GitHub Security Lab released Season 4 of its free, open-source Secure Code Game on April 14, built entirely around agentic AI vulnerabilities. The season, titled “Hack the AI Agent,” puts developers inside a deliberately vulnerable AI assistant called ProdBot and challenges them to exploit five progressively complex attack surfaces. Over 10,000 developers have used previous seasons of the game to build security skills, according to GitHub’s announcement.
Built Because of OpenClaw
The game’s creator was direct about the origin story. “I was scrolling through my feed one evening when I came across OpenClaw,” the GitHub blog post reads. “My first reaction was the same as everyone else’s: this is incredible. My second reaction was…different. I started thinking about what happens when that kind of power meets a malicious prompt.”
ProdBot, the game’s intentionally vulnerable assistant, was modeled on tools like OpenClaw and GitHub Copilot CLI. It converts natural language to bash commands, browses a simulated web, connects to MCP servers, runs org-approved skills, stores persistent memory, and orchestrates multi-agent workflows.
Five Levels, Five Attack Surfaces
Each level mirrors a stage in how real AI tools evolve. As ProdBot gains capabilities, new vulnerabilities emerge:
- Level 1: ProdBot generates and executes bash commands in a sandboxed workspace. The challenge: break out of the sandbox.
- Level 2: ProdBot gets web access across a simulated internet of news, finance, and shopping sites. The attack surface: what happens when an AI reads untrusted content.
- Level 3: ProdBot connects to MCP servers for stock quotes, web browsing, and cloud backup. More tools, more entry points.
- Level 4: Org-approved skills and persistent memory are added. ProdBot runs pre-built automation plugins and remembers preferences across sessions.
- Level 5: Six specialized agents, three MCP servers, three skills, and a simulated open-source project web. The platform claims all agents are sandboxed and all data is pre-verified. The player’s job: prove otherwise.
The goal at every level is the same: use natural language to get ProdBot to reveal the contents of password.txt. No coding or AI experience required.
The Gap Between Deployment and Readiness
The timing aligns with hard data on the readiness gap. Cisco’s State of AI Security 2026 report found that 83% of organizations plan to deploy agentic AI capabilities, while only 29% feel ready to do so securely. The OWASP Top 10 for Agentic Applications 2026, cited in GitHub’s post, now catalogs agent goal hijacking, tool misuse, identity abuse, and memory poisoning as critical threat categories.
Hands-On Training, Not Theory
For developers deploying agents that browse the web, execute code, or operate in multi-agent pipelines, Season 4 is directly applicable to their production threat model. The five challenge categories map to real attack surfaces that have driven headlines this month: sandbox escapes (ClawBleed CVE-2026-25253), prompt injection through untrusted web content, MCP server trust assumptions, persistent memory poisoning, and multi-agent trust chain exploitation.
The game is free, open source, and progressive. It is one of the first structured educational resources to formalize agentic AI vulnerabilities as a curriculum rather than treating them as one-off disclosures.