Energy, Security

Reutlingen Grid Burned: Germany’s Münchhausen Minister Talks Left While Russia Works the Right

Leave a comment

On the morning of 8 June a substation burned in Reutlingen and roughly 30,000 people lost power. Within hours, before the fire was out, anonymous Sicherheitskreise had handed the dpa a propagandist decree. Links. Left-extremist. The police at the actual lectern said something honest instead. They were investigating in every direction, a technical fault among them, with no political indicator in hand.

Three burn points and a cut fence. That was the evidence, which has hallmarks of Russian special servcies. The conclusion that serves the Russian propaganda arrived ahead of it.

I have tracked Russian critical infrastructure attacks for decades. Notable is Berlin, September 2025: two pylons in the southeast, around 50,000 households dark for sixty hours. Berlin, January 2026: a cable bridge in Lichterfelde, 45,000 households without heat for days in a winter freeze. Both were falsely pushed as left-extremist within the hour. Both were pinned on a phantom called the Vulkangruppe, which has Russian links. Fifteen years of attacks under that influence banner, and German authorities have produced zero convictions.

Start with the name, because the name gives the game away. I have done deep investigations into anarchist hacking culture, and I can tell you what any true energy-infrastructure cell manifests into. Autonome Zellen. Revolutionäre Zellen. A date, a martyr, a class signifier. Anarchists run on no gods, no masters. So a hero-worship cell that brands itself after the Roman god of the forge, the divine blacksmith of weapons and armor, fails every test the left has kept for a century. Roman mythology reads as bourgeois classical education, which reads as fascist. The forge celebrates the instruments of industrial power. Germans built their identity on beating Rome. Russians built theirs on inheriting it, the Third Rome, Tsar from Caesar.

The Vulkan name fits Moscow’s vocabulary, not Berlin’s.

The grammar leaks too. The 2011 Hekla-Empfangskomitee is clumsy German that snaps into place the moment you read it as Russian. A German militant writes Fraktion, Zelle, Gruppe, Bund. A German does not convene a reception Komitee. Komitet is the Russian default, as in Komitet Gosudarstvennoy Bezopasnosti, the KGB. The Icelandic volcano aliases mean nothing to a German activist, and volcanoes are the precise opposite of what a climate movement protests. This is backstopping, a thin cover layered on after the fact.

Now the coincidence that should end the argument. NTC Vulkan is a Moscow military contractor founded in 2010 by St Petersburg academy graduates, cleared for classified state work in 2011, builder of infrastructure-attack and information-operations tooling for Sandworm. In 2011 a self-named Vulkangruppe began burning German infrastructure. The same year. The same forge.

The investigations fit the cover, not a hunt. In 2024 two suspects were arrested and the Amtsgericht Tiergarten acquitted both, the prosecution declining to appeal. Arrest, insufficient evidence, acquittal, no appeal is the signature of a case where intelligence equities have made prosecution impossible. The Verfassungsschutz lists the Berlin membership potential as nicht bekannt, unknown. That is the profile of a managed service, not a leaky anarchist scene.

Now read the map of what actually gets hit.

The IISS record and the German prosecutor’s own files describe one logic, and it has a name. Ukraine support. An IMSI-catcher plot against Patriot crews at Patch Barracks near Stuttgart. German-Russians caught in Bayreuth scouting the US base at Grafenwöhr to disrupt arms logistics. A plot to murder the chief executive of Rheinmetall. A fire at the Diehl plant in Berlin that builds IRIS-T air defense for Kyiv. An incendiary device in the DHL air hub at Leipzig. The Verfassungsschutz states the method plainly. Russian services commission arson on German soil through locals who never learn who hired them. Poland proved it with the Warsaw mall fire. Russia proved it inside Germany with the Be Greener operation, more than 270 vehicles vandalized by FSB-recruited hands to smear the Greens before the 2025 election. False-flag environmentalism is a tool they have already run in the open.

Lay the documented events end to end and the shape of a Russian campaign in Germany is hard to miss.

Date Location Event Status
2011 Berlin, Ostkreuz Rail cable bridge set alight, rail disrupted First Vulkangruppe claim, no convictions
2013 Berlin, Adlershof Arson at a radio mast Vulkangruppe claim, unsolved
2018 Berlin, Charlottenburg Arson cut power to roughly 6,500 homes Vulkangruppe claim, unsolved
2020 Berlin Arson at the Heinrich Hertz Institute Vulkangruppe claim, unsolved
2021 Grünheide Cable arson idled the Tesla factory Vulkangruppe claim, unsolved
2021 to 2022 Berlin, British Embassy Guard David Smith passed material to Russia Convicted of spying for Russia
2022 Stuttgart, Patch Barracks IMSI-catcher plot to track Ukrainian Patriot crews GRU-linked plot
2024 (Mar) Grünheide Pylon arson cut power to the Tesla factory Vulkangruppe claim, unsolved
2024 (Mar) Berlin, Lichtenberg Nine Teslas torched in one night Arson suspected, unsolved
2024 (Apr) Bayreuth and Grafenwöhr Two German-Russians caught scouting the US base, plotting arson on arms logistics Arrested, GRU-linked
2024 (May) Berlin Fire at the Diehl plant making IRIS-T for Kyiv Cause officially undetermined, sabotage suspected
2024 (Jun) Germany AfD Bundestag staffer fraudulently naturalized Citizenship revoked by court
2024 (Jul) Germany Plot to assassinate Rheinmetall CEO Papperger Russian plot, thwarted
2024 (Jul) Leipzig Incendiary device ignited at the DHL air hub Russian parcel-arson plot
2024 (Aug) Geilenkirchen and Cologne Drone probe of the AWACS base, cut fence at an airbase water plant GRU reconnaissance
2025 (Feb) Across Germany Be Greener op damaged more than 270 vehicles before the election FSB false-flag, blamed on climate activists
2025 (Mar) Berlin, Steglitz and Treptow Four Teslas torched in one night Arson suspected, unsolved
2025 (Sep) Berlin, Johannisthal Two pylons, roughly 50,000 households dark for 60 hours Vulkangruppe claim, officially left-extremist
2026 (Jan) Berlin, Lichterfelde Cable bridge, roughly 45,000 households out for days in a freeze Vulkangruppe claim, officially left-extremist
2026 (Jan) Berlin Ilona W., GRU agent posing as a Ukrainian advocate, mapped drone sites and arms deliveries Arrested, handler expelled
2026 (Mar) Germany and Spain Surveillance of a drone supplier to Ukraine, filming home and workplace Arrested, GRU-linked
2026 (Jun) Reutlingen Substation fire cut power to about 30,000, three burn points and a cut fence Suspected arson, left-extremist floated, under investigation

What gets more interesting is to lay this attack campaign over the AfD vote campaign, and the “official story” melts from two directions at once. Where Russia hits Ukraine logistics it hits cities, because that is where the bases and the defense plants and the freight hubs sit, and cities are where the AfD runs thin. Cologne, probed repeatedly, holds the party’s worst result in the country. Leipzig, the DHL hub, is a low-AfD island inside Saxony, one of its strongest states. By target logic these attacks should run where the AfD does not yet have control.

The Vulkangruppe grid attacks obey the same rule rather than reversing it. They cluster in Berlin, where the AfD runs far behind its national share, with the Tesla site at Grünheide on the edge. Vote share selects neither set of targets. Infrastructure does, with the capital and the Musk brand adding their pull. The tell sits elsewhere, in the division of labor. The physical operations follow the cables and the bases into the cities, while the party works the other half from its eastern strongholds. The AfD is the bloc German lawmakers have called a sleeper cell loyal to Russia, after a flood of parliamentary inquiries seeking drone-defense capabilities, military logistics schedules, civil-protection resources, data-center locations and emergency power supplies. Thuringia’s interior minister said the AfD looked to be working a checklist from the Kremlin. That is reconnaissance from inside the office. The same party was caught running a Russian into German citizenship through a Bundestag office, until a court reversed it.

And the program reads like the objective the fires are built to deliver. The AfD’s 2025 platform demands the immediate lifting of sanctions and the repair of Nord Stream, with Ukraine pushed to neutrality outside NATO and the EU.

sofortige Aufhebung der Wirtschaftssanktionen gegen Russland

In the Bundestag the AfD fraction rejects weapons on principle, in the same way that Trump campaigned that he would end all wars on day one. Tino Chrupalla calls the war none of our business and proposes taking Russian gas through Nord Stream 2 in the same breath. Alice Weidel, once investigators traced the pipeline blast to a Ukrainian team, demanded Kyiv pay Berlin compensation.

Björn Höcke calls Putin a rational man who wants peace, works the Friedensspaziergang circuit where the energy crisis and the weapons deliveries braid into one grievance, and wraps the war in a Soros-and-Covid conspiracy that any reader of the last century knows on sight.

The peace-research institute PRIF reached the cautious version. This program attacks Ukraine and strengthens Russia by weakening Germany. The blunt version needs fewer words. It is Moscow’s war aims disguised as a German ballot.

Then there is the red handprint on the pen weakening German infrastructure the most. Alexander Dobrindt, the Interior Minister who once looked at copper and fiber and chose copper, dragging Germany to the bottom of European broadband, looked at the threat data and started speaking Russian propaganda. In June 2025 he told a press conference that violent left-extremists were rising significantly, to 11,200, while the chart in his own hand held them flat. Volksverpetzer put it cleanly, a significant rise from 11,200 to 11,200. The report he was holding showed right-wing extremists up by a quarter to 50,250, right-wing violent crime up 47 percent, left-wing violent crime down nearly 30. He buried the larger number and inflated the smaller one, fundamentally lying. Then, after the Berlin blackout, he told everyone on ZDF that Russia should be ruled out immediately before the investigation closed and he promised to expand surveillance of the “left”. A government that names a GRU threat must answer it. A government that blames domestic extremists can defer, study, and score points with or against the AfD by pushing the country hard-right into Russia’s hands. That is the choice Dobrindt repeatedly makes, espousing the language of fascism in the German government.

So let me be precise, because Germans love precision as much as their trains never run on time. This is a convergence of aims. The public evidence stops there. Intelligence has not yet reported AfD ties to arson, and the case needs none to see the fit. Russia burns the logistics. The party harvests the result in two currencies, votes on one side and the instant story on the other, the story that sends “Vulkan” signals while the hand that struck stays in Moscow. A German minister supplies the stamp to transfer foreign influence to domestic.

The grid was burned in Reutlingen, and inside the hour the same word popped into three mouths, like a pattern. The wire service. The party. The minister. One of them lit the disinformation fire to smoke the political scene. One breathes it in. One writes the law. They all want the same right-wing extremist propaganda in German minds.

Security

Executive Summary for Claude Mythos Project Glasswing: June 2026 Verification Status

Leave a comment

A market in which the buyer cannot measure what they bought is no market at all.

Morrell’s flashy claims of a revolutionary coast-to-coast rapid transit machine allegedly sold 250,000 shares of stock in a hotdog-shaped 450 foot gas balloon. It launched in Berkeley, California on May 23, 1908, after San Francisco had banned it. Source: The Jive Bomber

Summary

Anthropic’s central claim for Claude Mythos about its capability being too dangerous to release, is unverified and increasingly contradicted. Independent researchers reproduce Mythos results on commodity and open-weight models at negligible cost, among them the engineer who wrote the OpenBSD flaw Anthropic placed at the center of its launch. Its headline numbers are the model grading its own output, while the data that would allow independent verification stays withheld. Project Glasswing has continued to widen access and Anthropic has filed to go public, both ahead of the verification the program itself promised. Treat the claims as unproven, and defer any strategy, procurement, or risk decision that depends on them until the July 6 report is published and independently checked.

Strategic assumption

Through 2026, AI vulnerability-discovery capabilities marketed as frontier-exclusive will remain reproducible on commodity open-weight models, removing the technical basis for premium pricing and restricted-access programs.

This is a question of whether a premium nail-gun is worth paying for, versus the many quality commodity nail-guns already available on the market, while the premium vendor runs a marketing campaign that access is restricted based on its own comparisons to a hammer.

Key findings

  • Of 23,019 vulnerabilities Mythos reported, 1,752 were verified by a human or security firm and fixes have been shown for 75. The 90.6% accuracy rate in press coverage applies to a human doing the work, not the large numbers from a machine alone.
  • The flagship discovery used to claim novel risks (FreeBSD CVE-2026-4747) is a 2007 fix for shared code that sat with a patch waiting to be applied. The fix was present in the model’s training data, making the result consistent with recovery from the backlog of delayed fixes rather than novel discovery.
  • Eight of eight open-weight models reproduced the detection capability, one at $0.11 per million tokens. On June 8, 2026, Glasswing launch partner Cisco ran six frontier models across 1.8 billion lines of code and showed results do not depend on Mythos.
  • No reproduction steps were published with the Anthropic launch blog, the system card, or the Glasswing update, meaning premium claims cannot be independently verified.
  • Anthropic has meanwhile filed confidentially for an IPO near a one-trillion-dollar valuation and expanded Glasswing to roughly 150 organizations, committing access and capital ahead of verification.

Recommendations

  • Treat AI-assisted vulnerability discovery as a commodity input and source it competitively. The showcase results are reproducible at low cost on public models. AI vulnerability harness runs should cost cents per million tokens, not tens of dollars or more. An open-source harness on commodity Haiku 4.5 and Sonnet 4.6 produced eight findings in two minutes for $0.75, two of them matching the Mythos showcase, at the discovery layer. The FreeBSD exploit was reproduced separately by Calif.io on the prior Opus 4.6 model in about four hours.
  • Do not pay Anthropic a premium or restructure operations on the basis of the Mythos security capability claim until an independent verification exists.
  • Require any AI security vendor to supply reproduction steps and verified, fixed CVEs rather than model-generated finding counts.
  • Set July 6, 2026 as a validation checkpoint, and reassess with the Glasswing report published and independently reviewed.

The flagship “discovery” was backlog recall

CVE-2026-4747 is a valid stack buffer overflow in FreeBSD. The code is a University of Michigan implementation that was patched by MIT in 2007. FreeBSD imported the unpatched code in 2008 and never applied the fix. This 2007 patch is present in the model’s training data, so the Mythos published exploitation demonstration took an old vulnerable operating system with a known missing patch and pointed at it. The result demonstrates how a known, undefended target can be flagged by AI, rather than discovery of anything unknown.

The danger warnings are much thinner than advertised. Mythos did send an email out of its sandbox to flag a bug, but only after being instructed to try, it showed no sign of altering its own weights, and prior models such as Opus 4.6 find these same flaws.

Discovery is reproducible at commodity cost

The CVE explanation should help clarify why independent parties have repeatedly reproduced the showcase findings on very inexpensive public models. AISLE confirmed the FreeBSD detection with eight of eight open-weight models, showing $0.11 per million tokens was a sufficient cost model. Vidoc reproduced it on the public Opus 4.6 model and on GPT-5.4. Cisco’s June 8 assessment across six frontier models showed the outcome is model-independent. The curl maintainers reported no change to their workflow, and Mozilla’s headline of 271 Firefox vulnerabilities reconciles to roughly three against the advisory record. Discovery at this level carries a published, commodity cost.

Niels Provos, who committed the 1998 flaw in BSD that Mythos used for their “discovery”, reproduced that finding and autonomously surfaced new zero-days using Opus 4.6, Sonnet 4.6, and the open-weight GLM 5.1 on his own open-source IronCurtain harness, concluding that discovery is an orchestration problem rather than a frontier-model one. Then clearbluejar ran the same class of pipeline on two open-weight models on a single consumer GPU and recovered CVE-2026-4747, finding that their scaffolding, again not the model, did the hard work.

The premium is unjustifiable as presented

Anthropic prices Mythos at roughly five times its public Opus model, from $25 to $125 per million input and output tokens, on the strength of exploit development rather than discovery. No replayable exploit with reproduction steps accompanies the launch blog, their very large and inefficient 244-page system card, or the late-May Glasswing update. A buyer cannot confirm the capability they are paying for, and the available reproductions indicate the defensible cost is a fraction of the quoted price.

Results are self-assessed, data is withheld

Anthropic’s interim Glasswing update reports results in stages that have undermined their own headlines.

Stage Figure What it represents
Total findings 23,019 The model’s ungraded output
Estimated high or critical 6,202 The model’s own estimate
Checked by a human or firm 1,752 28% of the high-critical pile, about 8% of the total
True positives among those checked 90.6% A statement about the 1,752, not the 23,019
Fixes shown 75 Out of 23,019

The 90.6% accuracy figure is from humans. The rest is just the model assessing its own output. Anthropic has also withheld the fixes used to derive the findings, the artifacts that would allow independent re-derivation. A result that can be validated only against the system that produced it, does not rise to the level of independent confirmation of its capability.

Extractive disclosure structure

The disclosure architecture inverts established norms, and economics are the reason why. Anthropic commits up to one hundred million dollars in model credits to a consortium of about a dozen large firms. The consortium attests to the capability that justifies restricting the model to the consortium, and the same firms sell the products and services that follow from that attestation. A rushed “emergency” memo about Mythos risks crediting 250 CISOs was apparently curated by security vendors who would capitalize on myths about machine risks. The most consequential findings instead have come from humans during the Glasswing period: the Palo Alto vulnerability that triggered a federal mandate was attributed to attackers operating in production. It was excluded from the company’s AI-credited count. Findings are directed to Anthropic while fixes fall to volunteer maintainers, even as the patch-generation step that a model can automate already runs in production for paying customers. Anthropic’s Claude Security product patched more than 2,100 vulnerabilities in three weeks for paying customers, while the open-source projects apparently have only received reports.

Market motivations

On June 1, 2026, Anthropic filed confidentially for an initial public offering following a funding round near a one-trillion-dollar valuation. On June 2, it expanded Glasswing to roughly 150 organizations across more than fifteen countries, covering power, water, healthcare, and communications. Access widened and capital was committed before any independent validation of the capability, and before the report Anthropic itself promised.

Several firms now trialling Mythos, including Google, Nvidia, and Cisco, are Anthropic investors, and Goldman Sachs, Morgan Stanley, and JPMorgan are reported to be in talks to underwrite the offering. The parties certifying the capability are the parties whose returns depend on it.

Outlook

Anthropic committed to a public report within ninety days of the April 7 launch, due around July 6, 2026. However, the question of novelty has been repeatedly answered. With each reveal, Mythos has failed to prove its initial claims. A report containing a verified CVE list with reproduction steps would substantiate the capability claim and the program’s premise. A report that restates model-graded headline figures without independent verification would confirm the pattern described here.

The prudent posture is to treat their unproven capability as unproven.

Morrell’s airship rose about 300 feet and then ripped apart and crashed, shortly after it’s first launch on May 23, 1908. Source: The Jive Bomber

References: flyingpenguin series

  1. The Boy That Cried Mythos: Verification is Collapsing Trust in Anthropic, April 13, 2026.
  2. America Prepares as Anthropic Mythos is 100X More Deadly Than Martian Death Ray, April 13, 2026.
  3. FreeBSD CVE-2026-4747 Log Suggests Mythos is a Marketing Trick, April 14, 2026.
  4. Cartel or Not? Anthropic Mythos is a Curious Case, April 15, 2026.
  5. Ox Security Report: Anthropic MCP is Execute First, Validate Never, April 15, 2026.
  6. How SANS Mythos Marketing Disappoints Defenders, April 16, 2026.
  7. Mythos Mystery in Mozilla Numbers: How 22 Vulns Became 271 or Maybe 3 in April, April 22, 2026.
  8. Alisa Esage Throws Mythos Under Zero Day Bus, April 24, 2026.
  9. Anthropic Mythos as Valuable as a Firehose in a Blizzard, May 2, 2026.
  10. Seventy-Five Cents Gets You an Anthropic Mythos Killer, May 4, 2026.
  11. cURL Toe to Toe With Mythos: Big Nothingburger Leaves Bad Taste, May 12, 2026.
  12. Palo Alto Defender’s Guide Refutes Mythos Claim, May 13, 2026.
  13. I’m on Mythos, May 25, 2026.
  14. Mythos Grading Mythos: Got Patches Yet?, May 26, 2026.
  15. Cisco’s Mythos Post Throws Anthropic Under the Bus, June 8, 2026.

References: Anthropic program materials

  1. Project Glasswing (program page), Anthropic.
  2. Project Glasswing: An initial update, Anthropic, late May 2026. Source of the 23,019 / 6,202 / 1,752 / 90.6% / 75 figures and the 90-day disclosure convention.

References: independent reproduction and refutation

  1. AISLE reproduction: eight of eight open-weight models detect CVE-2026-4747, one at $0.11 per million tokens. Documented in references 1 and 10.
  2. Vidoc reproduction on public Opus 4.6 and GPT-5.4. Documented in reference 10.
  3. Nicholas Carlini’s personal confirmation that he found CVE-2026-4747 using Mythos Preview, placing it outside his February 5 paper. Documented in references 3 and 10.
  4. Cisco frontier-model assessment, six models across 1.8 billion lines of code. Documented in reference 15.
  5. Palo Alto Networks May 2026 Defender’s Guide and the CVE-2026-0300 advisory, with the federal-mandate CVE attributed to attackers in production and excluded from the AI-credited count. Documented in reference 12.
  6. Mozilla Foundation Security Advisory 2026-30 (Firefox 150) and Bobby Holley, “The zero-days are numbered,” Mozilla blog, April 21, 2026. Documented in reference 7.
  7. Claude Mythos Preview system card (244 pages), Anthropic. Documented in reference 1.
  8. Finding Zero-Days with Any Model, Niels Provos, April 29, 2026. Reproduced the OpenBSD SACK finding and surfaced new zero-days with commercial and open-weight models on the open-source IronCurtain framework.
  9. System Over Model, Tested: Reproducing Mythos’s FreeBSD Find on Local Open-Weight Models, clearbluejar, June 4, 2026.
  10. System Over Model: Zero-Day Discovery at the Jagged Frontier, Stanislav Fort, AISLE, April 2026. The nano-analyzer pipeline reproduced CVE-2026-4747 for under $100.

References: press on the June expansion and IPO filing

  1. Anthropic scales Claude Mythos to critical infrastructure in 15+ countries, TechCrunch, June 2, 2026.
  2. Anthropic expanding access to Project Glasswing, CyberScoop, June 2026. Source for Claude Security patching 2,100+ vulnerabilities in three weeks.
  3. Anthropic expands Mythos to 150 additional organizations in more than 15 countries, CNBC, June 2, 2026.
  4. Anthropic expands Project Glasswing to 150 organizations in more than 15 countries, Help Net Security, June 3, 2026.
  5. Experts: Anthropic’s move to expand Project Glasswing will end in Mythos public release, Cybernews, June 2026.
  6. From Anthropic’s Mythos to the Birkin bag, scarcity sells, John Foley, Lex, Financial Times, April 23, 2026.
Security

Cisco’s Mythos Post Throws Anthropic Under the Bus

Leave a comment

Cisco has posted their assessment of Anthropic’s latest model and it is close to the opposite of “Mythos is working for them.” Their post emphasizes most that the model is interchangeable. They ran six frontier models (Mythos and GPT-5.5-Cyber named among them) on 1.8 billion lines of code to show their results are not tied to any one of them. The line they keep returning to is that the model is an accelerant while the harness is the engine.

Commodity unix box painted white with a bridge on the side. Do not open.

Of course we have to pause and reflect on why it’s an executive post by their Chief Security & Trust Officer yet it carries no disclosed methodology. Does Cisco think trust comes from lack of transparency? I get that the Cisco security executive is selling Cisco’s harness as a counter-argument to Anthropic. I’m just curious why it’s lacking the kind of specificity a harness buyer would be looking into. Fun history fact: the first “Chief Information Security Officer” job was invented in 1995 for Steve Katz to calm Wall Street after Russians popped the funds-transfer system.

But I digress. The sub-3% false-positive rate being claimed by Cisco in their post is clearly a measure of their human-in-the-loop after triage. It cannot be attributed to the model, and it cannot be attributed to the harness either. It is a measure of people filtering machine output.

From there the post gets weird because it tries to contrast legacy static analysis (one finding per ten thousand warnings) against Cisco’s false-positive rate. One is a precision number, the other a false-positive number. That doesn’t add up.

Maybe I shouldn’t be surprised. Despite claims to being agnostic, no per-model variance is published. And their post headline has the same problem. “Eight years of work in eight weeks” is supposed to sound like they made a measurement. They didn’t. Cisco ran the scan in eight weeks. And then they made up an eight years estimate. Nobody worked eight years. It’s a guess about how long humans take to do something, without revealing how they cooked the estimate. Guess any slower and the number gets bigger. Guess faster and it shrinks. Why not eight gabookles? I believe them on lines scanned and the languages covered. The eight years sounds like management hallucination.

The figures Cisco published cannot be reproduced from anything Cisco released. If Cisco wanted to throw Anthropic under a bus (I almost said off a bridge), this is how it’s done.

Security

ToxicSkills Revisit: Loch Ness Levels of Mythical AI Risk

Leave a comment

In 2012 I rambled at BSidesLV that if you flood a system with enough volume and velocity, it fills with monsters that were never there (oh, and also that political coups would get easier with social media poisoning). Over the past week I was asked to assess nearly 70,000 AI agent skills, and I could not stop thinking about that mythical monster.

A regex pass flagged one in eight skills for critical risk. But then I went through the flags and 95% were nothingburgers: an installer, the author’s own API key, a cron job doing cron jobs.

Who wants to buy a Loch Ness Skill shirt?

Grey t-shirt with a line-art Loch Ness monster forming a code glyph, text reading Loch Ness Skill, 5% critical, 95% never there.

Perhaps you already know what I’m talking about. The agent skills are on ClawHub, behind the disaster known as OpenClaw. As you may recall, Snyk and Invariant published ToxicSkills last February, a real audit of this ecosystem, across 3,984 skills drawn from ClawHub and skills.sh. When I was asked to walk the live index today, I found 68,321 unique skills on ClawHub alone. That’s an AI-generated explosion of seventeen times the skills, in just four months.

Aside from the jump in numbers, three things from February look stale, right out of the gate. First, the named indicators are nowhere to be found: the eight skills the report listed as live, and the four authors behind them, are absent from what I saw. Second, the index keeps moving, and two skills I pulled for this study suddenly returned 404, and stayed gone when I rechecked. They were removed after I had begun, whether by registry takedown or author unpublish is unknown. That’s because, third, the registry now scans itself, with per-version VirusTotal, an LLM scanner, and capability tags that did not exist in February.

I did a static review, given each skill’s bundle is just a simple ZIP, which is all you need to read it without ever running it. Nothing in this study was executed. Luckily, I already had a tool laying around the office: an eight-policy regex detector within Lyrik that can mirror the ToxicSkills taxonomy. Using a sample of 1,500 skills it basically showed what a pattern scanner sees.

The regex detection pass flagged 12.6% of skills as critical and 53.8% as having some issue. But reading these flags revealed legitimate agent-skill overlaps the malicious-pattern match almost completely. A run-of-the-mill installer (uv, aliyun, foundry) shows up as a suspicious download. A scheduling command shows up as dangerous persistence. A skill cleaning up its own directory shows up as a destructive delete. A doc that says “export your API key” reads as credential dumping. You can probably see the problem, because it’s obvious to the human eye. The emoji’s zero-width joiner reads as Unicode smuggling.

A regex number of 12.6% measures patterns, not malware, so there’s an important judgment layer missing. Is the delete helpful or malicious? You have to be the judge because the tool can’t.

I thought about researching whether the “malicious prevalence fell from 13.4% to X.” Too many variables ruin the idea. The instrument, the definition, and the population all differ. Snyk ran a model engine; I ran a regex baseline and then a model adjudicator under a different threat model. Their critical classes include prose prompt injection, which I carved out because the method can’t see it. They deduplicated two registries in the dinosaur days of last February; mine is a sample of ClawHub today, and the worst skills they found were removed. The only fair comparison is the size and named indicators disappearing from the index. Everything else is an independent measurement, perhaps for the better. Perhaps an apples-to-apples is for a later day.

The February post said this about its detectors:

intentionally tuned to minimize false positives on widely adopted legitimate skills; these numbers represent real risk, not scanner noise.

I did not run their stuff so I cannot speak to the veracity of this claim. But I can surely ask out loud today whether throwing flags is really the best approach? The answer is they are peddling mostly noise, and the report’s own authors admit it: they write that single-LLM or regex-only scanners miss the behavioral prompt-injection patterns their engine catches.

My research seems to prove that their pattern layer does not just miss things. It invents them.

This is what I learned when I took Lyrik, as a code auditor that scores findings twice against a written rubric, to see whether a bundle, by static evidence alone, performs or installs a dangerous action that the user-facing description does not surface. I searched primarily for what I decided to flag as something “undisclosed-dangerous”.

The cleanest example of what this means is a skill called auto-domain. Its description promises only to detect a port and hand you a public URL. Its bundled script downloads a native binary from a stranger’s personal repository, makes it executable, runs it as a persistent background daemon, and routes your traffic through a bare IP address. The script’s own help text lists the backend, while the description a user sees does not.

As expected, credential leaks are all over the place, even though not all the same. Authors commit their own API key into their own skill. That endangers the author and invites abuse of their quota. A smaller set is more interesting: live database credentials and a WeChat secret reach infrastructure other users touch. In one case, called deepseek-balance, it falls back to sending the user’s Anthropic token to a different vendor.

On the flags the regex layer called critical, Lyrik confirmed 9 of 188. More than 95% of what the pattern scanner called critical was cleared with a cited reason. Of everything Lyrik flagged, its label was right 26 times out of 37, about seventy percent, with a wide interval at that sample size. It never once fabricated evidence: every secret and endpoint it cited was real in the bundle.

The method used was blind to two things. First, as mentioned above, it does not read prose prompt injection, the natural-language attack hidden in the description itself. That is one of the three classes the regex baseline leaned on hardest, and Lyrik isn’t yet designed to do anything about it.

The second blind spot is the one the study quantified. Static analysis of a bundle can’t see code in an external clone, or a remote install target. That’s notable when 4.5% of flagged skills hide their payload outside the bundle, and 3.2% ship a confirmed dangerous one inside. Roughly as many skills put the dangerous stuff where you cannot look as put it where you can.

The security vendor posts usually end with a self-serving call-to-action. Every section resolves to a product, and the last screen is a demo button. That’s a reasonable step since it’s saying they can help with the problem they just described.

I suppose I’m different because I have nothing to sell you here. My concern is the skills you install today have access to your credentials today, whether or not anyone monetizes you being alarmed about it. A regex scanner will hand you a number that is 95% mythical and call it risk. That’s operator-fatigue levels of noise. A better system runs at about seven in ten right and never invents evidence. Lyrik is free and open source, like many of the best tools, so there’s not a reason to buy anything. It is a reason to read the skills before you run, and to be wary of any system that doesn’t prevent bad skills.

In 2012 the joke was that big data was going to be so vulnerable that we would be hunting monsters that didn’t exist. Fourteen years later I’m seeing a reported critical rate that’s 95% mythical.