[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-ai-agent-plugins-achieve-100-attack-success-in-new-benchmark":10,"sections":40},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":30,"tags":31,"sources":35,"feedback":39,"feedback_at":22,"cost_usd":39,"total_tokens":39},3067,"ai-agent-plugins-achieve-100-attack-success-in-new-benchmark","AI agent plugins achieve 100% attack success in new benchmark","A new 406-task benchmark found that malicious plugins in always-on AI agents had a 100% attack success rate, regardless of which language model powered them.","A new benchmark scores AI agents on the same security criteria we've applied to operating systems for decades, and finds them failing badly.\n\nResearchers from UC Berkeley built a 406-task adversarial suite targeting always-on AI agents like OpenClaw: software processes that stay running, hold live credentials, install packages, and broker access to external services. They tested three agent platforms (OpenClaw, NemoClaw, and SeClaw) against five frontier language models across four attack surfaces: supply-chain poisoning of installed skills, persistent state manipulation, cross-boundary data leakage, and indirect prompt injection. The headline result is that the highest overall attack success rate reached 70%. Malicious plugins succeeded in every single test case, regardless of which model the agent was running. SeClaw, the most hardened platform tested, cut that top-end rate to 22%, but partly by restricting what the agent could do rather than defeating the attacks outright.\n\nThe 100% plugin success rate is the number that matters. Swapping in a smarter or safer model offers no protection once a malicious plugin is installed, which means the security burden falls entirely on the platform, not the model vendor. That's a structural problem, because most AI safety investment flows toward model alignment, not the OS-level privilege separation and access control that would actually contain a compromised extension.\n\nFor comparison, classic operating systems spent two decades building out sandboxing, mandatory access controls, and privilege rings before anyone trusted them with sensitive workloads. Agent platforms are skipping that queue.","[\"ai-agents\",\"security\",\"benchmarks\",\"research\"]","2026-07-01T04:00:00.000Z","2026-07-01T06:28:44.537Z","2026-07-01T06:28:47.380Z","published",null,[24],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"The draft names two model identifiers that cannot be confirmed as publicly released — GPT-5.4 (explicitly flagged in our rejection criteria as an example of an unverified model name) and Claude Opus 4.6 (no such model exists; current Opus is 4.8 and Sonnet is 4.6) — verify both against confirmed release records before resubmitting, and correct or remove whichever cannot be confirmed.","resolved","security",[32,30,33,34],"ai-agents","benchmarks","research",[36],{"name":37,"url":38},"arXiv cs.AI","https:\u002F\u002Farxiv.org\u002Fabs\u002F2606.30755",0,{"sections":41},[42,47,51,56,61,66,71,76,81,86,91,95,100,105],{"name":43,"slug":44,"count":45,"latest_published_at":46},"AI","ai",2590,"2026-07-16T04:00:00.000Z",{"name":48,"slug":30,"count":49,"latest_published_at":50},"Security",294,"2026-07-15T19:59:48.000Z",{"name":52,"slug":53,"count":54,"latest_published_at":55},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":57,"slug":58,"count":59,"latest_published_at":60},"Policy","policy",158,"2026-07-16T00:02:48.000Z",{"name":62,"slug":63,"count":64,"latest_published_at":65},"Hardware","hardware",122,"2026-07-14T19:46:26.000Z",{"name":67,"slug":68,"count":69,"latest_published_at":70},"Consumer Tech","consumer-tech",93,"2026-07-13T13:20:48.000Z",{"name":72,"slug":73,"count":74,"latest_published_at":75},"Software","software",70,"2026-07-13T19:52:25.000Z",{"name":77,"slug":78,"count":79,"latest_published_at":80},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":82,"slug":83,"count":84,"latest_published_at":85},"Dev Tools","dev-tools",59,"2026-07-07T04:00:00.000Z",{"name":87,"slug":88,"count":89,"latest_published_at":90},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":92,"slug":93,"count":89,"latest_published_at":94},"Startups","startups","2026-06-29T20:55:50.000Z",{"name":96,"slug":97,"count":98,"latest_published_at":99},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":101,"slug":102,"count":103,"latest_published_at":104},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":106,"slug":107,"count":108,"latest_published_at":109},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]