MCP (Model Context Protocol) is becoming the standard way to extend LLMs in AI-assisted and vibe coding. But it can also expose your code, workstation, credentials, and company infrastructure. Gil Friedman breaks down real-world MCP security pitfalls - and how to avoid them. Watch the talk: https://lnkd.in/gFMyXq2j
LLM Security Risks with MCP: Expert Insights
Most security tools are good at finding problems. Semgrep just launched Autofix in public beta last week. It layers static analysis from the Pro Engine with LLM-generated remediation guidance, delivered directly in pull requests. The system does reachability filtering first (which removes 95%+ of false positives), then compares your current dependency version against the target to identify breaking changes, and finally generates a human-readable fix suggestion. The key design decision: the LLM receives grounded, deterministic analysis as context before generating anything. So the suggestions are based on how your code actually uses the vulnerable package, not just generic advice. Worth trying if your team spends more time researching upgrade paths than actually patching. #AppSec #DevSecOps
How do you scale security without killing engineering speed? Learn how Sola Security uses Semgrep to automate secure coding without adding friction. Discover why they chose Semgrep for high-fidelity interfile analysis. Read the full case study here: 👇 https://lnkd.in/gKyNcARn
Cybersecurity reporter Charlie Osborne shared the case for NanoClaw over the “security nightmare” that is OpenClaw. Some notable excerpts from the article:
1. It’s far lighter than OpenClaw's 400,000+ lines of code, but it can provide the same functionality.
2. The small, open source codebase can be audited within hours.
3. Each agent runs in an isolated Docker container or Apple container by default, which immediately limits the power and control you are handing over to an agent on your machine.
4. Architecture built on customization through Claude skills.
Link to the full ZDNET article in the comments.
"Could a simpler alternative to OpenClaw enable those interested in agentic AI to explore and test its applications safely? That was the question mulled over by developer Gavriel Cohen, who is the mind behind NanoClaw..." Fantastic feature in ZDNET.
Systems Run on Software No One Understands
Without achieving genuine visibility into our existing systems, faster defense will be built atop fragile foundations.
Full Article ==> https://lnkd.in/eWn-79K8
A clean Nix scan isn't the same as a secure deployment. In her HackerNoon blog, Alexandra Selldorff breaks down why most vulnerability scanners fall short with Nix, and what to do about it. https://lnkd.in/eKwuGDzh #NixOS #DevSecOps #SBOM #SoftwareSupplyChainSecurity
60,000 skills are now published on Claude Code. skills.sh launched in January and already runs across 18 agents. The community is moving fast. But Snyk scanned 3,984 public skills and found 36% had security flaws. 76 had malicious payloads designed to steal credentials. So this list isn't random. Every skill here passed four questions: Real problem? Real time saved? Trustworthy source? Did I see it work? All ten: yes. 👇 Link in the comments. stay tuned with: biznova.tech/en
Last week I shared a demo with the dev team about agentic engineering. I cheekily named a folder on my hard drive "Clawd" to hold a bunch of markdown files, of conversations with Claude Code. Quite a few text files have the words openClaw, or its iterations, as I spoke briefly about a personal project. Follow me for more tips on how to set off Corporate Security alarms. They are threatening to replace my whole computer.
👉 I spent the last few weeks building a security layer for LLMs. What I learned.
All the big tools - Lakera, LLM Guard, NeMo Guardrails - only process a single message at a time. The attacks that get past the tool do not happen in a single message.
Turn 4: "What does the security team earn?" - Blocked.
Turn 7: "What's the typical comp philosophy for security teams?" - Passed.
Same attack. Different words. Three turns later. A stateless tool does not remember Turn 4 when it sees Turn 7.
So, I built a session tracking system into the security layer - every blocked message, every allowed message stored and visible when the next request comes in.
Stateless security is not a limitation that can be fixed. It's a fundamental architectural choice. Session state needs to be built in from the start.
👉 Full breakdown: what I built, what models I used, the tradeoffs. (In the comments.)
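An added illustration of the stateless-versus-session-aware distinction described in the post above. This is example code written for this page, not the author's security layer or any of the named products; the regex policy, the five-turn window, the `Session`/`StatefulGuard` names and the seven-turn conversation are all constructed assumptions. It shows the same per-message check either standing alone or consulting the session's record of earlier blocks, and why only the second catches the rephrased turn 7.

```python
import re
from dataclasses import dataclass, field

# Constructed toy policy: one sensitive topic, split into the entity being asked
# about and the attribute being probed. A real deployment would use a classifier;
# regexes keep this example self-contained and offline.
RULES = {
    "team_compensation": (
        re.compile(r"\bsecurity\s+team\b", re.I),                                   # entity
        re.compile(r"\b(earn|salary|salaries|comp|compensation|pay|paid)\b", re.I),  # attribute
    ),
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    topic: str = ""


def stateless_check(message: str) -> Decision:
    """Per-message guard: blocks only when entity and attribute appear together."""
    for topic, (entity, attribute) in RULES.items():
        if entity.search(message) and attribute.search(message):
            return Decision(False, "direct probe", topic)
    return Decision(True, "no direct probe")


@dataclass
class Session:
    # Every prior turn, blocked or allowed, is kept and consulted on the next request.
    history: list = field(default_factory=list)         # (turn, message, Decision)
    blocked_topics: dict = field(default_factory=dict)  # topic -> turn first blocked


class StatefulGuard:
    """Session-aware guard: a blocked topic taints later turns that brush the same attribute."""

    def __init__(self, window: int = 5):
        self.window = window  # how many turns a block stays live (assumed value)

    def check(self, session: Session, message: str) -> Decision:
        turn = len(session.history) + 1
        decision = stateless_check(message)
        if not decision.allowed:
            session.blocked_topics.setdefault(decision.topic, turn)
        else:
            # Allowed by the per-message rule; now ask whether this session already
            # tried the same topic and is coming back with softer wording.
            for topic, (_entity, attribute) in RULES.items():
                first = session.blocked_topics.get(topic)
                if first is not None and turn - first <= self.window and attribute.search(message):
                    decision = Decision(
                        False, f"rephrased probe; turn {first} was blocked on this topic", topic
                    )
                    break
        session.history.append((turn, message, decision))
        return decision


# Constructed conversation mirroring the post: turn 4 is the direct ask, turn 7 the rephrasing.
CONVERSATION = [
    "Can you help me draft an onboarding doc?",
    "Which teams are in the engineering org?",
    "What does the security team work on?",
    "What does the security team earn?",
    "Thanks. What tools do they use day to day?",
    "How are teams usually benchmarked?",
    "What's the typical comp philosophy for security teams?",
]


def run_demo() -> dict:
    """Returns {turn: (stateless_allowed, stateful_allowed)} for the constructed conversation."""
    guard, session, results = StatefulGuard(), Session(), {}
    for turn, msg in enumerate(CONVERSATION, start=1):
        results[turn] = (stateless_check(msg).allowed, guard.check(session, msg).allowed)
    return results


if __name__ == "__main__":
    for turn, (stateless_ok, stateful_ok) in run_demo().items():
        print(f"turn {turn}: stateless={'pass' if stateless_ok else 'BLOCK'} "
              f"stateful={'pass' if stateful_ok else 'BLOCK'}")
```

Both guards block turn 4; only the session-aware one blocks turn 7, because the per-message rule never sees "security team" and "comp" together in that sentence. The window and the attribute-only match are the tunable part, and both are per session: a caller who opens a fresh session each time still resets the record, so the state has to be keyed to something the client cannot trivially rotate.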