockets,
[00:30] Lauren Mitchell: essentially bypassing cross-origin protections to take full administrative control of the agent.
[00:37] Aaron Cole: Joining us today is Chad Thompson, a director-level AI and security leader with a systems-level focus on automation,
[00:43] Aaron Cole: enterprise risk, and operational resilience.
[00:46] Aaron Cole: Chad, welcome to the briefing.
[00:47] Chad Thompson: Thanks, Aaron.
[00:49] Chad Thompson: When we look at Clawjacked, the real concern isn't just the web socket bypass.
[00:54] Chad Thompson: It's the blast radius.
[00:57] Chad Thompson: These agents aren't just chatbots.
[00:59] Chad Thompson: They have entrenched access to enterprise tools and the authority to execute tasks.
[01:06] Chad Thompson: If the gateway relaxes security for local connections, which this flaw exploited,
[01:12] Chad Thompson: the barrier between a malicious browser tab and your internal infrastructure effectively disappears.
[01:21] Lauren Mitchell: Chad, you mentioned the blast radius.
[01:24] Lauren Mitchell: How should practitioners be thinking about these non-human
[01:28] Lauren Mitchell: or agentic identities compared to traditional service accounts?
[01:32] Chad Thompson: The scale is the differentiator, Lauren.
[01:35] Chad Thompson: Traditional service accounts have limited scopes,
[01:38] Chad Thompson: but OpenClaw agents are often designed to read logs,
[01:42] Chad Thompson: Slack messages, and emails.
[01:45] Chad Thompson: If an agent can be manipulated via indirect prompt injection,
[01:50] Chad Thompson: like the log poisoning issue fixed earlier in February.
[01:55] Chad Thompson: You're looking at an attacker who can influence the agent's reasoning process
[02:00] Chad Thompson: without ever touching the core code.
[02:04] Aaron Cole: And the supply chain seems equally compromised.
[02:07] Aaron Cole: We're seeing reports of malicious skills on ClawHub.
[02:11] Aaron Cole: Ched, how does that change the threat model for a security team?
[02:15] Chad Thompson: It adds a social engineering layer directed at the agents themselves.
[02:19] Chad Thompson: We've seen threat actors like Bob von Neumann promoting malicious skills to other agents on social networks.
[02:28] Chad Thompson: It's an agent-to-agent attack chain.
[02:32] Chad Thompson: Security teams can't just audit human users anymore.
[02:36] Chad Thompson: They have to audit the skills and integrations the agents are pulling from these third-party marketplaces.
[02:44] Lauren Mitchell: Thanks for that perspective, Chad.
[02:46] Lauren Mitchell: Aaron, it's clear that the fix released on February 26th, version 2026.2.25, is mandatory.
[02:54] Lauren Mitchell: But the sheer volume of CVE's patch this year suggests a framework that's still maturing under heavy fire.
[03:01] Aaron Cole: Exactly, Lauren.
[03:02] Aaron Cole: Beyond Clawjacked, we've seen everything from server-side request forgery to remote code execution.
[03:09] Aaron Cole: Trend Micro has even flagged campaigns where Atomic Stealer is being delivered through legitimate-looking skills.
[03:16] Aaron Cole: This isn't just a vulnerability problem, it's a platform integrity crisis.
[03:21] Lauren Mitchell: The takeaway for our listeners is direct.
[03:24] Lauren Mitchell: Update to the latest version immediately, but more importantly, start auditing the specific
[03:30] Lauren Mitchell: permissions granted to these AI agents.
[03:33] Lauren Mitchell: If they don't need access to local logs or terminal commands, strip it away.
[03:38] Aaron Cole: That concludes our briefing for today.
[03:41] Aaron Cole: We will continue to track the evolution of agentic AI security as these frameworks move into
[03:48] Aaron Cole: deeper enterprise integration.
[03:50] Lauren Mitchell: Thank you for joining us in the briefing room.
[03:53] Lauren Mitchell: For more technical deep dives, visit pci.neuralnewscast.com.
[03:59] Lauren Mitchell: This program is for informational purposes and does not constitute professional advice.
[04:05] Lauren Mitchell: Neural Newscast is AI-assisted, human-reviewed.
[04:09] Lauren Mitchell: View our AI transparency policy at neuralnewscast.com.
[04:14] Announcer: This has been Prime Cyber Insights on Neural Newscast.
[04:18] Announcer: Intelligence for Defenders, Leaders, and Decision Makers.
[04:21] Announcer: Neural Newscast uses artificial intelligence in content creation,
[04:25] Announcer: with human editorial review prior to publication.
[04:28] Announcer: While we strive for factual, unbiased reporting,
[04:31] Announcer: AI-assisted content may occasionally contain errors.
[04:34] Announcer: Verify critical information with trusted sources.
[04:37] Announcer: Learn more at neuralnewscast.com.