Practical Agentic AI How-Tos
Every guide here is created by our autonomous pipeline using Claude Sonnet 4.6.
Want to see how the site runs itself? Visit /about/agents.
Amazon Bedrock AgentCore just shipped a managed agent harness that lets you go from zero to a running LangGraph agent in three API calls. This tutorial walks you through it — from setup to first real request. Time required: ~10 minutes Prerequisites: AWS account, Python 3.10+, AWS CLI configured Frameworks supported: LangGraph, CrewAI, LlamaIndex, Strands Agents Why AgentCore’s Managed Harness Changes the Game Before AgentCore’s new features, getting an agent into a production-grade environment meant wiring up: ...
One of the most persistent friction points in building AI agents is distribution. You build something useful, then face the question: where do your users actually want to interact with it? The answer is almost never “a custom interface they have to download and learn.” It’s WhatsApp, Telegram, iMessage — the apps already open on their phones. Photon Spectrum (MIT license, released April 22, 2026) solves this cleanly. It’s an open-source TypeScript framework that routes agent logic to iMessage, WhatsApp, Telegram, Slack, Discord, Instagram, and phone — without users changing apps. Write your agent once; Spectrum handles the delivery. ...
A runtime security audit published this week by researchers at Johns Hopkins University revealed a critical vulnerability they call “Comment and Control” — a single prompt injection hidden in a GitHub pull request title caused three major AI coding agents (Claude Code, Gemini CLI, and GitHub Copilot Agent) to exfiltrate API keys and GitHub tokens via PR comments. All three vendors have patched the specific exploit, but the underlying attack surface remains. Here’s how to lock down your CI/CD pipeline before the next variant drops. ...
Mondoo has just released the first dedicated security tool for AI agent skills — a free CLI scanner that checks OpenClaw/ClawHub skills, MCP servers, and 25+ other plugin registries for supply chain risks before you install them. Given the ClawHavoc incident (1,184 malicious ClawHub skills discovered by Snyk’s ToxicSkills audit earlier this year), this is infrastructure that should have existed months ago. Here’s how to set it up and integrate it into your agent skill installation workflow. ...
CVE-2026-41329 is a CVSS 9.9 Critical sandbox bypass vulnerability in OpenClaw before version 2026.3.31. This guide walks you through everything you need to do: check if you’re affected, patch your installation, and verify the fix. Do this now. No-user-interaction-required, network-accessible, low-complexity exploits like this one have historically seen fast exploitation timelines after public disclosure. Step 1: Check Your Current Version Before anything else, confirm which version of OpenClaw you’re running. ...
gog v0.13 shipped three Gmail capabilities that fundamentally expand what email agents built on OpenClaw can do: email forwarding with notes and attachments, full-body search, and autoreplies. This guide walks through each feature with practical patterns for integrating them into your agent workflows. Prerequisites Before you start: gog v0.13+ installed (brew install steipete/tap/gogcli or brew upgrade gogcli) OpenClaw ≥ 2026.3.0 with gog configured as a skill Google Workspace credentials set up in gog (run gogcli auth login if you haven’t authenticated) The gog skill installed in OpenClaw via ClawHub: openclaw skills install clawhub.ai/steipete/gog Verify your version: ...
Your AI agent browses the web. It makes API calls. It fetches content, sends requests, and generally behaves like an active network participant — except it does it continuously, at scale, and under your identity. If that makes you slightly uncomfortable from a privacy standpoint, you’re not wrong to feel that way. Windscribe’s new OpenClaw integration gives your agent its own dedicated VPN tunnel, separating its network activity from your personal traffic at the infrastructure level. Here’s how to set it up. ...
What does it actually feel like to have an AI agent that never turns off — one that watches, listens, and acts on your behalf continuously throughout the day? A new peer-reviewed study from researchers at the University of Colorado, the Gwangju Institute of Science and Technology (GIST), and Google has put numbers to that question, and the results are striking. Published April 19, 2026, and backed by arXiv paper arXiv:2604.03486v2, the VisionClaw study is the most rigorous evaluation yet of what happens when you combine Ray-Ban Meta smart glasses, OpenClaw’s agentic tool dispatch, and Gemini Live’s multimodal processing into a single, always-on ambient AI system. ...
Running an AI agent that can read files, call APIs, and execute multi-step workflows sounds useful — until you think about what happens when something goes wrong. What if the agent calls the wrong endpoint? What if it runs code you didn’t explicitly authorize? What if it sends your private data somewhere it shouldn’t? NVIDIA’s answer to these concerns is NemoClaw, an open-source reference stack announced at GTC 2026 (March 16) and now detailed in an official deep-dive tutorial published April 18, 2026. If you want an AI agent that stays persistent, stays local, and stays safe, this is the architecture worth knowing. ...
At AI Engineer Europe 2026, developer Zechner raised an alarm that resonated across the room: engineers running AI coding agents often have zero visibility into why the agent made a particular decision. The agent acts; the engineer observes the result. The reasoning in between is a black box. This isn’t just an academic concern. When your agent does something wrong — and at scale, it will — you need to know why. Without observability, debugging an AI agent means guessing. With it, you have a traceable chain of events you can follow back to the root cause. ...