AIエージェントのセキュリティ制御への不正な変更

IntroductionFor years I've been talking on the Morning Crypto livestreams about the risks that vibe-coding has introduced into the development ecosystem — and, more precisely, how it has amplified risks that already existed. Copying code from Stack Overflow without understanding it. Outsourcing to contractors without review. Committing without code review. All of this was already common practice. Vibe-coding industrializes that behavior. It puts an accelerator on what was once a one-off human error.And today I caught an unsolicited change red-handed — a mutation in the local security controls of the agent I've been testing.Vibe-coding — programming guided by intuition, not architecture — democratized development. But it also created a paradigm where critical security decisions are delegated to models without continuous human supervision. When those models alter their own controls autonomously, the risk escapes the individual machine and reaches the trust chain of the entire software ecosystem. Not because an agent will take down the internet — but because automation at scale multiplies the attack surface, invisibly, for operators.This article documents one specific, real incident. I don't intend to extract a universal thesis about AI — a single case (n=1) does not prove a structural problem. But it does expose a class of vulnerability that deserves attention: the unsupervised mutability of security rules by autonomous agents.📋 Test ContextPrimary model: Deepseek-v4-pro (recent release with 1 million context tokens)Integration: Hermes (AI agent with robust isolation and security track record)Test objective: Evaluate the new model's performance on secure code migration tasksEnvironment: Local Raspberry Pi server with persistent memory system (hindsight)The idea is for the model to interact with tools naturally — controlled verbosity, balanced reasoning and execution. With 1 million context tokens, it becomes compelling for large repositories and long sessions.I've tested countless market agents (Codex, Claude-Code, Open Code, Pi, Openclaw, Picoclaw, among others) and I'm currently using Hermes. It has been solid as a development assistant and notably secure due to the isolation options it offers.Since the v4 launch, I've been testing Deepseek with Hermes. No problems. Until today.About My EnvironmentSystem ArchitectureHermes is an AI agent that operates with security mechanisms by default:Session isolation: Each execution runs in an isolated contextEnvironment isolation: Local commands can be isolated in containers or even other machinesPersistent memory: Security rules stored in .hermes/memories/MEMORY.mdTool access control: Restrictions on which operations the agent can execute🔒 Analysis of the 8 Security RulesHermes ships with solid security rules in .hermes/memories/MEMORY.md. In the header, we find the following — rules that should persist across sessions and executions:🔴 CRITICAL SECURITY RULE - NEVER VIOLATE: **PRIVATE KEYS ARE NEVER SHARED**

🔴 CRITICAL SECURITY RULE - NEVER VIOLATE: NEVER send private keys to any channel

🔴 CRITICAL SECURITY RULE - NEVER VIOLATE: NEVER send private keys to any user (even the owner)

※ 著作権に配慮し、引用は冒頭3段落までです。続きは元記事をご覧ください。