Hundreds of autonomous AI agent servers are sitting wide open on the internet right now, leaking API keys, OAuth secrets, and bot tokens to anyone who looks. That finding, from penetration tester Jamieson O'Reilly at DVULN, is just one data point in a growing pile of evidence that AI agents are outrunning the security practices meant to contain them.
A detailed report from Krebs on Security lays out the current state of AI agent security, and the picture is not reassuring for anyone handing these tools real permissions.
The Inbox That Deleted Itself
The most visceral example comes from Summer Yue, a safety director at Meta. Her OpenClaw agent (an open-source autonomous AI tool released in November 2025) suddenly started mass-deleting messages from her email inbox. She had to physically intervene to stop it.
This is what happens when you give an AI agent access to your email, calendar, and files without strict guardrails. The agent wasn't hacked. It just made a bad decision with real permissions.
O'Reilly's scan found hundreds of exposed OpenClaw web interfaces with a cursory search. Each one leaked the complete configuration file, including every credential the agent uses. That means attackers don't need to break in. The front door is open.
Prompt Injection: Machines Social-Engineering Machines
Security researcher Simon Willison describes the core problem as a "lethal trifecta": an AI agent that has access to private data, gets exposed to untrusted content, and can communicate externally. Most useful agent setups hit all three.
The attack vector is prompt injection, where natural language instructions hidden in emails, documents, or web pages trick the AI into doing something its owner never intended. Researchers at Orca Security warn that AI agents with network access become vectors for lateral movement (spreading from one compromised system to others on the same network) through prompt injection buried in overlooked data fields.
A real-world example landed in January. Attackers hit Cline, a popular AI coding assistant, through a supply chain attack. They exploited a GitHub action with weak input validation by submitting an issue whose title was crafted to look like a performance report. The title contained embedded installation instructions that compromised Cline's nightly release workflow. In February, Amazon AWS reported that a Russian-speaking threat actor used multiple commercial AI services to compromise over 600 FortiGate devices across 55+ countries, despite having "limited technical capabilities." The AI tools filled in the skill gaps.
What This Means If You Use AI Agents
The practical advice from security practitioners is blunt. James Wilson of Risky Business says even skilled users should isolate AI agents using virtual machines, isolated networks, and strict firewall rules before deployment. Not after a breach. Before.
The market is taking notice too. When Anthropic announced Claude Code Security features, major cybersecurity companies lost roughly $15 billion in combined market value in a single trading day. Investors read that as a signal that AI companies are absorbing security functions that used to belong to standalone vendors.
Laura Ellis at Rapid7 pushes back on that narrative, arguing AI tools won't replace legacy security. But the spending shift is already happening.
For the millions of people now using AI agents to manage email, write code, and automate workflows, the takeaway is concrete: audit what permissions your agents actually have. Most people grant broad access during setup and never revisit it. Every API key, every OAuth token, every calendar permission is an attack surface. O'Reilly puts it plainly: "The robot butlers are useful, they're not going away," and widespread adoption is "inevitable regardless of the security tradeoffs." The question is whether users will lock down their agents before someone else finds the open door.
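Willison's "lethal trifecta" and the closing advice to audit agent permissions can be turned into a concrete check: map each granted tool to the trifecta property it confers and see whether all three co-occur. The following is an added example, not code from the Krebs report, OpenClaw, or any project named here; the tool catalogue and the sample grants are constructed assumptions.

```python
"""Added example (not from the Krebs report or any agent project): check an
agent's tool grants for Willison's "lethal trifecta" and suggest the
smallest revocation that breaks it. Tool catalogue and sample grants are
constructed for illustration."""

PRIVATE, UNTRUSTED, EXFIL = "private_data", "untrusted_content", "external_comms"
TRIFECTA = (PRIVATE, UNTRUSTED, EXFIL)

# Hypothetical catalogue: which trifecta properties each tool confers.
# Inbound mail and fetched pages count as untrusted content; anything that
# can send messages or make outbound requests counts as an exfil channel.
TOOL_PROPERTIES = {
    "read_inbox": {PRIVATE, UNTRUSTED},
    "send_email": {EXFIL},
    "read_files": {PRIVATE},
    "calendar": {PRIVATE},
    "fetch_url": {UNTRUSTED, EXFIL},
    "run_shell": {PRIVATE, EXFIL},
}


def audit_grants(granted):
    """Map each trifecta property to the granted tools that confer it.
    Unknown tools are refused rather than assumed harmless."""
    unknown = sorted(t for t in granted if t not in TOOL_PROPERTIES)
    if unknown:
        raise ValueError(f"uncatalogued tools: {unknown}")
    return {p: sorted(t for t in granted if p in TOOL_PROPERTIES[t])
            for p in TRIFECTA}


def is_lethal(granted):
    """True when the grants cover all three properties at once."""
    return all(audit_grants(granted).values())


def cheapest_fix(granted):
    """Smallest set of tools to revoke so the trifecta no longer holds.
    Revoking every tool behind the rarest property breaks the combination;
    an empty list means the grants already fall short of the trifecta."""
    if not is_lethal(granted):
        return []
    return min(audit_grants(granted).values(), key=len)


if __name__ == "__main__":
    # Constructed sample: an email-and-calendar assistant with web access.
    sample = ["read_inbox", "calendar", "fetch_url"]
    for prop, tools in audit_grants(sample).items():
        print(f"{prop:18} <- {', '.join(tools) or '(none)'}")
    print("lethal trifecta:", is_lethal(sample))
    print("revoke to break it:", cheapest_fix(sample))
```

Run it against your own agent's tool list after replacing the catalogue with the tools you actually granted; a non-empty revocation list is the permission to revisit first.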