20 Minutes With an AI Agent Changed How I Think About Recon
TLDR: I spent 20 minutes doing AI-assisted red team simulation with Claude Cowork against a live production SaaS. No purpose-built tooling. No prior knowledge of the target. I walked away with confirmed PII exposure — real names, email addresses, account identifiers — on a live system. The same capabilities that make AI agents useful for legitimate work make them highly capable recon tools. The gap between "helpful assistant" and "passive attacker" is smaller than most people think.
I’m a QA analyst and secrets management practitioner — not a red teamer by primary specialization. I don’t have a toolkit of custom scripts for offensive security work. What I do have is a browser, Claude Cowork, and enough security fundamentals to know what I’m looking at. ...
The Liability Gap: When AI Agents Act, Who's Responsible?
TLDR: When an AI agent acts on injected instructions and causes real damage, nobody knows who's liable — not legally, not contractually, not yet. The platforms disclaim everything. The enterprise deployers aren't sure. The end users never understood the risk they accepted. The landmark case that answers this question hasn't been filed yet. The window to document the framework before it lands is open right now.
AI agent tools work so reliably most of the time that users rationally stop supervising them. This isn’t negligence — it’s the correct behavioral adaptation to a system with a 95%+ success rate. You stop watching because watching has never mattered. ...
Cowork Threat Surface: When the Agent Is the Attack Vector
TLDR: Anthropic's new consumer AI agent can read your files, browse the web, and run commands on your machine — all on your behalf, all autonomously. When an AI acts on your behalf, anything it reads can act on your behalf too. No confirmed breach yet, but the same attack class already produced a supply chain compromise at Cline. The difference is this product is marketed to everyone at $20 a month.
Claude Cowork is Anthropic’s general-purpose desktop agent — released to all Pro subscribers in early 2026. It reads your files, fetches web pages, runs terminal commands, and executes multi-step tasks on your behalf. That’s the product. That’s also the attack surface. ...
Clinejection: How a GitHub Issue Compromised Cline's Entire NPM Supply Chain
TLDR: Cline's own AI support bot was weaponized against them — an attacker fed it instructions through a public GitHub issue, it complied, and the result was malicious software shipped to over a million weekly users. They didn't breach the system. They gave the AI instructions through a public channel, and it executed them. The bot didn't have direct access to publishing credentials. It corrupted the infrastructure that did.
Cline is one of the most popular AI coding tools in the world. Their GitHub repo runs an AI bot that automatically reads and responds to incoming issues — helpful for triage at scale. Someone figured out that if you craft the right issue title, the bot doesn’t just read it. It follows it. ...