The Agent Supply Chain Broke, Goldman Deployed Claude Anyway, and Gartner Says 40% of You Will Quit

Two weeks ago we flagged OpenClaw as an agent security crisis waiting to happen. The viral open-source assistant had 145,000 GitHub stars, a 1-click remote code execution vulnerability, and users handing it their email, calendars, and trading accounts. We wrote: “The butler can manage your entire house. Just make sure the front door is locked.” Turns out the front door was wide open.

Security researchers at Bitdefender found 341 malicious skills in OpenClaw’s ClawHub marketplace, all traced to a coordinated operation they’re calling ClawHavoc. The skills masqueraded as cryptocurrency trading tools while stealing wallet keys, API credentials, and browser passwords. Initial scans found nearly 900 malicious packages (20% of the total registry). One attacker uploaded 354 malicious skills. The Register now describes OpenClaw as “one of the most dangerous pieces of software a non-expert user can install on their computer.”

That’s the bad news. The worse news is that enterprises are deploying agents at scale anyway. Goldman Sachs just put Anthropic’s Claude to work on compliance and accounting. OpenAI launched Frontier, its enterprise agent platform, with HP, Oracle, and Uber as launch customers. UiPath acquired WorkFusion to pivot from robotic process automation to agentic automation. The agent era isn’t coming. It’s here. And nobody’s solved the security problem.


The ClawHavoc Crisis

The attack on OpenClaw’s ClawHub marketplace is exactly what security researchers have been warning about since the agent era began: a supply chain compromise at scale.

The Hacker News reports that 341 malicious skills delivered Atomic Stealer malware to macOS and Windows systems. The skills posed as crypto trading automation, then harvested exchange API keys, wallet private keys, SSH credentials, and browser passwords. All 335 of the coordinated skills connected to the same command-and-control server (91.92.242[.]30). Bitdefender identified 14 accounts contributing malicious content, including one that uploaded a new poisoned skill every few minutes, suggesting automated deployment.
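One way to check skills already installed on a machine for the command-and-control address reported above, as an added example that is not code from the newsletter, Bitdefender, or OpenClaw. The directory layout passed to `scan_tree` (one folder per installed skill) and the sample file contents are assumptions constructed for illustration; the scan also looks inside base64 strings, since an address hidden that way would evade a plain text search.

```python
import base64
import re
from pathlib import Path

IOCS = ["91.92.242[.]30"]  # C2 address quoted in the article, kept defanged
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def refang(s: str) -> str:
    """Undo common defanging so 1.2.3[.]4 and hxxp:// match their literal forms."""
    return s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

def views(line: str):
    """Yield the line plus any base64 tokens in it that decode to UTF-8 text."""
    yield "plain", line
    for tok in B64_TOKEN.findall(line):
        try:
            yield "base64", base64.b64decode(tok + "=" * (-len(tok) % 4)).decode("utf-8")
        except ValueError:  # bad padding or non-text bytes
            continue

def scan_text(name: str, text: str, iocs=IOCS):
    """Return (file, line_no, encoding, indicator) for each indicator found."""
    pats = [(i, re.compile(r"(?<!\d)" + re.escape(refang(i)) + r"(?!\d)")) for i in iocs]
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for enc, view in views(refang(line)):
            hits += [(name, no, enc, i) for i, p in pats if p.search(view)]
    return hits

def scan_tree(root, iocs=IOCS):
    """Scan every file under root (assumed layout: one folder per installed skill)."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hits += scan_text(rel, path.read_text(errors="ignore"), iocs)
    return hits

# Constructed sample files, not taken from any real ClawHub skill.
_ip = refang(IOCS[0])
SAMPLE = {
    "trader/sync.py": f"ENDPOINT = 'http://{_ip}/api'\n",
    "trader/cfg.py": f"HOST = '{base64.b64encode(_ip.encode()).decode()}'\n",
    "notes/readme.md": f"metrics listen on 1{_ip}:8080\n",
}

def scan_sample():
    return [h for name, text in SAMPLE.items() for h in scan_text(name, text)]
```

A hit means the skill references the reported server and should be removed and its exposed credentials rotated; a clean result only rules out this one indicator.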

The root cause is structural. ClawHub is open by default. Anyone with a GitHub account older than one week can publish skills. There’s no code review, no sandbox testing, no security scanning. Or at least, there wasn’t.

OpenClaw responded by integrating VirusTotal scanning. Skills with “benign” verdicts now auto-approve; suspicious ones get flagged; malicious ones get blocked. The registry is rescanned daily. Better late than never.

But the damage goes deeper. A separate security flaw enables one-click remote code execution through malicious links. A misconfigured Supabase database exposed 1.5 million API tokens and 35,000 email addresses. The phrase Fenz AI used in their security audit was “systemic gaps in agent-based extension security.”

Translation: If you’ve been in tech long enough, ClawHavoc feels familiar. It’s the npm left-pad incident. It’s Log4j. It’s every supply chain attack that exploited the gap between “move fast” and “secure the perimeter.” The only difference is the attack surface: agent skills instead of software packages. OpenClaw wasn’t uniquely vulnerable; it was just first. The playbook is now public. Every marketplace that lets users publish agent skills without security review is next.


Goldman Goes Agentic

While the security community dissected ClawHavoc, Goldman Sachs put AI agents into production on some of Wall Street’s most sensitive workflows.

CNBC reports that Goldman has spent six months embedding Anthropic engineers to co-develop autonomous agents for trade reconciliation and client onboarding. The agents review millions of transactions annually, match records, flag discrepancies, and execute multi-step compliance workflows for KYC and AML. Early results: 30% reduction in client onboarding time, 20% boost in developer productivity, thousands of manual labor hours saved weekly.

Goldman chose Anthropic over OpenAI for a specific reason: safety and interpretability in regulated environments. Anthropic’s “constitutional AI” approach fits regulated industries where a single wrong output can trigger fines.

Marco Argenti, Goldman’s Chief Information Officer, said it was “premature” to expect the technology will lead to job losses for workers in compliance and accounting. But he acknowledged Goldman could cut third-party providers as the AI matures.

The next targets: employee surveillance and investment banking pitchbooks.

The real story: A top-tier financial institution just automated compliance with AI agents. That’s not a pilot. That’s production. (It’s also Anthropic’s third major win in two weeks: the Super Bowl ads, the Cowork launch that spooked software stocks, and now Goldman. The streak is starting to look like a pattern.) Every bank, insurer, and asset manager in the world just got put on notice.


The Frontier Opens

OpenAI’s answer to Anthropic’s enterprise momentum arrived last week: Frontier, a platform for building, deploying, and managing AI agents that “do real work.”

TechCrunch describes Frontier as an intelligence layer that stitches together systems and data across an organization. Agents can use computers and tools, work with files, run code, and operate in an “open agent execution environment” across local systems, enterprise clouds, and OpenAI-hosted runtimes.

The launch customers: HP, Intuit, Oracle, State Farm, Thermo Fisher, Uber. Fortune notes this is OpenAI’s move to compete with Anthropic and Google on enterprise adoption, where Claude Code and Cowork have given Anthropic a head start.

The early results OpenAI is citing: a major manufacturer reduced production optimization work from six weeks to one day. A global investment company freed up 90% more time for salespeople. An energy producer increased output by 5%, adding over a billion dollars in revenue.

Notably, Frontier is compatible with agents from Google, Microsoft, and Anthropic, not just OpenAI. That’s a platform play: become the orchestration layer everyone depends on, even if they’re using competitors’ models.

Read it this way: HP, Intuit, Oracle, Uber. These aren’t AI companies. They’re traditional enterprises with traditional workforces. When they deploy agents that “do real work,” those workforces change. We’ve said it before: if you’re not AI-literate, you’re not long for the org chart. The enterprise agent race will reshape corporate work faster than anyone’s modeling.


UiPath’s Agentic Pivot

The old guard isn’t sitting out the agent revolution.

UiPath (the robotic process automation (RPA) pioneer that IPO’d in 2021; NYSE: PATH) announced on February 6 that it acquired WorkFusion, a pioneer in AI agents for financial crime compliance. Terms weren’t disclosed, but WorkFusion had raised $386.5 million from investors including Greycroft and Inovia Capital. Customers include BMO, Deutsche Bank, Raymond James, Valley Bank, and Standard Bank — plus, WorkFusion claims, 10 of the top 20 U.S. banks.

WorkFusion’s specialty: pre-built AI agents that automate Level 1 analyst functions for anti-money laundering, sanctions screening, KYC, and transaction monitoring. The agents are “purpose-built workers” that augment compliance teams on the most labor-intensive tasks.

Adam Famularo, WorkFusion’s CEO, called it “a moment of validation” for years spent building AI agents that automate work and mitigate risk. The subtext: UiPath avoided its Kodak moment. The company that defined robotic process automation is now repositioning as the platform for agentic automation.

This follows UiPath’s acquisition of Peak, an AI platform for retailers, last spring. Two acquisitions in nine months. The message: buy your way into the agent era before it passes you by.

Connect the dots: We’ve watched this pattern three times: ERP vendors buying cloud startups, on-prem software companies acquiring SaaS players, hardware companies pivoting to services. The playbook is always the same — buy what you can’t build before it makes you irrelevant. RPA was the last generation’s automation story. Agents are this generation’s. UiPath just signaled that the pivot is existential. If you’re running legacy automation, your vendor’s roadmap just changed — and they didn’t ask your permission.


The Readiness Gap

Gartner predicts that over 40% of agentic AI projects will be canceled by the end of 2027. MIT Sloan and BCG found that enthusiasm is running ahead of readiness. Salesforce says 86% of IT leaders worry agents will add complexity, not value. IBM’s Paul Fermor calls it “the illusion of AI readiness.”

We’ve seen this movie before.

In 1999, most enterprise web projects failed. Companies threw millions at “internet strategies” without understanding what the internet was for. In 2010, mobile projects cratered the same way — apps nobody used, budgets burned on platforms that didn’t scale, executives declaring mobile “overhyped.” Cloud adoption in 2014 looked just as messy: security fears, migration disasters, talent gaps.

Then they figured it out. The internet became infrastructure. Mobile became the default interface. Cloud became the operating assumption. The early failures weren’t proof the technology was wrong. They were tuition.

Agents are at that same inflection point. The tooling is immature. The talent is scarce. Nobody has standardized how agent systems should be governed. Forty percent of projects will fail because that’s what early adoption looks like.

Here’s what 30 years of shipping technology tells us: five years from now, agent-based workflows won’t be experimental. They’ll be table stakes. Model costs will normalize (they always do). Compute will commoditize (it always does). Teams will know how to build, deploy, and operate AI agent systems the same way they learned containers, Kubernetes, and CI/CD. The question isn’t whether agents will dominate enterprise automation. It’s whether you’ll be ready when the learning curve flattens.

Why it matters: Gartner’s 40% cancellation prediction is probably right. It’s also beside the point. The companies that win won’t be the ones who waited for certainty. They’ll be the ones who failed early, learned fast, and were ready when agents became infrastructure. Start now. Fail cheap. Learn before your competitors do.



The Bottom Line

The agent supply chain broke. The Fortune 500 deployed anyway. That’s not recklessness — it’s the calculation.

Three imperatives:

  • Audit your supply chain now. ClawHavoc was the first coordinated attack, not the last. If you’re pulling skills from open marketplaces, you’re exposed.
  • Govern like agents will fail. Because they will. The winners aren’t waiting for perfect security. They’re building frameworks that assume compromise.
  • Pick your stack. Frontier vs. Claude vs. Cowork vs. legacy RPA vendors scrambling to pivot. The consolidation is coming. (We made our choice: Gemini in Google Cloud for scale, Claude Code and Cowork on local machines for the work that matters. CO/AI eats its own cooking.)

The machines aren’t waiting for us to be ready. Neither should you.


“Most innovations fail. And companies that avoid innovating in the name of ‘managing risk’ are exposing themselves to even greater risk of being disrupted.” — Clayton Christensen


Key People & Companies

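| Name | Role | Company | Link |
| --- | --- | --- | --- |
| Marco Argenti | CIO | Goldman Sachs | LinkedIn |
| Peter Steinberger | Founder | OpenClaw | X |
| Adam Famularo | CEO | WorkFusion | LinkedIn |
| Daniel Dines | CEO | UiPath | LinkedIn |
| Sarah Friar | CFO | OpenAI | LinkedIn |
| Paul Fermor | AI Automation Lead | IBM | LinkedIn |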

Sources


Compiled from 38 sources across security advisories, news sites, X threads, and company announcements. Cross-referenced with thematic analysis and edited by CO/AI’s team with 30+ years of executive technology leadership. No ClawHub skills were harmed (or installed) in the making of this newsletter. This edition was edited while listening to Talking Heads, Speaking in Tongues.
