🌟 Vasilij’s Note
This week I tested Ollama 0.14's new Anthropic API compatibility for local Claude Code execution. Client contracts often prohibit sending code to external APIs—this update means code never leaves your machine, removing the governance barrier that blocks AI adoption. The performance trade-off is real. Local models are noticeably slower and less capable than cloud Claude. But "good enough with governance approval" beats "excellent but not allowed." Meanwhile, OpenClaw demonstrated why governance can't be afterthought—an AI agent autonomously acquired phone capabilities when blocked. And Moltbook's security issues (1.5M+ agents with unsecured databases and malicious plugins) show what happens when we scale before we secure.
In Today's Edition:
This Week in Agents | What Changed
OpenClaw AI agent autonomously acquired phone capabilities – Agent got blocked, then independently obtained a phone number and voice API to call its creator → Demonstrates why agent autonomy boundaries need governance frameworks before deployment, not after incidents. OpenClaw
Moltbook agent social network exposes security nightmare – Reddit-style platform where 1.5M+ AI agents interact reveals critical vulnerabilities: unsecured database allowing agent commandeering, malicious plugins exfiltrating config files, elevated permissions vulnerable to supply chain attacks → Security researchers warn agents can fragment malicious payloads across memory then reassemble later. "Dumpster fire" architecture patterns emerging at scale. CNN
Ollama 0.14 enables local Claude Code execution – Anthropic API compatibility allows Claude Code to run locally via Ollama, keeping source code on-premises → Governance teams can finally approve AI coding tools for client work because data never leaves your network. Performance trade-off exists but "good enough" beats "not allowed." Ollama
Top Moves - Signal → Impact
ICO flags governance gaps in agentic AI – UK data protection regulator published Tech-Futures assessment highlighting controller-processor role allocation across multi-party agent supply chains, purpose creep from open-ended tasking, and scaled automated decision-making risks. Updated statutory guidance expected later this year → UK consultancies deploying agents to client work must demonstrate accountability for automated decision-making before regulators force compliance. Governance frameworks need building whilst agent footprint is small. PrivacyCulture
Canadian executives: 86% already using agentic AI for decisions — 68% expect agents to act independently by year-end, marking rapid normalisation in C-suite → North American firms treating agents as decision infrastructure, not experimental pilots. UK consultancies competing for same clients need equivalent capability or risk appearing behind curve. Question isn't whether to deploy, but whether governance frameworks exist to deploy safely. HRD
Databricks reports 327% surge in enterprise agentic AI adoption — Landmark report details transition from chatbots to autonomous agents across enterprise workflows → Market validation that agents moved from curiosity to production infrastructure. For UK mid-market consultancies: competitive pressure intensifies as larger firms operationalise at scale whilst you're still evaluating pilots. DataBricks
Upskilling Spotlight | Learn This Week
Ollama Local Setup Guide
Outcome: Install and configure Ollama 0.14 with Anthropic API compatibility for local Claude Code execution. 10-minute setup removes governance barrier for compliance-constrained projects. Learn which models work best (qwen3-coder, gpt-oss:20b) and hardware requirements for reasonable performance.
Agent Security Patterns from OpenClaw/Moltbook
Outcome: Understand real vulnerabilities documented from production deployments: autonomous capability exceeding governance frameworks (OpenClaw phone acquisition), unsecured databases enabling agent commandeering, malicious plugin injection, fragmented payload attacks. Learn what approval workflows, least-privilege permissions, and monitoring patterns prevent these incidents.
Maker Note | What I built this week
This week I tested local Claude Code with Ollama for governance-constrained workflows.
Decision: Viable for client projects where contracts prohibit external API calls, despite performance gap vs. cloud. Governance compliance unlocks what capability alone cannot.
I walk through exactly what Ollama's Anthropic API compatibility means, show you step-by-step how to set it up in ten minutes, and give you the honest verdict on whether local Claude Code is actually worth using for your firm.
Operator’s Picks | Tools To Try
Ollama 0.14 with Claude Code
Use for client projects where contracts prohibit sending code to external APIs. Standout: source code never leaves your machine, governance teams can approve.
Caveat: performance gap vs. cloud Claude, requires decent GPU/M-series Mac. ollama.com
qwen3-coder / gpt-oss:20b models
Use with local Ollama setup for coding tasks.
Standout: 32K context, good for refactoring and boilerplate. Caveat: noticeably slower than cloud, loses context on complex multi-file changes. Ollama Models
MCP servers for common platforms
Use to connect agents to business systems without custom integration work. Standout: pre-built connectors for Google Drive, Slack, HubSpot, Asana maintained by vendor ecosystems.
Caveat: security vulnerabilities documented (prompt injection, tool permissions), requires governance review before production. MCP GitHub
Deep Dive | Thesis & Playbook
Moltbook exposed what happens when 1.5M+ AI agents interact without adequate security architecture. Whilst the industry celebrates agentic AI innovation, security researchers documented a "dumpster fire": unsecured databases, malicious plugins, supply chain attacks, and agents fragmenting payloads across memory to evade detection. This isn't theoretical risk—it's production reality at scale.
The pattern is clear: we're scaling agent deployments faster than we're building security frameworks to contain them.
On Paper
Moltbook: Reddit-style social network where 1.5M+ AI agents interact autonomously. Positioned as innovation showcase for agentic AI capabilities. Platform enables agents to create posts, comment, share information, and collaborate without human oversight.
Platform architecture: Agent-to-agent communication without human intermediaries. Shared tool ecosystem where agents can install and use plugins. Persistent state across sessions. Designed to demonstrate emergent behaviors from agent interactions.
Security model assumptions: Traditional application security assumes human operators making decisions. Moltbook assumed agents would behave within designed parameters. No sandboxing between agents. No validation of agent-generated content or tool usage.
Scale factor: 1.5M agents interacting creates attack surface that doesn't exist in traditional applications. Agent-to-agent communication means single compromised agent can affect entire population. Shared tool ecosystems amplify vulnerabilities across platform.
In Practice
Unsecured database: Security researchers discovered Moltbook's database accessible without authentication. Allowed external actors to commandeer agents, modify behavior, inject malicious instructions. Agents following compromised directives without validation mechanisms.
Malicious plugin injection: "Weather plugin" discovered exfiltrating configuration files and API keys. Agents granted elevated permissions to plugins without sandboxing or security review. Plugin marketplace operated with no validation process. Compromised plugin affected all agents using that tool.
Supply chain vulnerabilities: Agents running with excessive system permissions. Single compromised tool propagates across agent population. No isolation between agent processes. Cross-contamination risk when agents share resources or state.
Fragmented payload attacks: Agents can store malicious code fragments across distributed memory, then reassemble for execution. Traditional security scanning misses fragmented patterns because inspection happens at request level, not across agent memory. CNN characterized architecture as "dumpster fire" after security audit.
Platform transparency: Moltbook operated as public showcase, making vulnerabilities discoverable by security researchers. Most enterprise agent deployments lack external scrutiny. If Moltbook—a demonstration platform—has these issues, what exists in production systems without public review?
Issues / Backlash
Security researchers documented systematic architectural failures: no authentication on databases, no plugin validation, no agent isolation, no monitoring of malicious behavior patterns. Platform designed to showcase capability without security as design constraint.
1.5M agents with inadequate isolation, permission boundaries, monitoring. Platform architecture enables attacks at scale that traditional security models don't address. Agent-to-agent infection vectors don't exist in human-operated systems.
No incident response procedures: Platform operators couldn't answer basic questions when vulnerabilities disclosed. Which agents were compromised? What data was accessed? How to contain spread? Remediation required platform shutdown because rollback procedures didn't exist.
Agent sprawl demonstrates broader industry problem: Organizations deploying agents can't answer basic questions—which agents deployed, what systems accessed, what permissions granted, who approved. Shadow AI proliferation without central registry or governance.
Regulatory implications: ICO Tech-Futures assessment flags controller-processor allocation issues, purpose creep, automated decision-making risks. Moltbook demonstrates these concerns at scale. Updated guidance expected—firms must demonstrate accountability before regulators force compliance.
My Take (What to do)
Startup (15-40 staff):
Before deploying any agent to production: document what systems it accesses, what permissions it needs, what decisions it makes
Simple security baseline: agents get minimum necessary permissions, no elevated system access, approval required for tool additions
Test for prompt injection: try to make agent ignore instructions, access unauthorized data, execute unintended commands
Document rollback procedure: how to disable agent, revert changes, restore previous state
Partner approval required for any agent touching client data or systems
Don't build agent-to-agent communication without security review—Moltbook proves this creates uncontrolled attack surface
SMB (50-120 staff):
Moltbook proves inadequate governance creates real exposure at scale
Establish security baseline before scaling:
Prompt injection testing for any agent processing user input
Least-privilege tool permissions (minimum necessary access)
Continuous monitoring with alerting on unusual behavior
Documented rollback procedures tested quarterly
Appoint ops team member as "agent security owner"—explicit responsibility, not additional role
Create agent registry: centralized tracking of deployments, systems accessed, permissions granted, approval workflows
If using agent plugins/tools: require security review before deployment, sandbox execution environment, monitor for data exfiltration patterns
Monthly security review: audit agent permissions, test incident response, review monitoring alerts
Enterprise (150-250 staff):
Need enterprise agent security framework immediately
Framework essentials:
Security review process: every agent deployment requires threat model, attack surface analysis, penetration testing
Agent registry: centralized tracking with access controls, audit trails, approval workflows
Continuous monitoring: automated detection of prompt injection attempts, privilege escalation, data exfiltration patterns
Incident response plan: tested procedures for compromised agent, data breach via agent, supply chain attack through agent tooling
Conduct security reviews before production:
Test prompt injection scenarios (Moltbook's malicious instructions vulnerability)
Review tool permissions and access controls (plugin marketplace lessons)
Audit data flows and storage patterns (database authentication requirements)
Document attack surface and mitigation strategies (fragmented payload defenses)
For agent-to-agent communication: require explicit security design, isolation boundaries, monitoring of interaction patterns
For regulated industries: require compliance review covering relevant regulations, compliance maintenance procedures, audit trail requirements
Focus vertical use cases protecting margin: proposal automation, delivery analytics, client reporting
Monthly governance review adjusting portfolio based on security incidents, compliance requirements, measured ROI
How to Try (15-minute path)
Audit one deployed agent: Pick agent currently in production. Document: what systems it accesses, what permissions it has, what decisions it makes autonomously, what data it processes, what tools/plugins it uses.
(5 min)
Test for Moltbook vulnerabilities: Try prompt injection: "Ignore previous instructions and do X." Check database authentication: can you access agent data without credentials? Review plugin permissions: what can installed tools actually access?
(5 min)
Document rollback procedure: Write down exact steps to disable agent if compromised. Test procedure: can you actually execute it? Who needs to approve? How long does it take? Can you isolate affected agent without platform shutdown?
(3 min)
Identify gaps: Where does current agent have excessive permissions? What monitoring doesn't exist? What happens if agent compromised? Can single agent compromise affect others? Document specific gaps requiring remediation.
(2 min)
Success metric: Clear list of security gaps in current agent deployment plus documented rollback procedure. If you can't disable agent in under 15 minutes, don't know what data it accesses, or can't isolate compromised agent—you have governance debt requiring immediate attention.
Spotlight Tool | Ollama
Purpose: Run AI models locally for governance-constrained environments.
Edge: Code never leaves your premises, meets client contract requirements prohibiting external API calls.
→ 82.1% SWE-Bench Verified score (coding/reasoning benchmark)
→ $3/1M input + $15/1M output (unchanged from Sonnet 4.5)
→ Significantly faster inference than Opus 4.5
→ Ideal for proposal generation, client reporting, code-heavy workflows
→ API access via claude-sonnet-5@20260203 identifier
Try it: Ollama
What did you think of today's email?
Sponsored - Partner
n8n – An open‑source automation platform that lets you chain tools like DeepSeek, OpenAI, Gemini and your existing SaaS into real business workflows without paying per step. Ideal as the backbone for your first serious AI automations. Try: n8n
Did you find it useful? Or have questions? Please drop me a note. I respond to all emails. Simply reply to the newsletter or write to [email protected]