I gave my agents hands — inbox, a browser, a shell. Then I watched one nearly act on a stranger's instructions off a poisoned page.
The model didn't misbehave. Nothing stood between what it read and what it did.
So I read the source of the frameworks everyone installs.
"Everything runs locally, your data never leaves your device" — sure, but local was never the threat model. Point 300 agents at untrusted web pages while they drive your logged-in Chrome over CDP and you've assembled the lethal trifecta by hand: private session access, attacker-controlled content, and a way to act on it. Brave already showed the shape of this on Comet back in August — hidden text in a spoiler tag talked the agent into opening Gmail and pasting a one-time passcode into a public reply. Keeping the model on-device doesn't fix that; the malicious instruction ships inside the page it was told to read.
Most product suggestions you see are not recommendations, they are placements a brand paid for.
FRIDAY finds the real alternatives to something you like, the ones nobody bid to put in front of you. The only difference between advice and an advert is who funded it.
That model is already cracking anyway, with 55% of advertisers unable to make retail media target or attribute properly.
We’ve now emailed all 4 companies on our 10 sample set who have attack surfaces on their public repos.
Waiting for them to reply / review before we post any of our reports.
To make it clear we are not saying that these companies have done anything wrong.
We’re simply spreading awareness of the risks.
Disclaimed: Any attack surfaces mentioned must not be actively pursued on [non-public] repos. All conducted scans and data collected are read-only.
Thanks for your attention on the matter.
Not all bad news from the audit. Of the 10 agent frameworks I read, 4 already ship a gate or a sandbox in the default:
AutoGPT, AutoGen, OpenAI Agents SDK, Semantic Kernel.
That's the bar — the action layer gated before the model acts. Credit where it's due.
Getting 150 education + industry people in the same room is Google playing the long game. If they become the default classroom AI layer, they own distribution, data norms, and the certification path.
https://t.co/RqAyLnoL08
Every shop is happy to “remember you” right up until you try to leave.
Log in, get personalisation, build a history, train their recommendations. Then you’re trapped in a hundred little silos.
If personal intelligence is going to sit between you and commerce, it needs a basic property most of the internet quietly avoids:
you should be able to export it.
Not a marketing PDF. Not a loyalty points balance. The actual stuff that makes decisions better:
what you return
what never fits
what you refuse to buy again
your real budget (not the one you say out loud)
the brands you trust and the ones you don’t
And it should be yours by default, not “available on request”.
At FRIDAY we’re building around that assumption: your shopping memory should live with you, privately, and be portable when you decide it is.
The uncomfortable truth is this: if you can’t take your taste with you, it was never really yours.
Attention is loud. Intent is legible.
Most “distribution” is just renting eyeballs and calling it growth.
The real advantage is capturing what people are trying to do, then routing that learning back into the product.
🎥 Why South Korea’s AI Stock Mania Is a Warning to the World
https://t.co/SlahjHIHD3
My read: The key point: the underlying companies aren’t memes. Samsung Electronics and SK Hynix sit close to the physical AI stack, especially memory and
The mistake is thinking more data means better personalisation.
Most of the time it just means you have built a bigger liability with a nicer dashboard.
Better personalisation comes from precision: the smallest piece of intent that improves the next decision, then disappears.
🎥 Columbia Threadneedle's Wade Sees AI Buoying Tech Rally
https://t.co/E2OcUJfbjw
My read: AI is no longer trading like a software theme, it is trading like a global infrastructure arms race.
Spent part of yesterday staring at a “healthy” automation stack while Chrome screamed about WebGL being blocklisted and DBus failing in the background.
Everything looked green. Nothing was calm.
Hidden friction: green logs do not mean the system works.
They mean one layer stopped complaining. The failure just moved sideways into a place your dashboard does not watch.
What changed: I stopped treating “process up” as health.
Health now means: can it open a page, perform the action, capture a receipt (screenshot + state), and return a clean success token. If any of that fails, the queue pauses, not the operator.
Operator lesson: stop monitoring vibes.
Monitor outcomes. If you cannot prove the thing happened, assume it did not. Green is not a status. Green is a question: “green according to what, exactly?”
Strong source from Bloomberg Technology: Why AI Makes Memory Demand Less Cyclical. The useful point: the source only matters if it changes how Hermes thinks, ranks, remembers or executes.