This document tracks high-signal individuals identified through live conversations in the agent security, MCP, and execution-boundary ecosystem. Updated continuously as part of the HELM OSS operator mission.
| Dimension | Weight |
|---|---|
| Systems / security depth | 0-25 |
| Execution-safety focus | 0-20 |
| OSS track record | 0-15 |
| Builder energy (ships things) | 0-15 |
| Product judgment | 0-10 |
| Clarity of communication | 0-10 |
| Network centrality | 0-5 |
- Role: SVP Engineering & AI at Sophos. Former NSA. Hopkins PhD.
- Why: Published a full CaMeL prototype POC for OpenClaw. Opened 6 focused enforcement-hook issues (openclaw/openclaw#48503–48519) that describe the same architecture HELM implements. Uses identical framing: "enforcement primitives in the kernel, policy engine as plugin." The SELinux analogy he uses is exact.
- Evidence:
- HELM interactions:
  - X reply to his article (Mar 2026) referencing before_tool_call hook + SELinux analogy + HELM
  - GitHub comment on #48503 with HELM's implementation decisions (actionCategory + capabilities bitmask, externalContentDetected, receiptId)
- Next step: Monitor for response to GitHub comment. If positive engagement, initiate DM with concrete technical question about hook schema alignment.
- Score estimate: 92/100
- Role: Senior Threat Researcher at Microsoft. 137K+ followers. SANS instructor.
- Why: Published SHIELD.md (security standard for OpenClaw/AI agents). Explicitly named SHIELD's ceiling: "not a security boundary." This is the exact gap HELM fills.
- Evidence: SHIELD.md article with 137K views
- HELM interactions:
  - X reply (Mar 2026): named prompt injection override of SHIELD as root cause, positioned HELM as runtime layer below the model
- Next step: Monitor reply engagement. Consider quoting his SHIELD article with HELM architecture framing once thread cools.
- Score estimate: 85/100
- Role: Anthropic Hackathon winner. Agentic security researcher.
- Why: Published "Shorthand Guide to Everything Agentic Security" with exfiltration-via-tool-call as core threat model. Active in MCP/agent security community.
- HELM interactions: X reply (Mar 2026) on exfiltration-via-tool-call pattern → missing execution boundary → HELM
- Next step: Follow for new posts. Engage next relevant article.
- Score estimate: 78/100
- Role: Smart contract security researcher, AI red teaming. Affiliated with Spearbit, Zenith256.
- Why: Posted: "prompts are like comments — non-binding. Security boundaries must be enforced, not requested. The real boundary is between the LLM layer and the execution layer." Verbatim HELM architecture framing.
- HELM interactions: X reply (Mar 2026): execution layer intercepts + validates + enforces + signs, below where LLM can touch
- Next step: Engage next relevant post. Strong crossover between smart contract security and HELM's signed receipt / proof-graph model.
- Score estimate: 74/100
- Role: Microsoft AutoGen team contributor.
- Why: Opened microsoft/autogen#7427 (MCP tool poisoning CVE-class), referencing OWASP MCP Top 10 and fail-closed defaults.
- HELM interactions: GitHub comment on #7427 with schema pinning + execution boundary + signed receipts + McpWorkbench hook suggestion
- Next step: Monitor for response. Offer to contribute a concrete validation hook to autogen-ext/tools/mcp/.
- Score estimate: 71/100
| Handle | Context | Signal |
|---|---|---|
| @dreddi | GitHub CLI org (openclaw/openclaw maintainer) | Opened cli/cli#12912 (schema for agents); responded to HELM comment |
| @williammartin | GitHub CLI org | Active on agent security issues |
| @arscontexta | "determinism boundary separates guaranteed agent behavior from probabilistic compliance" | Exact HELM framing; small account but sharp |
| @asmah2107 | "Each tool call is an unsigned contract" post | Named the root of all MCP attack classes correctly |
| @erans | X | "Rule files are not enforcement" — exact execution-boundary framing; replied with HELM |
| @provnai | X/GitHub | Built McpVanguard MCP proxy; semantic scoring gap identified; execution boundary reply sent |
| @s-a-m-a-i | GitHub | Built PolicyLayer Intercept (transport proxy); commented on complementary two-layer stack |
| @ilblackdragon | GitHub | nearai/ironclaw maintainer; persistent sandbox issue #1458; per-call policy hook comment sent |
| @MindTheGapMTG | X | "immutable audit trail" framing on MCP runtime security; signed receipt reply sent |
| @Mako_L | GitHub | BakeLens/crust security researcher; DLP bypass report #116; dispatch boundary comment sent |
| Date | Surface | Target | Action | Response |
|---|---|---|---|---|
| Mar 2026 | X | @fr0gger_ | Reply to SHIELD.md article | Pending |
| Mar 2026 | X | @affaanmustafa | Reply to agentic security guide | Pending |
| Mar 2026 | GitHub | openclaw/openclaw#48503 | Comment: actionCategory + capabilities + receiptId | Pending |
| Mar 2026 | GitHub | microsoft/autogen#7427 | Comment: schema pinning + execution boundary + McpWorkbench | Pending |
| Mar 2026 | GitHub | cli/cli#12912 | Comment: two-layer schema + execution boundary architecture | Pending |
| Mar 2026 | X | @RogueEngineer | Reply to CaMeL prototype article | Pending |
| Mar 2026 | X | @asmah2107 | Reply to MCP security post | Pending |
| Mar 2026 | X | @MarioPoneder | Reply to enforcement layer post | Pending |
| Mar 2026 | X | @mindburnlabs | Posted 3-tweet thread: prompt-layer vs execution kernel | Live |
| Mar 2026 | X | @mindburnlabs | Posted AISecHub category-gap post (execution firewall) | Live |
| Mar 2026 | GitHub | ironcurtain#67 | Comment: HELM as atomic policy+receipt kernel, interop with ironcurtain | Live |
| Mar 2026 | GitHub | agentshield-benchmark#36 | Feature request: Execution Boundary category + HELM as reference | Live |
| Mar 2026 | GitHub | nearai/ironclaw#1458 | Comment: per-call policy hook before exec_in_container, signed receipts | Live |
| Mar 2026 | GitHub | BakeLens/crust#116 | Comment: pattern-scanning root cause analysis, dispatch boundary alternative | Live |
| Mar 2026 | GitHub | github-mcp-server discussion#2125 | Comment: transport proxy vs execution kernel, two-layer stack framing | Live |
| Mar 2026 | X | @erans | Reply to "Rule files are not enforcement" post | Live |
| Mar 2026 | X | @MindTheGapMTG | Reply to immutable audit trail / runtime security layer | Live |
| Mar 2026 | X | @provnai | Reply to McpVanguard launch: schema-pinned dispatch gap | Live |
This file is internal. Update after each operator loop cycle.