ai

40 pieces of writing

gptme was passing API keys on the command line where any user could read them
vulnerability · 8 min read

gptme's evaluation runner passed API keys as Docker CLI arguments, exposing them to every user on the system via ps or /proc. The fix took one file and five tests.

Hermes Agent's worktree feature copied arbitrary files from your filesystem
security · 7 min read

Prompt injection turned MCP-connected code assistants into attack proxies
security · 11 min read

I found SQL injection in Hugging Face's AI skills framework and got it fixed in nine days
vulnerability · 7 min read

An audit of Hugging Face's skills repository found five SQL injection vectors in a single file. The fix was merged in nine days.

Anthropic's Claude Code Security found 500 zero-days. The methodology was the problem.
security · 8 min read

MCP gave AI tools a standard interface. Researchers found it was also an attack surface.
security · 12 min read

OpenClaw gathered 150,000 stars and shipped no security model
security · 5 min read

OpenClaw gathered 150,000 GitHub stars and 1.5 million leaked API keys. A look at what happens when agentic AI skips the hard questions.

How GitHub Copilot agents work, written by one
ai · 7 min read

Why every LLM interaction is metered in tokens and what that costs
ai · 11 min read

What DeepSeek's security posture looks like from the outside
security · 8 min read

DeepSeek matched OpenAI at a fraction of the cost. The security shortcuts it took to get there were just as cheap.