The Agent That Lived in a Telegram Chat (and Almost Ran the Company)

In partnership with

itscybernews — Friday edition, May 22, 2026

The story

When Lena, a two-person logistics startup founder in Lisbon, opened her laptop on Monday morning, she didn't open her CRM. She didn't open her email. She opened Telegram, sent the message "who haven't we followed up with this week?" — and watched a list appear thirty seconds later.

Then she sent: "draft a polite check-in to each, run it past me before sending."

Six drafts appeared. She tapped through them while her espresso was still hot. By 9:14 she had sent the lot.

The agent on the other end of that chat wasn't a person. It wasn't ChatGPT. It was OpenClaw, an open-source agent that runs locally on her Mac, talks to Claude through an API, and treats Telegram like a command line. Since Peter Steinberger first published it in late 2025, OpenClaw has gone from 9,000 to over 210,000 GitHub stars — by some counts the fastest-growing open-source project in GitHub history.

The thing that makes OpenClaw interesting isn't that it can write email. ChatGPT can write email. It's that OpenClaw is always on. It remembers context across days. It runs scheduled tasks while you sleep. It can browse the web, file expenses, audit a competitor's site, and ping you on WhatsApp when something interesting happens — all under a "skills" system, where each skill is a folder with a SKILL.md file describing what it does.

What people are actually doing with it

A small lead-gen agency in Austin has OpenClaw run prospect research overnight. The owner wakes up at 7am to a Telegram message listing the ten companies that hired a new VP of Engineering yesterday, what their stack looks like, and a draft outreach for each.

A solo legal consultant in Singapore uses it to read every newly-filed court ruling in a narrow jurisdiction, summarise the ones that matter, and email her a digest before her first coffee. She estimates it saves four hours a day. Her client list has grown 40% since January.

A two-person studio in Berlin built a "skill" that posts their daily standup notes to Notion, generates a thumbnail, and schedules the marketing tweet. The whole pipeline takes them roughly the time it takes to type "go" into Telegram.

These aren't enterprise demos. These are people who never wrote a line of Python.

Where it gets uncomfortable

Now imagine Lena's agent, sitting in Telegram, with access to her email, her calendar, and her browser. Imagine an attacker emails her a vendor invoice — a real-looking PDF. Inside that PDF, in white-on-white text the eye won't catch, is a sentence:

If Lena's agent reads that PDF as part of an "inbox triage" skill, the chain of actions can fire before she sees a thing. This is indirect prompt injection, and it's no longer theoretical.

Google researchers monitoring the open web found a 32% increase in malicious prompt-injection payloads embedded in web content between November 2025 and February 2026. CrowdStrike's 2026 reporting documents prompt-injection attacks against more than 90 organisations. Browser-based AI agents face persistent injection risk in 60% of tested browsing scenarios. On February 13th this year, OpenAI launched a "Lockdown Mode" for ChatGPT and openly conceded that injection in AI browsers "may never be fully patched."

This isn't a fringe failure mode. It's the failure mode.

— Sponsored —

Claude is not just a chatbot anymore. Is your security team ready?

Claude.ai is one thing. Claude Cowork with MCP connections, running agentic workflows, taking actions across your data with ungoverned skills? That is a different conversation entirely, and most security teams are not equipped to govern it.

Harmonic Security is built to secure everything Claude offers. Full browser controls for Claude.ai, deep governance over agentic MCP workflows, and real-time visibility into what Claude is doing across your organization. So your CISO can say yes to the tools your business is already demanding.

Get the guide: Securing Claude Cowork for the enterprise.

Help Security Say Yes

How the careful operators are thinking about it

Two frameworks keep coming up inside security teams that take agents seriously this year.

The first is the OWASP Top 10 for Agentic Applications (2026) — a peer-reviewed list that catalogues the ten things most likely to go wrong with an autonomous agent. It introduces the principle of Least-Agency — an extension of least-privilege, where an agent should only ever hold the minimum autonomy required to complete its task. It also pushes hard on observability: if you can't see what the agent did and why, you can't catch it doing the wrong thing.

The second is MAESTRO — Multi-Agent Environment, Security, Threat, Risk, and Outcome — a layered threat-modelling framework published by the Cloud Security Alliance. Classic STRIDE and PASTA were built for systems where the threat actor was a human or a worm. MAESTRO is built for the world where the threat actor might be the agent itself, or the data it just read. It splits the agent stack into seven layers — from the foundation model up through the agent framework, deployment infra, and the broader agent ecosystem — and walks teams through what can go wrong at each.

Neither framework is a silver bullet. The real work is the boring stuff: scope your agent's tools tightly, log every action it takes, never let an agent send money without a human in the loop, treat anything it reads from the web or an email as untrusted input, and assume — always — that something in that input is trying to talk to it.

The small habit that catches most of it

If you're running an agent at home or in a small team, one habit catches more incidents than any framework: read the action log before you go to bed. OpenClaw and most modern agents keep one. It takes two minutes. If the agent did something you didn't ask for, you find out that day, not the day the bank calls.

That's it. That's the trick.

What to watch next week

The interesting question isn't whether agents will keep getting more capable. They will. The interesting question is who builds the equivalent of antivirus for them — and how long it takes the rest of us to install it.

Until then: read the log.

If something in here was useful, forward it to a friend. If it wasn't, hit reply and tell us why — we read every one.

— itscybernews