Nate
@yield_maxi
1.2K posts
Building | Station70
Joined April 2012
512 Following, 250 Followers
Nate @yield_maxi
Do you know what actually happens when you hit "Connect" on a Claude integration? I looked into it.

Here's what most people don't realize: When you connect an app to Claude — Slack, Google Drive, GitHub, whatever — you're not just granting access. You're handing credentials to a system that has no native concept of "need to know."

In 2025 alone, 28.6 million secrets were leaked from config files and environment variables. That number went up 34% year over year. And that was before most companies started rolling out AI agents at scale.

The way most of these integrations work today:
• Your API keys and tokens get stored in a config file
• The AI agent reads them at runtime
• The agent holds them in memory while it works
• There's no scoping. No time limits. No revocation.

Here's the part that should make any CTO uncomfortable: Prompt injection, where malicious content tricks an agent into doing something unintended, isn't just a jailbreaking trick anymore. In agentic systems, it's a credential exfiltration mechanism. The agent doesn't know it's happening. No alert fires. The credentials leave through approved channels.

As long as an AI agent can see your credentials, it can lose them.

Companies aren't banning AI because they're paranoid. They're banning it because nobody's solved the credential question yet.
Nate @yield_maxi
I went to São Paulo for @Fireblocks IGNITE thinking I'd have to explain why infrastructure matters. I didn't have to explain it once.

Brazil's crypto regulators aren't asking surface questions. They're asking about zero-knowledge architecture, functional redundancy, BCR compliance. They've drawn a hard line between crypto companies and on-chain businesses, and they're examining the layer underneath.

Firms I sat down with weren't starting from scratch. They already knew @Station_70. They already understood zero-knowledge backups. The conversations skipped the education phase entirely and went straight to evaluation. That caught me off guard. In most markets, the first meeting is "here's what disaster recovery means for key custody." In São Paulo, the first meeting was "here's our timeline."

Huge thanks to Jorge Borges, @mikeshaulov, and @thoughtsofsteve at Fireblocks for putting together an event that brought the right people into the room. And to Nickole Dysk for being an amazing host and filling @rangoldi's shoes.

The other thing that needs updating: the stablecoin narrative in Brazil. Pix is everywhere. 100% domestic card penetration. Street vendors, hole-in-the-wall restaurants, cabs. Crypto for everyday payments is not the opportunity here. Cross-border settlements and international B2B flows are. Local rails are solved. The use case that remains is strictly cross-jurisdictional.

One expensive personal lesson: check your visa 30 days out. Not 7.
Nate @yield_maxi
@LunarResearcher Are you concerned about getting prompt injection? The agent can trade and has access to the private keys.
Harshil Tomar @Hartdrawss
20 things that will get your VIBE CODED app HACKED in 24 hours: Bookmark this RIGHT NOW!

1/ API keys hardcoded in frontend JS
> anyone who opens devtools can read them
> cursor does this constantly
> move all keys to your backend, never the client

2/ no rate limiting on /login
> bots can try 10,000 combos while you sleep
> add rate limiting + lockout after 5 failed attempts
> this is table stakes, not optional

3/ SQL queries built with string concatenation
> "SELECT * FROM users WHERE id=" + userId
> that's SQL injection waiting to happen
> use parameterized queries, always

4/ CORS set to wildcard (*)
> any website can make authenticated requests to your API
> it uses your users' own cookies to do it
> whitelist specific origins only

5/ JWTs stored in localStorage
> one XSS attack steals every token on your site
> localStorage is readable by any script on the page
> use httpOnly cookies instead

6/ JWT secret is "secret" or from a tutorial
> attackers test common secrets first
> yours is probably on a wordlist already
> generate a 256-bit random secret, rotate it

7/ admin routes protected only in the frontend
> the server doesn't care about your React Router guards
> hit the endpoint directly and it opens right up
> protect every route server-side, no exceptions

8/ .env committed to git even once
> it's in the history even if you deleted the file
> git log --all --full-history -- .env finds it instantly
> rotate every key in that file immediately

9/ error responses showing stack traces or DB table names
> you're giving attackers a map of your infrastructure
> log errors server-side, return generic messages client-side
> never expose internals in a response

10/ file uploads with no MIME type validation
> upload a server-side script, get full access
> extension checks alone don't protect you
> validate MIME type server-side, not the filename

11/ passwords hashed with MD5 or SHA1
> rainbow tables crack MD5 in seconds
> no salt = no protection
> use bcrypt or argon2, no exceptions

12/ auth tokens that never expire
> stolen session = permanent access forever
> set an expiry on every token you issue
> implement refresh token rotation

13/ auth middleware missing on internal API routes
> AI adds middleware to obvious routes and skips the rest
> audit every single endpoint manually
> assume nothing is protected until you verify it

14/ server running as root
> one exploit = full system access
> run your app as a non-privileged user
> this costs nothing to fix

15/ database port exposed to the internet
> your postgres on port 5432 should never have a public IP
> put it behind a firewall or private network
> this is a one-click fix in most cloud providers

16/ IDOR vulnerability on resource endpoints
> change the ID in the URL
> can you access another user's data? most vibe coded apps: yes
> validate ownership server-side on every resource request

17/ no HTTPS enforcement
> credentials sent over plain HTTP can be intercepted on any public network
> enforce HTTPS at the server level, not just the frontend
> redirect all HTTP traffic automatically

18/ sessions not invalidated on logout
> the old session token still works after the user clicks logout
> invalidate sessions server-side on every logout event
> client-side cookie clearing is not enough

19/ npm packages not audited since setup
> run npm audit right now
> count the criticals
> schedule this as part of every deploy

20/ open redirects in callback URLs
> used to send users to phishing sites through your trusted domain
> validate and whitelist every redirect destination
> never trust user-supplied redirect URLs

bookmark this and run a security audit before you ship.
Nate reposted
GrowingMiami 🦩 🌴 @growingmiami
A day that will live in Miami 🌴 traffic infamy. Friday March 27th, 2026 🗓️
4:00 pm - @Ultra Music Festival Begins 🎛️
5:00 pm - @MiamiOpen 🎾 Men's Singles Semifinals, Doubles Semifinals
5:30 pm - Trump 🇺🇸 speaks at @FaenaMiami Forum in Miami Beach
7:10 pm - @Marlins home opener ⚾️
8:00 pm - Mana @manaoficial 🇲🇽 concert at @KaseyaCenter (literally down the street from Ultra)
Advice? Get a scooter 🛴
tobi lutke @tobi
Running a company is just context engineering internally. Now that skill has even more value in the agentic world. Us tech founders have been doing reps to prepare for this.
PolyAI @polyaivoice
PolyAI has raised $200M from Nvidia, Khosla Ventures, and multiple top VCs. We're one of the fastest-growing companies in the UK, and we handle 500M+ calls for:
• Marriott
• PG&E
• Gordon Ramsay's restaurants
• And 3,000 more real deployments

Which means that if you've ever called them, chances are you've talked to our voice agents. Every restaurant we onboard books thousands in revenue within 30 days. But how? Because PolyAI works 24/7, answering every call in <2 seconds, and we also:
• switch between 45+ languages
• handle payments & cancellations
• verify identities
• and even upsell your services

If you want to try creating an agent with PolyAI, we built Agent Studio Lite to make it easy. Just enter any URL, and in 5 minutes it will analyze your website and build a working agent. We're opening early access to a limited number of people. Comment "PolyAI" and we'll add you to the waitlist and give you 3 months for free!
Coinbase Developer Platform🛡️
Introducing Agentic Wallets, our first ever wallet infrastructure built specifically for autonomous agents. Give your agent the power of a wallet. Let your agent manage funds, hold identity, and transact onchain without human intervention. 🧵
Enes Kırca @MEnesKirca
Ok.. AI can replicate your competitor’s meta ads instantly. Introducing "Meta Ads Creator - Chrome Extension" — the world’s first Just drag & drop any product to get META-ready ads in seconds! Retweet & comment “META” I’ll DM the full guide.
Tom @tomcrawshaw01
4 to 6 months. That's the real timeline from $0 to $10K/month selling n8n automations. Not 30 days. Not "overnight." And anyone who tells you different is either lying or they've already got a massive head start. Maybe they have an existing audience... Or years of sales experience... Or a network of warm leads ready to buy.

That's not you. You're starting from scratch. No clients. No portfolio. No case studies. For someone in that position, 4-6 months is the path. It can be faster or slower depending on how much time you dedicate to making things happen.

After generating $25M for my clients over 8 years, I've seen exactly what separates people who make it from those who quit in week 2. So I just recorded a complete walkthrough showing you:
- The 4 stages from first client to consistent $10K months
- Why most people get stuck at $2K-$5K (and how to break through)
- How to price like an operator, not a freelancer
- The real timeline: 4-6 months, not "30 days to 6 figures"

This training covers what to build, when to build it, who to sell it to, and how much to charge at each stage. Want the complete roadmap? Follow + comment "ROADMAP" and I'll DM the complete walkthrough (must be following).
Julian @julianivaldy
We just hired our Head of Distribution. He will run our farm & reposter network. Now we have:
- 60 accounts across 15 phones (farm)
- 40 accounts led by 20 reposters

We're in the multiple accounts era. This role will be key going forward.
Logan Gott @LoganTGott
I just wrote 30 posts in 30 minutes. All optimized for my industry and LinkedIn's algorithm. Most people spend hours creating content. Staring at blank screens. Fighting writer's block. Trying to figure out what the algorithm wants. I got tired of it. So I built an AI tool that does it all:
• Generates 30+ posts in under 30 minutes
• Automatically optimized for your specific industry
• Built-in LinkedIn algorithm best practices
• Creates hooks, stories, and CTAs that convert
• No more writer's block or wasted time

This isn't generic AI output. It's trained to understand your niche and what actually performs on LinkedIn. Want access to the tool?
1. Connect with me
2. Comment "TOOL" below

I'll send you the link to get going!
Mike Futia @mikefutia
This Instagram Reels AI agent is absolutely wild 🤯 It scrapes trending Reels in your niche, analyzes them with AI, and extracts every creative insight you need. All inside n8n + Airtable. Perfect for DTC brands & agencies who need to know what's working on Instagram before they create content.

Here's the problem: Manual Instagram research takes forever. You're scrolling for hours, screenshotting videos, manually noting hooks, trying to remember what worked. And by the time you act on it, the trend is dead.

This n8n automation solves it:
→ Enter a keyword (e.g., "skincare", "fitness", "productivity")
→ AI scrapes trending Instagram Reels automatically
→ Writes all videos to Airtable with views, likes, comments
→ Click "Analyze Video" button in Airtable
→ Gemini watches each video and extracts: Hook, Proof Point, Theme
→ Click "Analyze Comments" for instant comment insights

No manual scrolling. No spreadsheets. No missing trends. What you get in Airtable:
→ Video URL, creator handle, performance metrics
→ AI-extracted hooks (what stopped the scroll)
→ Proof points (what built credibility)
→ Creative themes (the narrative structure)
→ Comment insights (what the audience is asking)

Built 100% in n8n. Want the complete n8n template + Airtable base?
> Comment "REELS"
> Like this post

And I'll send it over (must be following so I can DM)
Zephyr @Zephyr_hg
I never run out of content to post anymore. Built an automation that monitors 50+ news sources, scores articles for relevance, and writes social posts automatically. It finds trending topics in my niche before they explode everywhere else. Saves me 15-20 hours monthly and keeps me ahead of every trend. Comment "NEWS" and I'll DM it to you (must be following)
Will Ocho Matthiessen @WillOchoX
Woke up at 1am last night with SaaS idea. Got out of bed. Immediately started prompting plan mode /w @cursor_ai (which is 🐐'd now). By 4am MVP was built for testing. Used:
@cursor_ai for code + planning (now)
@vercel for hosting
@supabase for database
@clerk for auth (also goated)
Nate reposted
Foundation App @FoundationAppHQ
Protected his crypto from everyone… Including his own family
Nate reposted
Foundation App @FoundationAppHQ
Markets crash, and we ride it out. But some crashes you don’t come back from. Make sure your crypto doesn’t end with you.