Google agents expand, GitLost warns: July 8 dispatch
Google's Gemini agent update, GitLost's repo-leak warning, and n8n's memory guidance change how you wire AI agents.

Some links below are partner links. We may earn a commission at no extra cost to you. How we make money.
Google made AI agents easier to run in the background, while a new GitHub-agent security report showed why access rules matter before you connect company files. In 30 minutes, you can tighten agent permissions, separate customer memory from task memory, and decide which automations deserve an always-running worker.
Google adds background work to Gemini agents
Google announced on July 7, 2026 that Managed Agents in the Gemini API now support background execution, remote MCP servers, custom function calling, and credential refresh. API means the software connection that lets one system use another. MCP, or Model Context Protocol, is a standard way for an AI agent to use outside tools.
The business consequence is simple: an AI agent can now behave less like a chat window and more like a worker that keeps going after the first request. Google's post says background: true lets the API return an ID while the job continues on Google's servers. That matters for research, report building, list cleanup, and other tasks that used to break when a browser tab or connection timed out.
Your move
Move one slow internal task into an async pattern this week. Pick something low-risk, like "summarize last week's form leads by source." Ask your developer or automation owner to return a job ID first, then poll for status, instead of making the user wait on one open connection.
Do not connect this to customer records first. CRM means the software that stores your customers and sends the follow-ups. Start with read-only data, then graduate to a workflow like the lead-to-CRM automation after you know the agent logs every step.
GitLost turns GitHub agents into a permissions problem
Noma Security published GitLost on July 6, 2026, and modified it on July 7, describing a prompt injection vulnerability in GitHub's Agentic Workflows. Prompt injection means a hidden instruction that tricks an AI system into doing something the user did not intend.
The reported attack used a crafted GitHub Issue in a public repository to make the agent pull data from private repositories in the same organization. For a normal business, translate that this way: if your AI helper can read both public website code and private operational code, public text may become a steering wheel.
The wiring move is access separation. Create one GitHub organization or workspace rule for AI agents: public repos only by default, private repos only by explicit approval, and no cross-repo access for marketing experiments. If a contractor is using a coding agent, require a fresh project folder with no secrets. Secrets are passwords, API keys, or tokens that let software act as your business.
This is the same audit muscle as ZCode vs Claude Code: judge the agent by what it can touch, not just how fast it writes code.
n8n draws the line between agent memory and logs
n8n published an AI agent memory guide on July 7, 2026 that lays out working memory, semantic memory, episodic memory, and procedural memory. Plain English: current conversation, facts the agent should know, what happened before, and the steps it has learned to follow.
That distinction saves money and mistakes. If you stuff every old conversation into a prompt, you pay for extra tokens. Tokens are chunks of text the AI model bills and reads. Worse, the agent may pull the wrong old fact into today's customer answer. n8n's guidance says each AI Agent node accepts one memory sub-node, while vector stores can be connected as tools for longer-term retrieval.
The wiring move is to name the memory before you build it. For a support or sales agent, use short-term chat memory for the current conversation, a clean knowledge base for policies and FAQs, and a separate customer record in your CRM for anything that must survive. If you already compare automation tools, keep Make vs Zapier open, but add n8n to the shortlist when inspectable memory is the job.
n8n adds the monitoring checklist agents were missing
n8n also published an AI security monitoring guide on July 7, 2026 that names prompt injection, data poisoning, adversarial inputs, and supply-chain risk as model-layer problems. Data poisoning means bad information gets added to the material an AI system learns from or searches.
This changes the owner-level question. Do not ask, "Is the AI smart enough?" Ask, "Who sees the alert when it behaves strangely?" n8n recommends routing signals into the security tools a team already uses, and its examples include webhook triggers and HTTP Request nodes. A webhook is a web address that catches data another system sends.
The wiring move is a one-row alert rule before a bigger rollout. When an AI workflow handles leads, invoices, support tickets, or ad copy, log the input source, model used, output destination, and human reviewer. If the workflow touches email, connect the review habit to email deliverability, because deliverability means whether your emails actually reach inboxes.
On the bench
Meta's Muse Image launch is worth testing for Instagram creative, but wait for clearer official controls before you put customer likenesses into the workflow.
Claude Cowork on mobile and web is worth watching for always-on office tasks, but the practical question is still file access, approvals, and mobile notifications.
ZML's free inference tooling may lower future AI hosting costs, but it is infrastructure news until a marketer can reprice a working stack from it.
About Runbook
AI tools and automation builds for marketers. What to use, how to wire it, and the workflow to copy this week. How we work
GET THE NEXT DISPATCH
Run the next build before your competitors read about it.
One short email when an AI tool or automation actually changes the work, with the build to copy.
No send unless there is a build worth running.
// keep_reading
Related builds

Cloudflare adds x402, Google shifts Gemini: July 2 dispatch
Cloudflare opens agent payments, Google expands Gemini APIs, n8n tightens MCP controls, and Copilot adds a cheaper model path.

Zapier flags AI builders, Google splits data: July 7 dispatch
Zapier's AI-builder survey, Google's Search data setting, Reddit's spam filters, and database app builders change your stack checks.

Zapier alternatives for automation in 2026
Zapier is easiest to start, but Make, n8n and GoHighLevel can be cheaper or cleaner for the right automation job.