This Chinese guy created agents in Claude Code for landing pages and single-handedly serves 47 small businesses a month, taking $400 from each.
He built a system of 7 agents on Claude Sonnet 4.6 that analyzes Google Maps in small towns, finds small businesses without websites there, and over 1 weekend takes each one to a finished mockup with video and cold message.
No assistant, no sales team, no SDR. Just him, a MacBook, an iPhone, and 1 API key.
And traditional web design agencies keep teams of 8 people on salary for the same order flow, while his expenses are only tokens and subscriptions to Lovable, Higgsfield, and Calendly.
7 agents work through 1 orchestrator on Claude Code Router. Usage is about 3 million tokens a day, the average API bill is about $480 a month.
All 7 go through MCP servers and write shared state to the file system, without shared state in memory and without race conditions, and 1 of them lives right in the iPhone and picks up positive replies from the subway, a taxi, or on walks.
And here is the system prompt he put into the orchestrator before launch:
"You are the orchestrator of a solo agency that sells ready-made websites to local businesses. You delegate read-only tasks to 6 sub-agents and own all writes.
sub-agents:
// Scout (walks through Google Maps in selected cities, looks for narrow niches: 5+ years on the map, fewer than 50 reviews, no website or a website from 2014, but high ratings)
// Diagnoser (for each lead writes a 50-word diagnosis, hero angle, tone matched to the industry, and a cold message under 70 words)
// Builder (generates a landing page mockup in Lovable through MCP only for the top 5 leads per day, with the sharpest diagnoses and the biggest gap)
// Filmer (pulls 5 screenshots of the mockup and through Higgsfield renders a 10-second vertical video 1080x1920 with a soft zoom)
// Pitcher (sends a personalized cold message through the right channel for the niche: email to roofers, SMS to tradesmen, IG DM to salons, LinkedIn to realtors)
// Checker (runs every message through evals for personalization, absence of AI markers and buzzwords before sending)
// Mobile (lives in the iPhone, handles positive replies in real time, books Zoom calls in Calendly through MCP while the owner is on the go).
You never let 2 sub-agents touch 1 lead. You stop and request approval from the human only when a deal exceeds $3,000 or the reply rate in a niche for the day drops below 12%."
Meaning the system knows what it is and within what boundaries it is allowed to act.
It knows it is supposed to find leads on its own.
It knows it is supposed to take each one to a mockup, video, and cold message without intervention.
It knows the human only steps in when a deal goes above $3,000 or the reply rate stops converging.
→ The system runs 24 hours a day
→ Scout goes through about 220 local businesses on Google Maps per day and leaves 30 new leads in the queue
→ Diagnoser outputs 30 structured diagnoses + briefs + cold messages per day
→ Builder assembles 3 to 5 finished landing pages in Lovable for the sharpest leads
→ Filmer renders a 10-second vertical video in Higgsfield for each one
→ Pitcher sends 30 personalized messages per day across 4 channels with a reply rate of about 14%
→ Checker runs every message through evals before sending
And only when a deal breaks $3,000 or the reply rate for the day drops below 12% does the orchestrator wake the owner.
And when the owner at that moment is sitting in the subway or a taxi, the Mobile agent in his iPhone picks up 1 move on its own: replies to a fresh positive reply from a dentist, books a Zoom through Calendly synced to the local time of the client, and puts the lead back in the queue. The owner only has to tap "approve" and in just 10 minutes join the call.
Here is what the system writes in his log during 1 of the Saturdays:
"scout report: 218 businesses checked in Austin, Denver, and Miami, 34 without a website, 19 with a website from 2014, 6 with an active redesign request in reviews. passing top 30 to diagnoser."
"pitcher: 30 cold messages sent across 4 channels, 14 replies, 5 positive, 3 Zoom calls booked for Sunday. passing to closer."
"builder: landing page for Westside Cosmetic Dentistry built in Lovable, 5 sections, mobile, soft beige. URL placed at /Users/dev/maps-agency/clients/westside/v1. filmer launching Higgsfield."
"eval flag: deal with The Lotus Salon at $3,400 exceeds the approved limit of $3,000. sending for manual review."
He has no server of his own and no separate backend.
Just a local file sandbox at /Users/dev/maps-agency, an MCP router, 1 API key to Claude, and the same key forwarded to Claude Code on his iPhone.
Out of everything I have seen this year, this is the cleanest one-person agency for selling websites to small businesses: $480 a month on the API, about $18,800 into the account, and between them 7 prompts, 1 file system, and 1 phone in the pocket.
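The two boundaries stated in the orchestrator prompt above (no two sub-agents on one lead, and human approval above $3,000 or below a 12% daily reply rate) can be enforced in code on the shared file system instead of resting on the prompt alone. This is an added sketch, not the system's own code; the claim-file layout, the lead id format and all function names are assumptions.

```python
import json
import os

DEAL_LIMIT_USD = 3000   # approval threshold from the orchestrator prompt
MIN_REPLY_RATE = 0.12   # daily reply-rate floor from the orchestrator prompt


def _claim_path(state_dir, lead_id):
    # Assumed id format: letters, digits, "-" and "_" only, so an id taken
    # from scraped data cannot point outside the state directory.
    if not lead_id.replace("-", "").replace("_", "").isalnum():
        raise ValueError(f"unsafe lead id: {lead_id!r}")
    return os.path.join(state_dir, f"{lead_id}.claim")


def claim_lead(state_dir, lead_id, agent):
    """Atomically claim a lead; False means another agent already holds it."""
    path = _claim_path(state_dir, lead_id)
    try:
        # O_EXCL makes "create only if absent" one atomic step, so two agents
        # racing for the same lead cannot both succeed.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        json.dump({"lead": lead_id, "agent": agent}, fh)
    return True


def release_lead(state_dir, lead_id, agent):
    """Remove a claim, but only on behalf of the agent that holds it."""
    path = _claim_path(state_dir, lead_id)
    with open(path) as fh:
        holder = json.load(fh)["agent"]
    if holder != agent:
        raise PermissionError(f"{agent} does not hold {lead_id}")
    os.remove(path)


def needs_human_approval(deal_usd, replies, sent):
    """Hard gate for the prompt's two escalation conditions."""
    # No sends yet counts as a 0% reply rate, so the gate fails closed.
    reply_rate = replies / sent if sent else 0.0
    return deal_usd > DEAL_LIMIT_USD or reply_rate < MIN_REPLY_RATE
```

A model can ignore or be talked out of a prompt instruction, while a failed `claim_lead` or a true `needs_human_approval` stops the action regardless of what the agent was told.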
Meet Kimi K2.6: Advancing Open-Source Coding
🔹Open-source SOTA on HLE w/ tools (54.0), SWE-Bench Pro (58.6), SWE-bench Multilingual (76.7), BrowseComp (83.2), Toolathlon (50.0), Charxiv w/ python (86.7), Math Vision w/ python (93.2)
What's new:
🔹Long-horizon coding - 4,000+ tool calls, over 12 hours of continuous execution, with generalization across languages (Rust, Go, Python) and tasks (frontend, devops, perf optimization).
🔹Motion-rich frontend - Videos in hero sections, WebGL shaders, GSAP + Framer Motion, Three.js 3D.
🔹Agent Swarms, elevated - 300 parallel sub-agents × 4,000 steps per run (up from K2.5's 100 / 1,500). One prompt, 100+ files.
🔹Proactive Agents - K2.6 model powers OpenClaw, Hermes Agent, etc for 24/7 autonomous ops.
🔹Claw Groups (research preview) - bring your own agents, command your friends', bots & humans in the loop.
-
K2.6 is now live on https://t.co/YutVbwktG0 in chat mode and agent mode.
For production-grade coding, pair K2.6 with Kimi Code: https://t.co/uvoSJKyGCY
-
🔗 API: https://t.co/EOZkbOwCN4
🔗 Tech blog: https://t.co/9wWvgIQSS3
🔗 Weights & code: https://t.co/Be0hjs2RTP
Free 925 unique website templates to help you build something unique. RT and bookmark this.
If you’re looking to build a website with AI and you don’t want a generic-looking design, here’s an open-source repo with 925 unique website templates, from old to new, from basic to polished, across different styles.
Repo link: https://t.co/wiw1OrDJHs
There’s also a @Netlify site where you can preview these templates before picking the one you want to use:
https://t.co/JKhqZbkDdN
This is an open-source project, so you’re free to add more templates to the repo too.
Steps:
1. Go to the netlify url https://t.co/sdX3KTkYsh
2. Find the design you like
3. Get the GitHub URL there and give the URL to your AI builder to use it as a template to build your project.
Good luck and have fun building on Netlify.
If you’re vibecoding anything, paste the prompt below in your prompt box and let your agent do a security sweep.
[
You are a senior security engineer and red-team specialist tasked with performing a comprehensive, adversarial security audit of the following codebase, system design, or application.
Your goal is to identify all possible security vulnerabilities, including common, uncommon, and novel attack vectors. Assume the system will be deployed in a hostile environment with motivated attackers.
---
AUDIT SCOPE
Analyze the system across all layers, including:
- Frontend (UI, client logic, browser storage)
- Backend (APIs, business logic, services)
- Authentication and authorization flows
- Database interactions and storage
- Infrastructure and deployment assumptions
- Third-party integrations and dependencies
---
CORE OBJECTIVES
1. Identify critical, high, medium, and low severity vulnerabilities
2. Detect logic flaws, not just known patterns
3. Surface chained attack paths (multi-step exploits)
4. Highlight unknown or unconventional weaknesses
5. Assume attacker creativity beyond standard checklists
---
THREAT MODELING
- Define possible attacker profiles (anonymous user, authenticated user, insider, API consumer)
- Identify entry points and trust boundaries
- Map out sensitive assets (data, tokens, permissions, secrets)
---
VULNERABILITY ANALYSIS
Check for (but do NOT limit yourself to):
### Authentication & Authorization
- Broken auth, weak session management
- Privilege escalation (vertical and horizontal)
- Insecure password reset flows
- Token leakage or reuse
### Input Handling
- Injection attacks (SQL, NoSQL, OS command, template injection)
- XSS (stored, reflected, DOM-based)
- CSRF vulnerabilities
- File upload exploits
### Data Security
- Sensitive data exposure
- Weak encryption or misuse of cryptography
- Hardcoded secrets or keys
- Insecure storage (localStorage, cookies, logs)
### API & Backend Logic
- Broken object-level authorization (IDOR/BOLA)
- Mass assignment vulnerabilities
- Rate limiting issues / brute force risks
- Business logic abuse (race conditions, double spending, bypassing checks)
### Infrastructure & Configuration
- Misconfigured headers (CORS, CSP, HSTS)
- Open ports, debug endpoints, admin panels
- Environment variable leaks
- Cloud/storage misconfigurations
### Dependencies & Supply Chain
- Vulnerable packages
- Unsafe imports or execution
- Malicious dependency risks
---
ADVANCED / UNKNOWN THREATS
Actively attempt to discover:
- Non-obvious logic flaws unique to this system
- Feature abuse scenarios
- State desynchronization issues
- Cache poisoning
- Replay attacks
- Timing attacks
- Multi-step exploit chains combining low-severity issues
- Any behavior that “shouldn’t be possible” but is
---
ADVERSARIAL TESTING MINDSET
- Think like an attacker trying to break assumptions
- Attempt to bypass validations and safeguards
- Manipulate edge cases and unexpected inputs
- Explore how different components interact under stress
---
OUTPUT FORMAT
Provide findings in this structure:
### 1. Vulnerability Summary
- Total issues by severity
### 2. Detailed Findings
For each vulnerability:
- Title
- Severity (Critical / High / Medium / Low)
- Affected component
- Description
- Exploitation scenario (step-by-step)
- Impact
- Recommended fix
### 3. Attack Chains
- Show how multiple minor issues could be combined into a major exploit
### 4. Secure Design Recommendations
- Architectural improvements
- Safer patterns and best practices
---
IMPORTANT INSTRUCTIONS
- Do NOT assume the code is safe
- Do NOT skip analysis due to missing context, infer risks where needed
- Be exhaustive and paranoid in your review
- If unsure, flag it as a potential risk and explain why
]
Introducing Claude Design by Anthropic Labs: make prototypes, slides, and one-pagers by talking to Claude.
Powered by Claude Opus 4.7, our most capable vision model. Available in research preview on the Pro, Max, Team, and Enterprise plans, rolling out throughout the day.
Anthropic pays engineers $750,000+ a year to understand how LLMs work.
Stanford just put out a 2-hour lecture that covers 80% of it for FREE.
Bookmark this. Give it 2 hours today.
It might be the highest ROI thing you do this month:
Update!!! VisaPath UK is now live at https://t.co/uesVO3l1JW — completely free to search all 125,572 verified sponsor companies. Check it out and let me know your feedback. Thanks
Stop tracking $50k scholarships on a $0 note app. 🛑
I’m opening the Beta for PLITRAK—the only application tracker that actually talks back to you. 🧵 https://t.co/LhnjDmbHj4