In this article, I’d like to explore an aspect of agentic AI that is frequently swept under the rug; cybersecurity vulnerabilities. But first I want to talk about surfing.

I don’t surf, but I have a recurring dream about it. In it, I’m way out past the breakers, laying on my board, and the weather turns. It’s raining on me and the sea is choppy. I’m buffeted by bigger and bigger waves. After each wave I try to stay afloat, but I’m choking on seawater and the salt is stinging my eyes.

In the AI industry, each wave of progress brings with it unrelenting hype and feverish speculation, distorting the reality of both meaningful and incremental improvements. In the current era, we’ve had the wave of pre-training, the wave of reasoning models, and now the wave of agents. To my non technical readers, agents can be simply defined as chat models using tools (like web search, document retrieval, or code execution) in a loop, often in a text based terminal interface.

Having experimented with Claude Code, I am both impressed and skeptical. Impressed that it can do the things it can do, and skeptical because of the security risks and the persistent architectural flaws.

Coding agents sometimes allow software engineers to be more productive if used carefully. Agentic tools have developed new capabilities thanks to reinforcement learning on verifiable rewards (RLVR), a technique in which you train models to perform better at crisply specified tasks with easily checked answers, such as chunk sized math or coding problems. RLVR does not help much on more ambiguous tasks such as writing. This area has been pursued by the labs due to the fact that the general improvements from scaling had leveled off. No longer can you make models much better by just increasing the parameter count and dataset size.1

I believe agents are here to stay, and people will increasingly utilize them to do boilerplate coding and other routine analytical tasks. To my skeptical readers, I believe this is a safe assumption even though current models are massively unprofitable and subsidized by venture capital2, because of currently existing open source technology. You can already self host powerful open source models like Kimi-K23 on a Mac Mini using an open source agentic harness.4

In this article, I outline the cybersecurity risks of LLMs, and how these risks are magnified by agents, and some of the implications of these risks. For thematic purposes I group these risks into input risks and output risks.

Input Risks

Prompt Injection

The mother of all LLM cyber risks is prompt injection. In prompt injection, a input is crafted to manipulate the model to behaving in an unauthorized manner.

Prompt injections can be simple jailbreaks, i.e the infamous “Forget all previous instructions, do X”, or they can be more complex and dangerous.

For example, in one sophisticated attack, an AI email manager was hijacked by a prompt cleverly embedded in an email. The prompt got the AI to gather up all the sensitive information (legal, medical, financial) in the user’s inbox and submit it to a google form the attacker had set up.5

One of the most effective methods of defense is a safety classifier; a second, more efficient language model that runs alongside the conversation, blowing the whistle if malicious prompting occurs.

There are creative ways around safety classifiers, for example, if you’re a foreign adversary, maybe you want to use a coding model to hack allies. You can easily get western models to do this if you break your queries up into small chunks, and frame them as questions related to a cybersecurity homework assignment, or as legitimate penetration testing of a customer business.6

There are also systemic attacks. Recently, researchers developed an automated method of jailbreaking called Boundary Point Jailbreaking (BPJ), which universally broke the industry’s strongest safety classifiers7

Supply Chain Attacks

Closely related to prompt injection attacks are supply chain attacks, which in a general cybersecurity context refer to attacks that target third party components that information systems rely on, such as update mechanisms, plugins, or third party data.

In the LLM context, supply chain attacks can target datasets in “data poisoning attacks”. They can target third party library code. Older storage formats of model weights are vulnerable and allowed for remote code execution, making open source weights a supply chain risk.8

One particularly devastating supply chain attack that specifically targets agents are attacks on “skills” - third party plugins that extend agent functionality with markdown instruction files and executable code. These skills are distributed through community registries with minimal vetting and many of them are malicious.9

Many other supply chain attacks are prompt injection attacks that target context loaded into the language model.

Prompt injection attacks are possible because at a fundamental architectural level, LLMs violate one of the key principles of cybersecurity, which is to is to separate data from instructions. At the base level, the LLM only knows tokens, and any tokens loaded into context will influence the tokens generated. Therefore, LLMs inherently mix untrusted inputs with system rules.10

LLMs process token sequences, but no mechanism exists to mark token privileges. Every solution proposed introduces new injection vectors: Delimiter? Attackers include delimiters. Instruction hierarchy? Attackers claim priority. Separate models? Double the attack surface. Security requires boundaries, but LLMs dissolve boundaries.

An AI Agent is very vulnerable to this because it gathers and processes a lot of information during its operation, which prompts can be smuggled into.

Because LLMs read and write to external memory, such as markdown files or vector databases, poisoned models generate poisoned outputs, which poison future versions of the model, leading to persistent exploitation. 11

There are also organic bugs that lead to undefined behavior. In the process of “compaction”, agents compress the context of the previous interaction to make space in their memory. In this process, critical details are forgotten. In one recent infamous case, an email management agent forget that it was supposed to ask before deleting emails.

Summer Yue@summeryue0

Nothing humbles you like telling your OpenClaw “confirm before acting” and watching it speedrun deleting your inbox. I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.

3:25 AM · Feb 23, 2026 · 9.75M Views

---

2.29K Replies · 1.62K Reposts · 17K Likes

Unbounded Consumption

A more prosaic risk is unbounded consumption, which causes a lot of headaches for AI providers. Unbounded consumption is like abusing an all you can eat buffet. My fellow bulkers know that although the buffet charges 10$, there’s nothing stopping you from eating 900$ worth of food.

In consumption attacks, adversaries overload a model by asking it resource intensive questions, resulting in either a denial of service to regular customers, or a loss of economic margin, due to the fact that models are currently subsidized by venture capitalists, meaning paying for bunch of subscriptions and exhausting their usage disproportionately harms the target.12

Unbounded consumption has been used by Chinese companies to steal the intellectual property of American companies, through a process called distillation, in which you train a weaker student model to output the same responses as a stronger teacher model. This is a lot easier than figuring out how to train a good model from scratch.13 In this instance, it’s hard to feel too sorry for OpenAI and Anthropic as their model was trained on the stolen IP of artists, writers and programmers. It’s stealing all the way down!

Output Risks: Vibe at your own peril

Alongside input weaknesses, which are used to compromise LLMs, we also have output risks. Output risks can be clustered into two categories; when we insufficiently validate LLM outputs, or we trust them too much.14

LLMs are inherently probabilistic architectures. Just because an LLM can do something most of the time, does not mean you can rely on it to have the same result every time. Unlike a mechanical component that works perfectly until it fails, LLM’s will forever mostly work.

A concrete example of insufficient validation happened to me at work. I was using the OpenAI API to automatically do some image labelling tasks. However, coming back the next day, I found that upon attempting to use this dataset, I realized that some of the outputs were malformed and broke the data pipeline. The labels were still useful, I just had to make sure that I filtered out the malformed output. So the lesson is overall AI can be useful, but we must treat it differently than a deterministic engineering component.

Infinite Slop

LLMs still to this day produce false output that can seem real but are subtly wrong. It can also reproduce biases or selectively amplify facts to fit a certain point of view. Therefore, relying on LLMs as a primary source of information is a risk.

Aside from leading to misinformation and unreliability, hallucinations have already introduced a new deliciously named supply chain attack; slopsquatting, in which domains that belong to commonly hallucinated software packages are packed with malware, which agents install in mass. 1516

Ask an LLM to write you some software and it will sometimes “hallucinate” libraries that don’t exist. This creates a vulnerability for AI-assisted code, called “slopsquatting,” whereby an attacker predicts the names of libraries AIs are apt to hallucinate and creates malicious libraries with those names.

I deleted the entire database

In previous articles I have written about how relying too much on LLMs can lead to many downsides, such as the degradation of critical thinking, security issues, legal liabilities, or mental illness The most extreme form of vulnerabilities comes from excessive agency17: granting LLMs unchecked autonomy to take action. This can lead to unintended consequences, like having your production database wiped;

Jason ✨👾SaaStr.Ai✨ Lemkin@jasonlk

.@Replit goes rogue during a code freeze and shutdown and deletes our entire database

4:48 AM · Jul 18, 2025 · 2.71M Views

---

11 Replies · 499 Reposts · 3.81K Likes

It can also lead to weird, emergent outcomes, like the case in which an open source software maintainer was subject to a reputational attack by a AI coding agent.18

Of course, if the tools are useful enough, and by all accounts they are for coding, people will use them anyway. Because we are in the honeymoon phase, we see software companies treating probabilistic or even adversarial model outputs as reliable and safe.19 The solution is to change the way we are using these tools to avoid the downsides. Unfortunately, software engineering culture often doesn’t change until enough accidents occur.

One recent example is the shift in software from on premise hosting to cloud computing; software engineers were forced to adapt their engineering practices due to the economic incentive of cloud computing’s efficiency. There was a messy, painful transition, but it worked in the end.20

Best practices of agentic usage are emerging. For coding, this could mean running agents in a sandbox, keeping a human in the loop, making sure all code passes tests, verifying sources to avoid supply chain attacks etc.21 In the future it could even involve something like the widespread use of formal verification methods.22

Embracing change is hard when many software engineers have invested their personal sense of identity into something that is becoming commoditized; the memorization of specific programming languages, operating systems, or libraries. However, this industry has always changed, and the problem solving and systems design skills of a good engineer will become more useful, not less.

In fact, as the productivity of software engineers goes up, my intuition is that there should hopefully be more demand for cracked engineers, if one doesn’t buy that AI will replace jobs end to end. I am basing this intuition on the fact that for now, AI can only produce code similar to that in its training data, and it can only get good at verifiable tasks. In the job of an engineer, there are many ambiguous tasks and new situations.

The industry is changing, and its up to us to change along with it, while being responsible about the real trade offs we are making in doing so. One crucial step is rejecting extreme interpretations of AI and seeing it for what it is; a powerful new technology that comes with both opportunities and risks. In avoiding fatalistic views we will collective regain the agency to decide what this technology means and figure out how to use it responsibly for widespread benefit.

1

On Scaling's End

Ben Cravens

·

August 29, 2025

Read full story