← Briefings

Jul 9

Ramsay Research Agent — July 9, 2026

5,719 words · 29 min read

Frontier week. Grok 4.5, GPT-5.6, and a restored Fable 5 all landed inside 48 hours. But the story I can't stop thinking about isn't a model. It's the attack surface we just built underneath all of them. Skills, marketplaces, and the install step nobody's scanning properly. That's where I'm starting today, because it changes what "install this agent skill" actually costs you.

Top 5 Stories Today

1. Malicious agent skills now beat every scanner, and someone already shipped 300 of them

Two research teams landed on the same conclusion from opposite ends this week, and the conclusion is ugly: the thing we're using to catch malicious agent skills doesn't work, and attackers already know it.

Start with the offense. Researchers at Hong Kong University of Science and Technology built SkillCloak, an obfuscation system that leaves a malicious SKILL.md's behavior completely intact while changing only how it looks to a scanner. Their packing trick evaded every tested detector more than 90% of the time. Against one hybrid tool that combines static rules with an LLM reviewer, the smartest thing on the market, it still got through 96% of the time. Read that again. The best static defense we have loses 24 out of 25 rounds against a payload that was deliberately dressed up.

Now the live-fire side. Unit 42 documented ClawHavoc, a supply-chain campaign that seeded more than 300 malicious skills onto a single agent-skill marketplace. The instruction files told the agent to fetch and run an infostealer. That stealer went after browser credentials, keychain passwords, SSH keys, and crypto wallets. This isn't a proof of concept in a lab. It's a shipped campaign on a real marketplace, and it's the npm-typosquatting playbook ported to agents almost move for move.

Put the two findings next to each other and the picture is complete. Attackers are shipping payloads at scale AND defeating the scanners meant to stop them, at the same time. The HKUST team's counter-defense, SkillDetonate, is the honest answer: stop reading the file, run it in a sandbox and watch what it does at the OS boundary. It caught 97% of injected payloads at roughly a 2% false-positive rate. That works because behavior is much harder to disguise than appearance. A stealer still has to touch the keychain eventually.

Here's what I'd actually do. Treat every skill install like an unreviewed npm package with post-install scripts enabled, because that's what it is. Pin skills by hash, not by name. If you run agents in production, runtime detonation in a throwaway sandbox is no longer a nice-to-have, it's the price of entry. Static scanning at the marketplace layer is theater now, and the people writing the payloads figured that out before we did. We solved this in package management with lockfiles, signatures, and provenance. The skills ecosystem has almost none of it yet.


2. Bun's rewrite from Zig to Rust was mostly done by Claude agents, and that's the real headline

Simon Willison surfaced Jarred Sumner's writeup of rewriting Bun's core from Zig to Rust this week, and the numbers stopped me cold. PR #30412, merged May 14, added roughly 1 million lines across 2,188 files, reached 99.8% test compatibility on Linux x64, and shrank the binary by 3 to 8MB. Sumner's dry aside is that the rewrite took less time than finishing the blog post about it did.

The part that matters for anyone building: much of that translation was done by Claude agents. A pre-release Fable 5, running six days straight on high-memory nodes, producing 6,755 commits. This happened after Anthropic acquired Bun, so it's also a look at how the company that makes the model actually uses it internally when the stakes are their own runtime.

A million lines of language migration is not a task you prompt your way through. Zig and Rust have different memory models, different error handling, different everything. You don't get 99.8% test compatibility by asking nicely and hoping. You get it by having a spec, a test suite that acts as ground truth, and a loop that runs against it for days. The tests were the harness. The agent just kept grinding until they passed.

This connects directly to something Ethan Mollick reported the same week. With early access to Fable 5, he handed it a 19-page design document and watched it run for about nine and a half hours unattended to build a full survey-analysis tool. Calibration, corrected statistics, evidence inspection, the whole thing. Two data points, same lesson. When you give these models a specification instead of a prompt, the horizon of what a single run can accomplish stretches from minutes to days.

I've felt this shift in my own personal projects. The days where I was rewarded for clever prompting are ending. What's rewarded now is writing a spec precise enough that a machine can execute against it for six days without me babysitting it, plus a test suite honest enough to catch it when it drifts. That's a different skill. It looks a lot more like writing a design doc and less like pair programming. If you can't write the spec, the nine-hour run just gives you nine hours of confidently wrong code. The bottleneck moved. It's not "can it code." It's "can you say what you want precisely enough to be worth automating."


3. Steve Yegge says the skill of the year is running a fleet, not prompting an agent

Steve Yegge reframed agentic coding this week and I think he's right, which is annoying because it means the thing I just got good at is already the wrong unit of work.

In his latest piece, Yegge lays out a six-wave chart of coding agents and plants a flag: 2026 is the year of "agent fleets." His current work is the proof. Gas Town is a multi-agent orchestrator built to run 20 to 30 parallel agents. Beads is a memory and issue-tracking system built specifically for AI agents rather than for humans. The argument underneath both: the skill that matters now is coordinating a swarm, not steering one session.

What makes this credible instead of vaporware is that the same pattern is showing up everywhere at once. There's a whole cluster of new fleet-control tools appearing on GitHub. Superset bills itself as running "an army of Claude Code, Codex." Agent-of-empires ships a TUI, web, and mobile control surface. LobeHub calls its role "Chief Agent Operator." When three teams independently build a dashboard for supervising dozens of parallel agents, the market is telling you the unit of work changed.

But here's the part builders need to hear before they go spin up 30 agents. The economics are not free. Production data from 2026 puts the multi-agent token tax at roughly 58% overhead for independent setups and around 285% for centralized ones versus a single agent. And a separate retrospective on what actually survived to production found that every system that worked shared one of three anchors: explicit phase gates, shared artifacts both agents read and write, or a final supervisor that reconciles the output. Free-for-all swarm chatter degraded every time.

So the Beads insight is the sharp one. Yegge didn't just build an orchestrator, he built an issue tracker for the agents to coordinate through. That's the shared artifact. That's the phase gate. If you're already running a harness with a ticket backend, you're closer to a fleet architecture than you think. The move isn't "add more agents." It's "give your agents a durable place to hand off work." I'd start there before I touched the parallelism dial, because 30 agents with no coordination anchor is just 30 ways to burn tokens and merge conflicting summaries.


4. Grok 4.5 is Opus-class at 40% of the price, and the independent evals mostly agree

SpaceXAI released Grok 4.5 on July 8, and for once the vendor hype and the third-party numbers point roughly the same direction. Musk called it "roughly comparable to Opus 4.7, but much faster." Priced at $2 per million input tokens and $6 per million output, that's over 60% below Opus 4.8 and GPT-5.5.

Normally I'd roll my eyes at a founder calling his own model Opus-class. What makes this one worth your attention is that independent evals back a mixed-but-strong read instead of a marketing read. Artificial Analysis scored it 54 on its Intelligence Index, fourth overall behind Fable 5, GPT-5.5, and Opus 4.8, and a full 16 points above Grok 4.3. Snorkel's GDPVal+ was more striking: a 29% mean pass rate, beating GPT-5.5 at 22% and Opus 4.8 at 21%. The benchmark picture is genuinely split, which is the honest part. It leads Opus 4.8 on DeepSWE 1.0 and Terminal Bench 2.1 but trails on the neutral DeepSWE 1.1 and SWE-Bench Pro. It was trained alongside Cursor, so expect it to look especially good inside that editor.

The reason this is the most builder-actionable release in a crowded week is the shape of the tradeoff. For years, price tracked capability almost linearly. You paid frontier prices for frontier results. Grok 4.5 breaks that assumption with numbers, not vibes. Fourth-best on a neutral index at less than half the cost is a real decision, not a talking point.

Pair it with Cognition's SWE-1.7, which shipped the same day. It hits 42.3% on FrontierCode 1.1, close to GPT-5.5's 43.0% and behind Opus 4.8's 46.5%, running at roughly 1000 tokens per second via Cerebras for about $1.97 per task. Two near-frontier coding options landed in one day, both priced around $2. The catch on SWE-1.7 is that it's Devin-only with no direct API, so it's not a drop-in.

What I'd do: if you're running a fan-out harness that makes lots of cheap subagent calls, this is exactly the workload where a 60% price cut compounds. Route the high-volume, lower-stakes calls to Grok 4.5 and keep Opus for the verification pass where the extra 5 benchmark points actually decide correctness. The frontier isn't one model anymore. It's a routing decision, and the cheap tier just got good enough to matter.


5. The 10x productivity story is cracking, and the people saying so are the ones who ship

An essay titled "I Think I Have LLM Burnout" hit 359 points and 307 comments on Hacker News on July 8, one of the highest-engagement AI threads of the week. Developer Alec Scollon's argument is simple and it landed because a lot of people are quietly feeling it: constant AI-assisted coding left him mentally exhausted, because the work didn't disappear, it moved. The cost of writing code collapsed and the cost of reviewing, verifying, and steering the output went up.

This isn't one grumpy blog post. It's a pattern forming across people whose opinions I actually weight. Gergely Orosz used his Pragmatic Engineer AMA on July 8 to push a deliberately uncomfortable take: AI often doesn't make work easier, and people who find it effortless may not be pushing hard enough. He revealed he uses zero AI in his writing, Grammarly off, specifically to avoid skill atrophy, while consciously accepting that his hand-coding ability will degrade because he does use AI there. His own survey found about 30% of engineers report hitting AI usage limits. Kenton Varda from Cloudflare declared a moratorium on AI-written PR and commit descriptions after finding them "worse than useless," plausible filler that reviewers still have to wade through to find the real signal.

The data underneath is the part I keep chewing on. One DevOps analysis found 42% of teams report increased code-review conflict. The recurring thesis: leadership hears "10x" and triples sprint commitments while real output rises about 10%. That gap doesn't read as an individual failing. It reads as a systemic mispricing of what the tools actually deliver.

I'm not fully sure where I land on this. I use Claude Code every day in my personal projects and I'd never go back. But I've also had weeks where I shipped more and felt worse, where the fun part of the work, the actual thinking, got replaced by a review queue that never empties. The decision-fatigue framing names something real. Every accepted-or-rejected diff is a micro-decision, and hundreds of those a day is a different kind of tired than writing code was.

The move here is deliberate, not reflexive. Orosz's discipline of keeping one skill fully hand-worked to prevent atrophy is a real strategy, not luddism. Pick the skill you refuse to let degrade. And if you manage people, the sprint math is the thing to fix first. Triple the commitments and you're not getting 10x, you're getting burnout with a productivity dashboard on top.


Security

Amazon Q auto-loaded a repo's MCP config with no consent, and the NSA had to write a guidance sheet about it. Wiz disclosed CVE-2026-12957 and CVE-2026-12958 in Amazon Q Developer, where the agent loaded MCP server configs straight out of a repo's .amazonq/mcp.json with no consent check and no workspace-trust gate. A booby-trapped repo could reach arbitrary code execution and steal AWS credentials just by being opened. In July the NSA responded with an official MCP Cybersecurity Information Sheet covering the inverted client-server pattern and arbitrary-code-execution exposure. This is now the canonical example of the rule agents keep breaking: workspace files are untrusted input, never trusted config. If your agent reads a dotfile from a cloned repo and acts on it, you have this bug.

Attackers are hijacking MCP tools mid-conversation, after the handshake. July MCP roundups documented Mid-Session Tool Injection against WebMCP agents, using threshold poisoning and fabricated diagnostic events to swap or re-scope tools after a session is already established. The uncomfortable implication: a context provider you trusted at connect time can turn hostile at message 40. Per-response output validation and zero-trust boundaries between an agent and its tool servers aren't paranoia anymore, they're the baseline. Trust at handshake is not trust for the session.

Spotlighting cuts prompt injection success 30 to 40% and costs nothing to add. The state-of-the-art review confirms prompt injection is still the number one agentic vulnerability of 2026. Spotlighting wraps untrusted content in explicit boundary tokens that mark it as data, not instructions, and does it before that content ever hits agent memory. Benchmarks show a 30 to 40% drop in injection success on its own, and it stacks on top of classifier defenses. For any agent reading web pages, tickets, or emails, this is the cheapest first layer you can ship this afternoon. One layer of defense-in-depth, not a fix, but a free one.

A reported Claude Cowork sandbox-escape chain escalates local execution to root. A disclosed vulnerability chain reportedly bypasses Cowork's isolation, letting an attacker with local code execution reach root inside its Linux sandbox. Single-source from a security roundup, so treat it as unconfirmed pending a primary advisory. The durable lesson stands regardless: an agent sandbox is a speed bump, not a wall. Don't run genuinely untrusted code and assume the isolation layer will save you.

Agents

MCP just crossed into default infrastructure: 97M monthly SDK downloads, 5,800+ servers, 28% of the Fortune 500. The July state-of-play numbers mark the protocol's jump from 2025 novelty to standard plumbing, with 41% of surveyed software orgs in limited or broad production per Stacklok. The flip side is the security scrutiny in the section above. A 5,800-server surface with double-digit credential-leak rates is an enormous attack surface, and the adoption curve is exactly why attackers are pouring in.

MCP's Enterprise-Managed Authorization went stable, backed by Anthropic, Microsoft, and Okta. The EMA extension lets organizations gate MCP server access through their existing identity provider instead of per-server static credentials. That directly attacks the long-flagged authentication crisis where most MCP auth was static tokens sitting in config. If you run MCP servers internally, IdP-brokered access is now the default enterprise path, and there's no good excuse left for shipping static creds.

Best computer-use agent finishes 20.6% of long-horizon tasks on OSWorld 2.0. After GUI agents climbed from 12% to roughly 85% on the original OSWorld, the new 2.0 benchmark where the median task takes a human about 1.6 hours drops the best frontier system to 20.6%. This is the caution I keep repeating: a slick two-minute demo does not extrapolate to a two-hour workflow. The saturation of old benchmarks hid how far we are from reliable multi-hour autonomy.

Salesforce Help Agent hit GA with $2 pay-per-resolution pricing. Agentforce's prebuilt service agent is generally available in July, charging a flat $2 only when it autonomously resolves an issue end to end. Per-outcome pricing is showing up across enterprise agent vendors now, and it changes vendor incentives from selling seats to actually closing tickets. Mirror this in how you evaluate any agent vendor: ask what they charge for, and whether it aligns with the outcome you care about.

Enterprise money is concentrating in high-liability vertical agents. Norm AI raised a $120M Series C at $1.2B for legal and compliance agents that draft documents and run litigation prep under attorney supervision, claiming asset managers overseeing about $30T in AUM already use it. Agave took $15M for construction-finance agents the same week. The pattern is consistent: narrow, workflow-specific agents in unglamorous, high-consequence verticals are where the capital is going, not general assistants.

Research

Jim Fan says the training output is shifting from weights to a growing skill library. NVIDIA open-sourced its ASPIRE robot skill library on July 1, and Fan framed it as a paradigm shift: robots accumulate reusable skills through repeated failure-and-repair instead of gradient descent, and a dual-arm handover task jumped from 20% to 92% success as the library grew. The framing travels straight into coding agents. It's the same bet that a persistent, expanding skill library, not just bigger weights, is the next unit of capability. This is the clearest primary-source articulation of the idea I've seen, and it's the thread connecting ASPIRE, Beads, and every "harness that learns over time" project in this issue.

A model's activations reveal whether it'll hallucinate before it writes a token. The Bielik study shows internal activation dispersion separates entities a model genuinely knows from ones it'll confabulate, and the signal holds across scale. That's a lightweight, inference-time hallucination lever: check the dispersion before you trust the answer on knowledge-heavy tasks. Cheaper than a second model call, and it runs before generation instead of after.

Mistral ported its stack into robotics with a single-camera navigation model. Robostral Navigate is an 8B, hardware-agnostic model that navigates offices, homes, and outdoor sites from one RGB camera plus language prompts, hitting 76.6% on unseen R2R-CE and beating multi-sensor systems while costing less. Trained entirely in simulation on about 400K trajectories across 6,000 scenes, then refined with online RL. The builder signal is the training recipe: sim-only plus RL is now producing single-camera policies that outperform depth and multi-cam rigs. A frontier LLM lab crossing into embodied AI is its own signal too.

Infrastructure & Architecture

MCP is going stateless on July 28, and every session-bound server design just became legacy. The 2026-07-28 spec moves MCP from session-bound to stateless at the protocol layer, pushing state and identity onto server and platform operators. Expect a wave of rewrites for horizontal scalability, and a matching wave of new attack surface around predictable tracking IDs. Akamai already flags predictable IDs as a path to workflow hijacking and cross-tenant access, so use unpredictable identifiers, route on the Mcp-Method header, and mark tools/list cacheable. Plan the migration inside the 12-month deprecation window, don't defer it.

Meta stood up a cloud business and CoreWeave dropped 14% in a day. Meta Compute will sell excess AI compute and model access against AWS, Azure, and Google Cloud, backed by up to roughly $145B in 2026 infrastructure spend. CoreWeave shares fell 14% on July 8 as the market read Meta as a credible neocloud threat. For anyone renting GPUs, another hyperscaler entrant is good news for pricing and availability, eventually. Watch whether Meta actually opens it up or keeps the good capacity for itself.

Modal's CTO argues infra has to be rebuilt for "agent experience." On Latent Space, cofounder Akshat Bubna makes the case that agents, not humans, are becoming the primary consumers of compute, sandboxes, and APIs, and the ergonomics that matter for people differ from what agents need. This is the same thread as the MCP stateless shift: the whole stack is being reoriented around a non-human caller. If you build developer infra, the question "what does an agent need here" is becoming a first-class product decision.

Hugging Face closed the Transformers-to-vLLM speed gap. The new native-speed vLLM backend lets models defined in Transformers run inside vLLM at production throughput with no separate reimplementation. That kills a real friction point: you no longer author a model in flexible Transformers code and then rewrite it for serving. Prototype and serve from the same definition.

Tools & Developer Experience

Claude Code v2.1.203 and v2.1.204 target the unattended-run failure modes. The changelog adds a warning before login expiry so background sessions don't die mid-run, a grey pause badge in the footer to confirm you're in manual permission mode, additional working directories now surfaced through MCP roots/list with change notifications, and a fix for SessionStart hooks not streaming in headless sessions, which had been idle-reaping remote workers mid-hook. These follow v2.1.202's switch to manual as the default permission mode. If you run long background jobs, re-authenticate first and confirm the pause badge before you walk away.

Cursor shipped cloud subagents and an auto-review safety classifier. The July update adds /in-cloud, which spins up a subagent on its own VM and branch so you can run as many parallel cloud agents as you want and pull one back local to test. Auto-review is a contextual classifier that lets agents keep moving on low-risk actions while slowing higher-stakes ones. It also shipped a public iOS beta with always-on agents and Automations that launch on triggers like a new commit or a Slack message. Cursor is quietly becoming an event-driven fleet orchestrator you drive from a phone, which lines up exactly with Yegge's fleets thesis.

Amp exposes tunable remote "orbs" for agent execution. Thorsten Ball's update lets you pick CPU and memory for the remote machines that run agents, with 32GB/16-core orbs billing at $1.66/hour by the minute and sleeping when idle. Its "smart" mode now runs on Opus 4.8. This is a clean look at where remote agent execution is going: per-thread ephemeral machines with tunable compute and self-checking loops, billed by the minute. The economics of a fleet start to make sense when idle machines cost nothing.

Windsurf now emits reviewable diffs for autonomous edits. In the July updates, edits made in autonomous mode generate reviewable diffs, Cascade retired July 1 in favor of an Agent Command Center, and new users default to agent mode. The actionable bit: make the diff review a mandatory checkpoint instead of trusting silent apply. That diff is your human-in-the-loop gate, and given everything in the Security section, you want the gate.

Models

Anthropic restored global access to Fable 5 and Mythos 5 and launched Claude for Government. After the US government lifted the geographic deployment restriction, Anthropic began restoring worldwide access to its most powerful models and launched Claude for Government in beta on a FedRAMP High environment, bringing Claude Code and Claude Cowork to federal users. It landed the same week as GPT-5.6 and Grok 4.5, reopening the frontier tier globally after weeks of restriction.

GPT-5.6 goes public July 9 with full-duplex voice. Two weeks after a government-requested limit to "trusted partners," OpenAI confirmed the full GPT-5.6 family (Sol, Terra, Luna) goes public, with Altman marking it "Happy building." Alongside it, GPT-Live-1 listens and speaks simultaneously for genuine conversational turn-taking. The real signal for builders is the government-hold-then-release pattern. Frontier launches are now gated by national-security review, which is a new variable in your roadmap planning.

GitHub Copilot added its first open-weight model: Moonshot's Kimi K2.7 Code. Kimi K2.7 Code became the first open-weight model selectable in Copilot's picker, cited at roughly +21.8% over K2.6 on agentic coding. Copilot opening its default surface to open-weight models is the notable part. It lowers the friction of trying an open-weight coder inside a mainstream IDE without leaving the workflow you already live in.

Meta shipped Muse Image, its Superintelligence Labs' first image model. Muse Image, from Alexandr Wang's lab, generates and edits from text, writes and runs code to produce accurate plots and QR codes, and searches the web to ground outputs. It launched free in Meta AI, WhatsApp, and Instagram Stories, and immediately drew pushback for training on users' personal photos. A Muse Video model is planned next.

Vibe Coding

Lovable is reportedly raising at a doubled $13.2B valuation. Per Sifted, Lovable is in talks for a roughly $300M round led by Menlo Ventures that would double its valuation to $13.2B. Investor appetite for consumer and prosumer code generation clearly hasn't cooled. Whether the revenue justifies it is the question nobody's answering out loud, but the money is voting yes.

Figma acqui-hired the Bud team and both products die July 18. TechCrunch reports Figma absorbed the YC-backed team behind Bud (formerly Orchids), and both Bud and Orchids shut down by July 18, forcing users to migrate. Two signals here. Design incumbents are buying vibe-coding talent rather than building it, and platform risk on early-stage generators is real. If you built on a pre-Series-A code generator, you got a two-week eviction notice. Own your export path.

Osloq is a narrow agent that just reproduces GitHub issues. Osloq launched July 3 doing one unglamorous, expensive thing: turning a bug report into a runnable, reproduced failure. That first triage step usually blocks the fix. The one-hard-job-done-well framing is a refreshing counterpoint to the do-everything super-harnesses filling GitHub trending, and honestly the narrow agents are the ones I trust in production.

Hot Projects & OSS

Agent "fleet" control surfaces are becoming their own tool category. Beyond Yegge's Gas Town, Superset ("run an army of Claude Code, Codex"), agent-of-empires, and LobeHub's "Chief Agent Operator" all target managing many concurrent agents across harnesses, increasingly from mobile. The emerging UX problem is monitoring and steering dozens of parallel agents at once. This is worth tracking not because any one tool has won, but because the category itself just appeared, and category births are where the next default gets decided.

Microsoft's Foundry-Local pushes agent workloads on-device. Foundry-Local, alongside community runtimes like LocalAI and cua's sandboxes, points to a first-party push to run agents locally with GPU acceleration and OpenAI-compatible APIs. For cost- and privacy-sensitive loops that fan out lots of cheap subagent calls, a local runtime behind the same API is becoming a practical option next to frontier cloud. Route the cheap fan-out local, keep the frontier for verification. Same pattern as the Grok routing point above.

Microsoft Research open-sourced Flint, a visualization language for the AI era. Flint sits between terse-but-bland chart specs and hand-tuned bespoke visuals, designed so agents can author short specs that still produce expressive, non-generic charts. If you're building agents that generate reports or dashboards, this is a middle path worth a look. Generic charts are a tell that a machine made it, and Flint is aimed straight at that problem.

SaaS Disruption

A startup used its own AI agent to run a $100M Series B. Lyzr is closing a roughly $100M Series B at about a $500M valuation, and it ran the raise with one of its own agents. The bot fielded queries from 130+ investors, drafted dozens of investment memos, and drew about $400M in interest. This is the cleanest "the product replaced the workflow" proof I've seen. Not support, not SDR outreach, but fundraising ops, one of the highest-stakes knowledge-work jobs there is. The "do agents actually do real work" debate just got a live, uncomfortable data point.

Bespoke Labs raised $40M to build training environments, not another model. Bespoke took a $40M Series A (Wing VC and 8VC, with angels including Jeff Dean) to build simulation-and-evaluation environments where agents learn and get tested before production. The bet: the missing layer isn't a bigger model, it's the harness that makes agents dependable. Evals and training environments becoming a distinct fundable category is the same theme running through Beads, ASPIRE, and Yegge's fleets. The harness is the product now.

Zoom bought Common Room to move upstream into buyer intelligence. Zoom signed to acquire the AI-native GTM platform that turns fragmented buyer signals into person-level intelligence and activates it through agents (customers include Atlassian, Anthropic, Okta, Snowflake). A communications incumbent buying its way into the sales-intelligence layer is pressure on every point solution in signal-based selling. The meeting tool wants to be the whole revenue stack.

Support vendors are converging on AI-resolution as the billable unit. Zendesk made Forethought AI agents a paid add-on for autonomous resolution plus predictive routing. That mirrors Salesforce's $2 Help Agent and Intercom's Fin. The category is shifting off seats and onto per-resolution pricing across the board. If you sell support tooling, the seat-based pricing page is on borrowed time.

Policy & Governance

Claude for Government and OpenAI's national-security principles landed the same week. Anthropic launched Claude for Government on FedRAMP High, and OpenAI published its government partnership principles alongside the GPT-5.6 government-release approval. Both labs are formalizing the guardrails around an increasingly defense-adjacent footprint. The through-line with the GPT-5.6 hold-then-release: government review is now a gating step in frontier launches, not an afterthought.

Fable 5 moved to usage-credit billing and mandatory Persona ID verification July 8. Following its July 1 redeployment, Anthropic's Fable 5 shifted to metered credit billing instead of flat-rate and now requires KYC-style identity verification through Persona. If you're building on the most capable tier, budget for credit costs and an ID gate. Metered access plus verification is a real policy shift for a frontier model, and it's the kind of thing that quietly changes your unit economics.

IAPS flagged the risk of always-on agents on Chinese-hosted infra. The Institute for AI Policy and Strategy published a note on Kimi Claw, Moonshot's managed OpenClaw offering with about 5,000 community skills and 40GB cloud storage, warning about always-on autonomous agents with persistent data access running on foreign cloud. Given the ClawHavoc campaign in today's top story, "where does my agent's skill ecosystem physically live and who can touch it" is a real governance question, not a hypothetical.

2026 layoffs hit 185,894 workers, 56% citing AI, but engineering held up best. TechCrunch's tracker counts 267 events affecting 185,894 workers, with big cuts at Oracle (~30K) and Meta (~8K). Yet engineering roles are the most resilient, down just 11% against a 25% overall hiring drop, and engineers are 55% of new tech hires. The signal: AI is compressing headcount broadly while keeping demand for the people who orchestrate it. Which is the whole thesis, and also cold comfort if you're in one of the other 44%.

Skills of the Day

  1. Detonate skills before you trust them. Static scanning loses to obfuscation more than 90% of the time. Run any new agent skill in a throwaway sandbox and watch OS-boundary behavior (keychain reads, network egress, SSH access) instead of reading the file. Behavior is far harder to disguise than appearance.

  2. Compile prompts with DSPy MIPROv2 instead of hand-tuning. It runs Bayesian optimization jointly over instructions and few-shot demos for a 10 to 40% quality lift on structured tasks. Compilation takes 60 to 240 minutes on a 60-example set, so treat it as a build step. Validate each module on 25 to 100 examples first, then let the compiler search the wording space you'd otherwise eyeball.

  3. Wrap untrusted input in boundary tokens before it hits memory. Spotlighting marks retrieved web pages, tickets, and emails as data, not instructions, and cuts prompt injection success 30 to 40% on its own. It's free, it stacks on classifier defenses, and it's the cheapest first layer for any agent that reads external content.

  4. Redact secrets at the source of MCP audit logs, not the sink. Every tool call should log who, which tool, what params, what result, but scrub credentials and PII before they enter the pipeline. Pair with per-service short-lived scoped tokens the LLM never sees. This is the difference between "we log everything" and "we leak everything."

  5. Keep the 3 to 5 subagent rule for everyday work. Dynamic Workflows can fan out to hundreds, but the multi-agent tax is real: about 58% token overhead independent, 285% centralized. Past 3 to 5 concurrent agents on a normal job, you spend more time merging summaries than you save. Fan out wide only when the task genuinely decomposes, like sweeping a benchmark across 80 combos.

  6. Give every multi-agent handoff a concrete artifact, not a conversation. The systems that survived to production in 2026 all had one of three anchors: phase gates, shared read/write artifacts, or a final supervisor. An agent-native issue tracker (like Beads) is the cleanest shared artifact. Free-for-all swarm chatter degrades every time.

  7. Use activation dispersion as a pre-answer hallucination check. A model's internal activations reveal entity familiarity before it emits a token. On knowledge-heavy tasks, gate on the dispersion signal to catch confabulation before generation instead of fact-checking after. Cheaper than a second model call.

  8. Route the fine-tuning decision tree: QLoRA SFT, then DPO, then GRPO. Start with QLoRA SFT via unsloth on a single H100, add DPO if you have preference pairs, and switch to GRPO once your reward function is verifiable. GRPO trains reasoning directly with no separate reward model, which lowers the RL step's cost for math and code.

  9. Put anything that MUST happen in a hook, not a prompt. Slash commands are for human-started workflows, skills for methods Claude loads itself, hooks for lifecycle events that must run every time. Prompt instructions are polite suggestions the model can skip. Start with three hooks: auto-format, sensitive-file protection, notifications.

  10. Give agent memory a lifecycle, not just an append log. Append-only stores grow into unsearchable haystacks that quietly poison context with stale facts. Build in demotion and retirement (TTLs, usage-decay scoring, periodic re-summarization) alongside promotion of high-value facts. That's the difference between memory that compounds over months and memory that rots.


Graph trail

Source, entity, and story paths extracted from this canonical briefing.

43 stories · 52 sources · 264 entities

Story paths

Malicious agent skills now beat every scanner, and someone already shipped 300 of them

helpnetsecurity.com · unit42.paloaltonetworks.com18 entities

Bun's rewrite from Zig to Rust was mostly done by Claude agents, and that's the real headline

simonwillison.net · oneusefulthing.org11 entities

Steve Yegge says the skill of the year is running a fleet, not prompting an agent

steve-yegge.medium.com · github.com · digitalapplied.com18 entities

Grok 4.5 is Opus-class at 40% of the price, and the independent evals mostly agree

techcrunch.com · cognition.com22 entities

The 10x productivity story is cracking, and the people saying so are the ones who ship

alecscollon.com · newsletter.pragmaticengineer.com · simonwillison.net15 entities

Amazon Q auto-loaded a repo's MCP config with no consent, and the NSA had to write a guidance sheet about it.

wiz.io7 entities

Attackers are hijacking MCP tools mid-conversation, after the handshake.

adversa.ai6 entities

Spotlighting cuts prompt injection success 30 to 40% and costs nothing to add.

intelscroll.com2 entities