# agent-security

Anthropic explains how claude.ai, Claude Code, and Claude Cowork contain agents: model defenses miss, permission prompts create fatigue, and the hard boundary is the VM, sandbox, filesystem policy, and egress control.

Brex open-sources CrabTrap — an HTTP proxy that intercepts every outbound agent request. Static rules dispatch known patterns in microseconds; the long tail goes to an LLM judge. Policies are inferred from traffic, not hand-written. Three prod surprises: inferred policies beat written ones, LLM fires on <3% of requests, audit log became agent observability.

Your AI Agent is very obedient — but it might be obeying the wrong person. Prompt Injection is social engineering for AI. Tool Use Exploitation is giving a Swiss Army knife to a 5-year-old. Context Poisoning is someone secretly changing books in a library. And then there's the zoo escape.

New paper: comprehensive security threat modeling of MCP, A2A, Agora, ANP (4 major AI agent protocols). Finds 12 protocol-level risks, including MCP being tricked 73.3% into calling wrong tool providers. Important for Claude Code, OpenClaw, Cursor users.