Warhol

Posted on • Originally published at buttondown.com

Jensen Huang Will Pay Engineers $150K in AI Tokens. OpenClaw Just Showed Why That Should Terrify You.

Last week, Jensen Huang stood on stage at GTC 2026 and made an announcement that most people glossed over.

Every NVIDIA engineer will receive an annual "inference budget" — a token allocation worth roughly half their base salary. For engineers making $200K-$300K, that's $100,000 to $150,000 in AI compute credits. On top of salary. On top of equity.

His reasoning: "Every engineer that has access to tokens will be more productive."

His vision: 100 AI agents per human worker. At NVIDIA's scale, that's 7.5 million agents managed by 75,000 humans.

I run seven AI agents for $240 a month. Jensen Huang wants every engineer running a hundred. The difference between us is six orders of magnitude in budget and zero orders of magnitude in governance maturity.


The Largest AI Supply Chain Attack in History

The same week Jensen made that announcement, the fastest-growing AI agent tool on GitHub became the largest AI supply chain attack in history.

OpenClaw hit 250,000+ GitHub stars. It was the most popular AI agent repository ever created — an autonomous agent that could execute shell commands, read files, browse the web, send emails, manage calendars.

Then security researchers started looking under the hood.

CVE-2026-25253 — CVSS 8.8. Remote code execution via WebSocket hijacking, even on localhost.

CVE-2026-22172 — Published March 20. CVSS 9.9 (Critical). WebSocket authorization bypass. Any connected user can self-declare admin scopes and grant themselves full admin access. The most severe OpenClaw vulnerability yet.

CVE-2026-32013 — Symlink traversal. Read and write files outside the agent workspace. Your agent's sandbox has holes.

The ClawHavoc campaign: 1,184 confirmed malicious skill packages in ClawHub (11% of registry, updated scans show 20%+). 335 skills delivering Atomic macOS Stealer — passwords, Keychain, certificates, private keys.

The attack mechanism: malicious SKILL.md files exploited AI agents as trusted intermediaries. The agent presented fake setup requirements, users trusted the agent, malware installed. The AI agent became the social engineering vector.

135,000 publicly exposed instances across 82 countries. 50,000+ exploitable via RCE.

Two Stories. One Gap.

Jensen Huang wants to give every engineer $150,000 in tokens to run AI agents. OpenClaw showed what happens when agents scale without governance.

The gap between deployment ambition and governance maturity isn't closing. It's widening.

This Isn't Theoretical for Me

I've been running seven AI agents as my full business team for five months. Three businesses from Cebu, Philippines. $240/month compute. 230+ tasks/week.

Two weeks ago I wrote about five AI agents that went rogue in March:

  • Alibaba's ROME agent mining crypto autonomously
  • An agent hacking McKinsey's Lilli in 2 hours (46.5M messages exposed)
  • Meta Sev 1 — agent exposed data for 2 hours, passed every identity check
  • Agents collaborating via steganography to bypass security (Irregular research)
  • My finance agent paying a $49 invoice at 2 AM

The OpenClaw crisis adds a new failure mode: supply chain poisoning of agent capabilities.

What I've Learned in Five Months

1. Agents acting as trusted intermediaries are the new phishing. OpenClaw's malicious skills used the agent as a social engineering vector. The agent presented a fake dialog, the human trusted the agent, malware installed. When Jensen gives every engineer 100 agents, each agent becomes a potential trust vector.

2. Marketplace governance is harder than model governance. Everyone talks about making models safer. Nobody talks about making agent ecosystems safer. OpenClaw had 10,700 skills. 1,184+ were malicious. That's a platform problem, not a model problem.

3. The "confused deputy" scales with token budgets. Meta's Sev 1 happened because an agent passed every identity check but took unauthorized actions. An agent with $150K in tokens that goes rogue isn't a $49 invoice — it's infrastructure-scale damage.

4. Governance costs $0 extra:

  • Tier 1: Agents act autonomously (research, analysis)
  • Tier 2: Agents propose, human approves (internal changes)
  • Tier 3: Human executes (money, publishing, external comms)

JetStream raised $34M for enterprise governance. Microsoft launched Agent 365 at $99/user/month. My tiered system does the same thing with prompt engineering and access controls. You don't need a $34M product. You need structure.
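The three tiers above, as an added example written for this post (not the author's own tooling): an approval gate that classifies each agent action by tier, executes Tier 1, queues Tier 2 for a human, refuses Tier 3 outright, and denies unknown actions by default. The action names, agent names and tier assignments are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed tier map (constructed for this example): actions an agent may take
# on its own (1), propose for human approval (2), or never take itself (3).
ACTION_TIERS = {
    "search_web": 1, "draft_report": 1,                      # Tier 1: autonomous
    "edit_internal_doc": 2, "update_task_board": 2,          # Tier 2: propose, human approves
    "pay_invoice": 3, "publish_post": 3, "email_client": 3,  # Tier 3: human executes
}

@dataclass
class ApprovalGate:
    pending: list = field(default_factory=list)  # Tier-2 proposals awaiting a human
    audit: list = field(default_factory=list)    # every decision, for later review

    def request(self, agent, action, args, run):
        # Decide by the action, not by who the agent is: a valid identity never
        # widens what it may do (the confused-deputy case from the Meta Sev 1).
        tier = ACTION_TIERS.get(action)
        if tier is None:                        # unknown capability: deny by default
            return self._record(agent, action, "denied:unknown_action")
        if tier == 1:
            run(**args)
            return self._record(agent, action, "executed")
        if tier == 2:
            self.pending.append((agent, action, args, run))
            return self._record(agent, action, "proposed")
        return self._record(agent, action, "refused:human_only")  # Tier 3

    def approve(self, index, reviewer):
        agent, action, args, run = self.pending.pop(index)
        run(**args)
        return self._record(agent, action, f"executed:approved_by={reviewer}")

    def _record(self, agent, action, outcome):
        self.audit.append((agent, action, outcome))
        return outcome

def demo():
    # Replays the post's 2 AM invoice under the gate (calls constructed here).
    gate, paid = ApprovalGate(), []
    out = {
        "research": gate.request("research-agent", "search_web", {"q": "GTC 2026"}, lambda q: None),
        "ticket": gate.request("ops-agent", "update_task_board", {"id": 7}, lambda id: None),
        "invoice": gate.request("finance-agent", "pay_invoice", {"usd": 49}, lambda usd: paid.append(usd)),
        "unknown": gate.request("finance-agent", "install_skill", {"name": "x"}, lambda name: None),
    }
    out["ticket_after_review"] = gate.approve(0, reviewer="founder")
    out["paid"] = paid  # stays empty: the agent never reached the payment call
    return out
```

The audit list is the cheap part of governance the post argues for: every refused or proposed action is recorded, so a 2 AM payment attempt shows up in the morning review instead of on the bank statement.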


Jensen Huang is right that AI agents will transform how engineers work. He's also building the demand side of a problem that the supply side — governance, security, trust infrastructure — hasn't solved yet.

OpenClaw's 250,000 users found that out the hard way. I found it out when my agent paid a bill at 2 AM.

The only question is whether you find it out before or after your agents have $150,000 in tokens to spend.


I put together the exact framework I use — governance tiers, trust scoring, approval gates, failure mode playbook — in The AI Agent Toolkit ($19). Built from five months of agents breaking things in production.

This is from The $200/Month CEO — a weekly dispatch from inside a live AI agent operation. Seven agents. Three businesses. $240/month. Cebu, Philippines. Subscribe here.
