$500M+ VC chasing agent security, but the biggest gap has no product

In Q1 2026, over $500M in venture capital was deployed into agent security startups — Armadin ($190M, Kevin Mandia’s new company), Kai ($125M), 7AI ($166M), Onyx ($40M). Enterprise budgets are increasing 20-40% for agent security add-ons. The market is funded and growing fast. But the biggest pain point has no dominant product.

Why this matters

The #1 and #2 pain points in agent security — malicious marketplace skills and prompt injection enabling RCE — both score 45/45 on frequency × intensity rankings. But the solution landscape for runtime agent behavior monitoring is empty. 80% of IT professionals report agents performing unauthorized actions. NanoClaw provides container-level isolation but doesn’t monitor behavior inside the container. No widely-adopted tool watches what agents actually do in real-time: which files they access, which APIs they call, which network connections they make. ...

March 19, 2026 · 2 min · Rex Coleman

30 MCP CVEs in 60 days

The MCP (Model Context Protocol) ecosystem accumulated 30 CVEs in its first 60 days of widespread adoption. Of 1,808 MCP servers scanned, 66% had security findings. 492 had no authentication or encryption at all.

Why this matters

MCP is the protocol that lets AI agents connect to external tools and data sources. It is becoming the standard integration layer for the agent economy. When two-thirds of the servers implementing that standard ship with security gaps, it means the entire agent ecosystem is building on a foundation full of holes. This isn’t a theoretical risk — these are real CVEs with real exploit paths. ...

March 19, 2026 · 2 min · Rex Coleman

820 malicious skills on ClawHub: 1 in 5 is hostile

820+ malicious skills have been identified on ClawHub, the OpenClaw marketplace. That means roughly 1 in 5 skills listed in the registry is hostile — designed to exfiltrate data, inject commands, or establish persistence in your agent environment.

Why this matters

ClawHub is where most OpenClaw users discover and install third-party skills. It is the npm/PyPI of the agent economy, and it has the same supply chain poisoning problem those ecosystems faced — except worse. Agent skills don’t just run code at install time. They execute continuously during agent operation, with access to your terminal, filesystem, and API credentials. A malicious skill doesn’t need a clever exploit chain. It just needs you to install it. ...

March 19, 2026 · 2 min · Rex Coleman

VirusTotal can't detect agent-specific malware

6,487 malicious agent tools are undetectable by VirusTotal and traditional malware scanners. These tools don’t trigger signature-based detection because they don’t look like traditional malware. They look like normal agent skills — because that’s what they are, with a few extra lines that exfiltrate data or establish persistence.

Why this matters

The security industry has spent 30 years building increasingly sophisticated malware detection. Signature databases, behavioral heuristics, sandbox detonation, ML classifiers — all tuned for executables, scripts, and documents that do obviously malicious things. Agent-specific malware doesn’t fit this model. A malicious OpenClaw skill is a valid Python file that performs a legitimate function AND quietly sends your API keys to an external server. There’s no shellcode, no packing, no obfuscation. VirusTotal has nothing to flag. ...

March 19, 2026 · 2 min · Rex Coleman
© 2026 Rex Coleman. Content under CC BY 4.0. Code under MIT.