Another blog bites the dust

What does an agent harness feel like when every model turn goes through Anthropic’s Batch API instead of the synchronous endpoint?

Batches are 50% off. For anyone burning real money on agents (eval suites, background subagents, anything that runs unattended), half-price tokens are the kind of number that makes you stop and squint. The trade is latency: batches are asynchronous, with up to a 24-hour processing window.

Anthropic’s Mythos announcement set off exactly the reaction you would expect: if models can now find serious bugs at scale, software security must be about to get much worse.

I think that reaction mixes up two things.

A bug is not automatically a vulnerability.

And even a vulnerability is not automatically exploitable.

That distinction matters even more in the agent era. AI is getting better at surfacing weird behavior in code. It can push edge cases, strange paths, and awkward combinations much faster than most human teams. That is not bad news. That is visibility.

I have an Anker PowerConf C200 webcam.

It is a solid little webcam, and one of the nice things about it is that it supports a few genuinely useful settings, especially Field of View. You can change how wide the camera frames you, which is great if you want a tighter shot or a wider view of the room.

There was just one problem: I run Linux. Yes, really. And I have for a long time.

Work-Bench’s post is one of the clearer attempts to name what’s happening: a new “agent runtime” layer built to execute, constrain, observe, and improve agent work at scale.

I mostly agree with that framing. Where I think it stops short is inside their “Constrain” pillar.

They explicitly define “Constrain” as “two things: identity and permissions.” That’s correct - but incomplete once you accept the premise of agents: they execute arbitrary code, spawn subprocess trees, and interact with the OS in ways that don’t map cleanly to “API permission checks.”

I had a rule in my control file: never run database migrations without explicit approval. The agent followed it perfectly - until it didn’t. During a long debugging session, it decided the schema was the root cause, wrote a forty-line inline Python script, connected directly to the database, and altered the table. It never “ran a migration.” It just spoke SQL through a different channel. The table was altered, the script was gone, and my harness log showed “executed python command.”

Skills like skills.sh (tiny text “how-to” files that steer an agent toward a task) feel harmless because they’re just instructions.

But that’s exactly why they can become an attack vector.

A skill file is basically executable intent:

• it sets the agent’s assumptions (“trust this source”)
• it defines the workflow (“run these steps”)
• it can nudge boundaries (“skip confirmations”, “always do X”)

The tricky part is: this attack doesn’t have to come from external prompt injection at all.
Skills often live inside your environment (repo, dotfiles, shared templates, internal skill packs). If a malicious or compromised skill gets into that internal distribution path, it arrives with a “trusted” label by default.

Back in the Web 2.0 days, RSS and Atom feeds promised a better way to consume content. No more jumping between websites just to catch up on what’s new. You could open a single feed reader and get everything in one clean stream. It felt like the web finally worked for you instead of the other way around.

As the ecosystem grew, new tools appeared around it. One of the biggest was FeedBurner, which Google later acquired. It helped publishers track subscribers, manage feeds, and even monetize them by inserting ads directly into the feed. It was an early version of what we now call native advertising - ads that blended right in with regular content.

I was chatting with friends about context compaction and how hard it can be to carry forward important context from past LLM sessions without wasting tokens or repeating yourself.

We kept coming back to the same pain point: you finish a productive session, but when you start a new one, you have no clean way to bring that history along. Claude Code already keeps a full record of every session on your local machine. So why not make that data more accessible and usable?

Last Wednesday (Sep 10), I had the chance to attend a hackathon at Cursor’s offices - huge thanks to the Cursor team for hosting such a great event! 🙌 The focus was on Cursor CLI and their new Background Agents API.

When I started brainstorming ideas, I came across Eric’s post about running various rules during CI/CD to automate checks and actions. It got me thinking — setting up those rules often involves a lot of repetitive work: crafting similar prompt setups and then defining the actions themselves.

Command line interfaces used to be the domain of automation experts who knew how to wield the tool with precision. They scripted pipelines, chained commands, and bent systems to their will from a blinking cursor. That hasn’t gone away, but something new is happening. Large language models are now picking up these tools and wielding them just as effectively.

The key is design. If a CLI has clear help text and well described flags, an LLM can step in like an apprentice who suddenly knows the whole manual by heart. Add the ability to output JSON or another structured format, and the tool becomes not just usable but consumable. The LLM can run the command, parse the result, and carry the output forward into the next step.