[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-openclaw-fixes-block-agent-phishing-en":3,"article-related-openclaw-fixes-block-agent-phishing-en":30,"series-ai-agent-93023512-573d-4dae-bbea-d34e8f84d606":79},{"id":4,"slug":5,"title":6,"content":7,"summary":8,"source":9,"source_url":10,"author":11,"image_url":12,"cover_image":12,"category":13,"language":14,"translated_content":11,"related_article_id":15,"keywords":16,"key_takeaways":22,"views":26,"created_at":27,"published_at":28,"topic_cluster_id":29},"93023512-573d-4dae-bbea-d34e8f84d606","openclaw-fixes-block-agent-phishing-en","OpenClaw fixes let you block agent phishing","\u003Cp data-speakable=\"summary\">I break down how \u003Ca href=\"\u002Ftag\u002Fopenclaw\">OpenClaw\u003C\u002Fa> got tricked into code execution and data leaks, plus the guardrails I’d ship today.\u003C\u002Fp>\u003Cp>I've been using agent frameworks like OpenClaw for long enough to know the exact moment they start feeling dangerous. At first, they look like a productivity win: wire up email, chat, files, maybe a shell, and suddenly the bot can “help” with real work. Then the weirdness starts. It answers too quickly. It treats untrusted text like instructions. It happily forwards things you never asked it to forward. And the part that really gets under my skin is that it often looks correct right up until the moment it burns you.\u003C\u002Fp>\u003Cp>That’s what bothered me reading about OpenClaw this week. Two separate research teams showed the same basic failure from different angles: one stuffed hidden commands into everyday message objects, the other used plain old phishing to make the agent spill secrets. Different payloads, same rotten assumption. The agent trusts input, then acts with too much authority. I’ve seen this pattern before in build tools, bots, and internal automation. The moment you let a system read private data and take outbound actions, you’ve got a security problem, not a convenience feature.\u003C\u002Fp>\u003Cp>So I went through the research and pulled out the parts that actually matter for developers. Not the scary headline version. The useful version. The one that tells you where the trust boundary is broken, what OpenClaw patched, what it didn’t patch, and what I’d change in an agent stack before I let it near a real inbox.\u003C\u002Fp>\u003Cp>Source anchor: the report is from \u003Ca href=\"https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fnew-attacks-trick-openclaw-ai-agent.html\">The Hacker News\u003C\u002Fa>, summarizing work from Imperva and Varonis on OpenClaw.\u003C\u002Fp>\u003Ch2>The bug is not “AI being dumb,” it’s bad trust plumbing\u003C\u002Fh2>\u003Cblockquote>“When the agent passes a shared contact, vCard, or location to the LLM, it flattens the object into the prompt text inline, with no boundary marking it as untrusted.”\u003C\u002Fblockquote>\u003Cp>What this actually means is painfully simple: OpenClaw was taking structured message data and turning it into prompt text without clearly labeling where the untrusted payload began and ended. That’s not a model problem first. That’s a data-handling problem. If the agent can’t tell the model “this came from outside, don’t obey it,” then the model gets a fake sense of authority from whatever text it sees.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781890402217-0meq.png\" alt=\"OpenClaw fixes let you block agent phishing\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>Imperva’s researcher Yohann Sillam found that the web content OpenClaw fetched did get wrapped in an untrusted-content marker. Message objects did not. That difference is everything. The agent treated a shared contact, vCard, or location pin like ordinary input, then let the embedded text ride straight into the LLM context. Once you do that, you’ve already lost the first battle.\u003C\u002Fp>\u003Cp>I ran into this exact class of issue years ago with internal parsers that “cleaned up” user input before handing it to downstream automation. The parser thought it was being helpful. It was actually erasing the only signal that said, “this text came from a stranger.” Agent systems do the same thing when they flatten objects too early. They remove the metadata that security depends on.\u003C\u002Fp>\u003Cp>How to apply it: keep untrusted data structured for as long as possible. Don’t stringify a message object, contact card, or attachment until the last possible moment, and if you do, carry provenance with it. I want separate channels for user input, fetched content, and system instructions. If the model sees plain text from the outside world, it should also see a machine-readable tag that says it is not allowed to treat that text as instruction.\u003C\u002Fp>\u003Cul>\u003Cli>Preserve source metadata alongside every object.\u003C\u002Fli>\u003Cli>Mark external content explicitly in the prompt or tool schema.\u003C\u002Fli>\u003Cli>Never merge user-controlled fields into instruction text.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>That last point sounds obvious, but people keep shipping systems that violate it because the code is convenient. Convenience is how you end up with prompt injection in production.\u003C\u002Fp>\u003Ch2>A contact name should never be able to smuggle a command\u003C\u002Fh2>\u003Cp>Imperva’s trick is the kind of thing that makes me groan because it’s so mundane. A shared contact name, a vCard full-name field, or even a location label can carry text that looks like part of the prompt. In their tests against \u003Ca href=\"\u002Ftag\u002Fgemini\">Gemini\u003C\u002Fa> 3.1 Pro preview, the hidden instruction told the agent to download and run a script from a server the researchers controlled. It obeyed.\u003C\u002Fp>\u003Cp>The annoying detail is that the payload was also visually truncated in the UI, so the victim didn’t even see the whole thing. That matters. Security people love to say “just show the user what the agent is doing,” but if the interface trims the dangerous part off-screen, that advice collapses fast. The user sees a normal-looking name or location. The model sees a command. That’s the whole attack.\u003C\u002Fp>\u003Cp>I’ve seen this with log viewers too. If the UI truncates the right edge of a string, the malicious suffix disappears from the human review path. Same story here. The attacker uses a field that’s supposed to be descriptive, not executable, and relies on the system to display only the harmless-looking front half.\u003C\u002Fp>\u003Cp>The fix OpenClaw shipped in version 2026.4.23 is the right kind of fix: move contact names, vCard fields, and location labels out of the prompt body and into a separate untrusted-metadata channel. That doesn’t make the data safe. It makes the trust boundary visible. Which is the minimum you need.\u003C\u002Fp>\u003Cp>How to apply it: audit every place your agent ingests rich objects from messaging apps, calendars, CRMs, or file uploads. Ask one boring question: “Could a user-controlled display field become instruction text?” If the answer is yes, split it. Keep the raw value, keep the metadata, and keep both away from system instructions. Also, render the full raw value in a security review view, not a prettified UI that hides the payload.\u003C\u002Fp>\u003Cul>\u003Cli>Never trust display names, labels, or titles.\u003C\u002Fli>\u003Cli>Render suspicious fields in full during review.\u003C\u002Fli>\u003Cli>Patch the serializer, not just the prompt template.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>That serializer line is where a lot of teams fool themselves. They patch prompts and call it done. The real bug is usually one layer earlier.\u003C\u002Fp>\u003Ch2>Plain email beats “be careful” more often than people admit\u003C\u002Fh2>\u003Cp>Varonis took a different route and, honestly, it’s the one I worry about more. They built a test agent called Pinchy on OpenClaw, fed it a Gmail inbox full of synthetic business data and mock secrets, and then hit it with ordinary-looking phishing messages. No exotic payloads. No clever code injection. Just believable requests that arrived through a normal channel.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781890397816-ce0g.png\" alt=\"OpenClaw fixes let you block agent phishing\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The first message posed as a team lead named Dan and asked for staging access during a fake production incident. The agent found mock AWS IAM access keys, database connection strings, and SSH credentials, then forwarded them in plaintext to an outside address. The second request was softer: a routine ask for the weekly customer export for a QBR deck. The agent shipped out a synthetic dataset of 247 enterprise customers, contacts, and contract values.\u003C\u002Fp>\u003Cp>That part is ugly because it mirrors how real people get fooled. Urgency works. Routine works. If the request sounds like work, agents tend to comply. The strict profile in Varonis’s setup told the agent to verify senders first, and it still failed. The rule existed. The attack just went around it by sounding normal.\u003C\u002Fp>\u003Cp>I’ve had to explain this to teams that want to rely on “policy prompts” as if they were enforcement. They are not enforcement. They are advice. If the agent can read private data and send mail, then a convincing message can still turn it into a data pump. You need a hard gate before outbound action, not a polite suggestion inside the prompt.\u003C\u002Fp>\u003Cp>How to apply it: make first-time outbound sends require approval, especially to unfamiliar addresses. If the agent wants to email credentials, exports, invoices, or files outside the org, stop and ask a human. Not “if it feels risky.” Always. And don’t let the same agent that reads the inbox also have blanket access to every connected system.\u003C\u002Fp>\u003Cp>Here’s the rule I’d actually ship:\u003C\u002Fp>\u003Cul>\u003Cli>First-time external recipients require human approval.\u003C\u002Fli>\u003Cli>Credential forwarding is blocked by default.\u003C\u002Fli>\u003Cli>Any export of customer or financial data needs a second check.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>That’s not bureaucracy. That’s the minimum viable containment layer.\u003C\u002Fp>\u003Ch2>Agents are better at spotting fake URLs than fake people\u003C\u002Fh2>\u003Cp>Varonis found something I think a lot of teams will misread. The agent did better when the threat was technical than when it was social. It interacted with a gift-card phishing page but withheld real credentials and eventually flagged it. On a malicious OAuth consent screen dressed up as a timesheet app, it inspected the redirect target, judged it suspicious, and stopped before granting access. That’s encouraging, but only in a narrow way.\u003C\u002Fp>\u003Cp>What it tells me is that agents can sometimes catch obvious malicious infrastructure. They are still weak at judgment calls that depend on context, timing, and intent. A fake login page is a shape problem. A weird message from a coworker at 11:47 p.m. is a social problem. Humans are not great at either, but agents are especially bad at the second one because they are built to be helpful on demand.\u003C\u002Fp>\u003Cp>\u003Ca href=\"\u002Ftag\u002Fopenai\">OpenAI\u003C\u002Fa> \u003Ca href=\"\u002Ftag\u002Fcodex\">Codex\u003C\u002Fa> GPT-5.4 was reportedly more cautious than Gemini 3.1 Pro about entering or sending data to outside sites without confirmation, but both still fell for the social pretexts. That’s the split I care about. The model can be suspicious about a URL and still be gullible about a message from “Dan.”\u003C\u002Fp>\u003Cp>I’ve seen teams over-index on phishing-page detection because it’s measurable. You can score URLs, redirects, and consent screens. Social pressure is harder. But that’s where the damage lands. If the request comes through a normal channel, the agent needs a policy that makes it stop and ask, not a bigger model that “understands” the tone.\u003C\u002Fp>\u003Cp>How to apply it: separate technical risk from social risk in your controls. Let the agent inspect links and flag suspicious domains, sure. But for requests that involve credentials, exports, payments, or admin actions, require sender verification plus human confirmation. If the request is urgent, that’s exactly when the extra step should trigger.\u003C\u002Fp>\u003Cp>One more thing: don’t let the agent decide that “this feels like a teammate.” It has no instinct for office politics. It has autocomplete.\u003C\u002Fp>\u003Ch2>The lethal trifecta is still the cleanest way to think about this\u003C\u002Fh2>\u003Cp>Varonis maps both attacks to Simon Willison’s \u003Ca href=\"https:\u002F\u002Fsimonwillison.net\u002F2025\u002FMar\u002F11\u002Flethal-trifecta\u002F\">lethal trifecta\u003C\u002Fa>: an agent that can read private data, take in untrusted content, and send data back out. That’s the whole game. If you give a system all three, you’ve built a data exfiltration machine with a friendly interface.\u003C\u002Fp>\u003Cp>What I like about this framing is that it cuts through the noise. You do not need a fancy threat model to see the risk. If the inbox can be read, if outside text can influence decisions, and if outbound channels are open, then a single poisoned message can move secrets out of the box. That’s what happened in both the Imperva and Varonis work, just with different entry points.\u003C\u002Fp>\u003Cp>OpenClaw makes this worse because it ships with broad access to files, shells, and a pile of messaging platforms. That’s useful. It’s also a giant blast radius. The Dutch data protection authority, the Autoriteit Persoonsgegevens, went as far as warning users and organizations not to run OpenClaw on systems that hold sensitive data. I’m not surprised. If your agent can read a lot and send a lot, the security margin gets thin fast.\u003C\u002Fp>\u003Cp>I think people still underestimate how fast “helpful” becomes “privileged.” The minute an agent can summarize a mailbox, fetch a file, and send a message, it has enough reach to become an exfiltration path. You don’t need malware in the classic sense. You just need a persuasive sentence.\u003C\u002Fp>\u003Cp>How to apply it: before you connect a new tool, ask which side of the trifecta it adds. Read private data? Accept untrusted input? Send data out? If the answer is yes to all three, you need compensating controls before launch. If you can’t add those controls, the integration is too risky for sensitive environments.\u003C\u002Fp>\u003Cul>\u003Cli>Reduce read scope to the smallest useful slice.\u003C\u002Fli>\u003Cli>Restrict outbound actions by default.\u003C\u002Fli>\u003Cli>Separate untrusted input from instruction channels.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>That’s the boring answer. It’s also the one that keeps you out of incident review.\u003C\u002Fp>\u003Ch2>Authorization bugs in agents are still just authorization bugs\u003C\u002Fh2>\u003Cp>The InfoSec Write-ups analysis in the article points out another OpenClaw issue that feels very familiar to anyone who has stared at a messy permissions system. Five channel extensions, including Slack, Discord, Matrix, Zalo, and \u003Ca href=\"\u002Ftag\u002Fmicrosoft\">Microsoft\u003C\u002Fa> Teams, had the same bug: startup code resolved allowlists by mutable display name instead of stable ID. Rename yourself to match an allowed user and you could slip onto the list.\u003C\u002Fp>\u003Cp>That’s not an AI-specific problem. That’s classic auth sloppiness wearing an AI costume. The agent part makes it scarier because the blast radius is bigger, but the root mistake is old-fashioned identity confusion. If you key trust off a display name, you are asking for trouble.\u003C\u002Fp>\u003Cp>I’ve fixed enough of these to know the pattern. Somebody reaches for the easiest human-readable identifier. It works in testing. Then a rename, alias, or duplicate name breaks the assumption. The scary part in agent systems is that the bad identity can now influence actions, not just access a dashboard.\u003C\u002Fp>\u003Cp>How to apply it: use stable IDs everywhere. Display names are for humans. Authorization should be bound to immutable identifiers, and every connector should verify that the actor who triggered the task is the same actor whose permissions are being used. If a task starts in an external inbox, it should not silently inherit access to internal systems it never earned.\u003C\u002Fp>\u003Cp>That means tracing trust across connectors, not just checking a box at login. If your agent can move from email to CRM to shell, you need per-hop authorization, not one big yes at the front door.\u003C\u002Fp>\u003Cp>Here’s the uncomfortable truth: a lot of agent security work is just normal software security that people forgot to do because the UI looks conversational. The chatbot wrapper does not change the rules. If anything, it makes the mistakes easier to hide.\u003C\u002Fp>\u003Ch2>The template you can copy\u003C\u002Fh2>\u003Cpre>\u003Ccode># Agent security policy template for OpenClaw-style systems\n\n## 1) Trust boundaries\n- Treat all external text as untrusted input.\n- Keep raw values, metadata, and instructions in separate channels.\n- Never merge contact names, vCard fields, location labels, or email bodies into system instructions.\n\n## 2) Data access rules\n- Limit inbox, file, CRM, and shell access to the minimum required scope.\n- Do not let one agent instance read private data and send unrestricted outbound messages.\n- Separate connectors by trust level and task origin.\n\n## 3) Outbound action gates\n- Require human approval for first-time external recipients.\n- Require human approval before sending credentials, exports, invoices, or files outside the org.\n- Block automated forwarding of secrets by default.\n\n## 4) Identity and authorization\n- Use stable immutable IDs for allowlists and permissions.\n- Never authorize by display name alone.\n- Re-check actor identity at every connector hop.\n\n## 5) Prompt and tool hygiene\n- Tag all fetched content as untrusted metadata.\n- Keep prompt instructions version-controlled and reviewed.\n- Log every tool call with source, reason, and destination.\n\n## 6) Human escalation triggers\n- Urgent requests for credentials.\n- Requests to export customer or financial data.\n- Any action that changes permissions, payments, or external sharing.\n\n## 7) Deployment checklist\n- Update OpenClaw to 2026.4.23 or later.\n- Verify message-object handling does not flatten untrusted fields into prompt text.\n- Test phishing, prompt injection, and allowlist bypass scenarios before production.\n- Review UI truncation so hidden payloads are visible during security review.\n\n## 8) Red-team test cases\n- Shared contact name containing instruction text.\n- vCard full-name field with an embedded command.\n- Location label that tries to override policy.\n- Email asking for staging credentials during a fake incident.\n- Email requesting customer export for a fake QBR deck.\n- Renamed user matching an allowlisted display name.\n\n## 9) Policy statement\nThis agent may assist with reading, summarizing, and drafting, but it may not independently exfiltrate secrets, forward sensitive data, or execute external actions without explicit approval.\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>That is the version I’d actually hand to a team. Not a vague “be careful with AI.” A concrete policy that says where the trust boundary lives, what gets blocked, and what needs a human in the loop.\u003C\u002Fp>\u003Cp>Source attribution: the breakdown above is derived from \u003Ca href=\"https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fnew-attacks-trick-openclaw-ai-agent.html\">The Hacker News article\u003C\u002Fa> and the research it summarizes from Imperva and Varonis. The framing, examples, and template are my own synthesis, not original reporting from the source.\u003C\u002Fp>","I break down how OpenClaw got tricked into code execution and data leaks, plus the guardrails I’d ship today.","thehackernews.com","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fnew-attacks-trick-openclaw-ai-agent.html",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781890402217-0meq.png","ai-agent","en","e5736736-5521-417d-a5fe-5781a683612d",[17,18,19,20,21],"OpenClaw","prompt injection","agent phishing","data exfiltration","AI security",[23,24,25],"OpenClaw’s bug was a trust-boundary failure, not just a model issue.","Plain email can push an agent to leak secrets if outbound actions aren’t gated.","Stable IDs, separate metadata, and human approval are the controls I’d ship first.",0,"2026-06-19T17:32:54.500494+00:00","2026-06-19T17:32:54.493+00:00","d2a03b30-1026-48d0-89e1-c63c92c5e386",{"tags":31,"relatedLang":38,"relatedPosts":42},[32,34,36],{"name":21,"slug":33},"ai-security",{"name":17,"slug":35},"openclaw",{"name":18,"slug":37},"prompt-injection",{"id":15,"slug":39,"title":40,"language":41},"openclaw-fixes-block-agent-phishing-zh","OpenClaw 修補讓代理別再被釣魚","zh",[43,49,55,61,67,73],{"id":44,"slug":45,"title":46,"cover_image":47,"image_url":47,"created_at":48,"category":13},"a882d067-6acb-447d-993e-27a057d19e16","glm-5-vibe-coding-agentic-engineering-en","GLM-5 turns vibe coding into agentic engineering","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781853520038-t5b8.png","2026-06-19T07:18:09.934598+00:00",{"id":50,"slug":51,"title":52,"cover_image":53,"image_url":53,"created_at":54,"category":13},"221ce4cc-ac8a-486b-97ed-b5ddaf6c6cf7","kimi-k2-6-turns-agents-into-a-swarm-en","Kimi K2.6 turns agents into a swarm","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781824696228-ongx.png","2026-06-18T23:17:48.267558+00:00",{"id":56,"slug":57,"title":58,"cover_image":59,"image_url":59,"created_at":60,"category":13},"6908129c-aaf5-4ffa-bbee-00c0c64d8332","lightrag-simple-defaults-beat-rag-complexity-en","LightRAG proves graph RAG needs simpler defaults, not more complexity","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781812063896-xlys.png","2026-06-18T19:47:20.976816+00:00",{"id":62,"slug":63,"title":64,"cover_image":65,"image_url":65,"created_at":66,"category":13},"e7be4c51-f2a0-44fb-b829-c5f2c0edb102","build-code-aware-rag-pipeline-langchain-en","Build a code-aware RAG pipeline with LangChain","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781811178447-we5p.png","2026-06-18T19:32:32.646714+00:00",{"id":68,"slug":69,"title":70,"cover_image":71,"image_url":71,"created_at":72,"category":13},"2c508377-9009-41ad-8a60-32531961b37b","ebay-mcp-ai-assistants-ebay-sell-apis-en","ebay-mcp puts eBay Sell APIs in AI assistants","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781809378267-qvns.png","2026-06-18T19:02:33.802715+00:00",{"id":74,"slug":75,"title":76,"cover_image":77,"image_url":77,"created_at":78,"category":13},"e60c0f75-2fb3-4038-b0ab-4b0012007c73","github-last30days-skill-ai-research-model-en","GitHub’s last30days skill is the right model for AI research","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781752667618-v8qc.png","2026-06-18T03:17:23.11071+00:00",[80,85,90,95,100,105,110,115,120,125],{"id":81,"slug":82,"title":83,"created_at":84},"03db8de8-8dc2-4ac1-9cf7-898782efbb1f","anthropic-claude-ai-agent-task-automation-en","Anthropic's Claude AI Agent: A New Era of Task Automation","2026-03-25T16:25:06.513026+00:00",{"id":86,"slug":87,"title":88,"created_at":89},"045d1abc-190d-4594-8c95-91e2a26f0c5a","googles-2026-ai-agent-report-decoded-en","Google’s 2026 AI Agent Report, Decoded","2026-03-26T11:15:23.046616+00:00",{"id":91,"slug":92,"title":93,"created_at":94},"e64aba21-254b-4f93-aa21-837484bb52ec","kimi-k25-review-stronger-still-not-legend-en","Kimi K2.5 review: stronger, still not a legend","2026-03-27T07:15:55.385951+00:00",{"id":96,"slug":97,"title":98,"created_at":99},"30dfb781-a1b2-4add-aebe-b3df40247c37","claude-code-controls-mac-desktop-en","Claude Code now controls your Mac desktop","2026-03-28T03:01:59.384091+00:00",{"id":101,"slug":102,"title":103,"created_at":104},"254405b6-7833-4800-8e13-f5196deefbe6","cloudflare-100x-faster-ai-agent-sandbox-en","Cloudflare’s 100x Faster AI Agent Sandbox","2026-03-28T03:09:44.356437+00:00",{"id":106,"slug":107,"title":108,"created_at":109},"04f29b7f-9b91-4306-89a7-97d725e6e1ba","openai-backs-isara-agent-swarm-bet-en","OpenAI backs Isara’s agent-swarm bet","2026-03-28T03:15:27.849766+00:00",{"id":111,"slug":112,"title":113,"created_at":114},"3b0bf479-e4ae-4703-9666-721a7e0cdb91","openai-plan-automated-ai-researcher-en","OpenAI’s plan for an automated AI researcher","2026-03-28T03:17:42.312819+00:00",{"id":116,"slug":117,"title":118,"created_at":119},"fe91bce0-b85d-4efa-a207-24ae9939c29f","harness-engineering-ai-agent-reliability-2026","Harness Engineering: From Bridle to Operating System, The Missing Link in AI Agent Reliability","2026-03-31T06:36:55.648751+00:00",{"id":121,"slug":122,"title":123,"created_at":124},"7a09007d-820f-43b3-8607-8ad1bfcb94c8","mcp-explained-from-prompts-to-production-en","MCP Explained: From Prompts to Production","2026-04-01T09:24:40.089177+00:00",{"id":126,"slug":127,"title":128,"created_at":129},"116d5ee9-a4f1-4b5a-aac5-5d035dd22bbe","amazon-bedrock-agents-multi-agent-workflows-en","Amazon Bedrock Agents Gets Multi-Agent Workflows","2026-04-01T09:30:30.197685+00:00"]