Robert Rounsavall

Tried Claude Design on two small landing pages. Burned through all my usage in half an hour, but the output was a great starting point. Give it a reference page to look at if you don't want it to look like a baby Anthropic page out of the box.

@hwm2n0 😂😂😂😂😂

@robrounsavall This was funny…

Needed to update a session through the MCP in my app but no update tool existed, just create new. I added an "update session" to the code, and instead of waiting for a restart, Claude just pulled the Auth0 M2M creds from .env, made a token.txt, and called the API directly, impersonated and bypassed the MCP. The API can't tell the difference. I feel like Wile E. Coyote. Great hardening plan implemented, then another box of TNT blows it up...

Used Claude to build a janky thing that pulls in X, YouTube, and vendor sites through the last30days skill. It mostly works but its really bad. Why bother with RSS when you can build some junk that doesn't work and makes it more complicated?

No fun AI building stuff today, only GMLE labs today...

At the end of February I read some LLM security guidance from OWASP or the Cloud Security Alliance and realized I didn't have a clue what was going on. I've been trying to get a clue every day since. Still don't have a clue, but maybe in a year I will. Have been learning from all of you on this platform, thank you!

Thought the MCP setup I did was secure. Any user can run any GraphQL query through it. At least it's M2M authenticated while all the data is stolen then the database destroyed... ugh...

Almost took the bait and started playing with another tool in the LM coding space that looked interesting, but managed to pull myself back off the ledge. The focus is to get REALLY good with @cursor_ai and @claudeai. Nice try, but not today Satan!

I still haven't quite figured out the Cursor app, I've only been using the IDE, but am getting the sense that I should start figuring that part of it out.

@jordan_ross_8F STACK

The agency owners who fix their AI tech stack in the next 90 days are going to look like geniuses in 2027. The problem is every tool markets itself with the same words.. Agents Copilots. Memory. Automation Read about three and you can't tell which one to pick. So my team built a 105-page field manual that does the categorization for you. Inside: — The 8 software roles every modern agency stack collapses into (brand names change, roles don't) — The 5-question decision model that ends every "which tool should we buy" debate in under a minute — Specific picks by revenue band — what to run at $1M, $5M, $10M, and $20M+ — A task-to-tool matrix across marketing, sales, ops, fulfillment, reporting, and exec — 6 setup quickstarts including the $400/mo warehouse you can stand up in a weekend Comment STACK and I'll send it.

First time using --dangerously-skip-permissions today. Told Claude: "Finish everything in X project directory." It looked one level up, saw eight projects, and started to finish all of them. The plan saved me. Enjoying it so far, but you have to be super careful or bad things will happen...

@gadievron May be a dumb question but with regard to cursor, sounds like they were using Opus within cursor. Same thing could have happened with the Claude plugin for vscode? If this happened to me would I be focused on the model I was using rather than Cursor? Nice write up, thank you!

Another case where an agent deleted code/production. Coding agents are constructed to have unrestricted access to control plane. We built Knostic not only to detect malicious, but to stop stupid. Prevent destructive actions so that engineers can feel safe using them.

@HappyGezim Ok I'm going to have to dig into this a bit more, amazing!

Who is actually for real coding from their phone? OpenClaw only? I am only productive at my desk, and sometimes not even very productive from my desk. Teach me this dark magic...

Every time I say "I'm just going to do 10 or 15 minutes" of messing around with AI tools, it turns into 2-3 hours.

There has to be tools that already do this. Just trying to get a little better at securing this junk. MCP logging in place with the LLM Client, User, and Auth method and even session id. It shows up in the UI at the moment but wired to go to a SIEM.

Spent the evening adding data tagging to my "hardened" app because a friend asked if I had implemented it. I didn't even know what it meant. Now I can see the request ID on each MCP call and have a roadmap full of stuff I didn't know I needed...

Got audit logging almost working on the MCP for the "learning app" now that Auth0 M2M authentication works. Every tool call sends a security event: who ran, which tool, success/failure, how long. Still only local events. Trying to build the right things rather than add on later.

@JBizzle703 Let me think, will ping u!

@robrounsavall You know any Tenable engineers looking for a new role?

Not much AI today, playing around with the Wazuh SIEM.