Newsletter Issue #15

This week’s Secure Prompt: OpenClaw Control UI hijacking enables agent takeover, 0-click RCE hits AI desktop connectors, and a CVSS 9.8 RAG supply-chain flaw exposes autonomous workflows.

🚨 AI SECURITY PULSE

Hello!

Welcome back to the 15th edition of Secure Prompt!

This week's AI security landscape was dominated by a single uncomfortable theme: when AI systems can take actions, even small inputs—a hidden prompt in a button, a calendar event, or a crafted document attachment—can cascade into real-world compromise. The OpenClaw agent platform emerged as the week's central crisis, with a critical Control UI vulnerability enabling unauthenticated token exfiltration and a marketplace found to contain malicious skills in 12% of reviewed entries.

Meanwhile, the software supply chain took another hit via a CVSS 9.8 path traversal flaw in a widely used RAG ingestion library, while researchers quantified the "long tail" of security bugs in AI-generated code and called for a shift to secure-by-construction generation.

On the regulatory front, the European Commission missed its AI Act deadline for high-risk guidance, and the U.S. DOJ stood up an AI Litigation Task Force—signals that governance frameworks are still racing to catch up with the threat surface they're meant to govern.
