Blog
Articles and thoughts on web development, architecture, and technology.
An open MCP server is worse than an open database
Censys found 12,500 MCP servers on the public internet and 40% accept unauthenticated requests. We spent fifteen years learning not to expose databases. MCP re-ran the whole mistake in eighteen months, except this endpoint has verbs.
Skill, subagent, hook, or slash command? Pick the right one
Claude Code now gives you seven ways to steer it, and most people reach for the wrong one. The same task built four ways, and a decision tree you can actually follow.
Build an MCP server, then ask whether it should exist
A working MCP server is twenty lines of FastMCP. That is exactly the problem. A build tutorial, and the test for whether your server earns a place in the tool list at all.
The MCP supply chain is the new npm, and it is already poisoned
A config-to-command RCE is baked into every official MCP SDK: 7,000+ servers, 150M+ downloads, and Anthropic calls it expected. The npm playbook just found your agent tool list.
The agent is just a loop
An agent is a loop around a model with tools. If you use Claude Code you are already inside one, and you can drive it with hooks and slash commands, no SDK required.
The off-switch was never yours
Fable 5 did not crash. It was recalled. A US export directive pulled Anthropic's top model worldwide on June 12, for every customer at once, and no amount of retries or fallbacks would have saved you.
The Ferrari has a limiter: a day with Claude Fable 5
Anthropic shipped its most powerful public model yesterday, then flagged the exact work I needed it for and routed it to a weaker one. A day with Fable 5, the benchmarks, the bill, and the limiter nobody asked for.
The friction was the feature: Microsoft just handed an agent your inbox
At Build 2026 Microsoft made Windows the agent platform: OpenClaw in the OS, and Work IQ giving agents your email and calendar, on by default, GA June 16. An agent that reads your inbox and acts on your files is the dream payload for prompt injection. The friction everyone wants gone was a safety feature.
Nobody was driving: the first breach run by an agent, not a person
Sysdig caught an LLM agent driving a full intrusion, CVE to exfiltrated database, four pivots, under an hour, with no human typing a single command. Our defences assume someone is on the other end. That assumption just expired.
Your coding agent has no world model. You built it one.
Yann LeCun says the path to real intelligence runs through world models, not LLMs. He's probably right. And it explains exactly why your agent loop works.
Overview
- Articles: 52
- Read time: 277m
- Words: 49,977