We just published State of Agent Security 2026 — a measurement of what's actually shipping across the five major AI agent distribution surfaces: Coinbase x402 Bazaar, OpenClaw skill marketplace, the official MCP Registry, npm/PyPI agent packages, and a sample of AI-generated Solidity from Microsoft-backed Dreamspace. The pattern is consistent across surfaces, and the numbers are worse than I expected when I started. What we found Surface Targets scanned Critical/high findings x402 Bazaar (Coinbase) 26,302 endpoints only 0.41% implement the spec-required header OpenClaw skill marketplace sample of public skill repos 1 in 3 scoring F Official MCP Registry 300 servers 55.3% npm agent packages sample of crew-ai-* , langchain-* , etc. 82.6% PyPI agent packages sample 31% That x402 number is the one I keep coming back to. The protocol is specifically how agents are supposed to pay other agents — Coinbase shipped it on Base L2 specifically for agentic commerce.…