I just finished the Day 1 AIS challenge. Easy to start, as I'm a daily Claude code user and I've been building things for the last 6 months, but I am excited to expand my knowledge. My main goal now is to make my agents as independent as possible, as I am currently the bottleneck. I feel like I can manage $15-$20k a month by myself with the right infrastructure in place. Time for day 2!

I love it when this happens 😌 Got everything out of it.

I have started building OS yesterday. For what do you use AI OS guys? I wanna start business so AI OS will be my second brain

To preface, I run a security auditing service that seeks to address the technical debt that comes from building with AI tools in order to give founders additional peace of mind prior to shipping. That said, last week I scanned a total of 8 lovable built apps, since I noticed that with the Lovable platform specifically that its vulnerabilities always seemed to be structured in the same exact way across different apps. Furthermore, many of these products had actual user bases and live billing mechanisms in place, and thus the data that these apps were handling were particularly important. That out of the way, these are 5 of the most common findings that I came across among almost all of the Lovable built applications that i have audited thus far: 1. 8/8 apps had at least one HIGH severity finding; though, typically within a short 10-15 minute window, I was able to source multiple (even within some of the better built products, same idea). Many of these findings were able to be sourced with fairly rudimentary tooling. For instance, almost all of the apps I scanned seemed to have secrets of all kinds baked right into the front end; accessible through DevTools alone. Things ranging from JWTs, API keys, etc etc. However, it gets worse: 2. 7/8 apps had a hardcoded supabase token sitting in the front in JS bundle sitting in plain sight. This being the code that your browser actually downloads first before loading your app, what this means is that anyone can open devtools on their local machine, and search for this directly within the sources tab with next to no effort. This key, plus an unprotected database means that anybody online can utilize this to grant themselves direct read/write access to your data without even being logged in. 3. 7/8 apps had no rate limiting mechanisms configured on login. What this means is that there is absolutely nothing stopping someone from attemptions thousands of password guesses on any account that they choose. Configuring an automation tool to cycle through common password lists to target specific users is simple, and what this means is that anyone can access any account they desire by running said scripts overnight. So thus, rendering user passwords completely useless as safeguarding mechanisms. Furthermore, on these same apps there was a complete absence of other such mitigation methods (ie: CAPTCHA trigger, account lockout/slowdown mechanisms), so this confirms that anybody can log in wherever they choose to on these sites completely under the radar.

Hi guys, As I learn more about AI agents and everything we can do with Claude Code, I'm a bit concerned about security. I don't have the means to right now buy a separate computer just to run the agents. How many of you are using separate devices? For those of you using your personal computer, what are your best security practices to make sure that you're not allowing any kind of possibility for hacking or for malicious intent? Thanks!!