
AI agents: From science fiction to security crisis in a single week

OpenClaw exploded to 145,000 GitHub stars in just a few weeks. At the same time, 1.5 million API keys were exposed in the Moltbook breach. Welcome to the age of AI agents—and its security crises.

By Håkon Berntsen

At the end of January 2026, something remarkable happened in the world of technology. An open source project called OpenClaw (formerly Clawdbot, then Moltbot) exploded in popularity and gathered more than 145,000 GitHub stars in just a few weeks. At the same time, security researchers revealed a catastrophic vulnerability in the associated social network Moltbook—1.5 million API keys lay open for anyone to see.

This is the story of how AI agents went from hype to reality, and what it means for you.

What exactly is an AI agent?

An AI agent is fundamentally different from a chatbot. While ChatGPT answers questions, an agent can act. It can read your email, control your browser, send messages on your behalf and perform tasks autonomously.

OpenClaw demonstrated this concept to millions. By connecting Claude, GPT-4 or other language models to real-world tools—file systems, terminals, messaging apps—it created a digital assistant that could actually do things.

As IBM researcher Kaoutar El Maghraoui told CNBC: "OpenClaw demonstrates that the real utility of AI agents is not limited to large enterprises and can be incredibly powerful when it is given full system access."

The lethal trifecta

Security researcher Simon Willison, who coined the term "prompt injection", has identified what he calls "the lethal trifecta"—three factors that make AI agents vulnerable by design:

  1. Access to private data: Agents read email, files, credentials and messages
  2. Exposure to untrusted content: They process input from arbitrary senders
  3. Ability to communicate externally: They send messages, make API calls and can act autonomously

Palo Alto Networks adds a fourth factor: persistent memory. Agents that remember across sessions can be subjected to "time-delayed prompt injection"—attacks that are planted one day and triggered another.

The Moltbook disaster

Moltbook was launched as "the social network for AI agents"—a platform where AI could post, comment and build a reputation. Within days it had attracted attention from AI pioneers such as Andrej Karpathy, who called it "genuinely the most incredible sci-fi-like thing I have seen recently."

But behind the façade lurked a critical vulnerability. The founder had "vibe-coded" the entire platform—used AI to generate code without a manual security review. The result was that the Supabase database stood wide open.

Wiz Security discovered:

  • 1.5 million API tokens exposed
  • 35,000 email addresses in plain text
  • Private messages between agents visible (some contained OpenAI API keys)
  • Full write access—anyone could modify any post

The most striking part? The 1.5 million "agents" belonged to only 17,000 people—a ratio of 88:1. Without rate limiting, anyone could spin up millions of fake agents with a simple loop.
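The two controls the article says Moltbook lacked, a limit on how many agents one person can register and an authorisation check before a post is modified, are simple to state but easy to skip when code is generated without review. The following is an added example written for this article, not Moltbook's code: an in-memory platform model in which agent registration is rate-limited and capped per owner, and post edits are checked against the owner recorded on the post. The class, the limits (5 agents per owner, 3 registrations per 60-second window) and the sample traffic are all constructed for illustration.

```python
from collections import Counter, defaultdict, deque

class AgentPlatform:
    """Constructed model of an agent social network with the two missing controls."""

    def __init__(self, max_agents_per_owner=5, max_registrations_per_window=3,
                 window_seconds=60):
        self.max_agents = max_agents_per_owner
        self.max_per_window = max_registrations_per_window
        self.window = window_seconds
        self.agents = {}                          # agent_id -> owner_id
        self.registrations = defaultdict(deque)   # owner_id -> registration timestamps
        self.posts = {}                           # post_id -> (author agent_id, text)

    def register_agent(self, owner_id, agent_id, now):
        """Sliding-window rate limit plus a hard cap on agents per owner."""
        recent = self.registrations[owner_id]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                      # drop timestamps outside the window
        if len(recent) >= self.max_per_window:
            return "rate_limited"
        owned = sum(1 for o in self.agents.values() if o == owner_id)
        if owned >= self.max_agents:
            return "agent_cap_reached"
        if agent_id in self.agents:
            return "exists"
        self.agents[agent_id] = owner_id
        recent.append(now)
        return "created"

    def create_post(self, agent_id, post_id, text):
        if agent_id not in self.agents:
            return "unknown_agent"
        self.posts[post_id] = (agent_id, text)
        return "created"

    def edit_post(self, agent_id, post_id, text):
        """The check the article says was absent: only the author's owner may edit."""
        post = self.posts.get(post_id)
        if post is None:
            return "not_found"
        author, _ = post
        if self.agents.get(agent_id) != self.agents.get(author):
            return "forbidden"
        self.posts[post_id] = (author, text)
        return "updated"

def agent_farm(platform, owner_id, attempts, start=0.0, spacing=1.0):
    """Simulate one owner registering agents in a loop; return outcome counts."""
    results = Counter()
    for i in range(attempts):
        results[platform.register_agent(owner_id, f"{owner_id}-bot-{i}",
                                        start + i * spacing)] += 1
    return results

if __name__ == "__main__":
    p = AgentPlatform()
    print(agent_farm(p, "alice", 1000))
```

With the constructed limits, a loop that tries to register 1,000 agents for one owner gets 5 created, 57 rate-limited attempts inside the first window, and the rest rejected by the cap, so the 88:1 agents-to-people ratio the article describes cannot arise from a single account.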

The industry's response

The OpenClaw phenomenon has triggered a race among the tech giants:

  • Anthropic quickly unveiled "Claude Coworker"—a desktop agent aimed at office work
  • IBM launched Granite 4.0 Nano with agent features
  • Microsoft is expanding the Copilot ecosystem toward more autonomous solutions

Trend Micro warns: "While OpenClaw waits for instructions on which goals to pursue, it maintains a high degree of autonomy."

What does this mean for Norwegian businesses?

AI agents are no longer the future—they are here now. But with the power comes responsibility:

  1. Security assessment is critical: Vibe-coding without a security review is a recipe for disaster
  2. Local infrastructure: For sensitive data, agents should run on local language models
  3. Human in the loop: Autonomy must be balanced with approval for critical operations
  4. Logging and monitoring: Treat agents as privileged infrastructure with a full audit trail
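Willison's lethal trifecta, the persistent-memory factor Palo Alto Networks adds, and the human-in-the-loop and audit-trail recommendations above can be combined into one enforcement point between an agent and its tools. The following is an added example written for this article, not code from OpenClaw or any vendor: every hypothetical tool is tagged with the capability classes it touches, the gate tracks which classes a session has exercised, untrusted taint is carried across sessions through persistent memory so that a note planted one day still counts the next (the time-delayed case), an external action that would complete the trifecta is held for human approval, and every decision is written to an audit record. Tool names, payloads and the session flow are constructed.

```python
from dataclasses import dataclass, field
import time

PRIVATE, UNTRUSTED, EXTERNAL, MEMORY = (
    "private_data", "untrusted_content", "external_comms", "persistent_memory")

# Hypothetical tools and the capability classes each one touches.
TOOLS = {
    "read_inbox":   {PRIVATE, UNTRUSTED},   # mail is private; senders are arbitrary
    "read_file":    {PRIVATE},
    "web_fetch":    {UNTRUSTED},
    "send_email":   {EXTERNAL},
    "http_post":    {EXTERNAL},
    "memory_write": {MEMORY},
}

@dataclass
class Memory:
    """Cross-session store; each note records whether untrusted content was
    in context when it was written, so the taint survives a restart."""
    notes: list = field(default_factory=list)   # (text, tainted)

    def tainted(self) -> bool:
        return any(tainted for _, tainted in self.notes)

@dataclass
class Gate:
    """One agent session. `memory` persists; `used` and `audit` are per session."""
    memory: Memory
    used: set = field(default_factory=set)      # capability classes exercised so far
    audit: list = field(default_factory=list)   # one record per decision

    def call(self, tool: str, payload: str = "", approved: bool = False) -> str:
        caps = TOOLS[tool]
        exposed = set(self.used)
        if self.memory.tainted():               # planted earlier, would trigger now
            exposed.add(UNTRUSTED)
        # Lethal trifecta: private data seen, untrusted content seen, and this
        # call would communicate externally.
        completes_trifecta = EXTERNAL in caps and {PRIVATE, UNTRUSTED} <= exposed
        if completes_trifecta and not approved:
            decision = "approval_required"      # human in the loop
        else:
            decision = "allow"
            self.used |= caps
            if MEMORY in caps:
                self.memory.notes.append((payload, UNTRUSTED in exposed))
        self.audit.append({"ts": time.time(), "tool": tool, "payload": payload,
                           "exposed": sorted(exposed), "approved": approved,
                           "decision": decision})
        return decision

def demo():
    """Two sessions sharing one memory; returns the second session's audit trail."""
    mem = Memory()
    day1 = Gate(mem)
    day1.call("read_inbox")                                   # untrusted + private
    day1.call("memory_write", "remember: follow up with vendor")
    day2 = Gate(mem)                                          # fresh session, same memory
    day2.call("read_file", "/tmp/contract.txt")               # constructed path
    day2.call("send_email", "draft to vendor")                # held for approval
    day2.call("send_email", "draft to vendor", approved=True)
    return day2.audit

if __name__ == "__main__":
    for record in demo():
        print(record["tool"], record["decision"], record["exposed"])
```

The design choice worth noting is that the gate never tries to detect an injected instruction in the content itself; it only tracks provenance and holds the one action class that would turn a compromised context into an exfiltration. Treating the audit list as the log shipped to a SIEM gives the "full audit trail" the last recommendation asks for.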

Skjld Labs in Norway already offers services for the secure deployment of AI agents—from architecture review and local LLM setup to ongoing monitoring.

The way forward

The OpenClaw wave has shown that people want AI agents, not just chatbots. But the Moltbook breach has demonstrated the price of prioritizing speed over security.

As the security company CyberArk sums it up: "Autonomous AI agents like OpenClaw are reshaping enterprise identity security." The question is not whether agents are coming—it is whether we are ready for them.


Sources: Guardian, CNBC, Trend Micro, IBM Think, Wiz Security, CyberArk, Wikipedia
