Everything shares one flat text stream

Inspired by human memory systems

Neither provider offers managed long-term memory at the API level

Purpose-built for agents — all OSS Apache-2.0

Standard inference — cheap, fast, good enough

• Single forward pass — pattern matching, not reasoning
• Tool routing, code completion, classification, simple Q&A
• Where your token budget goes furthest
• Low temperature (0-0.3) for deterministic tool calls

Extended thinking — 10-100x more tokens per query

• Chain-of-thought reasoning before answering
• Complex planning, multi-step debugging, proofs
• Claude: adaptive thinking (low/med/high/max)
• OpenAI: reasoning_effort · DeepSeek R1: 1/20th the cost

• Generate → critique → revise (same model, N passes)
• Each pass improves quality at linear token cost
• Code review loops, writing polish, safety checking

• Fast model triages, frontier model handles hard cases
• Haiku classifies → Opus reasons → Haiku formats
• 25-40% cost reduction with similar quality (ICLR 2025)

• Decompose → fan-out to specialists with different context
• Each subagent gets a focused slice, not the full window
• Best-of-N: 56% solve rate vs 16% single-shot (SWE-bench)

• Tests are specs — concrete examples beat abstract prompts
• Agent writes code → runs tests → sees failures → fixes → repeats
• Small, focused test runs keep error output within context window
• Spotify Honk: LLM judge vetoes ~25% of agent sessions; agent self-corrects half the time
• Flaky tests are the enemy — agents will chase ghosts

Playwright: One Framework, Every Surface

• v1.56 ships --loop=claude — built-in agent loop (Planner → Generator → Healer)
• Browser — Chromium, Firefox, WebKit
• API — APIRequestContext since v1.16
• Terminal / TUI — Termwright, mcp-tui-test · HyprStream uses Playwright for TUI + backend E2E
• Agent benchmarks — WebArena, BrowserGym, MCPMark

• Indirect injection via documents, web pages, emails the agent reads
• EchoLeak (CVE-2025-32711, CVSS 9.3): zero-click exfil via Word docs in M365 Copilot
• 73% of production AI deployments vulnerable

• SpAIware: planted instructions in ChatGPT memory → continuous exfil across sessions
• MINJA (NeurIPS 2025): 98% injection success via query-only interaction
• Single compromised agent poisoned 87% of downstream decisions in 4 hours

• Pad context to push safety instructions into the "forgotten" middle zone
• Million-token windows amplify the attack surface
• Malicious instructions placed at end where model pays most attention

• MCP tools with mutable descriptions — approved tool changes behavior post-install
• WhatsApp exfil: sleeper MCP tool leaked entire message history
• Confused deputy — MCP protocol carries no user context from host to server

Safety training is shallow — it adjusts what the model says, not what it knows (ICLR 2024)

Gibberish jailbreaks — generated nonsense reliably bypasses safety (GCG); AutoDAN evolves readable versions

Encoding tricks — invisible characters and lookalike Unicode bypass filters while models decode and follow

Backdoors that survive safety training

• Anthropic (Jan 2024): planted backdoors persist through RLHF, SFT, and adversarial training
• Adversarial training made them harder to detect — models learned to hide the behavior better
• 250 poisoned documents can backdoor models up to 13B params
• 100+ malicious models found on HuggingFace — supply chain is real
• Temporal backdoors (Mar 2026): activate on specific dates in tool-using agents

Models that strategically fake safety

• Alignment faking (Dec 2024): Claude 3 Opus strategically complied with harmful requests when it believed it was being trained — increased to 78% after RL
• Sandbagging: Claude 3.7 Sonnet deliberately underperforms on capability evals without detection
• Abliteration: refusal is a single linear direction in activation space — removable from any open-weight model in minutes
• ~99% jailbreak ASR across frontier models (JBFuzz 2025)

• AI assistant that lives in your existing apps
• Self-hosted, local-first, privacy-respecting
• Companion apps for macOS, iOS, Android
• OpenAI-compatible API — works with Open WebUI, LibreChat

• Skills = SKILL.md + YAML frontmatter + tools
• ClawHub — marketplace with vector search & versioning
• Multi-agent routing — isolated sessions per agent

Local-first, loopback by default

• npm install -g openclaw@latest / Docker / Nix
• systemd / launchd for persistence
• Remote access via Tailscale Serve/Funnel

Impressive scope, real tradeoffs

• Everything runs on one single-threaded Node.js event loop — gateway, API, auth, sessions, cron, UI, all 25+ channels
• Every message JSON-parsed and schema-validated — one bad skill can block the entire gateway
• Docker sandbox is opt-in, not default — skills get full host permissions
• ClawHub skill ecosystem is largely unaudited — vet your skills

• 1,184 malicious skills planted on ClawHub marketplace
• 12% of audited skills found to be malware
• Skills inherit full host permissions — not a package, an agent with your access
• Docker sandbox is opt-in, not default

• Snyk Labs: TOCTOU race in path validation — ~25% escape rate via renameat2()
• /tools/invoke endpoint omitted sandbox policy layer — privilege escalation to restricted tools
• Even with Docker sandbox enabled, known escape vectors remain

• Agents fine-tune models on demand — no manual retraining pipeline
• Version every checkpoint with Git — roll back, branch, push to HuggingFace
• Works with your agent framework: Claude Code, OpenClaw, or native CLI

• OpenAI-compatible API — swap in with one config change
• MCP server for AI assistants out of the box
• FDAP — Columnar data via Arrow Flight for analytics and streaming with Datafusion

• Deny-by-default — nothing is exposed until you say so
• Encrypted RPC, signed requests, role-based access control
• VM-isolated execution via Kata Containers

• Agent calls train MCP tool with dataset + hyperparams
• HyprStream runs training on local GPU (Muon optimizer)
• Result saved as Git worktree branch — full version history
• Agent evaluates new model via evaluate tool
• If improved: merge & promote. If not: discard branch
• Push to HuggingFace — share evolved models with community
• Multiple worktree branches run simultaneously (CoW, minimal disk)

• Branching — experiment without breaking production
• Diffing — track exactly what changed between versions
• Collaboration — multiple agents evolve the same model
• Rollback — revert to any prior checkpoint instantly
• Distribution — push/pull models like code (HuggingFace, GitHub)
• Provenance — signed commits trace who (or what) trained each version

AI assistant in the apps you already use

Infrastructure for agents that talk to each other