Clawing Back on Security: Challenges with Agentic AI Systems
Clawing Back on Security: Challenges with Agentic AI Systems
https://www.infosecurity-magazine.com/opinions/clawing-back-security-challenges/
Publish Date: 2026-04-01 06:01:00
Source Domain: www.infosecurity-magazine.com
Clawdbot’s popularity has been meteoric, racking up more than 140,000 stars and 20,000 forks on its Github repository.
However, its renaming to Moltbot suggested significant security issues, such as the trifecta of access to private data, exposure to untrusted content and external communication capabilities.
One issue behind AI agents like this being insecure by design is because LLMs are unable to distinguish between different contexts.
For instance, LLMs without guardrails cannot distinguish between a legitimate public webpage and one that serves as a precursor to an indirect prompt injection attack. Given the statistical nature of LLMs, it is possible for an indirect prompt injection to work even with the best-designed guardrails.
But the trifecta itself has already been present in agentic AI pre-Moltbot. What Moltbot changes is the introduction of persistent memory.
Attackers can attempt to compromise a Moltbot-based agentic architecture through time-delayed attacks, as attack strings can persist in memory, resulting in memory poisoning.
However, memory poisoning attacks aim to target the agent’s long-term memory store and are designed to persist in the agentic AI system without detection. This typically involves the embedding of malicious data bit by bit, through means such as multi-shot prompting to introduce false premises to modify its operational context.
Due to the agents trusting their own memory, there exists no additional validation in executing actions from a now-corrupted operational context.
The main issue is that the model and memory could be poisoned through an indirect prompt injection attack that gets detected only much later when the model produces outputs that significantly deviate from its intended use. Only then will the model owners discover their model has been poisoned, but with no means to identify the extent of poisoning due to its persistence in memory.
