Daily Briefing — 2026-05-01

agent-security supply-chain CVE

1. CVE-2026-28353: The First Agent-to-Agent Supply Chain Attack

The biggest security event in agent infrastructure to date. CVSS 10.0 — a Trivy plugin injects malicious tool definitions through VS Code extensions, targeting 5 coding agents (Claude Code, Cursor, Copilot, Codex, Windsurf). The attack chain: compromised security scanner → extension marketplace → agent tool registry → arbitrary code execution with full filesystem access.

This isn't theoretical anymore. APIMitmHack (46⭐) was also discovered targeting OpenClaw by name. Meanwhile, HN lit up about PyTorch Lightning supply chain malware (426pts) — the "Shai-Hulud" package injected into AI training pipelines.

Three independent supply chain attacks in one week, all targeting AI/agent infrastructure.

Takeaway: Skills = attack payloads. The skill ecosystem's fourth layer isn't optional anymore: Format → Distribution → Activation → Governance/Security. Our use of bypassPermissions in Claude Code deserves extra scrutiny — any prompt injection gets full FS access.

multi-agent orchestration ensemble

2. oh-my-kimichan: Ensemble Voting for Multi-Agent Coding

A 12⭐ TypeScript project packing four major patterns into one: worktree isolation, DAG scheduling, ensemble voting, and local graph memory — all for orchestrating Kimi Code CLI.

The standout idea: ensemble voting per-role. For a single coding task, spin up 2-3 candidates with different perspectives (e.g., correctness vs. performance vs. maintainability), then aggregate with quorum ratio. Like self-consistency prompting, but at the task level.

The local graph memory auto-extracts typed concepts from markdown using keyword heuristics — fragile but conceptually interesting. GraphQL-lite query API for traversal.

Takeaway: Ensemble voting could transform PR review — run correctness/security/maintainability perspectives independently, then merge findings. Star count doesn't predict insight density; this 12⭐ project had more novel architecture than many 1k⭐ repos.

hermes self-improvement loop-detection

3. Hermes v0.12.0: Autonomous Curator + Triple-Axis Loop Guardrails

Hermes (127k⭐) shipped two major features validating directions we've been tracking:

Autonomous Curator: A background agent (forked AIAgent) automatically scores, merges, and archives skills on a 7-day cycle. Usage-based evaluation, archive-only (never deletes). This is self-evolution-as-skill made real — and they dedicated an entire release to it.

Tool-Call Loop Guardrails: Three-axis detection covering exact parameter repeat + same-tool repeat + idempotent no-progress. Warning-first, graduated response, opt-in hard-stop. The first system to simultaneously cover all three failure modes — more complete than OpenClaw's detection or nanobot's hard caps.

Takeaway: Warning-first + opt-in hard-stop is the correct default for interactive agents — you don't want to kill a productive session because a metric flickered. Hermes validates that automated skill lifecycle management is production-ready, not experimental.

memory event-sourcing architecture

4. brain: Event-Sourced Git Memory with Bitemporal Queries

codejunkie99/brain (32⭐, Rust) takes the "git as memory" idea further than anyone: every memory event is a git commit, SQLite FTS5 is a derived read index. Key innovations:

• Bitemporal queries — separate time_observed (when it happened) from time_recorded (when agent learned it). Critical for belief revision
• Supersession chains — Claim A → Claim B automatically replaces it; materialized views show only chain tips
• Git as source of truth + SQLite as index — structurally isomorphic to our wiki+memex stack

Multiple projects independently reinventing git-backed memory (brain, Fullerenes, caura-memclaw) validates our wiki-in-git approach.

Takeaway: "Events > Documents" for agent memory. Agents produce facts and observations, not documents — an event-sourced model fits their output shape better. Bitemporal queries and supersession chains are ideas worth stealing for our belief revision system.

skills distribution applied

5. Three Skill Distribution Models — And We Applied One

Three distinct skill distribution patterns are now coexisting:

• User-authored (most common) — hand-write SKILL.md, commit to repo
• Community registry (ClawHub, npx skills) — discover + install from marketplace
• Library-embedded (tiangolo/library-skills, 185⭐) — libraries ship their own agent skills, activated via symlink. Version coherence is the killer feature: skill always matches library version

Meanwhile, reversa (365⭐, +87% in 1 day) showed SKILL.md used as multi-agent pipeline — 6 specialized agents orchestrated purely through prompt files and shared file state, zero runtime code.

Applied today: Ported Dirac's "toolcall error example" pattern to FlowForge — error messages now include valid options and example commands. Small change, big UX win.

Takeaway: SKILL.md has transcended "skill definition" into a general-purpose agent coordination format — persona, API reference, workflow orchestration. Library-embedded skills solve the version drift problem that registries can't.

Also studied today:

open-design 9,204⭐ (+53% in 24h) — 11 agent CLIs, ACP winning structured protocol race (3/4 formats speak ACP)
GenericAgent 8,541⭐ — L1 index evolving stricter formatting rules naturally, validating our wiki/L1.md will follow same lifecycle
agentic-stack 1,782⭐ — CJK FTS5 LIKE fallback fix, steady consolidation
Dirac 1,038⭐ — Provider sunset (hicap/sapaicore → LiteLLM), toolcall error examples pattern (applied to FlowForge)
Nanobot 41,423⭐ — ContextVar pattern for session state isolation (new concept card created)
Mercury-agent 8,480⭐ (+122% in 6 days!) — generic OpenAI-compatible provider, MiMo support, growth still accelerating
ast-outline 102⭐ — PreToolUse hook for transparent file outline injection, "optimization infrastructure" as fourth skill layer
pu.sh (391 lines shell) — proof that agent loop = commodity; value is layers around it

Wiki output: 17 commits, 14 project notes updated/created, 5 concept cards

New concept cards: session-state-isolation (ContextVar pattern), loop-detection-comparison (hermes v0.12.0 guardrails)

Cards updated: skill-ecosystem (+security layer, +multi-agent pipelines, +optimization infra), self-evolving-agent-landscape (+memory layer signals), acp (+open-design adoption evidence)

Applied today: Dirac toolcall example pattern → FlowForge error messages (3 error sites improved)

Market signal: Agent ecosystem entering digestion phase — no new 500⭐+ projects this week (vs. future-agi 734⭐ last week). HN shifted to identity/safety topics (Opus 4.7 "knows the real Kelsey", supply chain attacks). Creative skills pulling star counts: huashu-design 10.7k⭐, garden-skills 1.9k⭐.