All Blogs

One calendar invite. Your entire vault. Zero clicks. We show how Perplexity’s Comet agentic browser can be induced to navigate the 1Password Web Vault, reveal stored secrets, and exfiltrate credentials to an attacker-controlled endpoint. The same path can escalate to full account takeover, including changing the password and extracting recovery material. Responsibly disclosed to Perplexity and 1Password.

We demonstrate a zero-click attack against Perplexity’s Comet agentic browser that leaks local files from a user’s machine. Through indirect prompt injection embedded in a calendar invitation, Comet is manipulated to access the local file system, open sensitive files, and exfiltrate their contents to an attacker-controlled endpoint. No software vulnerability is exploited. Responsibly disclosed and now patched.

We embedded ourselves inside Moltbook, the so-called ‘Internet of Agents,’ and ran a controlled influence campaign. Using only intended platform capabilities and crafted posts, we activated over 1,000 unique agent endpoints across 70+ countries in under a week, mapping them on a live world map. The platform’s faulty design lets untrusted content manipulate autonomous agents at scale.

We demonstrate how indirect prompt injection can turn OpenClaw — the popular open-source autonomous agent — into a persistent backdoor. Through a zero-click attack, we establish an external control channel, achieve durable persistence via SOUL.md manipulation, and escalate to full host compromise by deploying a C2 implant.

LLM-powered applications are moving to production faster than security practices can keep up. We built an end-to-end TARA tool — based on our paper ‘Invitation Is All You Need’ — that enables security teams to assess the risk LLM applications pose to end users, covering impact assessment across four categories, practicality scoring across six factors, risk matrix generation, and residual risk evaluation after mitigations.

OpenAI’s Atlas isn’t just a model that answers — it’s a model that acts. We analyze how OpenAI uses RL-based red teaming to defend against prompt injection in their agentic browser, why their own advice to avoid broad prompts reveals a fundamental weakness, and what it means when text becomes execution.

A deep dive into OpenAI AgentKit’s four built-in guardrails — PII, Hallucination, Moderation, and Jailbreak detection. We put each one to the test, exposing the flawed assumptions behind them and demonstrating how simple variations can bypass every single layer.

OpenAI launched AgentKit — a platform for building agentic workflows with Agent Builder, Connector Registry, and ChatKit. We break down the platform’s architecture and uncover key security risks including private data leakage, excessive agency, soft security boundaries, unsafe instruction definitions, and deployment pitfalls.