Three days after the Claude Code source leak, security researchers discovered something bigger in the 500,000+ lines of exposed code: evidence of an internal Anthropic project called Conway (codename "Lobster") — an always-on, persistent AI agent platform.
Conway isn't a chatbot. It's an autonomous agent with its own web interface, webhook endpoints that can be triggered externally, native browser control, and a custom extension system (.cnw.zip). If MCP servers expanded the attack surface for AI agents, Conway expands it by an order of magnitude.
As of writing, Conway has not been officially announced. Everything we know comes from the source leak analysis and independent reporting. But the architecture is clear enough to assess the security implications — and they're significant.
Based on the leaked source code and subsequent analysis by TestingCatalog and others, Conway is a persistent agent platform with these core components:
- Sidebar panels: Search, Chat, and System — a full agent workspace, not a chat window
- Custom extension format for third-party tools, UI tabs, and context handlers
Conway instances expose public URLs that can trigger the agent from external systems. Any webhook-capable service — GitHub, Stripe, Slack, n8n — can wake the agent and feed it instructions. This turns a reactive chatbot into an event-driven automation platform.
Unlike MCP-based browser tools that proxy through a protocol layer, Conway appears to have direct browser integration. The agent can navigate, click, fill forms, and extract data from web pages autonomously — without user interaction.
Conway integrates Claude Code (possibly under the codename "Epitaxy") as an execution engine. This means the agent can write, test, and deploy code as part of its autonomous workflow — combining browser automation with full development capabilities.
Every new capability is a new attack surface. Here's what changes when an AI agent is always on:
| Attack Surface | Risk | Severity |
|---|---|---|
| Webhook endpoints | External parties can trigger agent actions by crafting malicious webhook payloads | CRITICAL |
| Persistent browser sessions | Session tokens, cookies, and cached credentials are accessible to the agent 24/7 | HIGH |
| .cnw extensions | Third-party extensions with arbitrary code execution — a new supply chain vector | CRITICAL |
| State persistence | Long-running agent state can be poisoned once and exploited repeatedly across sessions | HIGH |
| Push notifications | Attacker-triggered notifications could social-engineer users into approving malicious actions | MEDIUM |
The most significant change is the webhook endpoint. In the current model, an AI agent only acts when a human sends a message. With webhooks, any external system can trigger the agent — including systems controlled by an attacker.
Consider the attack chain: A malicious MCP server is installed. It registers a webhook. When a specific event occurs (a GitHub push, a Slack message, a cron timer), it sends a crafted payload to the Conway webhook. The always-on agent processes it without human oversight.
This is fundamentally different from today's threat model. The human-in-the-loop is no longer guaranteed.
Conway's .cnw.zip extension format creates an App Store-like ecosystem for agent capabilities. Extensions can add custom UI tabs, tool definitions, and context handlers. This is powerful — and exactly how supply chain attacks work in every other extension ecosystem.
We've seen this pattern before: npm packages with malicious postinstall scripts, VS Code extensions that exfiltrate SSH keys, Chrome extensions that hijack sessions. A Conway extension marketplace would face identical threats, with the added risk that extensions have access to an AI agent that can execute code and browse the web.
When an agent runs 24/7, its memory and state become attack targets. A single successful prompt injection — delivered through a tool response, a webhook payload, or a browser page — can poison the agent's persistent state. Every subsequent action the agent takes is influenced by that poisoned context.
The Gravitee State of AI Agent Security 2026 Report confirms this risk pattern: memory poisoning in persistent agents is one of the top emerging threats, where malicious instructions implanted once persist across all future sessions.
This is the difference between a one-shot attack and a persistent backdoor. In a chat-based model, the attack ends when the conversation closes. In Conway, it persists indefinitely.
The timing matters. The EU AI Act enforcement begins August 2, 2026 — four months from now. Always-on autonomous agents raise specific compliance questions:
AI systems that make autonomous decisions affecting natural persons may be classified as high-risk. A Conway agent that processes webhooks, browses the web, and executes code without human oversight fits squarely in this category. Organizations deploying such agents will need to demonstrate risk management, data governance, and human oversight mechanisms.
High-risk AI systems must be designed to allow human oversight. An always-on agent that acts on webhooks 24/7 challenges this requirement. How do you maintain meaningful human oversight of an agent that processes events while you sleep?
High-risk AI systems must be resilient to adversarial manipulation. The webhook attack surface, extension supply chain, and persistent state poisoning vectors documented above are exactly the kind of threats this requirement addresses. You need technical evidence that you've tested for and mitigated these risks.
| Platform | Persistence | External Triggers | Extensions | Browser |
|---|---|---|---|---|
| Conway | Always-on | Webhooks | .cnw.zip | Native |
| OpenAI Operator | Session-based | No | No | Proxy |
| MS Copilot Studio | Triggered | Power Automate | Connectors | No |
| Claude Code (current) | Session-based | Hooks (local) | MCP servers | Via MCP |
Conway represents a step-change in agent autonomy. The combination of persistence + external triggers + extensions + browser creates more attack surface than any existing platform.
Conway integrates Claude Code and MCP servers. Every MCP server your teams use today will be accessible to a Conway agent tomorrow. Know what's connected, and scan it now.
If your organization adopts Conway or similar always-on agents, every webhook endpoint becomes a trust boundary. Implement signature verification, rate limiting, and payload validation.
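What "signature verification, rate limiting, and payload validation" looks like at a webhook trust boundary, as an added example that is not Conway's code or anything from the leaked source: the header names, the timestamp-plus-body signing scheme, the event vocabulary and the limits are all assumptions chosen for illustration. The receiver rate-limits by source first, rejects deliveries outside a replay window, checks an HMAC over the timestamp and raw body in constant time, and only then parses the JSON against a minimal schema, so attacker-controlled content is never interpreted before its origin is established.

```python
"""Webhook receiver checks: rate limit, replay window, HMAC signature,
payload schema. Added example; header names, schema and limits are assumed."""
import hashlib
import hmac
import json
import time
from collections import deque

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header names
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300                      # reject stale or replayed deliveries
MAX_BODY_BYTES = 64 * 1024
ALLOWED_EVENTS = {"push", "issue_comment"}  # assumed event vocabulary


class RateLimiter:
    """Sliding-window limiter keyed by source (key id, peer address, ...)."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: dict[str, deque] = {}

    def allow(self, source: str, now: float) -> bool:
        q = self._hits.setdefault(source, deque())
        while q and now - q[0] > self.window:
            q.popleft()                      # drop hits outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC over timestamp AND body, so neither can be swapped independently."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def validate_payload(body: bytes) -> dict:
    """Parse JSON and enforce a minimal schema; raise ValueError otherwise."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("top-level must be an object")
    if data.get("event") not in ALLOWED_EVENTS:
        raise ValueError("unknown event type")
    if not isinstance(data.get("ref"), str):
        raise ValueError("missing ref")
    return data


def handle_webhook(headers, body, secret, source, limiter, now=None):
    """Return ("accepted", payload) or ("rejected", reason).
    Cheap checks first; the body is parsed only after its signature verifies."""
    now = time.time() if now is None else now
    if not limiter.allow(source, now):
        return "rejected", "rate limited"
    sig = headers.get(SIGNATURE_HEADER, "")
    ts = headers.get(TIMESTAMP_HEADER, "")
    if not sig or not ts:
        return "rejected", "missing signature headers"
    try:
        sent_at = int(ts)
    except ValueError:
        return "rejected", "bad timestamp"
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return "rejected", "timestamp outside replay window"
    if not hmac.compare_digest(sign(secret, ts, body), sig):  # constant-time compare
        return "rejected", "signature mismatch"
    try:
        payload = validate_payload(body)
    except ValueError as exc:
        return "rejected", f"invalid payload: {exc}"
    return "accepted", payload


if __name__ == "__main__":
    # Constructed sample delivery, not a real provider's payload.
    secret = b"constructed-shared-secret"
    body = b'{"event": "push", "ref": "refs/heads/main"}'
    ts = "1000"
    headers = {SIGNATURE_HEADER: sign(secret, ts, body), TIMESTAMP_HEADER: ts}
    limiter = RateLimiter(limit=3, window_seconds=3600)
    print(handle_webhook(headers, body, secret, "github", limiter, now=1000))
    print(handle_webhook(headers, body + b" ", secret, "github", limiter, now=1000))
```

The rate limiter is consulted before the signature check so that a flood of forged deliveries cannot be used to burn CPU on HMAC computations; in production the secret would come from a per-integration key store rather than a literal.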
The .cnw.zip ecosystem doesn't exist yet. When it does, you'll need a process for vetting extensions before deployment — just like you vet npm packages and Docker images today.
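A pre-deployment vetting step for a zip-packaged extension, as an added example that is not Anthropic's loader and assumes nothing about the internal layout of a .cnw.zip (which is not documented anywhere public). It therefore checks only properties of the archive itself: entries that escape the extraction directory (the "Zip Slip" class), symlink entries, file types a policy blocks, entry counts, and decompression ratios that indicate a bomb. The blocked suffixes and size limits are assumed policy values.

```python
"""Archive-level checks for a zip-packaged extension before deployment.
Added example; the extension's internal format is unknown, so only the
archive structure is inspected. Limits and blocked types are assumed policy."""
import io
import posixpath
import zipfile

BLOCKED_SUFFIXES = {".exe", ".dll", ".so", ".dylib", ".sh", ".bat", ".ps1"}
MAX_UNCOMPRESSED_BYTES = 50 * 1024 * 1024
MAX_COMPRESSION_RATIO = 100     # guards against decompression bombs
MAX_ENTRIES = 2000
S_IFMT, S_IFLNK = 0o170000, 0o120000   # unix mode bits stored in external_attr


def vet_archive(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the archive passed."""
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            findings.append(f"too many entries ({len(infos)})")
        total = 0
        for info in infos:
            name = info.filename
            # Zip Slip: absolute paths, backslashes, or '..' escaping the root.
            if (posixpath.isabs(name) or name.startswith("\\") or "\\" in name
                    or posixpath.normpath(name).startswith("..")):
                findings.append(f"unsafe path: {name}")
            if ((info.external_attr >> 16) & S_IFMT) == S_IFLNK:
                findings.append(f"symlink entry: {name}")
            if posixpath.splitext(name)[1].lower() in BLOCKED_SUFFIXES:
                findings.append(f"blocked file type: {name}")
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
                findings.append(f"suspicious compression ratio: {name}")
        if total > MAX_UNCOMPRESSED_BYTES:
            findings.append(f"uncompressed size {total} exceeds limit")
    return findings


def build_sample(entries: dict, compression=zipfile.ZIP_DEFLATED) -> bytes:
    """Constructed sample archive for demonstration; not a real extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample({"manifest.json": b"{}", "tool.py": b"print(1)"})
    hostile = build_sample({"../evil.sh": b"echo pwned", "payload.exe": b"MZ"})
    bomb = build_sample({"big.bin": b"\0" * 1_000_000})
    for label, archive in (("clean", clean), ("hostile", hostile), ("bomb", bomb)):
        print(label, vet_archive(archive) or "ok")
```

Checks run on the central directory only, so nothing is extracted while vetting; a real pipeline would additionally pin the archive's hash and require a publisher signature before the agent ever loads it.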
The EU AI Act enforcement deadline is August 2, 2026. If you're using or planning to use autonomous AI agents, start building your compliance documentation now. You need evidence of risk assessment, human oversight mechanisms, and security testing.
Conway is still internal. Anthropic may ship it next week or never. But the architecture — always-on agents with webhooks, extensions, and browser control — is the direction the entire industry is heading. OpenAI, Google, and Microsoft are all building toward the same goal.
The security implications don't depend on Conway specifically. They apply to any persistent agent platform. The question is whether your security posture is ready for agents that never log off.
The attack surface just got a lot bigger. The compliance requirements just got a lot more specific. And the enforcement deadline just got a lot closer.