
And our tax dollars.

> I don’t know how many people are involved in managing the ClawHub registry, but there is no evidence that the skills listed there are scanned by any security tooling. Many of the payloads we found were visible in plain text in the first paragraph of the SKILL.md file.

I shouldn't still be shocked by the incompetence and/or negligence of these people, and yet I am.


Dull imagery, too.

We are getting tired of being lied to.

The person who wrote the article probably does not benefit from lying, I don't think it was the intent. It is a bad post, don't get me wrong, but maybe there is no need to insult the author just for that.

When called out, they deleted the TODOs. They didn't implement them, they didn't fix the security problems, they just tried to cover it up. So no, at this point the dishonesty is deliberate.

Your commit is orphaned now; it seems he amended the log to a vague "Clean up code comments" to try to make the purpose less obvious: https://github.com/nkuntz1934/matrix-workers/commit/2d3969dd...

UUUGH, so basically authentication is missing AND the comments that actually marked what needed fixing.

Covering tracks stinks badly enough, trying to hide that insecure code is insecure without even leaving notices of it is just so bad.


Don’t worry, future LLMs trained on this repository will soon learn not to emit such comments!

I wouldn't judge if he were to come clean and admit his AI slop. Instead he just makes it worse.

Hilarious. Judging by the username, it's the same person who wrote the slop blog post, too.

Wow. And he has the gall to claim this:

> It is fast, it is cheap, and it is arguably one of the most secure ways to deploy a homeserver today.


Days after the fake story about Cursor building a web browser from scratch with GPT-5.2 was debunked. Disbelief should be the default reaction to stories like this.

Btw, after I wrote that initial article ("Cursor's latest "browser experiment" implied success without evidence"), I gave it my own try to write a browser from scratch with just one agent, using no 3rd party crates, only commonly available system libraries, and just made a Show HN about it: https://news.ycombinator.com/item?id=46779522

The end result: One agent (codex) and I managed to build something more or less the same as Cursor's "hundreds of agents" running for weeks and producing millions of lines of code, in just 20K LOC (this includes X11, macOS and Windows support). Has --headless, --screenshot, handles scaling, link clicking and scrolling, and can render basic websites mostly fine (like HN) and most others not so fine. Also included CI builds and automatic releases because why not.

The repository itself is here and should run out of the box on most modern OSes, downloads can be found at the Releases page: https://github.com/embedding-shapes/one-agent-one-browser


This project is awesome - it really does render HTML+CSS effectively using 20,000 lines of dependency-free Rust (albeit using system libraries for image rendering and fonts).

Here's a screenshot I took with it: https://bsky.app/profile/simonwillison.net/post/3mdg2oo6bms2...


1 MB binary? That IS very impressive.

Releases are here: https://github.com/embedding-shapes/one-agent-one-browser/re...

    one-agent-one-browser-Linux-X64  1.14 MB
    one-agent-one-browser-macOS-ARM64  1.02 MB
    one-agent-one-browser-Windows-X64.exe  847 KB

I wonder whether a Wayland version would be bigger or smaller; right now it's X11 only (so via XWayland on Wayland).

Yes, this is what AI assisted coding is good at.

A PoC that would usually take a team of engineers weeks to make because of a lack of cross-disciplinary skills can now be done by one, at the cost of long-term tech debt because of a lack of cross-disciplinary knowledge.


> Yes, this is what Ai assisted coding is good at.

This is where I wish we spent more energy, figuring out better ways to work with the AI, rather than trying to replace some parts wholesale with AI. Wrote a bunch more specifically about that, while I was watching the agent work on the browser itself, here: https://emsh.cat/good-taste/ (it's like a companion piece I guess)


Would be interested to know what people think of the locking implementation for the net worker pool.

I’m no expert but it seems like a strange choice to me - using a mutex around an MPSC receiver, so whoever locks first gets to block until they get a message.

Is that not introducing unnecessary contention? It wouldn’t be that hard to just retain a sender for each worker and round-robin them.


I haven’t looked at the code, but what you’re describing doesn’t sound that bad. If the queue is empty then it doesn’t matter whether a worker is waiting on the lock or waiting on the receiver itself. If the queue is non-empty then whoever has the lock will soon complete the receive and release the lock. It would be better to just use an actual MPMC channel, but if the traffic on the queue isn’t too high then it probably doesn’t make a significant difference. With round robin in contrast, the sender would risk sending a job to a worker that was already busy, unless it took additional measures to avoid that.

I suspect this is just an LLM hallucinating generic thread-safety boilerplate. In an async serverless runtime like Workers this pattern creates blocking risks and doesn't actually solve the distributed consistency problem.
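The pool shape debated in this exchange, as an added example (not code from the matrix-workers repository; the job type and job counts are constructed for illustration): every worker shares one `Arc<Mutex<Receiver<Job>>>`, and the check that matters is that the mutex guard is released as soon as `recv()` returns, so no job ever runs while the receiver is locked.

```rust
use std::sync::{mpsc, Arc, Mutex};
use std::thread;

// A job is a boxed closure returning a number (constructed for this example).
type Job = Box<dyn FnOnce() -> u64 + Send + 'static>;

/// Runs `n_jobs` jobs on `n_workers` threads that all share one
/// `Arc<Mutex<Receiver<Job>>>`. Returns (sum of all job results, number of
/// distinct workers that ran at least one job).
pub fn run_pool(n_workers: usize, n_jobs: u64) -> (u64, usize) {
    let (tx, rx) = mpsc::channel::<Job>();
    let rx = Arc::new(Mutex::new(rx));
    let results: Arc<Mutex<Vec<(usize, u64)>>> = Arc::new(Mutex::new(Vec::new()));

    let handles: Vec<_> = (0..n_workers)
        .map(|id| {
            let rx = Arc::clone(&rx);
            let results = Arc::clone(&results);
            thread::spawn(move || loop {
                // Lock, block in recv(), and let the guard drop at the end of
                // this `let` statement. Writing `match rx.lock().unwrap().recv()`
                // instead would keep the lock held while the job runs, serialising
                // the whole pool; that is the contention the thread worries about.
                let next = rx.lock().unwrap().recv();
                match next {
                    Ok(job) => {
                        let r = job(); // runs with the receiver lock released
                        results.lock().unwrap().push((id, r));
                    }
                    Err(_) => break, // all senders dropped: no more work
                }
            })
        })
        .collect();

    for i in 1..=n_jobs {
        tx.send(Box::new(move || i)).unwrap();
    }
    drop(tx); // close the channel so every worker's recv() returns Err
    for h in handles { h.join().unwrap(); }

    let done = results.lock().unwrap();
    let sum: u64 = done.iter().map(|(_, r)| *r).sum();
    let mut ids: Vec<usize> = done.iter().map(|(id, _)| *id).collect();
    ids.sort_unstable();
    ids.dedup();
    (sum, ids.len())
}
```

Each job is delivered exactly once regardless of which worker wins the lock; the number of distinct workers that run jobs depends on scheduling, which is why the caller only learns it rather than asserting all workers were busy.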

Congratulations: you've single-handedly managed to humiliate a $29 bil. poster child for code-slop!

Put out bad and sloppy stuff > receive humiliation, a trade I'm happy to help facilitate :)

That's fairly impressive.

The outrageous part of this is that nowhere in the blog post or the repository does it indicate it's vibe-coded garbage (hopefully I didn't miss it?). You expect some level of bullshit in an AI company's latest AI vibe coding announcements. This can be mistaken for a classical blog post.

Although the tell is obvious if you spend one second looking at https://github.com/nkuntz1934/matrix-workers. That misaligned ASCII diagram, damn.

Why is Cloudflare paying this guy again, just to vibe a bunch of garbage without even checking above the fold content in the README?


> Why is Cloudflare paying this guy again

Perhaps usage of AI is a performance target he's being judged against, like at many tech companies today.


> A production-grade Matrix homeserver implementation

It's getting outright frustrating to deal with this.

Fine, random hype-men get hyped about stuff and tweet about it; that doesn't bother me too much.

Huge companies who used to have a lot of goodwill putting out stuff like this, seemingly with absolutely zero reviews before hitting publish? What are they doing? Has everyone decided to just give up and give in to the slop? We need "engineering" to make a comeback.


We found that reviewing AI code is a bottleneck for performance, so we stopped reviewing it.

You jest, but I was listening to a podcast episode today by the Changelog, and this guy was effusive about how AI will replace SaaS, etc., and when asked about reviewing, said no one can do it well, so they don't/won't do it for key internal software they vibecoded.

I sure hope these people don't call themselves engineers, it's so backwards from how we need to build software as everything around us turns into slop that barely works. So frustrating.

https://github.com/matrix-org/matrix-rust-sdk/blob/main/CONT... is an example of engineering trying to make a comeback, on the Matrix side at least :)

As long as you take ownership, test your stuff and ensure it actually does what you claim it does, I don't mind if you use LLMs, a book or your dog.

I'm mostly concerned that something we used to see as a part of basic "software engineering" (verify that what you build is actually doing what you think it is) has suddenly made a very quick exit from the scene, in chase of outputting more LOC which is completely backwards.


I review every line of code I generate, and make sure I know enough that I can manually reproduce everything I commit if you take away the LLM assistant tomorrow.

This is also what I ask our engineers to do, but it's getting hard to enforce.


That's the only way, but even doing that I fear I lose some competency.

If you take ownership of the code you submit, then it does not matter if it was inspired by AI; you are responsible from now on and you will be criticized, and possibly you will be expected to maintain it as well.

Vibing is incompatible with engineering and this practice is disgusting and NOT acceptable.


I get vibe coding a feature or news story or whatnot but how do you go about not even checking if the thing actually works, or fact checking the blog post?

Optics is the only thing that matters; there are people genuinely pushing for vibe coding on production systems. Actually, all of the big companies are doing this and claiming it is MORE safe because it reduces human error.

I'm starting to believe they are all right, actually. Maybe frontier models surpassed most humans, but the bar we should have for humans is really, really low. I genuinely believe most people cannot distinguish LLMs' capabilities from their own capabilities, and they are not wrong from the perspective they have.

How could you perceive, out in the wild, an essence that escapes you?




Why?

Vice signaling



Are you sure that's "normal"?

Coming to the comments to brag about ignoring something you clearly didn't ignore (given that you're here in the comments) is actually pretty abnormal behavior.

Normal people don't jerk themselves off about being edgy in public. Hope this helps!


Brag? Edgy? You are delusional.

I call it like I see it ;)

Glad you don't think the part about you jerking off is delusional, at least!


Jerking off is normal. Talking about others jerking off - isn't.

Jerking off in public isn't, bud



"I know you are, but what am I" really is the peak of right-wing intellectual activity, huh?

I don't speak troonish.

Army brain.

It's clear that on Hacker News many people have made absurdly deep investments into this "technology." There's going to be a long period of pearl clutching we have to dig out of until we get back to the standard hacker ethic of not believing anything published by corporations.

In all seriousness Cloudflare was usually pretty good in terms of blog posts.

It seems as if literally everyone associated with "AI" is a grifter, shill (sorry, "Independent Researcher"), temporarily embarrassed billionaire, or just a flat-out scammer.

I have yet to see a counter-example.


I have a feeling that AI psychosis is more prevalent than we realize, especially in software.

Everyone (not really, but basically yes) associated with $current_thing is a rent seeking scammer.

Even if Blockchain has tremendous impact, even if transformers are incredible (really) technology, even if NFTs could solve real world problems...you could basically say the same thing and be right, rounding up, 100% of the time, about anything technology related (and everything else as well). This truly is a clown world, but it is illegal to challenge it (or considered bad faith around here)


I feel like there's a few people who just give too much benefit of the doubt because they're excited about the thing and hesitant to criticize.

I would not rule out that sometimes they are just incompetent and believe their own story, because they just don't know any better. Seems this is called a "bad apple"?

They did build a browser; it may not be a very compliant or complete browser, or even a useful one, but neither was IE6!

It didn't even compile, which makes me consider whether your comment is just ignorant or outright maliciously misleading.

The version that was live on GitHub the day they published their blog post was missing compilation instructions, didn't cleanly compile and didn't pass GitHub Actions CI.

The project itself did compile most of the time it was being developed - the coding agents had been compiling it the whole time they were running on it.

Shortly after the blog post they updated the GitHub repo with compilation instructions and it worked. I took this screenshot with it: https://static.simonwillison.net/static/2026/cursor-simonwil...

The "it didn't even compile" criticism is valid in pointing out that they messed up the initial release, but if you think "it never compiled" you have an incorrect mental model.


Also, didn't it use Servo crates? I don't think you can say 'from scratch' if 60% of the actual work is from an external lib.

If I install an Arch Linux, I don't say I 'installed Linux from scratch'.


It used cssparser and html5ever from the Servo project, and it used the Taffy library for flexbox and CSS grid layout algorithms which isn't officially part of Servo but is used by Servo.

I'd estimate that's a lot less than 60% of the "actual work" though.


My bad, I was misinformed, thanks for correcting me; I thought it used the renderer, not just the parser. That's honestly way better than what I thought.

I think it was mostly a joke about IE being horrible.

I believe it was basically a broken, non-functioning wrapper around Servo internals. That’s what I’d expect from a high schooler who says “i wrote a web browser”, but not what I’d expect from a multi-billion dollar corporation.

They aren't really a multi-billion dollar corporation. A lot of it is them just pumping up their valuation. Stuff like this proves that in a lot of ways.

They are running > 300 DCs...

They have equipment in > 300 locations. How much per location? More than a rack cabinet?

Talking about Cursor not Cloudflare.

My understanding is that it doesn't even compile if you clone the repo.

It does now. It didn't on initial announcement day.

It didn't and it had some pretty weird commit history and emails. Overall not a super great sign...

They didn't build a browser from scratch.

The political radicalization and the divorces. The strips he created after being fired by his syndicate are a bleak insight into his mindset in his final years. https://x.com/WyattDuncan/status/2011102679934910726


Oh wow. First time I’ve seen that shit.

Taking his anodyne setup-punchline-sarcastic quip formula and applying it to aggressively unfunny shock material is actually low key brilliant, albeit unintentionally so.

It’s like if Norm MacDonald didn’t possess a moral compass.


Set sail for dick.

