A much-needed reality check for those insisting AI will automate away the need for human red teaming and pentesting. Not mentioning the costs involved.

Been digging into the OpenClaw vulnerability (CVE-2026-25253) this week.

Most people are focusing on the CVSS score (8.8), but the bigger issue is misconfigured instances + exposed skills.

Here’s a quick checklist I’ve been using:

1. Audit all active skills (especially external ones)
2. Lock down network exposure (a lot of instances are publicly reachable)
3. Recheck auth flows - default configs are risky
4. Monitor logs for abnormal agent behavior
5. Patch immediately if you haven’t already

I wrote a more detailed breakdown here if anyone wants the full audit steps: Here

Curious- has anyone here actually seen exploitation in the wild yet?

**Submission URL** : https://arxiv.org/abs/2603.16572 **Repository hijacking** — Skills.sh and SkillsDirectory index agent skills by pointing to GitHub repository URLs rather than hosting files directly. When an original repository owner renames their GitHub account, the previous username becomes available. An adversary who claims that username and recreates the repository intercepts all future skill downloads. The authors found 121 skills forwarding to 7 vulnerable repositories. The most-downloaded hijackable skill had 2,032 downloads. **Scanner disagreement** — The paper tested 5 scanners against 238,180 unique skills from 4 marketplaces. Fail rates ranged from 3.79% (Snyk on Skills.sh) to 41.93% (OpenClaw scanner on ClawHub). Cross-scanner consensus was negligible: only 33 of 27,111 skills (0.12%) flagged by all five. When repository-context re-scoring was applied to the 2,887 scanner-flagged skills, only 0.52% remained in malicious-flagged repositories. **Live credentials** — A TruffleHog scan found 12 functioning API credentials (NVIDIA, ElevenLabs, Gemini, MongoDB, and others) embedded across the corpus. **What to do:** - Pin skills to specific commit hashes, not mutable branch heads - Monitor for repository ownership changes on skills already deployed - Require at minimum two independent scanners to flag a skill before treating as confirmed - Prefer direct-hosting marketplaces (ClawHub's model) over link-out distribution The repository hijacking vector is real and responsibly disclosed. The link-out distribution model is an architectural weakness — no patch resolves it. We wrote a practitioner-focused analysis covering this and 6 other papers from this week at