Eran Sandler

15.5K posts


@erans

Builder, operator and investor. Infra, AI, and product nerd. Trying to make powerful things simple. Opinions are my own. Building https://t.co/b0sgru9dFz

Joined April 2007
3.9K Following · 924 Followers
Guillermo Rauch @rauchg
Show me the thing you’ve built with AI you’re most proud of. Reply with a working product URL and what model / agent you primarily used.
Eran Sandler @erans
@samuelcolvin @JordiMonPMM Like anything new in the market, there is some level of education. AI is moving so fast that it's hard even for those of us in the weeds to follow it all. While AI implications are not just technical, we are still at the point that understanding the tech and its pieces matters.
Samuel Colvin @samuelcolvin
If you showed them this tweet, they would nod. But when many of them don't know the difference between MCP and an agent framework, it's hard for them to identify what solutions are actually valuable, so they go back to finding ways to get Anthropic and OpenAI shares, since that seems like it's not a bad idea.
Samuel Colvin @samuelcolvin
ARR is cool because it's the last resort of the blind. Speaking to VCs at the moment, and the profound ignorance of many of them about how AI is actually being used is striking. The assumption is they're "all in", they're not - most VCs are doing the consensus thing because they know they don't know better.
Eran Sandler @erans
@utpalnadiger It removes the "stealing secrets" attack vector, but not the "use the secrets and that API to access the info, exfiltrate it or do some other harm" one. That is why agent actions need to be managed, regardless of the prompt (injected or not) - why we built agentsh.org
Utpal Nadiger @utpalnadiger
"Pattern 2: Isolate the agent. The entire agent runs in a sandbox with zero secrets. It talks to the outside world through a control plane that holds all the credentials. The agent becomes disposable. No secrets to steal, no state to preserve, you can kill it, restart it, scale it independently. The control plane holds the truth." 👀👀
Quoted post from Larsen Cundric @larsencc:

> if you run agents that execute arbitrary code: do you isolate the tool or isolate the agent? we tried both. isolating the agent won (zero secrets, control-plane proxy). here's why ↓
Eran Sandler reposted
Utpal Nadiger @utpalnadiger
Firecracker doesn't support live migration. It has snapshot/restore, i.e. pause the VM, save state, restore later. But it is not really the same thing. True live migration means serializing a running VM (CPU, memory, devices) and moving it to another host mid execution. QEMU has done this for 10+ years with iterative pre/post-copy + dirty page tracking. Firecracker was built for Lambda. Long running agents need both Lambda ergonomics WITH EC2 semantics. QEMU ftw.
Eran Sandler @erans
@mitsuhiko @bentlegen It's harder to keep a mental image of the code when you don't spend the time writing it, however, speccing it hard can help with that. When I look at the code I wrote 7 years ago I don't remember every detail but I can read it - or ask my clanker :)
Armin Ronacher ⇌ @mitsuhiko
@bentlegen Fun fact: the people that build these things also increasingly can’t keep up with their own products. I had someone on a call ask their clanker about their own software because they did not know how it behaves.
Eran Sandler @erans
@rauchg Completely agree. From what I see super experienced developers get super boosted. Junior developers can also quickly ramp up and become useful. The main problem is those in the middle and they need to change their thinking.
Guillermo Rauch @rauchg
If you become exceptional at managing agents, but are also exceptional in your understanding of the fundamentals, you will be unstoppable. We all prefer to work with masters of their craft. What’s new: you can’t afford to miss out on the amplification agents have on your output
Eran Sandler reposted
Utpal Nadiger @utpalnadiger
The “spin it up, tear it down” sandbox model is very 2024. Agents don’t run for 200ms any more. They run for hours. Sometimes days.
Eran Sandler @erans
I'm working on AgentSH (agentsh.org), which also allows you to do kernel level security. It's not easy to do that on an agent part of whose appeal is doing everything - but you can mitigate things significantly, like with the @SocketSecurity integration before installing packages etc.
Erik Newton @newtonlaw
To a degree. Willison had it right. But Sanctuary doesn't pick "no network access." It gates the network leg at the kernel. Castle Wall is kernel-level egress filtering. Agent keeps sensitive data, reads untrusted prompts, AND makes network calls. Network calls have to go to operator-approved destinations. Even fully prompt-injected, the kernel drops anything else before it leaves the machine. Cooperative gates the agent can be talked out of. Kernel gates it can't.
Garry Tan @garrytan
The biggest alpha leak of 2026 is that you can tokenmax $10k/mo with OpenClaw/Hermes + GBrain and get the AI that everyone will have in 2028 for $100/mo, but you can get it now, and that is the biggest single unlock you can have vs your competition
Eran Sandler @erans
@mitchellh There are other aspects worth thinking about here. Rust's compiler provenance is problematic compared to Zig's. How does that affect bun binaries in general?
Mitchell Hashimoto @mitchellh
It isn't unexpected that the focus of the Bun Rust rewrite is on the anti-Zig side more than anything, since the internet loves to hate. What is unexpected and unfortunate is that leadership within Bun hasn't tried to steer the conversation away from that at all. There are so many positive and interesting takeaways from this and I'm not really seeing any of them pushed as the primary message.

A positive thing that hasn't been talked about at all is how far Bun came thanks to Zig. And even if you dump it now, it's meaningful for how good Zig was to even build a product to this point and impact by any metric. I would've loved to see anyone in leadership say this.

On the interesting side is how fungible programming languages are nowadays. Programming languages used to be LOCK IN, and they're increasingly not so. You think the Bun rewrite in Rust is good for Rust? Bun has shown they can be in probably any language they want in roughly a week or two. Rust is expendable. It's useful until it's not, then it can be thrown out. That's interesting!

There's been a lot of talk about memory safety and no doubt Rust provides more guarantees than Zig. But I'd love to see a better analysis of why Bun in particular suffered so much rather than take the language-blame path. How could engineering as a practice have been more rigorous to prevent this? What were the largest sources of crashes other programs should watch out for? How does Rust prevent them? How could Zig theoretically prevent them? That's interesting.

I know the official blog post hasn't come out yet from Bun. But they're smart enough to know that that PR would stir up controversy the moment it opened, or they should've been. And plenty in the company have been tweeting and writing about it. It's somewhat telling to me in various dimensions what they chose to talk about first.

I tend to think I'm pretty good at corporate PR/comms (especially when it comes to developer audiences) and I think appealing to the negative is never the right long term strategy; it does work to get short term eyes though.
Eran Sandler @erans
Agentic AI’s blind spot is not just what agents can read. It’s what they can do after they read it: spawn processes, write files, call APIs, reach the network, and use credentials. That control point is the execution layer. That’s why we’re building AgentSH: agentsh.org
Quoted post from The Hacker News @TheHackersNews:

> 🤖 Agentic AI is already running in production while security teams treat it as a policy issue. You can’t secure what you don’t understand. Three agent types — one now lets anyone build powerful agents with real access, no code needed. Read about it: thehackernews.com/2026/05/why-ag…
Eran Sandler @erans
@TheHackersNews Good piece. The agentic AI blind spot isn’t just that agents read data — it’s that they act: files, tools, network, APIs, secrets. Policy needs an enforcement point where intent becomes side effects. That’s what we’re building with AgentSH: agentsh.org
The Hacker News @TheHackersNews
🤖 Agentic AI is already running in production while security teams treat it as a policy issue. You can’t secure what you don’t understand. Three agent types — one now lets anyone build powerful agents with real access, no code needed. Read about it: thehackernews.com/2026/05/why-ag…
Eran Sandler @erans
Removing .env closes one door, but attackers will move to tricking users into unlocking vaults—or abusing secrets managers from inside AI sandboxes, where the agent can make authenticated calls without ever stealing the secret. Part of why we build AgentSH (agentsh.org)
Ben (no treats) @andersonbcdefg
if you haven't already it might be a good idea to delete every single .env file on your computer and move them into a secrets manager. did this earlier this year and feel pretty smug and superior about it, you could too!
Eran Sandler reposted
Utpal Nadiger @utpalnadiger
Agents today are processes that live for hours. The substrate should match! Today, agents pause, resume, branch, retry, sit idle waiting for a human, then wake up and keep going. You can’t really run that on infra designed for stateless functions.
Eran Sandler @erans
@mitsuhiko Agents make these attacks worse by running these multiple times on multiple envs (sandboxed or not). The key is to deal with the execution and its side effects. That's where the model meets the real world. A bit of what we are trying to do at AgentSH (agentsh.org)
Armin Ronacher ⇌ @mitsuhiko
Published via OIDC trusted publishing btw. I hope this ends this absurd idea that OIDC is the silver bullet to supply chain issues.
Quoted post from TANSTACK @tan_stack:

> SECURITY ADVISORY — TanStack npm packages
>
> A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
>
> Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
> Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
>
> If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
> • Rotate cloud, GitHub, and SSH credentials immediately
> • Audit cloud audit logs for the last several hours
> • Pin to a prior known-good version and reinstall from a clean lockfile
>
> Detection — the malicious manifest contains:
> "optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
> Any version with this entry is compromised.
>
> The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
>
> Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
>
> Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…
>
> Credit to the security researcher for responsible disclosure.
Eran Sandler reposted
Utpal Nadiger @utpalnadiger
buckle up. next 2-3 weeks at opencomputer.dev might be the most fun stretch we’ve had as a company. so much shipping. you’re going to love it.
Eran Sandler @erans
@StockSavvyShay AI inside CrowdStrike raises a new question: how do you stop the model from being tricked into doing things it shouldn't? Models are probabilistic. AI workflow security needs outside enforcement. That's why we built AgentSH (agentsh.org).
Shay Boloor @StockSavvyShay
$CRWD integrated Claude Opus 4.7 across Falcon to improve vulnerability detection, remediation and AI security workflows. Falcon is becoming more agentic with Charlotte Agentic SOAR and AgentWorks helping enterprises build and automate security agents.
Eran Sandler @erans
@StockSavvyShay Containers aren’t enough for agents. Their code, deps, and sandboxes can all be ephemeral, so you need control at the execution layer. That’s why we built AgentSH (agentsh.org): to audit and protect what the model actually runs.
Shay Boloor @StockSavvyShay
$NOW & $NVDA launched Project Arc which is an autonomous enterprise AI agent that can think, write code & execute complex work. It runs on Nvidia OpenShell and is governed by ServiceNow’s AI Control Tower giving enterprises a secure control layer for agentic AI.
Quoted post from Shay Boloor @StockSavvyShay:

> $NOW is expanding its $MSFT partnership by integrating AI Control Tower with Microsoft Agent 365. The goal is to give enterprises unified visibility, approval workflows and policy controls for AI agents across both the ServiceNow and Microsoft ecosystems.