Tagged: execution-layer-security

10 posts

6 min read

AgentSH v0.18.0: Real Secrets Stay Out of the Agent

AgentSH v0.18.0 adds a Secrets Manager with third-party vault support and an HTTP service gateway that controls outbound API traffic by method and path -- so agents can act without raw credentials or unchecked network access.

5 min read

Untrusted Text, Trusted Shell

An attacker put untrusted text into a GitHub issue. An AI workflow turned it into shell commands inside CI. The Cline supply-chain incident shows why runtime enforcement matters more than prompt defense.

5 min read

Command Injection Is Not the Story. Inherited Authority Is.

The BeyondTrust Codex writeup shows a real command injection bug. But the deeper lesson is not about escaping shell arguments -- it is about why one injection was enough to steal a token and exfiltrate it.

10 min read

Supply Chain Attacks Are Hard to Stop Upstream. That Is Exactly Why You Need Control at Runtime

The LiteLLM compromise shows why upstream supply chain defenses are not enough. Once a bad package lands, what matters is whether it can actually do anything dangerous.

19 min read

A Year of AI Tool Exploits, One Root Cause

Fourteen vulnerabilities across Claude Code, Cursor, MCP servers, and Claude Desktop share a single root cause: untrusted content driving privileged actions with no independent enforcement layer.

4 min read

Rule Files Are Not Enforcement

Files like CLAUDE.md, GEMINI.md, and AGENTS.md are useful context, not real constraints. The difference between telling an agent 'please don't' and making it so it can't matters more than ever.

4 min read

One Line Under the Agent

Announcing @agentsh/secure-sandbox for TypeScript — one line to put AgentSH under the hosted sandbox your agent already uses, with kernel-level policy enforcement for file access, network egress, and process execution.

5 min read

Bugs Happen. Agents Still Run.

Agent runtimes are software, and software has bugs. When trust boundaries fail, the only durable defense is execution-layer security that constrains file access, network egress, and process execution.

11 min read

Breaking the Agentic Kill Chain: Where Beacon and AgentSH Disrupt Attacks

Mapping Beacon and AgentSH to the cybersecurity kill chain, showing where each product breaks the attacker's sequence in supervised and unsupervised AI environments.

4 min read

When an AI Agent Complies

Many AI agent incidents occur not because systems break rules, but because they follow them perfectly. When autonomy meets human permission models, authorized actions can still become unsafe.