February 2026: AI Agents Are Under Siege
The last eight weeks have been a reckoning for the agentic AI ecosystem. What started as a viral open-source success story has turned into a rolling security catastrophe that shows no signs of slowing down.
OpenClaw — formerly Clawdbot, briefly Moltbot — rocketed to 180,000 GitHub stars and millions of installs. Then the security researchers arrived. CVE-2026-25253 (CVSS 8.8) enabled one-click remote code execution via WebSocket token exfiltration. Over 42,000 unprotected instances were found on Shodan. The ClawHavoc campaign planted 335 malicious skills on ClawHub, delivering Atomic Stealer to anyone who installed them. Snyk found that 7.1% of the entire ClawHub registry leaked API keys and credentials by design.
But OpenClaw is just the headline. Moltbook was breached in under three minutes by Wiz researchers, exposing thousands of email addresses and private messages. Manus was found vulnerable to prompt injection that exposes VS Code servers directly to the internet. The Moonwell DeFi protocol lost $1.78 million in what researchers called the first major security failure of the "vibe coding" era. Chinese hackers weaponized a jailbroken Claude to launch autonomous cyberattacks. And a supply chain attack on Nx npm packages specifically targeted AI coding tools for reconnaissance and data theft.
The pattern is clear: AI agents have become the highest-value targets on the internet, and the ecosystem has no immune system.
The SKILL.md Paradox: The Attack Vector That Becomes the Defense
Here is the irony. The Agent Skills standard — the same SKILL.md format that ClawHavoc weaponized to deliver malware — is also the most natural way to distribute security tooling to AI agents.
Agent Skills are an open standard created by Anthropic and adopted across Claude Code, Manus, OpenCode, Vercel AI SDK, and others. A skill is a directory containing a SKILL.md file with YAML frontmatter and markdown instructions. Agents discover skills automatically and load them when relevant to a task. The format uses progressive disclosure — agents see the name and description first, then load full instructions only when needed.
When an operator tells their agent "secure this server" or "install security monitoring," the agent should be able to discover and execute a skill that does exactly that. Today, we are shipping that skill.
Introducing the 1-SEC Agent Skill
The 1sec-security skill packages everything an AI agent needs to install, configure, and operate full-stack security on its own host. One skill, one command, 16 defense modules running in seconds.
The skill follows the Agent Skills specification: a SKILL.md with YAML frontmatter, a scripts directory with an automated install-and-configure script, and a references directory with a detailed VPS agent deployment guide. Any compatible agent — Claude Code, OpenCode, Manus, or anything that supports the Agent Skills standard — can discover and use it.
What the Skill Does
When an agent loads the 1sec-security skill, it gets step-by-step instructions to install 1-SEC via a single curl command, run non-interactive setup, apply the vps-agent enforcement preset, and start the engine. The entire process takes under 60 seconds and requires zero human intervention.
The vps-agent preset is purpose-built for AI agent hosts. It is aggressive on the modules that matter most — auth, LLM firewall, AI containment, runtime file integrity, and supply chain — while relaxing thresholds on modules less relevant to a single-VPS agent like IoT and quantum crypto.
What Gets Protected
Once running, the agent host has real-time defense across every attack vector that has been exploited in the wild this month. The LLM Firewall scans all inputs with 65+ prompt injection patterns. The Supply Chain Sentinel catches typosquatting and malicious skill installations. The Runtime Watcher monitors SOUL.md, MEMORY.md, and .env for tampering. The Auth Fortress detects stolen tokens and brute force. The Network Guardian catches C2 beaconing and data exfiltration. The AI Agent Containment module enforces least-privilege policies on tool usage and scope escalation.
All 16 modules share a NATS JetStream event bus. When the Supply Chain Sentinel flags a suspicious skill installation and the Runtime Watcher detects .env access and the Network Guardian sees an outbound connection to a known C2 IP, the Threat Correlator links them into a single incident alert. That is the difference between three low-priority tickets and an immediate containment response.
The VPS-Agent Preset: Built for Autonomous Hosts
The vps-agent enforcement preset has been significantly updated to address the specific threat landscape facing AI agent deployments in February 2026.
Escalation Timers for Unattended Hosts
AI agent VPS instances typically have no human SOC team watching in real time. If a CRITICAL alert on auth_fortress sits unacknowledged for five minutes, the host is probably under active attack with nobody watching. The vps-agent preset now ships with escalation enabled and aggressive timeouts: 3 minutes for CRITICAL (re-notify up to 5 times), 10 minutes for HIGH (escalate to CRITICAL, 3 times), and 20 minutes for MEDIUM (escalate to HIGH, twice). These are significantly shorter than the defaults because autonomous hosts need faster automated response.
No Approval Gates for Critical Actions
The default approval gate requires human approval for destructive actions like kill_process and quarantine_file. That makes sense for a staffed SOC. It makes no sense for an autonomous agent host where there is nobody to click "approve." The vps-agent preset disables approval gates entirely and marks critical actions with skip_approval flags. When ransomware is encrypting files or a malicious skill is exfiltrating credentials, the response engine acts immediately.
Webhook Notifications to Every Major Platform
Since there is no human watching the console, webhook notifications are the primary alerting channel. 1-SEC now supports native notification templates for Slack, Discord, Telegram, PagerDuty, and Microsoft Teams — producing the exact JSON schema each service expects. No translation proxy needed. Configure a webhook URL and a template name, and alerts arrive formatted correctly in your channel of choice.
Every Recent Attack, One Defense
Here is how the 1sec-security skill addresses every major compromise from the past eight weeks.
ClawHavoc Malicious Skills (335 Payloads)
The Supply Chain Sentinel detects typosquatting via Levenshtein distance analysis and flags dependency confusion patterns. The Runtime Watcher catches Atomic Stealer behavior: LOLBin usage, persistence mechanisms, and file system modifications to .env and credential stores. The vps-agent preset quarantines suspicious files at MEDIUM severity and kills malicious processes at HIGH — no approval gate, no delay.
CVE-2026-25253 Token Exfiltration
The Auth Fortress detects stolen token usage by correlating token presentation with session context. If a token appears from a new IP or impossible travel scenario, it raises a CRITICAL alert and blocks the source. The LLM Firewall output rules catch JWT tokens and API keys before they leave the agent response pipeline. Even on unpatched instances, the exploit chain is broken at multiple points.
Moltbook Breach (3-Minute Hack)
The API Fortress detects unauthenticated access attempts and rate limit violations on the agent control plane. The Network Guardian catches port scanning and unauthorized inbound connections. The vps-agent preset blocks API abuse at MEDIUM severity with a 2-hour block duration.
Manus Prompt Injection and Port Exposure
The LLM Firewall scans all content entering the agent context — including RAG context and browsed pages — with 65+ patterns covering direct injection, indirect injection, encoding evasion, and multi-turn attacks. The AI Agent Containment module flags unauthorized port exposure as a policy violation and the Network Guardian detects newly opened ports.
Credential Leakage Across Frameworks
The LLM Firewall output rules detect API key patterns (sk-*, AKIA*, ghp_*), private keys, JWT tokens, connection strings, and PII in real-time. The Cloud Posture Manager detects secrets sprawl in configuration files and environment variables. The Runtime Watcher monitors .env files for unauthorized access.
Moonwell $1.78M DeFi Loss
The Injection Shield catches command injection via agent tool execution. The AI Agent Containment module enforces least-privilege policies and detects scope escalation. The Threat Correlator links suspicious code generation with subsequent unauthorized transactions into unified incident alerts.
Deploy in 60 Seconds
For agent operators, the deployment is trivial. Place the 1sec-security skill directory where your agent discovers skills, or simply tell your agent to secure the server.
For manual deployment on any VPS hosting an AI agent:
curl -fsSL https://1-sec.dev/get | sh 1sec setup --non-interactive 1sec enforce preset vps-agent --dry-run 1sec up
That is four commands. The first installs the binary. The second configures it non-interactively. The third applies the vps-agent enforcement preset in dry-run mode so you can audit before going live. The fourth starts all 16 modules.
When you are satisfied with the alerts, disable dry-run:
1sec enforce dry-run off
Configure at least one notification channel so you get alerted:
1sec config set webhook-url https://hooks.slack.com/services/YOUR/WEBHOOK/URL --template slack
Or for Telegram:
1sec config set webhook-url https://api.telegram.org/botYOUR_TOKEN/sendMessage --template telegram --param chat_id=-1001234567890
Or Discord, PagerDuty, Microsoft Teams — all supported natively.
Why This Has to Be Open Source
The agentic AI ecosystem is built on open source. OpenClaw is open source. Manus runs on open infrastructure. The Agent Skills standard is an open specification. The security layer protecting these systems must be open source too.
Every detection rule in 1-SEC is auditable. Every enforcement action is logged. Every pattern in the LLM Firewall can be inspected, modified, and extended. When a new attack technique emerges — and it will, probably next week — the community can add detection patterns without waiting for a vendor patch cycle.
Closed-source security tools that ask you to trust a black box are a poor fit for an ecosystem where the number one attack vector is hidden instructions in trusted-looking content. You need to see what your security tool is doing. You need to verify it is not itself a supply chain risk.
1-SEC is AGPLv3. The code is on GitHub. Build it from source if you want. That is the kind of security tool that earns trust in an ecosystem where trust is the scarcest resource.
What Comes Next
The 1sec-security skill is available now in the project repository. We are working on publishing it to skill registries as they mature. The vps-agent preset updates, Telegram notification template, escalation timer integration, and approval gate configuration are all shipping in the current release.
The agent security landscape is moving fast. New attack techniques appear weekly. New frameworks launch monthly. The threat model for autonomous AI agents is fundamentally different from traditional server security — these systems process untrusted input, execute arbitrary tools, and maintain persistent memory that can be poisoned.
One binary. Sixteen modules. Zero config required. That is the pitch, and it has never been more relevant than right now.