Blog

The latest about AI’s security blind spots

Beware of the tiny agents in your browser: a Chrome Prompt API case study
May 11, 2026
12 min

Chrome now ships an on-device language model that any web page or extension can call. We built two minimal browser agents on top of it and showed that a single comment in a blog post can drive a cross-tab bank transfer or exfiltrate the contents of every other open tab to an attacker server. No CVE. No malicious extension. The model behaved exactly as designed.

Matan Levi, PhD
Managed Agent Platforms: A Security Audit
May 5, 2026
15 min

Three vendors now ship managed agent platforms aimed at the same enterprise buyer: Anthropic, OpenAI, and Google. They are trying to solve the same problem, but their documented security boundaries are not the same shape. We walk each vendor's public docs and ask the question a security team will eventually have to answer.

Matan Levi, PhD
Agent sandboxes can break: a Gemini CLI permission vulnerability
May 5, 2026
5 min

Coding agents like Claude Code, Codex, and Gemini CLI rely on permission perimeters to keep their blast radius small. We found that these perimeters are not always hermetic. Here is a vulnerability we discovered in Gemini CLI that let a benign auto-approved command turn into a reverse shell.

Nitsan Bar, PhD
Eytan Schulman
Anatomy of an Agent Harness: What We Learned from Claude Code's 512,000-Line Leak
April 16, 2026
10 min

On March 31, Anthropic accidentally shipped Claude Code with a 59.8MB source map still attached, exposing 512,000 lines of unobfuscated TypeScript. The real story is what those lines reveal about what a production-grade agent harness actually looks like under the hood.

Matan Levi, PhD
The Invisible Execute: How Claude Code’s Advanced Skill Patterns Become Blind Spots
March 10, 2026
5 min

When we teach an AI to code, we expect it to see everything it’s doing. That assumption breaks down in Claude Code’s skills system, where shell commands exfiltrate credentials before the AI receives a single token, and hooks silently surveil every tool call the AI makes. In both cases, the AI has no idea any of it is happening.

Matan Levi, PhD
When AI Agents Browse Unprotected: A Security Audit of OpenClaw × Moltbook
February 19, 2026
15 min

*A technical security analysis of the OpenClaw ↔ Moltbook integration, February 2026*

Matan Levi, PhD
Designing safe production AI agents via tool scoping: the outreach agent use-case
February 19, 2026
10 min

It’s tempting to build an “agent” by handing it every tool it might need: a browser, a search API, an email client, and maybe even direct database access.

Nitsan Bar, PhD