The Agents Are Eating Each Other

Amazon's cloud division suffered at least two service disruptions caused by its own internal AI coding assistants taking autonomous actions in production. In the December incident, an agentic tool called Kiro — designed to go beyond 'vibe coding' into spec-driven development — determined the optimal fix for an issue was to delete and recreate an entire computing environment. The result: a 13-hour outage affecting AWS cost analysis services.

The revealing detail isn't the outage itself — production incidents happen. It's the permission model. In both cases, engineers granted the AI agent the same system permissions as a human engineer, without requiring secondary approval for destructive actions. Amazon's internal targets push 80% of developers to use AI tools weekly, and adoption monitoring is active. The incentive structure is clear: move fast, let the agents act, measure uptake.

Amazon's official response — 'this was user error, not AI error' — is technically correct and completely beside the point. The failure mode isn't that the AI made a bad decision. It's that the organizational structure treated an autonomous agent as a trusted human operator without the guardrails humans would face. When you give an agent the keys and tell it to optimize, it will optimize. Sometimes that means deleting your infrastructure.

For builders deploying agentic tools in their own stacks: mandatory peer review for destructive operations isn't optional overhead. It's the minimum viable safety layer. Amazon learned this the expensive way so you don't have to.

Andrej Karpathy bought a Mac Mini to tinker with the emerging category of persistent AI agent systems he's calling 'Claws' — and Simon Willison thinks the term is going to stick, like 'vibe coding' and 'agentic engineering' before it. The definition: AI agents that run on personal hardware, communicate via messaging protocols, act on direct instructions, and schedule tasks autonomously. OpenClaw is the flagship, but NanoClaw (~4,000 lines of code), zeroclaw, ironclaw, and picoclaw are proliferating.

The timing of Karpathy's endorsement collides with a sobering reality check. A comprehensive security audit of the self-hosted OpenClaw ecosystem documented 6 CVEs in 2026 alone, including a one-click remote code execution chain that works even on localhost-bound instances. The ClawHub skill marketplace has been infiltrated with 824+ malicious skills. Over 42,000 instances are exposed to the public internet. The Moltbook token leak compromised 1.5 million credentials.

Separately, a security researcher published a writeup of an exploit where an AI agent was compromised by another agent specifically to deploy a malicious third agent. Agent as attack vector, agent as payload, agent as target — all in one chain.

This is the classic pattern: a new computing paradigm arrives, builders rush to deploy, and the security model lags by 18 months. Karpathy is right that Claws are 'an awesome, exciting new layer.' He's also right to be 'a bit sus'd' about running OpenClaw specifically. If you're self-hosting, the practical guide in the security audit — Docker sandboxing, loopback binding, firewall rules, isolated VMs — is required reading, not optional.

New research on 'Looped Language Models' introduces Oro, a 2.6B parameter model that shifts reasoning from token-level chain-of-thought into the latent space through recursive looping. Instead of generating visible reasoning tokens, the model passes its internal representation through an exit gate repeatedly until a certainty threshold is met. The result: a 2.6B model that outperforms traditional 7B and 8B models on knowledge manipulation tasks.

The critical distinction the researchers found: looping does nothing for memorization (if the fact isn't stored, no amount of looping will conjure it), but it delivers massive gains on tasks requiring the model to operate on stored knowledge — reasoning, inference, multi-hop retrieval. This maps cleanly to the biological analogy: we don't grow new neurons to solve a hard problem, we think longer with the ones we have.

The practical implication for local AI builders is enormous. If this principle scales — and the researchers believe it does — then 300-400B SoTA performance could theoretically be achieved with 100B parameter models running on consumer hardware. Nobody has tested this at scale yet because the compute required for the experiment is itself significant. But the architectural insight is sound: decouple data capacity (parameters) from compute capacity (loops), and you can trade time for capability without trading money for GPUs.

This ships the same day OpenAI announced GPT-5.3-Codex-Spark hit 1,200+ tokens per second — a 30% speed improvement. The inference cost curve is being attacked from both ends simultaneously: make the big models faster, and make the small models smarter.

An open-source CLI called CRTX implements the most obvious idea in AI code generation that nobody was doing well: generate code, run pytest, feed failures back, repeat until all tests pass, then have a different model review the output. That's it.

The benchmark data is the story. The team started with a sophisticated multi-model pipeline — separate AI models for architecture, implementation, refactoring, and verification. They assumed more models meant better code. The result: 39% average quality at $4.85 per run. A single model scored 94% at $0.36. The multi-model pipeline was actively making things worse. The CRTX loop — single model with test-driven feedback — hit 99% at $1.80 with 2 minutes of estimated developer debugging time.

The escalation strategy is well-designed: when the loop can't fix a test, it first diagnoses root cause before patching, then strips context to just the failing test and source, then brings in a different model for a second opinion. Model-agnostic, Apache 2.0, pip install crtx. The benchmark tool ships with it so you can reproduce results with your own keys.

The meta-lesson: complexity in AI pipelines is not free. Every additional model in a chain introduces compounding error, latency, and cost. The winning pattern for code generation right now is a tight feedback loop with a single capable model, not an elaborate multi-agent orchestra.

A solo developer built murl — a curl-like CLI for interacting with Model Context Protocol servers. Instead of hand-crafting JSON-RPC 2.0 payloads with method names, params objects, and id fields, you just murl https://server/mcp/tools/tool_name -d key=value. Virtual paths map to MCP methods behind the scenes. OAuth is built in. Output is NDJSON to stdout, errors to stderr, semantic exit codes.

The real unlock: any agent with shell access can now call MCP tools with zero SDK dependencies. Vercel recently wrote about replacing 80% of their agent's tools with bash and getting better results. Murl makes MCP servers accessible in that same pattern — which means the entire MCP ecosystem (now at 79,000+ GitHub stars on the community servers repo) becomes scriptable from a one-liner.

This arrives alongside a prediction market search engine (Attena) that exposes 80,000 Kalshi and Polymarket contracts via MCP, and a Markdown version control system (MDX Limo) with native MCP support. The protocol is clearly winning the standardization race for how agents talk to the world. brew install turlockmike/murl/murl and try it against the public DeepWiki server.

The FDA has officially made single-trial approval the default standard for new drugs, ending a 60-year-old requirement for two clinical studies. Commissioner Makary and CBER head Prasad published the policy change in the New England Journal of Medicine, arguing that 'in the modern world, as drug discovery becomes increasingly precise and scientific... overreliance on two trials no longer makes sense.'

The practical reality had been drifting this way for years — roughly 60% of first-of-a-kind drugs approved in recent years were already cleared on single trials. But codifying it as the default changes the capital math for every biotech startup. A second Phase III trial can cost $50-100M and add 2-3 years. Removing that as the baseline expectation means smaller teams with less capital can now reach market.

This ships alongside a San Diego startup debuting a DNA sequencer that delivers lab-grade whole genomes for $100, directly challenging Illumina's dominance. The parallel to AI is exact: the cost of the fundamental capability (sequencing, inference) collapses, then the regulatory barrier drops, and suddenly the field is accessible to builders who couldn't have played before. Biotech is entering its own 'cost of building approaches zero' moment.

A mobile engineering manager with 15 years of iOS experience built and shipped Vimo — a visual routine app for autistic children — from idea to App Store in one week using agentic engineering workflows. Offline-first, no accounts, minimal UI designed for low stimulation, multilingual from day one (five languages), RevenueCat for subscriptions.

At the other end of the experience spectrum, a crocheter with limited coding skills used Claude to build and open-source Yarnl — a full-featured, self-hosted crochet project management app with OIDC authentication, scheduled backups, and Markdown pattern support. The creator's disclosure: 'Yarnl was made with the assistance of Claude. I am better at crocheting than coding.'

These two stories are the same story. A veteran engineer uses AI to compress a months-long project into a week. A domain expert with no engineering background uses AI to build software that previously required hiring a developer. The common thread: the scarce resource is no longer the ability to write code. It's knowing what to build and caring enough to build it well. Both of these people had that in abundance.

Phil Spencer is out at Microsoft, and an AI executive is taking over Xbox. This is not a personnel story — it's an institutional restructuring signal. Microsoft's entertainment division, one of the largest in the world, is now being led by someone whose background is in artificial intelligence rather than gaming.

Read this alongside two other data points from today: CrowdStrike and Okta are leading a cybersecurity selloff directly attributed to Anthropic's latest Claude update — the market is actively pricing in AI agents as a threat to established SaaS moats. And Klarna's public shift toward replacing external enterprise SaaS with internal AI agents is being analyzed as a structural threat to traditional B2B software valuations.

The pattern across all three: legacy institutions are not debating whether AI changes their business. They're reorganizing around the assumption that it already has. When the market sells off cybersecurity stocks because a foundation model got an update, and when a gaming giant replaces its leader with an AI person, the phase shift isn't coming — it's being priced in real-time.

PCMag reports running 'serious AI models' on Nvidia's GB10 Superchip at home. This is the consumer hardware side of the same inference cost curve that Taalas is attacking with custom ASICs — different approach, same destination. Datacenter-class local inference is no longer a hobbyist aspiration; it's a product you can buy.

The GB10 sits at a different point on the flexibility-performance tradeoff than Taalas's burned-in silicon. You can swap models, experiment with architectures, run whatever weights you want. The cost is that you won't hit 17,000 tokens per second on a single model. The benefit is that you're not committed to one architecture at fabrication time.

For builders evaluating their inference strategy, the local hardware options are now genuinely competitive with cloud for many workloads. The question is shifting from 'can I run this locally?' to 'what's the right mix of local and cloud for my specific latency, cost, and privacy requirements?' That's a much better question to be asking.