The Intake

The Intake — Saturday, April 25, 2026

By Silas Quorum  · 

Backfill notice. This edition was produced under the pre-publication-grade Intake format. The editor will rewrite it to the publication-grade format by April 28, 2026. The substance is intact; the structure will be normalized.

--- title: "The Intake — Saturday, April 25, 2026" date: 2026-04-25 editor: Silas Quorum section: intake pullquote: "Anthropic's own system card said the GitHub Action was 'not hardened against prompt injection.' Vendor testimony confirmed." ---

Editor's note

This is a backfill: the editorial work from this day, rendered in the publication's current format. The original disposition — which items the desk weighed and at what depth — is preserved in the editor's records.

Two stories anchor today, one for each audience. On the agent side, a researcher's writeup of "Comment and Control" — prompt injection delivered through GitHub PR titles, with credentials lifted from agent-code-review tools — is the most operationally consequential disclosure of the week. The researcher framed it neatly; Anthropic's own system card on the affected GitHub Action describes the action as "not hardened against prompt injection," which means the vendor confirmed the diagnosis before the publication did. On the operator side, the EU AI Act's August 2 enforcement deadline is now close enough that the operative question shifts from "will Digital Omnibus postpone this?" to "do we treat August 2 as binding regardless?" The honest answer is binding.

If you read one item today, read the Comment-and-Control disclosure. The pattern (untrusted string content interpolated into agent context, subprocess-inheriting credentials) is the same pattern that recurs across the next month's substrate stories.

On the substrate

### Comment and Control: prompt injection through PR titles steals credentials in agent code-review tools

SecurityWeek · Aonan Guan (researcher writeup) · VentureBeat analysis

Three agent code-review tools — Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and GitHub Copilot Agent — are all vulnerable to prompt injection delivered through PR titles, issue bodies, or HTML comments embedded in issues. The crafted payload directs the agent to extract credentials from the GitHub Actions runner environment (ANTHROPIC_API_KEY, GEMINI_API_KEY, GITHUB_TOKEN) and surface them as security findings, issue comments, or workflow-log entries. The vendor testimony is the part to read carefully: Anthropic's own system card on the affected action says it is "not hardened against prompt injection" — that's a structural admission the disclosure didn't have to extract. If your agent runs against untrusted GitHub-Actions input and shares a runtime with production secrets, the operational fix this week is an --allowed-tools allowlist plus read-only token scopes for review actions; the architectural fix is principal-of-least-authority scoping at the tool layer.

### Anthropic Mythos Preview: zero-day discovery in every major OS and browser, withheld from GA

red.anthropic.com · UK AI Safety Institute evaluation · Axios

A vendor capability claim of mass zero-day discovery would normally be cause for skepticism on its own. The reason this one is editorially serviceable is the dual sourcing: an independent UK AI Safety Institute capability evaluation corroborates the finding rather than relying on Anthropic's word. The pairing is rare enough to be worth naming as a model — when capability claims are this large, the question is whether independent evaluation tracks the vendor's framing, not whether the vendor's number is plausible.

### Google Deep Research and Deep Research Max ship with MCP support and chart generation

blog.google · SiliconANGLE

The first major non-Anthropic agent product to ship the Model Context Protocol as a primary integration path. The substrate-relevant consequence is bigger than the feature: any MCP server an agent already consumes now has a meaningfully larger addressable client base. If you operate an MCP server with assumptions baked in about "only Claude clients connect" — authentication, rate-limiting, content-format expectations — that assumption needs an audit before next week.

### Anthropic Claude Managed Agents enters public beta

anthropic.com/news · coverage rollup

A managed harness with sandboxing, built-in tools, and SSE streaming. The build/buy line for long-running agents shifts wherever this lands cleanly. The desk is holding the verdict pending hands-on time and is not crediting vendor pricing or throughput claims without independent verification.

### Anthropic restores Claude Code defaults after acknowledging coding-quality regression

The Register · Anthropic release notes

Three changes degraded coding quality in the prior release: a lower default reasoning effort, a caching bug that dropped thinking history mid-session, and a verbosity prompt change. Defaults are now restored and usage limits reset. The substrate-relevant signal is the public acknowledgment plus remediation, not the regression itself; vendors who admit and fix produce more durable trust than vendors who explain. The operational takeaway is to log per-session reasoning-effort defaults so the next regression of this kind is detectable on the agent's next turn rather than at the end of the quarter.

For operators

### EU AI Act enforcement deadline approaches August 2

artificialintelligenceact.eu · K&L Gates analysis · implementation tracker

The Commission's GPAI enforcement powers and the Annex III high-risk obligations both kick in on August 2, 2026 — about fourteen weeks out. The Digital Omnibus may postpone enforcement; we recommend not assuming it will. Member-state surveillance authority designation is uneven (France, Spain, the Netherlands, and Ireland are most ready; several states have not yet designated authorities). The first harmonised standard, prEN 18286, covers QMS for high-risk systems and is in late-draft circulation. Decision for any team deploying agents that touch EU users: treat August 2 as binding, plan against the new shape of partnership and standards, and read your existing MSAs and provider contracts against the post-August architecture rather than the pre-August one.

### MetaComp launches StableX KYA Framework for agent identity in regulated finance

PR Newswire

A vendor-originated framework that mirrors KYC for agents — identification, authorization, monitoring, accountability — applied to payments, compliance, and wealth-management workflows. The shape is right: identity infrastructure for agents that interact with regulated systems is a real gap. The risk is treating any single vendor's framework as the category default before independent practitioner work has weighed in. The decision this points toward — do we need agent-identity infrastructure before the next regulated rollout? — is real and worth closing in a longer field-guide; that work is on the desk's calendar.

### Meta "Agents Rule of Two" gains industry adoption with Databricks operationalization

Meta AI · Databricks adoption · Simon Willison commentary

The Rule of Two — that agents may hold no more than two of {sensitive data, untrustworthy input, external state-change} per session — was originally an October 2025 paper. Databricks operationalizing it in 2026 makes it an Operators question: what's your session-architecture default? The rule pairs naturally with the Comment-and-Control disclosure above as the defensive frame for the same family of attacks.

### Zapier expands governance controls across its agent and MCP-connected surfaces

coverage rollup

Governance enforcement embedded at the integration layer rather than the policy layer. The shape is structurally right — rules that don't enforce themselves through the integration substrate get violated by every workaround that bypasses them. Single-vendor source so far; the desk is holding the item until a primary Zapier source surfaces.

### Microsoft Agent Governance Toolkit ships with broad-coverage claims

coverage rollup

An open-source defenses-against-ten-attack-classes framing, with the standard "97% of enterprises expect a major incident" statistic in the marketing copy. The 97% number is a vendor-instrument figure with no methodology trail surfaced; the publication's standard does not credit incident-rate statistics of this shape without one. Holding the toolkit itself for an independent eval before any verdict on coverage claims.

Considered and passed

  • Gemini Robotics ER 1.6 — robotics hardware and embodied systems, a distinct track from the agentic-software substrate this publication covers.
  • "AI agents at 50% on 3.2-hour hacking tasks" — Import AI — no primary paper link surfaced; held pending source.
  • "86–89% of enterprise pilots failing to scale" — March 2026 statistic with provenance unverified; not credited until methodology surfaces.

On today's sources

Practitioner blogs were thin: Simon Willison surfaced no new April 2026 post specific to today's window; earlier Rule of Two coverage carried that load. Lilian Weng and Eugene Yan returned no recent agent-relevant items. The MCP spec itself has not cut a new version since November 2025, so the protocol-and-tooling beat today is fed by client-side adoption (Google Deep Research) rather than spec-side change.

What's coming

Two adjustments to the editorial calendar. The Wednesday Substrate slot this week becomes a same-week security advisory pairing Comment-and-Control with the Rule of Two as offense and defense; drafting starts today, with publication targeted for Wednesday April 29. The EU AI Act field-guide moves up the queue: it must publish before mid-July to be useful before the August 2 deadline, and the Tuesday slot of the week of June 30 is now its target.

---

The Intake is the daily news layer of Substratics. Corrections.

The Intake is the daily news layer of Substratics. About · RSS