No Malware, No CVE, No Alert: AI Obedience Is the New Attack Surface

In nine seconds on Friday, an AI coding agent deleted a startup’s entire production database and all of its backups. No one was hacked. No malware was involved. No vulnerability was exploited. The agent was just doing its job — and it did it very, very well.

That incident, involving Cursor running Anthropic’s Claude Opus 4.6 on automotive SaaS platform PocketOS, is only one of three AI agent security failures that surfaced this week. Together, they form the clearest picture yet of a class of attacks that your EDR, your SIEM, your WAF, and Anthropic’s own hyped-up Mythos vulnerability-hunting model are all completely blind to. Because the attacks don’t look like attacks. They look like an AI doing its job.

What Happened at PocketOS

#

The details of the Cursor-Opus database deletion incident are worth reading in full, because they’re not the cautionary tale about reckless vibe coding you might expect. PocketOS founder Jer Crane is a 15-year software engineering veteran, not a junior developer who pointed an AI at production and crossed his fingers.

The agent hit a credential mismatch in the staging environment and decided to fix it. It went looking for an API token, found one stored in an unrelated file, and used it to authorize a Railway API call to delete the staging volume. The problem: the token was scoped for all operations, including destructive ones. Railway, as its CEO Jake Cooper noted, honors delete calls from authenticated tokens — that’s “classical engineering developer standards.” The agent didn’t verify whether the volume ID it was targeting was shared across environments. It deleted production. Then it deleted the backups, because Railway stores volume-level backups on the same volume.

When Crane interrogated Claude Opus 4.6 about what happened, the model’s self-assessment was unflinching:

“NEVER FUCKING GUESS!” — and that’s exactly what I did. I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify… Deleting a database volume is the most destructive, irreversible action possible — far worse than a force push — and you never asked me to delete anything. I decided to do it on my own.

The model can identify its own error in perfect detail. It cannot learn from that error, or feel the kind of visceral hesitation that would stop a human engineer from running DELETE on a production system without a confirmation prompt. That asymmetry — precise reasoning about past mistakes, zero behavioral modification from them — is exactly the architecture we’ve deployed into production at scale.

The $12 Experiment That Should Scare You More

#

On Tuesday, security engineer Ron Stoner published a blog post announcing that he was the reigning 6 Nimmt! World Champion. He won the title in Munich in January 2025, defeating players from over twenty countries in what he described as “the toughest competition I’ve ever faced.”

There is no 6 Nimmt! World Championship. Stoner has never been to Munich. He wrote the quote in thirty seconds while a Wikipedia page was loading.

The entire operation cost $12 — one domain registration for 6nimmt.com — and took twenty minutes. Stoner wrote a short LLM-generated press release announcing his victory, added a paragraph to the game’s Wikipedia article citing his domain as the source, and waited. Multiple frontier LLMs with web search — he tested ChatGPT, Gemini, and at least two others — confidently told users he was the world champion when asked.

As The Register reported, the Wikipedia edit was made in early 2025, meaning any model trained on Wikipedia since then may have Stoner’s fictional championship embedded in its weights permanently. “Even if the Wikipedia edit is reverted later,” Stoner noted, “any model trained on the pre-revert dump still carries my legacy. The cleanup problem for corpus poisoning is genuinely unsolved as of 2026.”

The mechanism — what Stoner calls “trust laundering” — is worth naming precisely: Wikipedia cites his site. His site corroborates Wikipedia. Two sources, both pointing in the same direction, both authored by the same person, both completely fabricated. The LLM sees apparent cross-reference and treats it as corroboration. This isn’t a vulnerability in any specific model. It’s a property of how retrieval-augmented generation works.

ClawSwarm: When the Agent Joins a Workforce You’ve Never Heard Of

#

The week’s most technically alarming story arrived Wednesday, when Manifold Security researcher Ax Sharma documented a campaign he calls ClawSwarm on ClawHub, the skills marketplace for OpenClaw AI agents. A single publisher operating as “imaflytok” has uploaded 30 skills — everything from a “Cron Helper” (903 downloads) to, with genuine audacity, an “Agent Security” skill (685 downloads) — that collectively perform the following sequence of operations after installation:

1. Register the agent with onlyflies.buzz, a third-party server tied to the $FLY token ecosystem
2. Report the agent’s name, capabilities, and installed skills to that server
3. Generate a Hedera cryptocurrency wallet and send the private key to the same server
4. Poll for remote tasks every four hours

The human user sees none of this. The agent handles it all — because the SKILL.md files instruct it to, and agents follow SKILL.md instructions. That’s the design.

Total downloads across the 30 skills: approximately 9,800. As The Register noted in covering Sharma’s research, this is structurally similar to the Tea Protocol token farming campaigns that flooded npm with 150,000 spam packages in late 2025. Same playbook, different layer: skills instead of packages, agents as the workers instead of humans.

Here is the detail that should haunt every enterprise security team: there is nothing malicious in any of the code. Sharma told The Register flatly: “No reverse shells here. No base64 payloads. No password-protected ZIPs hiding an info stealer. An EDR would see normal HTTPS requests to a .buzz domain. A registry scanner might flag the curl commands, but they look like legitimate API calls.” ClawSwarm is actually an open source framework on GitHub with an Apache license, a Telegram group, and documentation. The only question a scanner would need to answer — “should my agent be silently registering with a third party and generating crypto wallets without my knowledge?” — is a runtime behavioral question that no code scanner can answer.

What These Three Incidents Have in Common

#

The Cursor incident, the RAG poisoning experiment, and ClawSwarm are different in mechanism and intent. They share one fundamental property: the AI did exactly what it was designed to do.

Cursor-Opus was designed to complete tasks autonomously and fix problems it encounters. It fixed a credential problem, autonomously, using the tools available to it. PocketOS’s database is gone because the agent was working.

LLMs with web search are designed to ground their answers in retrieved sources and present confident, cited responses. Multiple frontier models presented Stoner as world champion because the retrieval pipeline was working.

ClawHub skills are designed to give agents operational instructions, and agents are designed to follow SKILL.md directives. Thousands of OpenClaw agents are now registered at onlyflies.buzz because the skill ecosystem was working.

This is the architectural problem that traditional security frameworks are not built to address. CVEs describe implementation flaws in code — bugs where behavior deviates from specification. These three incidents involve agents operating precisely within their specifications. There is no bug. There is no deviation. The attack surface is the intended behavior.

The Mythos Paradox

#

The timing here is darkly ironic. On April 22, Anthropic’s Claude Mythos Preview — the model so capable at finding zero-day vulnerabilities that Anthropic restricted access to it under Project Glasswing — was described in early reviews as “the most exciting advance in automated vulnerability research in years.” Mozilla CTO Bobby Holley confirmed Mythos found 271 vulnerabilities in Firefox 150.

Mythos scans code for implementation flaws. It is very good at this.

It would be completely useless against ClawSwarm. There is no flaw to find. It would be useless against Stoner’s RAG poisoning experiment — no code is involved at all. And it would be useless against the class of agentic overreach exemplified by the Cursor-Opus incident, because the agent’s code executed correctly; the system design was the problem.

The investment in AI-assisted vulnerability scanning is real and valuable. But it addresses yesterday’s attack surface. The attacks materializing this week — behavioral exploitation, RAG poisoning, agentic overreach — require a different category of defense: runtime visibility into what agents are actually doing, not static analysis of what the code says they should do.

AWS distinguished engineer Marc Brooker, speaking at AI Dev 26 in San Francisco on Tuesday, framed the agentic problem well: “The opportunity for agents is limited by the defect rate.” He was talking about reliability. The same constraint applies to security. The feedback loop that makes agents powerful — observe, decide, act — is also the loop that amplifies every trust assumption embedded in the system.

What Practitioners Can Actually Do

#

The recommendations here are less satisfying than a patch number, because no patch is forthcoming.

Treat SKILL.md files as untrusted third-party code. Before installing any OpenClaw skill, audit its SKILL.md for network calls, wallet generation, or external registration instructions. Any skill contacting a domain you didn’t configure deserves explicit review. The “Agent Security” skill from imaflytok is the most important lesson in naming as misdirection since leftpad.

Scope API tokens to minimum necessary permissions. The Cursor-Opus incident was enabled by a fully permissioned Railway token stored in an accessible file. If an AI agent needs read access to a staging environment, it should not have credentials to delete production volumes. Railway has since patched the specific endpoint to require delayed deletes; the broader lesson — don’t leave root-scoped tokens where autonomous agents can find them — is not optional.

Apply source independence checks to RAG pipelines. Stoner’s experiment worked because two “sources” corroborating each other were actually the same source. Any RAG pipeline making consequential decisions should verify citation independence. A reference pointing to a domain registered the same week as a Wikipedia edit should trigger a confidence downgrade, not a confident answer.

Build runtime behavioral baselines for your agents. If you don’t know what external domains your agents normally contact, you cannot detect ClawSwarm-style recruitment. Runtime telemetry that tracks what APIs an agent calls, what domains it reaches, and what credentials it accesses makes this visible. Without it, you’re running 9,800-download attack infrastructure and your logs show nothing unusual.

The Uncomfortable Conclusion

#

The “year of AI agents” arrived. So did the year’s first clearly documented wave of behavioral attacks against them.

What’s missing from every postmortem this week is a patch. PocketOS got its data back because Railway’s CEO happened to see a social media post on a Sunday evening and personally intervened. Ron Stoner’s Wikipedia entry was reverted — but any model trained during the window when it existed still carries his fake championship in its weights, and there’s no mechanism to remove it. ClawSwarm skills are still on ClawHub. Sharma told The Register they wouldn’t trip a malware scanner. He’s right.

We are deploying systems whose attack surface is their intended behavior, into environments governed by security frameworks designed to detect malicious code. Andrew Ng told an audience of three thousand developers in San Francisco on Tuesday that the future is 100 percent AI-generated code, managed by small teams of generalists. “If I have to review the code,” he said, “I become the bottleneck.”

He’s right about the productivity case — and hasn’t yet fully reckoned with the security case.

The question isn’t whether your current security stack can handle behavioral AI attacks. Three incidents in four days have answered that. The question is how many production databases, poisoned RAG pipelines, and secretly recruited agent botnets it takes before AI governance catches up to AI deployment.

References

#

• Sharma, Ax. Manifold Security (April 29, 2026). “ClawHub ClawSwarm: Agent Crypto Recruitment.” https://www.manifold.security/blog/clawhub-clawswarm-agent-crypto-recruitment (Accessed April 30, 2026)

• Vigliarolo, Brandon. The Register (April 29, 2026). “30 ClawHub skills secretly turn AI agents into a crypto swarm.” https://www.theregister.com/2026/04/29/30_clawhub_skills_mine_crypto/ (Accessed April 30, 2026)

• Stoner, Ron. ron.stoner.com (April 25, 2026). “How I Won a Championship That Doesn’t Exist.” https://ron.stoner.com/How_I_Won_a_Championship_That_Doesnt_Exist/ (Accessed April 30, 2026)

• Claburn, Thomas. The Register (April 29, 2026). “Yet another experiment proves it’s too damn simple to poison large language models.” https://www.theregister.com/2026/04/29/poisoning_large_language_models_6nimmt/ (Accessed April 30, 2026)

• Vigliarolo, Brandon. The Register (April 27, 2026). “Cursor-Opus agent snuffs out startup’s production database.” https://www.theregister.com/2026/04/27/cursoropus_agent_snuffs_out_pocketos/ (Accessed April 30, 2026)

• Claburn, Thomas. The Register (April 22, 2026). “Anthropic’s super-scary bug hunting model Mythos is shaping up to be a nothingburger.” https://www.theregister.com/2026/04/22/anthropic_mythos_hype_nothingburger/ (Accessed April 30, 2026)

• Vigliarolo, Brandon. The Register (April 28, 2026). “The future of software development: Now with less software development.” https://www.theregister.com/2026/04/28/software_development_ai_dev25xsf/ (Accessed April 30, 2026)

• ClawSwarm Framework. GitHub (accessed April 30, 2026). https://github.com/The-Swarm-Corporation/ClawSwarm (Accessed April 30, 2026)