Ryan Rasti

61 posts

@ryantypes

System prompts are not a security model. Building ExoAgent to replace them with deterministic constraints. $1k if you can hack my agent 👇

Joined July 2025
63 Following, 19 Followers
Pinned Tweet
Ryan Rasti @ryantypes
🛑 Stop trusting system prompts. An agent with `execute_sql(string)` is one hallucination away from a breach. I built ExoAgent: a security layer for AI SDK where unsafe SQL is impossible. 💰 Steal the $1,000 BTC wallet inside the DB: exoagent.io/challenge
Ryan Rasti @ryantypes
@joschelboschel Honored! Probably just a link and short description for now given it's an early PoC. TypeNix is based on tsgo, I know there's WASM ports of tsgo but still assume it would need some extra work. Would love to be included.
Ryan Rasti @ryantypes
Announcing TypeNix: full typing for Nix, based on TypeScript. The trick: map Nix AST -> TS AST: the typechecker never knows it's looking at Nix. Types all 42K nixpkgs files, 13s locally. Fixed-point patterns (`makeExtensible`, etc.) typed. Early PoC: github.com/ryanrasti/type… @typescript @grhmc @tweagio
Ryan Rasti @ryantypes
Demo showing type errors, autocomplete, fixed-point handling in action:
Ryan Rasti retweeted

Sumeet Vaidya @sumeetvtweets
Writing code is no longer the bottleneck. AI agents are already opening pull requests, monitoring repos, and writing meaningful code. The real bottleneck is validating that code safely against real infrastructure. Today we’re announcing what we built to fix that.
Ryan Rasti retweeted

Lex Fridman @lexfridman
The power of AI agents comes from:
1. intelligence of the underlying model
2. how much access you give it to all your data
3. how much freedom & power you give it to act on your behalf

I think for 2 & 3, security is the biggest problem. And very soon, if not already, security will become THE bottleneck for effectiveness and usefulness of AI agents as a whole (1-3), since intelligence is still rapidly scaling and is no longer an obvious bottleneck for many use-cases.

The more data & control you give to the AI agent: (A) the more it can help you AND (B) the more it can hurt you. A lot of tech-savvy folks are in yolo mode right now and optimizing for the former (A - usefulness) over the latter (B - pain of cyber attacks, leaked data, etc).

I think solving the AI agent security problem is the big blocker for broad adoption. And of course, this is a specific near-term instance of the broader AI safety problem.

All that said, this is a super exciting time to be alive for developers. I constantly have agent loops running on programming & non-programming tasks. I'm actively using Claude Code, Codex, Cursor, and very carefully experimenting with OpenClaw. The only downside is lack of sleep, and an anxious feeling that everyone feels of always being behind the latest state-of-the-art. But other than that, I'm walking around with a big smile on my face, loving life 🔥❤️

PS: By the way, if your intuition about any of the above is different, please lay out your thoughts on it. And if there are cool projects/approaches I should check out, let me know. I'm in full explore/experiment mode.
Ryan Rasti @ryantypes
@AnnikaSays Love the Slack structure insight. Question: are you running OpenClaw on real accounts (email, personal files, etc.) or test data? Building a security layer for exactly this -- curious if you've hit any trust/privacy concerns.
Annika Lewis @AnnikaSays
2/ Run your agents like a startup, not a WhatsApp chat 🤳 With OpenClaw, I started on Telegram — one long thread, everything blending together. Moving to Slack changed everything. Channels for specific workstreams. Deliverables waiting for me in threads I'd spun up.
Annika Lewis @AnnikaSays
A month ago, I started using Claude Code 👩‍💻 Ten days ago, I added OpenClaw 🦞 Since then, I've shipped vibecoded apps, built a research pipeline, run countless overnight tasks — and burned through an ungodly amount of API credits. Zooming out, three big learnings:
Ryan Rasti @ryantypes
@mitsuhiko Love it & completely agree we will see programming languages for agents. I'd add primitives for running untrusted/semi-trusted LLM generated code securely:
- isolation
- fine-grained access/delegation
- data flow tracking (application of "flow context")
Ryan Rasti @ryantypes
Yes and even sandboxing isn't enough either: you need fine-grained data access and data flow control within the sandbox. That's exactly what I'm building: exoagent.io If you're blocked on agent privacy/security, would love to hear your integrations/use-case.
shaped @shaped
I don't think all of Claude's team is sitting around scanning your links for viruses before giving it to their models, and so is the case for openclaw contributors, this is a stupid argument. Malicious prompt injections are an actual threat vector that cannot be solved by harnesses. Only AI alignment and sandboxing can.
Kix @SpeculatorArt
Openclaw seems overhyped to me. I can literally replicate 80% of its value by just using Claude API and putting cron jobs on a VPS. And by doing this I eliminate almost all of the security concerns.
Ryan Rasti @ryantypes
@thoughtlesslabs Building exactly this: policy layer where "don't leak passwords" is enforced by the system, not a suggestion to the LLM. What integrations would unblock you?
thoughtlesslabs @thoughtlesslabs
I spent all weekend with openclaw and here are my thoughts.

1. If you are a little nerdy and a little technical there is a ton of enjoyment in setting it all up and having it do things.

2. To get real value from it, beyond being a new chatbot wrapper, you have to expose things to it that aren't safe to be let out. No amount of "don't leak passwords" will ever stop it from leaking things.

3. I don't really like not seeing how it does things without having to login to the backend. It very frequently combined projects that I told it to keep separate. It commits all sorts of things it shouldn't to git, and generally gets confused. I believe you could probably fix some of this with many separate agents but overall it was not great.

4. It's mentally exhausting. There's a dopamine pull and it will consume your entire day with little to show for it.

5. I want to believe people are actually getting huge value from it, but I mostly found it to be a fun toy. I don't claim to be the expert on identifying value but I also just don't have a lot of automation needs it turns out.

All in all, it's a fun, incredibly risky thing to use if you want it to do all the cool stuff. If anyone who reads this is open to showcasing their whole setup and showing me what they are doing, I would be happy to check it out.
Ryan Rasti @ryantypes
@makowskid 100% - this is the most overlooked issue in agent security. I'm building deterministic policy for agents (e.g., "can't exfiltrate via calendar") enforced structurally, not via guardrails. What integrations would you actually want if security wasn't a blocker?
Dawid Makowski @makowskid
2. Your attack surface is only as small as your most connected app. OpenClaw plugs into WhatsApp, Telegram, Discord, your emails, your filesystem... all through one gateway. That means a prompt injection hiding in a calendar invite or an email can trigger shell commands on your machine. The attacker doesn't need to hack you. They just need to send you a message your AI will read.
Dawid Makowski @makowskid
Stop giving your AI assistant the keys to your entire digital life! Just read an excellent piece on XDA about OpenClaw (formerly Clawdbot, formerly Moltbot... this thing rebrands more than a failed startup at a pitch competition). Link in the comment. And I agree with pretty much every point made. Here's why:

1. Removing friction is not always a feature. OpenClaw makes it dead simple to connect an LLM to your emails, filesystem, shell, messaging apps, and trading bots. All at once. In one app. For technical folks, we could already do all of this with scripts and APIs. The difference? We understood the risks while doing it. OpenClaw hands this power to people who don't.
Ryan Rasti @ryantypes
@sooyoon_eth @privy_io @openclaw Exactly and every connected tool is an exfiltration vector. I'm building an agent with capability-based security (i.e., "smart contract rigor") to fix this (ex-Google security, been in this space a while). What would it actually need to look like for you to trust it in prod?
Soo Yoon | FailSafe Ecosystem @sooyoon_eth
@privy_io @openclaw love the security PSA at the end 👀 agents with wallet access need the same rigor as smart contracts but nobody's treating them that way yet. excited to see this integration but please audit your prompt injection flows before going live
Privy @privy_io
1/ Every Friday, we ship to make building on Privy better. Today, we’re releasing a new @openclaw skill that lets your agent create and use a wallet, turning agents from social into economic actors. 🚨 PSA: Please read the security docs before enabling anything.
Ryan Rasti @ryantypes
@simonw @berman66 @runlayer That's the exact problem: we need invariants that make it impossible to exfiltrate credentials. The solution: deterministic policy with object-capabilities -- I'm building it now. "90%+" security = our $1K wallet would be hacked 200 times by now: exoagent.io/challenge
Simon Willison @simonw
@berman66 @runlayer "90%+ Credential exfiltration caught" So there's a 1/10 chance of credentials being exfiltrated? What if an attacker tries 100 times in a row?
Andy Berman @berman66
Today, we're launching OpenClaw for Enterprise. The IDEA of OpenClaw is excellent. That's why your employees already tried ClawdBot last weekend. They probably spent hours linking it to everything - email, Slack, Jira, you name it. They installed a giant security nightmare. 1/
Ryan Rasti @ryantypes
@kellabyte Locality matters, and I'd argue even more so for the devex: even remote computation should *feel* local & fully integrated (low boilerplate, high composability, language compatibility). My take on this for Postgres: typegres.com/play/
Kelly Sommers @kellabyte
For two decades, a loud class of architects & devs rejected stored procedures while ignoring a fundamental truth of computing: locality matters. A path forward to reach these folks is language native compute scheduled at the data layer. Kubernetes of data. Maybe WASM scheduling
Ryan Rasti @ryantypes
Google is right about the chaos, but wrong that it's inevitable. We're giving agents "keys" (credentials) instead of object-capabilities (constrained handles). I built ExoAgent, the layer that fixes this. It's guarding $1K of my BTC. Come take it: exoagent.io/challenge
Chris Laub @ChrisLaubAI
Security section hit different. When you give an agent database access, you're handing it the keys to your entire company. Prompt injection. Data exfiltration. Silent failures. Most teams treat this as an afterthought. Google's message: you're inviting chaos.
Chris Laub @ChrisLaubAI
🚨 BREAKING: Every "AI agent" you've seen is basically fake. Google just exposed that 99% of agent demos are three ChatGPT calls wrapped in marketing. I read their 64-page internal playbook. This changes everything:
Ryan Rasti @ryantypes
@dmshirochenko Nailed it. We need architectural guarantees, not "polite" system prompts. I built exactly that sandbox: it keeps the flexibility of SQL but enforces the scope via object-capabilities. Putting up a $1k bounty to prove it works: exoagent.io/challenge
Shirochenko Dmitriy @dmshirochenko
Your clever system prompt won't stop injection attacks, just like regex won't stop SQL injection. This is an architectural vulnerability, not a prompt engineering puzzle. Fix it with structured inputs and sandboxed agent capabilities. #Security #AIAgents
Ryan Rasti @ryantypes
@bygregorr @garrytan Love the analogy. And just as we didn't solve SQL injection with "better regexes", we're not going to solve Agent security with "better prompts." I built a runtime layer that solves this deterministically (hooks into AI SDK). $1K bounty to prove it: exoagent.io/challenge
Gregor @bygregorr
@garrytan Prompt injection is the SQL injection of the AI era. We’re going to see a lot of breaches before companies take agent security seriously. Most teams are still in “ship fast, secure later” mode.
Ryan Rasti @ryantypes
@ibuildthecloud Agree, as long as `execute_sql(<string>)` exists we're toast. The fix isn't removing SQL, it's constraining it with object-capabilities. I just released a deterministic layer that secures raw SQL tools. Confident enough that I put a $1K bounty on it: exoagent.io/challenge
Ryan Rasti @ryantypes
@deusaquilus Wow -- super cool to see this! I've been wrangling complex SQL for years and resonate 100%. I've been building something very similar for TypeScript. Had a very similar idea on translating operators, but starting in a different direction (class-based models): typegres.com/play/
Alexander Ioffe @deusaquilus
Here's why I built ExoQuery. I managed thousands of SQL queries. Debugging page-long monsters at 2 AM and ORMs with N+1 nightmares. What I needed: query composition that works like function composition. So I built it. Full story + runnable code samples 👇 exoquery.com/blog/why-we-bu…