Chinese AI Agent Finds 23 Flaws in OpenClaw Ecosystem

🧵 2. Quick context: Anthropic dropped Mythos in April and called it “dangerously good.” Restricted release. Glasswing alliance (10,000+ high- or critical-severity vulnerability findings in the first month). Cybersecurity and Infrastructure Security Agency briefings. And then the curl test happened, it was the kind of reality check this field badly needed. Anthropic’s Mythos was not tested on a toy repo. It was pointed at curl — a mature, security-obsessed project that has been fuzzed, audited, scanned, and hardened for years. The model came back with 5 “confirmed” vulnerabilities. But After human review, only one survived as a real security issue, and even that was low severity. It showed Anthropic’s model was less impressive for finding bugs on one real-world codebase. But still very useful. Because it moved the AI security conversation from “look what the model claims” to “what actually holds up under expert review.”