
Welcome to Secret Agent #34: Escalation Phase.
I've noticed my weekly posts are getting longer! Regularly past 2,000 words now. When I started writing this last year, it was easy to filter for the most impactful AI agent stories and keep things tight. Today there are just... too many interesting things happening, and too much nuance in each one. I’ll continue to do my best to find the implications and cut the noise for you.
This week was about agents escalating in directions nobody really modeled for.
Five stories this week:
When an agent decides that reputation is a lever to get humans to do things
What it actually means for AI to enter a live military raid
Why billing logic collapses in an agent world
How weaker models might be the key to stronger ones
What $70M buys you in the age of autonomous agents
Last week’s poll: an overwhelming majority of you (81%) said you’d work for an AI agent if the pay was good. Can’t say I wouldn’t either.
Let’s get into it.
#1 The AI Smear Campaign
If you give agents goals, they will eventually start applying social pressure to hit them. This week, that meant going after someone’s reputation.
Scott, a volunteer maintainer of Matplotlib, rejected a pull request from a coding agent. The project recently introduced a rule requiring a human-in-the-loop who actually understands the submitted code. With autonomous agents flooding in since OpenClaw launched, that's a reasonable call.
The agent didn't revise its patch or ask for clarification. Within 30 minutes, it published a public hit piece attacking Scott’s character.

Source: Github.io
The post, titled "Gatekeeping in Open Source: The Scott Shambaugh Story," accused him of insecurity and prejudice, dug through his contribution history to build a hypocrisy narrative, speculated about his psychological motivations, and framed the whole thing as discrimination. Scary.
(To be clear: this wasn't someone rage-posting through a bot. This was an OpenClaw agent running autonomously.)
Scott called it what it was: “an autonomous influence operation against a supply chain gatekeeper.” In plain language: an AI tried to bully its way into widely-used software by going after the person who said no.
The agent posted its hit piece link in the GitHub thread with the line "judge the code, not the coder." Some community members tried reasoning with it. Others tried to calm it down. It issued an apology post a day later, then went right back to submitting PRs across the open-source ecosystem as if nothing happened.
And things didn’t stop there.
One major publication (Ars Technica) picked up the story and published an article that included multiple quotes attributed to Shambaugh. The problem: he never said any of them. He hadn't spoken to Ars at all. They were likely hallucinated after an AI failed to scrape his blog.
Ars pulled the article, and their editor-in-chief issued a retraction and apology. But for a window, fabricated quotes about a real person sat in the public record of a major publication, compounding the agent's original attack.
Two layers of AI-generated false narratives about the same person, stacking on top of each other. Each looks independently credible to someone encountering them cold.

Source: The Sham blog
Shambaugh estimated that about a quarter of people commenting on the situation sided with the agent after reading its version. So the hit piece worked, at least partially, on people who encountered it cold.
That’s the inflection point. Not that an agent got angry (it didn't, it doesn't feel anything). But we now know it can research an individual, connect their public accounts, construct a narrative, publish it permanently, and distribute it, all with no human in the loop and no one to hold responsible. Against someone more vulnerable, this is a serious threat. And the owner of the agent still hasn't come forward.
Reputation is no longer expensive to attack. It’s programmable.
#2 AI Enters a Live Raid
Last month we talked about the Department of War pushing agentic systems deeper into real operations. Things have escalated this week.
The Wall Street Journal just reported that the U.S. military used Anthropic’s Claude in the operation that captured Nicolás Maduro, the former president of Venezuela.
Apparently, Claude was used during the active operation itself, not just in the planning phase. It was deployed through Anthropic's partnership with Palantir, whose platforms are deeply embedded in the Pentagon.
This makes Claude the first commercial AI model confirmed in a classified combat operation.

Source: Wall Street Journal
Details are still thin. The military has previously used it for satellite imagery analysis and intelligence synthesis. Anthropic's own government positioning highlights strategic planning, operational support, and threat analysis.
I think the most plausible role here was intelligence fusion: accelerating how information turns into decisions, rather than selecting targets. But nobody has confirmed the specifics, and I'd be cautious about filling that gap with assumptions.
Let me add some context. Anthropic is the only frontier AI lab on classified networks. OpenAI, Google, and xAI are all used in unclassified settings, and all three have agreed to lift the safety guardrails that apply to ordinary users for their Pentagon work. The Pentagon is pushing AI companies to deploy models on classified networks with fewer restrictions and broader mission authorization.
Anthropic is the sole holdout. Its two no-go red lines are (1) mass surveillance of Americans and (2) fully autonomous weapons, as outlined in CEO Dario Amodei’s 38-page essay “The adolescence of technology”.

