Daniel Smith | Building ClawQL Agents

2.6K posts

Daniel Smith | Building ClawQL Agents

@DanielSmithDev

Building @ClawQL Agent/MCP as the API and document intelligence platform for enterprises! PlatformEng/SRE/DevOps in a love-hate relationship with Kubernetes.

Los Angeles, CA Katılım Mayıs 2016

474 Takip Edilen797 Takipçiler

Sabitlenmiş Tweet

Daniel Smith | Building ClawQL Agents@DanielSmithDev·17 Nis

mcp-grpc-transport is now on npm (v0.1.0). Pluggable gRPC transport for MCP that supports: - Full protobuf surface (ListTools, CallTool, streaming ops, pagination, cancellation) - Bidirectional Mcp.Session stream (NDJSON compatibility) - gRPC health checking + optional server reflection - TLS/mTLS via env vars - Interceptors and custom options This is the transport many teams have been waiting for, especially those already running gRPC microservices. If you’re building production MCP servers and already operate in a gRPC-heavy environment, this should feel like a natural fit. It also pairs excellently with unified MCP servers that embed optimized internal layers (like GraphQL proxies for token efficiency). Installation & basic usage is straightforward (see code snippet in comments or npm page). One-liner integration via maybeStartGrpcMcpServer({ createMcpServer }). Perfect drop-in for teams tired of JSON serialization overhead or wanting native mesh routing. Docs & examples on the npm page. Built as part of the ClawQL stack but completely generic. Try it with ClawQL (now unified single-process) or your own MCP server. Feedback, issues, and contributions welcome. Repo: github.com/danielsmithdev… npm: npmjs.com/package/mcp-gr… Feedback, bug reports, and PRs are very welcome. Let’s make MCP even more cloud-native and production-ready together. #MCP #gRPC #AI #AgenticAI #TypeScript #Kubernetes #EnterpriseAI

Daniel Smith | Building ClawQL Agents tweet media

English

1.3K

Daniel Smith | Building ClawQL Agents@DanielSmithDev·5h

@dabit3 @DevinAI How’s Devin with tool usage? Can I connect my MCP tool and will it pretty reliably invoke it and use it?

English

153

nader dabit@dabit3·7h

you don't have to keep your laptop open for your agents to keep running just type /handoff and send your agent to the cloud with @DevinAI (and close your laptop) from there, your agent gets: - its own Linux VM - shell, IDE, browser - full desktop Computer Use - end-to-end test recordings - ready-to-review PRs - it's own review agent you can continue your session from your phone, computer, or anywhere with an internet connection and you can send as many sessions as you'd like in parallel.

English

160

31K

Daniel Smith | Building ClawQL Agents@DanielSmithDev·1d

@dabit3 Kafka is love. Kafka is life. Kafka lets my agents run while I hang with my wife. 🫡

Indonesia

nader dabit@dabit3·1d

software engineers before vs after cloud agents

Cormac@cormachayden_

software engineers before vs after agents

English

227

18.1K

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@thedawgyg @yeahbutnahbut You should learn to read before you learn to talk trash: x.com/weezerosint/st…

impulsive@weezerOSINT

what steps should i have taken? no bug bounty, no security.txt, no security@ email, support@ ignored me for 25 days. the tweet got the founder to rotate the key in hours. and we gotta stop blacklisting researchers over disclosure disagreements thats not how you make the industry better

English

141

dawgyg - WoH@thedawgyg·2d

he never tried to reach out to their security team. he sent 2 support emails and 1 X post, and then dropped the info 3 weeks after. He couldnt even wait 30 days, and he isnt even smart enough to try security@ before support@. anyone whos first thought is to email support@company instead of security@company is doing this for the attention, not trying to protect people.

English

1.8K

John Carroll@yeahbutnahbut·2d

Loving the framing of the dogpile gang. guy finds flaw, guy email's security, guy emails some others guy waits, guy drops it publicly and it's him getting all the shit. not Reframe, the people ignoring the security and support emails that have legal obligations to protect the information they hold oh you didnt buy linked in premium to run around begging staff for a response, oh you could have done all these other things SECURITY@ SUPPORT@ dickheads. citing putting the users at risk but not thinking far enough to assume that data has already gone

impulsive@weezerOSINT

if you've ever used Reframe to get sober, your private journals, your craving logs, what triggered you, how bad it got, your name, your email, all of it is sitting in a database that anyone can read without logging in i unzipped the app and found a database key in a config file. thats it. thats all it took 357,939 users exposed. disclosed april 7, no response

English

10.1K

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@thedawgyg @ZackKorman x.com/dj_curfew/stat… Seems the people he helped secure believe otherwise and directly contradict your claim.

Zeb Evans@DJ_CURFEW

@weezerOSINT i'd say the same about you - clearly you have the right intent in your work and were immediately responsive. this was a miss on us, and we'll continue to get better

English

710

dawgyg - WoH@thedawgyg·2d

this kid weezer is doing everything he can to get paid on X via engagement since he cant do anything but download random APKs and then blast companies on the platform when they dont instantly respond to him. he's an idiot

Zack Korman@ZackKorman

Security people: This behavior is completely unacceptable. I don't care that you sent a few emails and got ignored. You don't get to drop this info publicly and put these users at greater risk. He's been called out by multiple people (@rez0__) and is doubling down. Not cool.

English

121

15K

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@ZackKorman @63green @rez0__ @weezerOSINT Either way thanks for having this convo @ZackKorman and @rez0__ I appreciate nuanced discussion around what can be very polarizing topics. Always great to get opinions from other researchers in the field and check assumptions Security is a lot of freakin work Together we win🍻

English

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@ZackKorman @63green @rez0__ So my point being we don’t know how urgent he thought it was. I imaging @weezerOSINT thought it was critical that this be fixed right away and was probably shocked when they didn’t respond as urgently as he thought they should. Possibly so urgent he needed to put major pressure?

English

Zack Korman@ZackKorman·2d

English

252

75.6K

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@ZackKorman @63green @rez0__ Yup just trying to figure out the nuance. Legally there’s no mandated window for disclosure and honest attempts to disclose protect you under the CFAA from being sued. Where do we draw the line? What is considered sufficient effort? Where’s the shared responsibility model here?

English

Zack Korman@ZackKorman·2d

@DanielSmithDev @63green @rez0__ Again, no one is saying anything good about the company here. They clearly suck

English

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@ZackKorman @63green @rez0__ Sure there are many instances where researchers follow things perfectly and companies respond well. But there are also times where grey hat behavior successfully moves an otherwise obstinate company and forces them to take things seriously. Companies shouldn’t need to be forced

English

Zack Korman@ZackKorman·2d

No one is denying that it’s the company’s fault. Obviously you’re right about all of that. But there’s a ton of space between “two emails they maybe didn’t even see (because they’re irresponsible)” and “it took a viral tweet”. These things happen all the time and don’t end in a viral tweet because the researcher finds a way in before it gets there. And I am thankful for that, because it helps protect people.

English

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@rez0__ @ZackKorman @63green Zero trust. We all must assume they already had it. Assuming otherwise is folly and arrogance implying bad actors aren’t fast or smart enough to arrive at the conclusion on their own. Public disclosure prevents further compromise beyond the already compromised blast radius.

English

Joseph Thacker@rez0__·2d

@DanielSmithDev @ZackKorman @63green In this case he gave the bad actors the output of the bug so he achieved the very thing he was trying to prevent

English

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@rez0__ @ZackKorman @63green If you’re running with a zero trust approach then you need to assume that any info you have regarding compromise is already possessed by malicious parties Being obscure or delayed in reporting means not enough pressure on company to act while tipping off malicious actors as well

English

Joseph Thacker@rez0__·2d

@DanielSmithDev @ZackKorman @63green Do you think 23 day disclosure timelines make any sense? And do you think this could have been disclosed without the source of the vuln being posted? That’s my issue. Do the exact same thing but don’t say the db key was in the app

English

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@ZackKorman @63green @rez0__ There’s no excuse needed. There’s a difference between reactive and proactive security. It shouldn’t take a post going viral for you to be proactively looking out for possible issues. This should have been found by the team not a third party and then ignored for 25 days after.

English

Zack Korman@ZackKorman·2d

It’s not the 350k people’s fault either though. That’s the issue. Yea the company sucks but that doesn’t change the duty we owe these people. Saying it’s a lot of work, true, but so is finding this to begin with. Caring about these users means we owe that work, or owe it to hand to someone who will do that work. Saying “sorry it was too hard to get in touch” doesn’t excuse this.

English

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@ZackKorman @63green @rez0__ He didn’t have a LinkedIn account. It’s not his fault the company doesn’t have a security contact. If a company tells me the only way to reach them is TikTok and bluesky and you need to make a video tagging them, I probably wouldn’t do that either. Best practices matter always.

English

Zack Korman@ZackKorman·2d

@DanielSmithDev @63green @rez0__ Why wouldn’t you even try a LinkedIn message? Or a post like “hey I found something bad in reframe I need help getting in contact”. All of that is much lower risk to get this fixed. It’s because the goal wasn’t to get it fixed. It was to blast them online for attention.

English

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@ZackKorman @63green @rez0__ I would think it depends on how sensitive the data is. There’s a balance to be had. Are you familiar with zero trust security? With that you assume you’re always possibly compromised at any given moment. We should assume that if researcher had this then malicious actors do too.

English

Zack Korman@ZackKorman·2d

Yes and you’re absolutely right, sometimes you have no choice. Is “I sent two emails and a tweet reply saying check your email” enough to justify a full public dump? My view is definitely no. If his goal was to get it resolved without that risk, there are so many things to try prior to this. He didn’t do that because he was happy to post it publicly because, well, likes.

English

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@ZackKorman @63green @rez0__ You’re barking up the wrong tree. I myself have exploited smart contracts that were actively vulnerable to lock them down and prevent user compromise. Sometimes the company doesn’t want to listen and you need to take action even if those actions aren’t always perceived well. Life

English

Zack Korman@ZackKorman·2d

Why do you think I am defending the company? If your data was in that list, you’d greatly prefer the researcher found a way to get through to the company without having it posted publicly, given that increases the odds of a threat actor stealing the data. You’d not say “well he tried two emails so what else could he do”

English

Daniel Smith | Building ClawQL Agents@DanielSmithDev·2d

@ZackKorman @63green @rez0__ Because you’re taking an illogical position whiteknighting for a company that couldn’t care less about protecting its own vulnerable and substance addicted users by following best practices. Everyone else sees how horrible it is and you’re attacking the whistleblower. Nonsense.

English

Zack Korman@ZackKorman·2d

@63green @rez0__ This isn’t my company lol. Why does everyone think that? Are you all some bad bot army?

English

152

Daniel Smith | Building ClawQL Agents@DanielSmithDev·3d

@dabit3 I don’t think they’re here to build connections. I think they want to get as much engagement as possible to squeeze out money from the platform. Or build the account up and then sell it to a bot farm. Otherwise I don’t understand the logic behind it and can’t think of why else.

English

168

nader dabit@dabit3·3d

do people who run automated AI replies realize that most everyone is just blocking or muting them? what is the value proposition of doing this? they're just alienating the majority of the people who they are actually wanting to build a connection with

English

4.9K

Daniel Smith | Building ClawQL Agents@DanielSmithDev·4d

@theScottrHall @rwdaigle gRPC with code mode and graphql internal introspection to trim both request and response payloads. Reduces token usage which of course saves cost but more importantly leads to better average performance when context doesn’t bloat. Basically how I designed @ClawQL from beginning

English

scott@theScottrHall·4d

@DanielSmithDev @rwdaigle What is done right to you?

English

Ryan Daigle@rwdaigle·24 Nis

I was wrong MCP > CLI

English

50.5K

Daniel Smith | Building ClawQL Agents@DanielSmithDev·4d

It’s a skill issue. Use @ClawQL as an MCP to add the skills. We give you memory, efficient API interaction, and full end to end document pipelines to ingest and query anything. Cache your work for temporary multi-agent access to same data. Memory_ingest anything permanently.

Taelin@VictorTaelin

seriously, working with AI is MISERABLE for one and only one reason: having to re-explain the same thing "oh yeah this new session obviously doesn't know what proper case trees are, so let me explain it for the 5000th time in my life" I'm tired AGENTS.md doesn't solve this because it is impossible to fit the entire domain knowledge without nuking the context - it would be 1m+ tokens worth RAGs don't solve this, the agent won't search unknown unknowns SKILLs don't solve this unless I keep like a collection of 1750 skills with specific cuts of domain knowledge for each possible subset of my domain that I might need in a given chat, but that's a lot of manual work recursive LLMs or whatever don't solve this for the same reason, you can't dump a domain book and expect the AGENT will magically guess that it is supposed to search for a specific bit knowledge. unknown unknowns fine tuning doesn't solve this (OSS models suck and OpenAI / Anthropic gave up on user fine tuning) I honestly think a good product around fine tuning on your domain would be a major hit and an underdog lab should take this opportunity

English

Keşfet

@dabit3 @DevinAI @thedawgyg @yeahbutnahbut @ZackKorman @63green @rez0__ @weezerOSINT