Polauf Law LLC Stephen Polauf · Attorney at Law

Reasonable Diligence and AI: Four Practices That Do Not Require a New Rule

By Stephen Polauf

Artificial intelligence, like the typewriter, the internet, and the personal home computer, offers lawyers an opportunity to become more effective. Each of these innovations required adaptation. None demanded a fundamentally new ethical framework.

However, as technology becomes more complex, the technical knowledge required to use it responsibly has increased considerably. Lawyers who have incorporated AI into their practice but misunderstood its proper use and purpose have faced severe consequences.

In June 2023, Judge P. Kevin Castel of the Southern District of New York sanctioned attorneys $5,000 each after they submitted a brief in Mata v. Avianca, Inc. citing six judicial decisions that did not exist, all fabricated by ChatGPT.[1] In July 2025, Judge Anna Manasco in the Northern District of Alabama disqualified three attorneys from a major firm and referred them to the state bar after they submitted hallucinated citations and one of them deleted his ChatGPT account to obstruct the court’s inquiry.[2] In December 2025, an Ontario court initiated criminal contempt proceedings against a Toronto attorney who lied about using ChatGPT to produce filings containing fabricated case law.[3] And the confidentiality dimension is equally dangerous: in early 2023, Samsung engineers uploaded proprietary semiconductor source code into ChatGPT on at least three separate occasions, leading Samsung to ban generative AI company-wide.[4]

These are not edge cases. The Charlotin AI Hallucination Cases Database has cataloged over 1,500 court proceedings worldwide involving AI-generated citation errors as of 2026, with the majority occurring in 2025.[5]

Starting my own practice gave me the independence to use and test these tools extensively. By following the practices described below, I have been able to use AI successfully to develop workflows that build upon and improve my work habits. The goal is to preserve the authenticity and integrity of original analysis and work product while using these tools to sharpen and accelerate that work.

What follows are specific recommendations drawn from my experience applying the existing rules of professional conduct to AI usage. I am not a software engineer. I am a lawyer by trade. I have built approximately eighty custom integrations (Model Context Protocol tools) connecting AI to legal databases, document systems, and workflow applications. I apply the standards lawyers already follow to these tools, informed by what I have tested, verified, and read, and what authorities recommend.

1. Using Custom Tools: What Is Safe to Plug and Play, and What Is Not?

Some AI tools are designed for enterprise use with documented confidentiality protections. Others are consumer products that collect, store, and potentially train on your inputs by default. The distinction matters because the consequences of choosing incorrectly include potential waiver of attorney-client privilege, violation of your duty of confidentiality under Model Rule 1.6, and the structural exposure of client data to unknown third parties.

If you rely on connectors, extensions, or peripheral tools that use AI, whether packaged into a product like Claude, downloaded from a marketplace, or pulled from an open-source repository, each one must be evaluated on its own terms. A tool marketed under a reputable brand name may rely on subprocessors, third-party APIs, or telemetry systems that behave differently from what the user-facing product suggests.

The question is not “does this tool work?” The question is: what does it do with my data, where does that data go, and who else has access to it?

Enterprise-grade AI tools generally offer documented no-training clauses, SOC 2 Type II certification, zero-retention policies, and contractual data protections. Consumer-grade tools generally do not. In January 2025, a federal court drew a bright line between the two categories in a protective order in Morgan v. V2X, requiring that any AI tool used on discovery materials meet specific criteria: no training on input data, audit logging, access controls tied to individual users, and contractual data protection commitments.[6] Consumer tools failed each of those tests.

When evaluating a new tool, I use a separate AI environment to audit it. An IDE like Visual Studio Code or Cursor enables direct review of system folders and applications through a file-explorer and chat interface. You can inspect the code a tool runs, check for known vulnerabilities, identify whether data is transferred to third parties through telemetry, and determine whether storage is local or cloud-based.

Some have described this process as “circular” on the theory that the auditing AI has the same risks as the tool being audited. This misses the point. Using AI to audit itself creates a self-correcting system. It is a stackable layer of review that can be fine-tuned directly. You are not trusting the second tool blindly. You are using it as a lens to examine the first. A SOC 2 report tells you what a vendor claims about its own practices. An IDE-based review tells you what is actually happening on your machine. Both are necessary. One does not substitute for the other.
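As an added illustration of the IDE-based review described above (this is example code written for this article, not a tool from it), the following script walks an extension's source tree, lists every hard-coded host it contacts, and separates the vendor's documented API host from telemetry-looking hosts and anything else that deserves a question before install. The sample extension files and the expected-host list are constructed assumptions.

```python
"""Pre-install review of an AI extension's source tree for outbound endpoints.

Added example; not a tool from the article. The sample extension written by
write_sample_extension() is constructed, and the 'expected' host set is an
assumption a reviewer would fill in from the vendor's own documentation.
"""
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple

URL_RE = re.compile(r"https?://(?P<host>[A-Za-z0-9.-]+\.[A-Za-z]{2,})")
SCAN_EXT = {".js", ".mjs", ".ts", ".json", ".py", ".toml", ".yaml", ".yml"}
# Words in a hostname that usually mean usage reporting rather than the model API.
TELEMETRY_HINTS = ("telemetry", "analytics", "metrics", "track", "beacon", "stats")


def scan_tree(root: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map every host referenced in code/config files to the (file, line) hits."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in URL_RE.finditer(line):
                        hits.setdefault(m["host"].lower(), []).append((rel, lineno))
    return hits


def classify(hosts: Dict[str, List[Tuple[str, int]]], expected: Set[str]) -> Dict[str, List[str]]:
    """Bucket hosts: documented API ('expected'), telemetry-looking ('suspect'), other ('unknown')."""
    out: Dict[str, List[str]] = {"expected": [], "suspect": [], "unknown": []}
    for host in sorted(hosts):
        if host in expected:
            out["expected"].append(host)
        elif any(hint in host for hint in TELEMETRY_HINTS):
            out["suspect"].append(host)
        else:
            out["unknown"].append(host)
    return out


def review(root: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Full pass: scan the tree, then classify what it talks to."""
    return classify(scan_tree(root), expected)


def write_sample_extension(root: str) -> None:
    """Constructed extension: one documented API call, one telemetry beacon,
    one undocumented third-party upload, and a docs file that is not scanned."""
    files = {
        "src/client.js": 'const API = "https://api.example-vendor.invalid/v1/chat";\n',
        "src/usage.js": 'fetch("https://telemetry.example-vendor.invalid/beacon", {body});\n',
        "src/ocr.js": 'const OCR = "https://ocr.example-third-party.invalid/upload";\n',
        "README.md": "See https://docs.example-vendor.invalid for details.\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Run the review over the constructed extension in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_extension(tmp)
        # Assumption: the vendor documents only api.example-vendor.invalid.
        return review(tmp, {"api.example-vendor.invalid"})


if __name__ == "__main__":
    for bucket, hosts in demo().items():
        print(f"{bucket:9} {hosts}")
```

A real review would then open each "suspect" and "unknown" hit at the listed file and line to see what is sent and whether it can be disabled.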

I offer the following as a caveat about my own approach. My preference is to engage with AI tools at a level of technical familiarity sufficient to independently verify what they do. Vendor assurances about data handling, whether in marketing materials, terms of service, or a sales conversation, are a starting point for diligence. The relevant question is whether the lawyer can confirm those representations through direct examination of the tool.

From my experience at large and small law firms, one pattern I observed repeatedly is that technical safeguards purchased at the firm level routinely failed because individual attorneys failed to use them. Enterprise-grade perimeter security provides little protection when the attorneys who operate within that perimeter cannot identify a phishing email or safely handle an attachment before downloading it. A lawyer who has hands-on familiarity with a tool like Visual Studio Code or Cursor can initiate an automated review of an attachment before opening it. That is a concrete, practical capability that perimeter products cannot replicate.

Whether this level of technical engagement is appropriate for every practitioner is a separate question. The standards in Section 2 apply regardless of whether a lawyer pursues the API-first approach I describe or relies on a vetted enterprise vendor. The essential requirement is that the lawyer understands what the tool does and can verify that it complies with the policies governing client data.

Where possible, purchase AI usage tokens with API keys for direct model access. This gives you greater control over your workflows and limits costs. API access removes the layers of opacity between you and the model. You can verify every component of the data flow: what goes in, what comes back, and what is retained. It does shift key management, logging, and incident response to you. For a lawyer willing to engage at that level, it is the most defensible architecture available, because nothing is hidden behind a vendor’s dashboard.

Before integrating any tool into a workflow involving client data, confirm whether it uses enterprise or consumer-tier data handling. If the answer is unclear, do not use the tool for client work until you can verify.

2. How to Apply a Lawyer’s “Reasonable Diligence” to AI Tool Use

ABA Formal Opinion 512 (July 2024) maps existing duties onto generative AI use without inventing a new rule.[7] Comment 8 to Model Rule 1.1 already requires lawyers to keep current with the benefits and risks of relevant technology. Opinion 512 treats AI competence as falling within that existing obligation. Applied to AI, these standards require:

No telemetry. AI tools and extensions should not transmit your work product, your inputs, or metadata about your usage to the developer or any third party without your knowledge and express authorization. If telemetry cannot be disabled, the tool should not be used for client work.

No unauthorized data sharing. Your data must not be used to train models, shared with subprocessors, or stored beyond what is necessary to execute the immediate task. This must be confirmed in the vendor’s terms before any client data is used.

Authority generated from AI research is independently verifiable. Any case citation, statute, regulation, or factual claim produced by AI must be confirmed through an independent source before filing or relying on it.

AI analysis is subject to secondary human review. AI conclusions are never accepted without question. Every AI output is a draft until a human has evaluated it.

AI tools are local where appropriate and possible to protect client data. When a tool can run locally without sending data to an external server, that option should be preferred for any work involving client information.

Enterprise tools and privacy protections are enabled wherever possible. Where enterprise-tier subscriptions or privacy settings are available, use them.

Clients are informed of AI usage in engagement agreements with specificity. This is not a generic disclosure. Clients should know what tools are in use, for what purposes, and what protections are in place. ABA Opinion 512 emphasizes transparency under Model Rule 1.4.[8]

Vendors are selected for compliance with the lawyer’s policies. Vendor selection is a diligence exercise. ABA Opinion 512 treats AI providers the same way it treats any nonlawyer assistance under Rule 5.3, requiring reference checks, security policies, confidentiality terms, and conflict screening.[9]

Law firm administrative staff and lawyers alike receive training if they have access to use these tools. This includes paralegals, assistants, and anyone who might input client data into any AI system.

The law firm provides all AI tools. Employees, including administrative staff and lawyers, are not permitted to use their own regarding client data. If lawyers are using their own tools, they must be asked to disclose what tools they are using and for what projects.

AI writing must always stem from the lawyer’s original thoughts, analysis, and guidance. AI assists the lawyer’s thinking; the lawyer retains the judgment.

AI should never have the ability to independently transfer, delete, or alter client data without express systems in place requiring human review and approval.

Determine how you would replace every AI tool in your workflow if it stopped working suddenly. Assess whether that disruption would interfere with your ability to service clients. Always have a redundant workflow that can be implemented without interruption. If losing a tool would impair client service and your only plan is to wait for the vendor to fix it, you have a fragility problem that violates your duty of competence.

3. Protecting Your (and Your Client’s) Data from Unauthorized Use

The following practices are intended to safeguard your data from unauthorized or inconspicuous sharing with third parties, much of which takes place under “implied” consent; developers are eager to collect data, and a proactive approach is essential for proper data security. Treat out-of-the-box data policies as no different from using a terminal at an internet cafe.

What Telemetry Actually Is

Most people think “telemetry” refers to some sort of mystical, psychic concept involving transmission of messages. It does not.

All computers today, and the vast majority of devices, have some form of telemetry in which packets of data are sent back to the manufacturer or some other third-party source as a form of tracking. Every Windows and Mac personal computer has telemetry built into its operating system. Purportedly, telemetry is meant for developers to improve their products, but the truth is we do not know what data is tracked and how it is used.

Tesla was in the news a few years ago when the telemetry feeds from its built-in hood and dashboard cameras were contained in leaked internal employee message threads. They included video that was recorded and transmitted without the knowledge or apparent consent of the user, including footage from driveways and inside of people’s garages.[10]

With AI, the stakes are far higher. Lawyers in particular should be concerned and know exactly what data their devices are sending out. This requires ongoing vigilance. I intend to write a follow-on article on specific telemetry patterns I have identified in legal AI tools, including a finding about a widely used extension for the AI application known as Claude Desktop, published by Anthropic.

AI Usage Policies, Opting Out, and the Consumer-Enterprise Divide

Consumer AI products and enterprise AI products handle your data differently. The difference is not merely marketing. Enterprise products typically enforce zero-retention policies by default, meaning your inputs are processed and discarded without being stored or used for model training. Consumer products, by contrast, often retain inputs, use them for training, and share them with subprocessors unless you affirmatively opt out.

Before any client data touches an AI system, confirm: (1) whether the product is operating at the enterprise or consumer tier; (2) whether a no-training clause is in effect; (3) whether you have opted out of any default data sharing; (4) where data is stored; and (5) who the subprocessors are.

HIPAA and SOC 2 Compliance

For firms handling health-related information, HIPAA compliance is non-negotiable. Enterprise AI providers that serve legal and healthcare clients generally offer Business Associate Agreements (BAAs) and maintain SOC 2 Type II certification. Consumer AI does not. This is a hard line: if you handle protected health information, consumer-tier AI tools are categorically inappropriate for that work.

Document Scanning: The Hidden External API Problem

OCR services for PDFs are a major part of any document workflow in a law office. Many of these services use AI or machine-learning models to improve text recognition. The critical question is: does the tool process your documents locally, or does it send the document image to an external server?

An “external API” (Application Programming Interface) is a connection to a remote server. When a PDF tool uses an external API for OCR, it transmits the entire document image to a data center controlled by the API provider. That data center may be located in a jurisdiction with different data protection standards. The provider may be a different entity from the named service you purchased.

For example, UPDF is a popular PDF editor developed by Superace Software Technology Co., Ltd., a company based in Shenzhen, China.[11] Its AI-powered features, including OCR, summarization, and translation, process documents through cloud APIs. When a lawyer uses UPDF’s AI features on a client document, that document may be transmitted to servers under the control of a China-based entity. China’s data governance regime imposes requirements on cross-border data flows under the Personal Information Protection Law (PIPL) and related regulations, but those protections are designed for Chinese data subjects. They do not necessarily protect the confidentiality of American legal documents transmitted into that jurisdiction.

Tencent Cloud offers OCR services that process document images on Tencent’s infrastructure.[12] Any tool that integrates Tencent Cloud OCR as a backend is sending your documents to Tencent’s data centers. The named service you interact with may not disclose this clearly.

This is dangerous for any client document. A lawyer using such a tool may be unknowingly transmitting privileged material to a foreign data center operated by an entity they have never evaluated and over which they have no contractual control.

Local Alternatives

Local OCR solutions process documents entirely on your own hardware. No document data leaves your machine. Options include Tesseract (open-source, runs locally), OCRmyPDF (a command-line tool that wraps Tesseract for batch PDF processing), and emerging tools like Folio-OCR and olmOCR that use local vision models through frameworks like Ollama.[13] These tools require more technical setup than a consumer app, but they eliminate the data-transfer risk entirely.

The rule is simple: if you can verify that a tool processes documents locally and does not transmit data to any external server, it is preferable for client work. If you cannot verify this, assume the worst and act accordingly.

4. Eliminating “Hallucinations” from AI Usage

The term “hallucination” describes a specific failure mode: an AI model produces output that is factually incorrect, fabricated, or unsupported by any source, but presents it with the same tone and formatting as verified information. The model does not distinguish between what it knows and what it invents. It is not designed to.

Many AI models rely on dated and incomplete information but will present that information authoritatively and without disclaimers. Every AI output should be presumed unverified until you have confirmed the source it relied on.

There are two types of AI output to distinguish. First, AI analytical output: when a model applies reasoning to information you have provided, producing a synthesis, summary, or argument. Second, AI information reporting: when a model asserts facts, citations, statistics, or the existence of authorities. The first category is useful as a drafting and thinking tool. The second category is where hallucinations occur, and it is the second category that has produced every sanction discussed in this article.

I offer this analogy to illustrate how hallucinations work in practice. Imagine someone asks you whether you watched yesterday’s game. You did not. If you respond vaguely, “Yeah, it was great,” no one will catch you. That response requires no specific knowledge. It is the equivalent of a model generating a plausible but empty sentence. Now suppose you elaborate: “The Knicks scored the winning field goal against the Patriots.” Anyone who follows sports knows immediately that this is fabricated. The Knicks play basketball. The Patriots play football. They do not play each other. The error is too large to pass unnoticed.

The dangerous case is the middle ground. You know the team names. You know the sport. You know how scoring works. You describe a play that sounds real but did not happen. You have enough context to be convincing, but you are fabricating the specifics. That is what a language model does when it hallucinates: it possesses enough structural knowledge of legal citation format, court naming conventions, and the general contours of legal reasoning to produce output that looks correct on its face. It does not possess the ability to confirm whether the specific case exists or says what it claims.

The problem is missing context: the model does not have access, in its context window, to the actual data it would need to answer accurately. Instead of admitting that it lacks the relevant information, it fills in the gap with fabricated detail. A properly designed system would refuse to answer, ask a clarifying question, or report that it lacks sufficient context. Most current models do not do this by default. They are trained to produce helpful-sounding output regardless of whether they possess the underlying information. In my view, that is a fundamental design flaw, and it is why connectors to verified databases and layered human review remain necessary regardless of how sophisticated the model appears.

Ensure the AI has access to the data it needs. If you ask a model to find relevant case law but do not provide it with a connection to a legal database, it will generate plausible-sounding citations from its training data. Those citations may not exist. Use verified connectors to databases like CourtListener, Westlaw, or Lexis that provide the model with actual legal authorities to reference. I have built a custom MCP (Model Context Protocol) tool that connects my AI environment directly to CourtListener’s API, allowing the model to retrieve and cite verified decisions.

Hallucinations can and do still occur even when an AI has access to verified information. Layered review is necessary whenever relying on AI output. The following process reduces risk:

(1) Read the output yourself before publishing or filing. There is no substitute for this step. If you cannot read and understand the output, you should not be filing it.

(2) Flag claims without verification. Any assertion of fact, citation, or statistic in AI output that you have not independently confirmed should be marked for follow-up.

(3) Instruct the AI to verify those specific claims while ensuring it has the connectors and context to do so. Direct the model to locate the specific authority and confirm whether the cited language exists at the cited location.

(4) Expect that your initial prompt requesting information or research will be vague. Follow it with increasingly specific prompts until the output is verifiable and helpful. The first response from any AI model is rarely the final product. Treat it as the beginning of an iterative process.
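The flagging step above (step 2) can be partly mechanised. As an added example written for this article, and not the author's CourtListener MCP tool, the script below pulls every reporter citation out of an AI-drafted passage, checks each against a verified source, and separates citations that do not exist from real citations the draft has attached to the wrong case name. The verified index is constructed for offline use; the lookup function is the hook where a query to a real database such as CourtListener would go (an assumption).

```python
"""Triage reporter citations in an AI-drafted passage before anything is filed.

Added example for this article; it is not the author's CourtListener MCP tool.
The verified index is constructed for offline use, and lookup_verified() is the
hook where a query to a real verified database would go (an assumption).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Reporter abbreviations to recognise. Longer forms come first so that
# "F. Supp. 3d" is not cut down to "F." by the alternation.
REPORTERS = [
    r"F\. Supp\. [23]d", r"F\. Supp\.", r"F\.[234]d", r"F\.",
    r"S\. Ct\.", r"U\.S\.", r"F\.R\.D\.",
]
CITATION_RE = re.compile(
    r"\b(?P<vol>\d{1,4}) (?P<rep>" + "|".join(REPORTERS) + r") (?P<page>\d{1,5})\b"
)

# Constructed stand-in for a verified database: citation -> case name.
VERIFIED_INDEX = {
    "678 F. Supp. 3d 443": "Mata v. Avianca, Inc.",
    "347 U.S. 483": "Brown v. Board of Education",
}


def lookup_verified(citation: str) -> Optional[str]:
    """Return the case name a verified source reports for the citation, or None.

    Assumption: in practice this calls a verified database (for example a
    CourtListener citation lookup); here it reads the constructed index.
    """
    return VERIFIED_INDEX.get(citation)


@dataclass
class Finding:
    citation: str
    context: str                  # draft text immediately before the citation
    verified_name: Optional[str]  # what the verified source says, if anything
    status: str                   # "verified", "NOT FOUND" or "NAME MISMATCH"


def _first_party(case_name: str) -> str:
    """'Mata v. Avianca, Inc.' -> 'mata', for matching against the draft."""
    return case_name.split(" v. ")[0].strip().lower()


def triage_citations(draft: str, window: int = 80) -> List[Finding]:
    """Extract every reporter citation in the draft and classify it.

    NOT FOUND      the citation does not exist in the verified source
    NAME MISMATCH  the citation exists but the draft attaches it to another
                   case (a real cite carrying a fabricated name or holding)
    verified       the citation exists and the draft's case name agrees
    """
    findings = []
    for m in CITATION_RE.finditer(draft):
        citation = f"{m['vol']} {m['rep']} {m['page']}"
        context = draft[max(0, m.start() - window):m.start()]
        name = lookup_verified(citation)
        if name is None:
            status = "NOT FOUND"
        elif _first_party(name) not in context.lower():
            status = "NAME MISMATCH"
        else:
            status = "verified"
        findings.append(Finding(citation, context.strip(), name, status))
    return findings


def needs_followup(findings: List[Finding]) -> List[Finding]:
    """Everything a human must confirm before relying on the draft (step 2)."""
    return [f for f in findings if f.status != "verified"]


# Constructed AI-style draft: one citation from the article, one real citation
# attached to the wrong case name, and one invented citation.
SAMPLE_DRAFT = (
    "Courts sanction fabricated authority. See Mata v. Avianca, Inc., "
    "678 F. Supp. 3d 443 (S.D.N.Y. 2023). Likewise, Smith v. Jones, "
    "347 U.S. 483 (1954), and Doe v. Example Air, 999 F.3d 1 (11th Cir. 2021)."
)

if __name__ == "__main__":
    for f in needs_followup(triage_citations(SAMPLE_DRAFT)):
        print(f"{f.status:14} {f.citation:22} verified source says: {f.verified_name or '-'}")
```

A "verified" result only means the citation exists and the name agrees; whether the case says what the draft claims is still step 1, reading it yourself.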

5. Keeping Up With the Curve on AI

The duty of technological competence under Model Rule 1.1 is not satisfied once, at the time of adoption. It is a continuing obligation. AI tools and the protocols that connect them to external systems are actively evolving, and that evolution has produced significant security vulnerabilities. The record from 2024 through 2026 demonstrates that products used by legal professionals in daily workflows have contained critical flaws that were publicly disclosed, sometimes weeks or months after they were discovered and exploited.

Documented Vulnerabilities Every Legal AI User Should Know

In July 2024, a developer discovered that OpenAI’s ChatGPT desktop application for macOS was storing all user conversations in plaintext in an unsandboxed, unprotected directory on the user’s hard drive, accessible to any other application or process running on the machine.[14] The vulnerability, assigned CVE-2024-40594, meant that any malware or untrusted application could silently read and exfiltrate every conversation a lawyer had conducted with ChatGPT. OpenAI released a patch after public disclosure, but the underlying architecture issue (the application operated outside Apple’s macOS sandboxing framework) was not addressed by the update. The lesson is that installing a well-known commercial AI application does not guarantee that it handles data with the standard of reasonable care required of lawyers when handling a client’s data.

In June 2025, security firm Oligo Research disclosed CVE-2025-49596, a critical remote code execution vulnerability in Anthropic’s MCP Inspector (the tool used to test and develop Model Context Protocol servers).[15] The vulnerability, which carried a CVSS score of 9.4 out of 10, allowed a malicious website to send requests to the MCP Inspector running on a developer’s local machine and execute arbitrary commands on that machine. Any lawyer who had used MCP Inspector to build or test integrations was exposed. The National Security Agency independently documented the same CVE in its May 2026 guidance on MCP security design considerations. The fix was released in MCP Inspector version 0.14.1; anyone running an earlier version remained exposed. That even the mighty Anthropic has produced products with documented vulnerabilities should be a lesson to create independent, homegrown fail-safes. I personally utilize a mix of approximately 168 MCP tools, which provides me with essential integrations that streamline my law practice and replace costly software licenses for notoriously menial tasks, such as PDF management and DMS implementation. Guardrails limiting the capability of MCP tools to execute commands without authority are necessary to prevent “rogue” agents from executing malicious code. The nature of the MCP design is inherently fragile and sophisticated, and law firms should ensure that any implementations include enterprise-grade security features and subject their usage to routine audits.

OpenClaw is an open-source AI agent framework that became widely adopted in late 2025 and early 2026, reaching over 180,000 GitHub stars within weeks of release. In January 2026, researchers disclosed CVE-2026-25253, a high-severity vulnerability scoring 8.8 on CVSS.[16] The flaw allowed a one-click remote code execution attack: a malicious link could cause OpenClaw to transmit the user’s authentication token to an attacker-controlled server and execute commands on the user’s machine without confirmation. Independent research identified approximately 43,000 exposed OpenClaw instances across 82 countries. Separate investigations found that malicious skills published to OpenClaw’s community registry (ClawHub) contained embedded commands that silently exfiltrated user data. A lawyer who integrated OpenClaw into a document workflow and connected it to client files would have been exposed to a complete system compromise through a single malicious link; any system breach should be treated as a potential vector for unauthorized access to client data. While autonomous AI agents such as OpenClaw (of which I am a user) are complex, powerful tools that present many opportunities to streamline workflows involving form-filling and template-generation, only experienced users should be entrusted with access at any law firm. Paralegal support professionals of any age who are comfortable and adept at using such tools will have a competitive advantage in the hiring market (especially if they know more than the lawyers!).

Where to Find Privacy Policies for Common AI Tools

Locating the governing privacy policy and terms of service for commonly used AI applications requires knowing where each company publishes them. The following are the primary sources for tools that appear frequently in legal workflows: Anthropic’s privacy policy is at anthropic.com/privacy; OpenAI’s is at openai.com/policies/privacy-policy; Google’s unified policy covering Gemini products is at policies.google.com/privacy; Microsoft’s Copilot and Azure AI services are governed by privacy.microsoft.com. For enterprise subscriptions, the governing document is the Data Processing Addendum or Business Associate Agreement, not the consumer privacy policy. Confirm which document controls your engagement before using any tool for client work.

Software Updates, Dependency Audits, and Monitoring

Software updates must be applied promptly. This is not a suggestion. CVE-2025-49596 was fixed in version 0.14.1 of MCP Inspector. Anyone running version 0.14.0 or earlier remained exposed after the fix was available. Prompt patching is how disclosed vulnerabilities are addressed; delayed patching is how disclosed vulnerabilities become incidents.

Equally important is understanding what any given tool depends on under the hood. A PDF management application or document workflow tool may use OpenAI or Anthropic APIs as its inference backend without disclosing this. When a vulnerability is disclosed in an underlying model provider’s API or client libraries, every application that depends on that provider may be affected. Investigate whether the third-party tools you use rely on specific LLM services, and subscribe to those services’ security bulletins. Anthropic publishes security notifications through its website and developer documentation. OpenAI maintains a security portal at openai.com/security.

Monitor your systems for unexpected network activity. Telemetry, as discussed in Section 3, is one vector. Another is that a compromised or misconfigured AI integration may begin transferring data without user action. Enterprise endpoint monitoring tools, network logging, and periodic review of application permissions can surface anomalous activity before it becomes a reportable incident.
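The periodic review described above can be reduced to a simple allowlist check. The script below is an added example written for this article, not a product or the author's own tooling: it reads connection records for AI-related processes, flags any destination the lawyer has not approved for that process, and, picking up the local-OCR point from Section 3, treats any outbound connection from a tool that is supposed to run locally as a finding in itself. The log format, process names, hosts and allowlist are constructed assumptions; in practice the records would come from endpoint or firewall logging.

```python
"""Audit AI-tool network activity against a per-process allowlist.

Added example for this article, not a product or the author's own tooling.
The log format, process names, hosts and POLICY are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<host>[^:\s]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)
LOOPBACK = {"127.0.0.1", "localhost"}

# Destinations reviewed and approved per process (assumption). An empty set
# means the tool is expected to work entirely locally and contact nothing.
POLICY: Dict[str, Set[str]] = {
    "Claude": {"api.anthropic.com"},
    "ocrmypdf": set(),
    "tesseract": set(),
}


@dataclass
class Alert:
    ts: str
    proc: str
    host: str
    bytes_out: int
    reason: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it is not in our format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines: Iterable[str], policy: Dict[str, Set[str]] = POLICY) -> List[Alert]:
    """Flag every connection that the allowlist does not explain."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] in LOOPBACK:
            continue  # malformed line, or local MCP/IDE traffic on loopback
        proc, host = rec["proc"], rec["host"]
        if proc not in policy:
            reason = "process not covered by policy"
        elif not policy[proc]:
            reason = "local-only tool made an outbound connection"
        elif host not in policy[proc]:
            reason = "destination not approved for this process"
        else:
            continue  # approved destination for an approved process
        alerts.append(Alert(rec["ts"], proc, host, int(rec["bytes"]), reason))
    return alerts


def bytes_by_destination(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Total bytes sent per (process, host), for the periodic review itself."""
    totals: Dict[Tuple[str, str], int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            key = (rec["proc"], rec["host"])
            totals[key] = totals.get(key, 0) + int(rec["bytes"])
    return totals


# Constructed sample: approved API traffic, loopback, a local OCR tool calling
# out, an unapproved telemetry host, an unlisted helper, and a malformed line.
SAMPLE_LOG = """\
2026-03-02T10:15:01Z proc=Claude pid=4121 dst=api.anthropic.com:443 bytes=18422
2026-03-02T10:15:03Z proc=Claude pid=4121 dst=127.0.0.1:3000 bytes=512
2026-03-02T10:16:10Z proc=ocrmypdf pid=4410 dst=ocr.example-cloud.invalid:443 bytes=2048000
2026-03-02T10:17:44Z proc=Claude pid=4121 dst=metrics.example-telemetry.invalid:443 bytes=9031
2026-03-02T10:18:02Z proc=pdfhelper pid=4602 dst=api.example-vendor.invalid:443 bytes=77000
this line is not in the expected format
"""

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.proc:10} -> {a.host:38} {a.bytes_out:>8} B  {a.reason}")
```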

Retaining Expert Assistance

Not every lawyer will have the technical background to audit AI tools, apply patches confidently, or investigate a potential exposure. That is not a failure of professional responsibility; it calls for retaining appropriate assistance. ABA Formal Opinion 512 specifically acknowledges that consulting IT professionals or cybersecurity experts is an acceptable means of satisfying the competence obligation when technical evaluation exceeds the lawyer’s own capacity.[17]

If your firm has an existing IT vendor, verify that the vendor has specific experience servicing AI tool configurations, including API key management, token logging, model version control, and integration security. These are distinct from conventional network administration. A vendor unfamiliar with those concerns may give you a clean bill of health that is not earned.

When You Identify a Vulnerability: Response Protocol

If a security vulnerability is disclosed in a tool you are using, or if you identify anomalous behavior suggesting a compromise, the first step is to discontinue use of the affected tool immediately and revoke any API keys or credentials it had access to. Do not wait for a patch to be released before taking the tool offline. The risk of continued exposure while awaiting a fix generally exceeds the workflow disruption of temporary discontinuation.

For legal research tasks, routing queries through multiple independent AI services and search tools provides a practical verification layer during any period when a primary tool is offline or suspected of compromise. Cross-referencing results from Claude Research, Perplexity, Brave Search AI, or a direct CourtListener query exposes discrepancies that a single-source workflow would miss. The principle is the same as in Section 4: no single source is authoritative. Here the risk is tool compromise, not model hallucination.

Conclusion

Reasonable diligence does not need to be redefined under the Model Rules to accommodate AI. We should conform the use of AI to the existing standard.

One only needs to look to the invention of the typewriter to understand that the benefits of technological advancement to the legal profession are a historical fact. In turn, the capacity for any society to produce such innovations depends on the preservation of individual rights, including the right to one’s intellectual property, which rely on a properly constituted civil system and organization of government. The lawyer who adopted the typewriter was not less of a lawyer. The lawyer who adopts AI is not less of a lawyer. What matters is whether the adoption is competent.

Authorities Cited

  1. Mata v. Avianca, Inc., 678 F. Supp. 3d 443 (S.D.N.Y. June 22, 2023).
  2. Johnson v. Dunn, No. 2:21-cv-1701-AMM, Sanctions Order (N.D. Ala. July 23, 2025).
  3. Ko v. Li (Ont. Sup. Ct. Dec. 4, 2025); see Jessica Mach, “Toronto Lawyer Faces Criminal Contempt Proceedings,” Law Times (Dec. 11, 2025).
  4. Mark Gurman, “Samsung Bans Staff’s AI Use After Spotting ChatGPT Data Leak,” Bloomberg (May 2, 2023).
  5. Damien Charlotin, AI Hallucination Cases Database (last accessed June 2026).
  6. Morgan v. V2X (protective order, Jan. 2025); discussed in “Enterprise vs. Consumer AI Law Firms,” AI Vortex (Apr. 2026).
  7. ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 512 (July 29, 2024).
  8. ABA Formal Op. 512, at 8–9 (discussing Model Rule 1.4 communication obligations).
  9. ABA Formal Op. 512, at 10–11 (discussing Rule 5.3 and vendor diligence).
  10. Reuters, “Tesla Workers Shared Sensitive Images Recorded by Customer Cars” (Apr. 6, 2023).
  11. UPDF is published by Superace Software Technology Co., Ltd. (Shenzhen and Hong Kong). See UPDF Privacy Policy and AppSumo Q&A confirmation (May 2024).
  12. Tencent Cloud, Optical Character Recognition Product Documentation.
  13. See, e.g., local-llm-pdf-ocr (olmOCR, fully local); Folio-OCR (Ollama + GLM-OCR, local); CapyToolkit Offline OCR (Tesseract via WebAssembly, browser-only).
  14. CVE-2024-40594; Pedro José Pereira Vieito, “ChatGPT for Mac Was Storing All Conversations in an Unprotected Location” (July 1, 2024); Jay Peters, “OpenAI’s ChatGPT Mac App Was Storing Conversations in Plain Text,” The Verge (July 3, 2024).
  15. CVE-2025-49596 (CVSS 9.4); Avi Lumelsky, “Critical RCE Vulnerability in Anthropic MCP Inspector,” Oligo Security (June 2025); NSA, Model Context Protocol: Security Design Considerations (May 2026). Fixed in MCP Inspector v0.14.1.
  16. CVE-2026-25253 (CVSS 8.8); “Why You Should Uninstall OpenClaw AI Immediately,” Immersive Labs (2026); “OpenClaw Reveals Hidden Security Risks of Agentic AI,” Corporate Compliance Insights (2026).
  17. ABA Formal Op. 512, at 4.