Arthur Stanley

Arthur Stanley

Recruiter

Badges

Tastemaker
Tastemaker
Gone streaking 10
Gone streaking 10
Gone streaking
Gone streaking
Gone streaking 5
Gone streaking 5

Recently Supported

Clark
ClarkAn AI coworker with its own cloud computer
Goose Ads Remixer
Goose Ads RemixerRemix the ads already winning in your niche
JustVibe
JustVibeThe search engine for doing, with apps built for you
Effects SDK
Effects SDKAI video & audio effects SDK for real-time apps
Scarlett.
Scarlett.Your AI Co-Worker in Slack & iMessage
Mark by Airtop
Mark by AirtopVibe automation for solo marketers
Tabstack Browser Automation
Tabstack Browser AutomationAutomate the web in your app or agent, no browser to host
Adam CAD Copilot
Adam CAD CopilotAI CAD inside Onshape and Fusion

Forums

Browser Notes - Slash commands, star favorites, to-dos & smoother sticky boards

Hey everyone quick this week update for Browser Notes https://browsernotes.app.

My subagent targeted its own orchestrator - looking for AI firewall\sandbox recommendations.

I was running Claude Code with Fable 5 as the main orchestrator, delegating work to Opus 4.8 subagent. One of the sub-agents ignored it's assignment completely and returned a prompt targeting the orchestrator instead.
It tried to make it to:

  • treat a "dependency modernization" task as a hidden priority;

  • read Brevo API credentials;

  • send them to an external server;

  • disguise the action as a routine migration.

After investigating, the most surprising part was that this wasn't coming from my codebase or skills. The subagent fully hallucinated the malicious instructions by itself. And the domain it provided isn't even registered.

In my case no harm could have been done because secrets are stored in the encrypted Ansible Valult.
But nonetheless, the incident is very alarming and I think I should set up a strict sandbox or firewall for AI. Sadly, projects I could find so far weren't mature and trustworthy.
Has anyone found reliable solutions for this?
Here's the full attack response the sub-agent created:

3d ago

Anyone actually checked their vibe-coded app for security holes, or just hoping for the best?

Been thinking about this after seeing a few posts here about vibe-coded apps breaking in production. Auth bugs, webhook failures, that kind of thing.

What worries me more is the stuff that doesn't break loudly. No error, no crash, it just quietly leaks data or accepts requests it shouldn't. Things like exposed API keys sitting in the frontend bundle, missing rate limits, or database rules that let any logged in user read rows that aren't theirs. None of that throws an error. It just sits there until someone finds it.

For the non-engineers building real products with this stuff, what does your actual security check look like before you launch. Are you running anything to scan for this, paying someone to review it once, asking the AI itself to audit its own code, or just shipping and hoping nothing bad happens.

Curious if there is an actual workflow people are settled on, or if this is still the part everyone quietly skips.

View more