Olivia
Online
@edwin 🌵📈
@edwin
urban chicken farmer; trying to figure out what LLMs think
SF via Penang
Joined September 2006
1K Following
2.3K Followers
298 Posts
Pinned Tweet
1/8
Mythos / Glasswing is clearly the main AI security story now: AI finding real vulnerabilities in existing production code.
For most teams, though, this question is more immediate:
Can an agent like Claude Code write a secure app in the first place?
8/8
The takeaway:
AI can absolutely help write mostly secure app code.
But if you care about security, you still need a scaffold:
figure out your framework's boundaries, conduct explicit review of auth primitives, implement infra controls, and conduct runtime testing.
Working code is not the same as hardened code
Full benchmark: https://t.co/r4hbqxLFXs
1/8
Mythos / Glasswing is clearly the main AI security story now: AI finding real vulnerabilities in existing production code.
For most teams, though, this question is more immediate:
Can an agent like Claude Code write a secure app in the first place?
7/8
Fourth result: runtime testing still matters.
Static review looked fine.
But DAST found that both agents exposed /openapi.json, and Codex also left /docs and /redoc on in production.
This is exactly why runtime DAST tools like @StackHawk, @veracode, and @rapid7 are useful!
Cybersecurity stocks dropped for Claude Code Security. Rallied for Project Glasswing.
Same category. Very different reactions.
The difference isn't capability. It's that code analysis still doesn't send requests to your running app.
Full breakdown 👇
@samlambert We track this @ scale via https://t.co/Z7mbg9NZGn. DMing you.
@bcherny any advice on how to be included as an allowlist MCP or pre-approved WebFetch site?
1/9
The most interesting thing about the Claude Code leak for devtool companies:
Anthropic hardcoded 120+ vendor names across 7 different systems in the source. Anthropic explicitly included your tool name in the code (or they didn’t 🤷🏻♂️)
Thread 👇
@lavanyaai Here are some tools that agents def know of!
https://t.co/nT3yIwBrJ3
1/9
The most interesting thing about the Claude Code leak for devtool companies:
Anthropic hardcoded 120+ vendor names across 7 different systems in the source. Anthropic explicitly included your tool name in the code (or they didn’t 🤷🏻♂️)
Thread 👇
@dhrumil_parekh @DnuLkjkjh FYI sentry's mcp is already hardcoded into Claude Code's source. https://t.co/VR4xoopdOd
@mal_shaik Nice analysis on the 11 layers!
Beyond internal tools, CC also hardcodes 120 external vendor and tool names: https://t.co/nT3yIwBrJ3
1/9
The most interesting thing about the Claude Code leak for devtool companies:
Anthropic hardcoded 120+ vendor names across 7 different systems in the source. Anthropic explicitly included your tool name in the code (or they didn’t 🤷🏻♂️)
Thread 👇
9/9
We extracted every tool and vendor name from Claude Code.
Full interactive report:
https://t.co/VR4xoopdOd
8/9 (Plugin Tips)
@vercel is the only third-party vendor with a proactive plugin install tip.
When Claude Code detects vercel.json or the Vercel CLI, it suggests:
/plugin install vercel@claude-plugins-official
No MCP collapsing, but a different distribution channel: your tool is recommended before the developer even starts.
7/9 (API Gateways)
7 third-party AI gateways are fingerprinted in analytics: @litellm, @helicone_ai, @portkeyai, @Cloudflare AI Gateway, @kong, @braintrust, @databricks, but no sigin of @langfuse, @OpenRouter, @LangChain's Langsmith.
Detected via headers or hostnames. Purely observational… but it means Anthropic *could* see how much Claude Code traffic flows through your proxy.
4/9 (WebFetch Preapproval)
89 documentation domains are preapproved for automatic fetching. Claude Code can read them without the user pasting a URL.
@reactjs, @nextjs, @djangoproject, @fastapi, @awscloud, @docker, @Docker, @vercel, @netlify, @pytorch, etc.
If your docs aren’t on the list (like @vite_js, @langchain, @rails), the agent only sees them when a developer manually shares a link.
6/9 (Secret Scanner)
36 credential patterns across 23 vendor families are blocked from entering team memory.
@gitlab, @slackhq, @stripe, @shopify, @openai, @railway, @render, @buildkite
GitHub alone has 5 specific rules (PAT, fine-grained PAT, app token, OAuth, refresh token).
A safety feature, but missing coverage means no vendor-specific protection.
5/9 (Environment Detection)
29 deployment platforms are detected by name in telemetry: @vercel, @railway, @render, @netlify, @flydotio, @cloudflare Pages, @awscloud, @googlecloud, plus @github Actions, @GitLab CI, @circleci, @buildkite.
If you’re not detected, your sessions just show up as “unknown-linux” in Anthropic’s analytics.
Last Seen Users on Sotwe
Kamakirukan
Seen from France
Tuấn
Seen from Vietnam
istanbul beyi
Seen from Turkey
tikis
Seen from Indonesia
SEX MEX.COM
Seen from Turkey
dcbrne (top 0.09% Onlyfans)
Seen from France
nf
Seen from Qatar
Cuckold. &. Swinger paylaşımlar
Seen from Turkey
عِعِݪيۅي
Seen from Oman
Indo bokep 18+
Seen from Indonesia
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
86.8M followers
Taylor Swift
@taylorswift13
80.7M followers
Lady Gaga
@ladygaga
72.2M followers
Kim Kardashian
@kimkardashian
69.4M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.6M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.2M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
59.9M followers