Research & Analysis
Blog
Security research, AI agent benchmarks, vulnerability analysis, and best practices from the OpenA2A team.
Build Your Own OASB Adapter: Benchmark Any Security Product in 30 Minutes
Step-by-step guide to implementing SecurityProductAdapter and running 222 attack scenarios against your product. Includes scorecard interpretation and reference adapter examples.
From Scanning to Shielding: Defense-in-Depth for AI Agents
OpenA2A Shield combines credential protection, configuration integrity monitoring, runtime detection, and compliance scoring into a unified layer.
Your AI Coding Tools Are Leaking Your API Keys
AI coding assistants read your .env files, terminal history, and MCP server configs. Here is how to protect credentials.
OpenA2A CLI: One-Command Security Reviews for AI Projects
Run opena2a review in any project directory and get a security posture score with credential scanning and actionable fix commands.
OASB: Why AI Agents Need CIS-Style Security Benchmarks
OASB brings the CIS Benchmark model to agentic AI -- 46 controls, 10 categories, 3 maturity levels.
Securing OpenClaw: 6 Security Fixes Landed in Main
We contributed 6 security fixes to OpenClaw (205K+ stars): 4 PRs were merged directly and 2 were adopted by maintainers. The fixes cover credential redaction, code safety scanning, path traversal, and more.
How Do You Give an AI Agent a Verifiable, Auditable, Enforceable Identity?
AI agents are making decisions and accessing sensitive data autonomously. Most have no real identity. Here's how to give every agent a cryptographic identity.
OAuth and OIDC Were Never Designed for AI Agents
OAuth 2.0 and OIDC power human authentication. AI agents aren't humans. Here's the identity gap and how AIM solves it.
Introducing OASB: The Security Benchmark for AI Agents
OASB defines the first comprehensive security benchmark for AI agents — 46 controls across 10 categories with 3 maturity levels.
OpenClaw Merges Built-In Skill Security Scanner
PR #9806 merged 1,721 lines into OpenClaw, adding a code safety scanner that detects malicious patterns in skills on install and update.
CVE-2026-25253 Now Has a Scanner: Detecting the OpenClaw WebSocket RCE
HackMyAgent v0.4.0 ships the first automated detection for CVE-2026-25253 (CVSS 8.8), expanded ClawHavoc IOCs, and 11 new security checks.
I Broke My AI Agent in 5 Minutes (And You Should Too)
HackMyAgent is a security toolkit for AI agents with 4 modes: Attack, Secure, Benchmark, and Scan.
The State of AI Agent Security: 97,000 Hosts, 1,190 Exposed Configs
We scanned 97,013 internet-facing hosts for AI agent vulnerabilities. 14.4% had confirmed security issues.
Why Your NHI Strategy Doesn't Cover AI Agents
Traditional NHI platforms manage service accounts and API keys. AI agents are a fundamentally different class.
341 Malicious Skills and a 1-Click RCE: Scanning OpenClaw for ClawHavoc
The ClawHavoc campaign planted 341 malicious skills on ClawHub. We built a scanner to detect it.
The OWASP Agentic Top 10 and What It Means for NHI Governance
How each OWASP Agentic risk maps to NHI governance capabilities.
The ServiceNow AI Vulnerability: What Went Wrong
ServiceNow disclosed the most severe AI-driven vulnerability to date.
Introducing AIM: Open Source Security for AI Agents
AIM provides cryptographic identity, MCP attestation, trust scoring, and audit logging.
One Line of Code to Secure Your AI Agents
CVE-2025-32711 (EchoLeak) affected Microsoft Copilot. Learn how to secure your AI agents.