CVE-2026-33579: What "Assume Compromise" Actually Means for OpenClaw Users
CVE-2026-33579 let low-privilege OpenClaw users escalate to admin. If you're below v2026.3.28, patch now and review access.
Blog
Strategy, systems, and security notes for operators building with AI.
25 posts published.
A leaked Claude Code npm package exposed source code, then shipped trojanized axios versions—showing how fast an AI tool can become a supply-chain risk.
ClaudeClaw is Claude Code used for automation. OpenClaw is a self-hosted automation platform. The difference is speed versus control.
Any authenticated OpenClaw user could escalate to admin during the WebSocket handshake. The fix is in v2026.3.12.
A low-privilege OpenClaw token could rotate itself into a full admin token in one API call. The fix is in v2026.3.11.
Removing a device from OpenClaw did not kill its active session. Affected versions kept the revoked device connected until the WebSocket dropped.
CISA added Langflow CVE-2026-33017 to the KEV catalog, confirming active exploitation and setting an April 8 patch deadline for federal agencies.
OpenClaw is becoming foundational AI agent infrastructure. OpenAI hired its creator, Meta made acquisitions around the ecosystem, and developer education outlets are now teaching it as a core platform.
Stan Store leads on pure fee economics, Whop adds marketplace discovery, and Skool or Circle fit community-first models depending on your growth stage.
Anthropic accidentally exposed Claude Code source showing an "Undercover Mode" that strips AI attribution from open-source contributions.
Anthropic confirmed it is developing a model class above Claude Opus 4.6. The model exists; the leaked performance claims do not yet have independent verification.
Anthropic has rolled out persistent memory to all Claude.ai users, letting Claude retain user preferences, role, and context across separate conversations.