Opening

Simon Willison found a hole in Claude's web_fetch tool. Not a theoretical one, a working exfiltration path where a crafted page tricks Claude into leaking session context to a remote server. Ayush Paul spotted it first; Willison documented exactly how it works and what the guards missed.
This is the threat model most operators aren't running. You wire up web_fetch because it makes your agent useful, and you trust the tool-level design to hold. Anthropic's design is genuinely thoughtful here, which is why the gap is interesting: one edge case in the validation chain and data walks out the door. Read Willison's writeup before you ship anything with web fetch in a context that touches user data.
The rest of today's issue is the practical side: 10 repos to pull, 3 tools to wire, and signals worth your 90 seconds. Two moves worth stealing before lunch, each about four minutes to wire up: run Claude Code headless with --print to drop it into a CI pipeline unattended, and pipe git log into Claude to write your changelog and release notes in one command.
Advertisement
Your Website Shouldn't Look Like It Was AI-Generated
You know the pain. Your AI builder ships something functional. Technically a website. But your customers can tell.
Readdy.ai generates designs that actually convert, with clean layouts, professional copy, real visual hierarchy, and distinct custom designs that don't look like AI.
Get a site that's as special as your business. Live in under 5 minutes.
Agency quality. DIY price.

Start Here
New here? This part is for you. Operators, skip to The Drops.
What is prompt injection? Today's top story is about exactly this, so here is the plain version. An AI reads whatever text you hand it, and it treats instructions inside that text as things to do. Prompt injection is when someone hides sneaky instructions inside a web page, a file, or an email, so that when your AI reads it, it quietly follows the attacker's orders instead of yours. It is the AI version of a con artist slipping a fake note into your paperwork. You do not need to panic. You need to know it exists before you let an AI read something you do not control.
Do this today (2 minutes, no coding): Open the AI tool you already use and ask it: "What can you do with the links and files I give you?" Read the answer. You are learning where your tool reaches out to the wider internet, because that is exactly where today's risk lives. Knowing that edge is the whole lesson.
How to use today's picks: Below are 10 repos and 3 tools builders are using right now. You do not need to install anything to get value. Read the one line pitch, click through, and skim the README, the project's plain language front page. Installing comes later, only when one solves a problem you actually have.
Plain English:
- prompt: what you type to an AI to tell it what you want. Your instructions, in plain words.
- token: the small unit of text an AI reads and counts, roughly a word or a piece of one. It is how AIs measure length and cost.
We read your replies. You told us you are here to learn, so this block is for you. Hit reply with any word you want decoded, and we will define it here.
Advertisement
AI is in your development workflow. The token spend shows it, the throughput doesn't. The human is still in the loop, and that's a context problem. Join Jul 23 to see how AI-native teams solve it. Register For Webinar
The Drops

[Repo] Nutlope/hallmark, 8,036 stars. An anti-AI-slop design skill for Claude Code, Cursor, and Codex. It enforces visual judgment rules at the agent layer so your output doesn't look like every other vibe-coded landing page. If you ship UIs with Claude Code, this goes in your skill set today.
[Repo] NousResearch/hermes-agent, billed as "the agent that grows with you." Nous Research has a real track record on open weights; this one is getting traction across the web right now. Worth watching how they've structured the growth loop.
[Repo] browser-use/browser-use, makes websites accessible for AI agents, 104,887 stars. The practical use case: point it at any web UI your stack can't API-access and let the agent handle it. The gotcha is session management on login-gated pages; plan for that before you automate anything sensitive.
[Repo] nexu-io/open-design, 78,561 stars. Local-first desktop app that turns your coding agent into a design engine: prototypes, landing pages, dashboards, slides. Positioned as the open-source Claude Design alternative. The local-first architecture is the real reason to care, your design context stays off shared infra.
[Repo] moeru-ai/airi, 42,446 stars. Self-hosted, self-owned AI companion runtime. The architecture is the interesting part: it's a container model for hosting persistent AI personalities with real-time capability. Ignore the waifu framing and look at what the runtime actually lets you do with persistent character state.
[Repo] google-labs-code/stitch-skills, 7,424 stars. A library of agent skills built for the Stitch MCP server, following the Agent Skills open standard. Compatible with Antigravity and other coding agents. The standard compatibility is the point, skills you write once port across agents.
[Repo] thedaviddias/Front-End-Checklist, 73,216 stars. The essential web dev checklist, now explicitly positioned for AI agents. When you're having Claude Code scaffold a front end, pasting this checklist as context dramatically narrows what it misses on first pass.
[Repo] harry0703/MoneyPrinterTurbo, 97,644 stars, Social Buzz pick. One-click AI short video generation with an LLM backend. The operator angle: it's a complete pipeline, not a component. If short video is part of your content stack, this is a faster entry point than building the pipe yourself.
[Repo] huytieu/COG-second-brain, 602 stars. Self-evolving second brain with 17 AI skills, 6 worker agents, and a people CRM. Inspired by Garry Tan's gstack. Works with Claude Code, Cursor, Kiro, Gemini CLI, and Codex. Small star count but the architecture is more considered than most in this space.
[Skill] Master-cai/Research-Paper-Writing-Skills, 5,164 stars. A skill package for ML, CV, and NLP paper writing, curated from Prof. Peng Sida's open notes and adapted for Claude Code, Codex, and Gemini. The use case beyond academia: any long-form structured writing where you need the agent to hold a consistent argumentation style.
[Affiliate] SaneBox, AI email triage that works on any inbox. It reads only headers, never message content, and moves low priority mail out of the way so what is left is signal. Fewer hours in the inbox, more hours building.
The Stack

[Tool] Doriandarko/claude-engineer, an autonomous coding agent built on Claude. It handles file ops, web search, and runs a self-improving tool loop. The non-obvious move: drop it into a project where you want Claude to maintain a running improvement log across sessions, not just execute one-shot tasks.
[Tool] All-Hands-AI/OpenHands, open-source software development agent with sandboxed execution, web browsing, and code editing. The sandboxed execution is what separates it from a plain coding agent: you can hand it a task that touches the filesystem without worrying about the blast radius.
[Tool] PatrickJS/awesome-cursorrules, a curated library of .cursorrules files across stacks. If you're building your CLAUDE.md from scratch, treat this as your reference corpus. The patterns here have been tested across real projects and tell you exactly which constraints actually matter per language and framework.
Today's Signals

- Claude's web fetch has an exfiltration path. Simon Willison documented a working attack where a crafted page tricks Claude into leaking session context via web_fetch. Anthropic's guards are thoughtful but one validation gap exists. Audit anything you've built with web fetch on user-data contexts. Simon Willison
- OpenAI shipped a $230 keyboard for Codex. Mid legal battle with Apple over hardware trade theft allegations, OpenAI released a light-up keyboard paired with its agentic coding app. The operator consequence: this is the first explicit signal that Codex is being positioned as a hardware-bundled product, not just an API. Watch where pricing goes next. TechCrunch
- Context engineering is the new prompt engineering. Dex Horthy's breakdown in Pragmatic Engineer argues that controlling what context an agent sees, and when, is now the primary lever on output quality. Not which model you use. If your agents are underperforming, audit the context window before you swap models. Pragmatic Engineer
- OpenAI laid out a "reverse federalism" AI governance position. State laws first, national framework second. Operators building in regulated industries should read it as a signal: the patchwork period is not ending soon, and state-level compliance requirements will keep diverging before they converge. OpenAI Blog
Advertisement
The AI IPO Rush Is Coming
OpenAI and Anthropic could bring a new wave of AI attention to the public markets. But investors don’t have to wait for the IPOs.
MarketBeat’s 7 AI Stocks to Buy Now report reveals 7 publicly traded companies positioned to benefit from the next phase of AI investment.
Builder's Brief

We build The AIgent's engine in the open. An honest look at what we are making, what broke, and where it is headed. This week: auditing our own homepage and finding it quietly wrong.
Every number a human pastes into a page starts becoming a lie the moment it lands. The only question is the schedule.
Before opening up our sponsorship push, we audited the copy on our own homepage and pitch deck. The pages were well-written. They were also wrong in five places, all the same way: a subscriber count, hardcoded months ago, appeared five times across the two pages, and the list had grown past it by roughly a hundred readers a day since. One page said one number, the other page said another, and the live figure matched neither. Deeper in the stats block sat the worst kind of number: a click metric nobody could source at all. Not stale. Unfounded.
Nobody touched those pages and made them wrong. Growth did. That is the trap: stale numbers are not a mistake anyone commits, they are a default that arrives on its own.
The fix sorted every number on both pages into three bins. Live: anything that changes weekly or faster now renders from the API, with a dated fallback if the fetch fails. Stamped: anything static gets an as-of date next to it, so it ages honestly. Deleted: the unsourceable stat did not get corrected, it got removed, because a number you cannot source is not a fact with a typo, it is fiction with confidence.
The audit is one command and an hour: grep your public pages for digits. For every hit, ask "where does this number come from, today." Live-fetch it, date it, or delete it.
When did you last diff your homepage's numbers against reality? Hit reply with the staleness you find. We read every one.
|
Recommended reading
If you like The AIgent, a small group of operator-tier publications worth your inbox: see the shortlist. |
Before You Go
The Willison writeup is the one to reread before you ship anything with web_fetch touching user data. Security breaks are interesting precisely because the design was careful and it still had a gap. That's the real lesson: layered defense, not trust in any single guard.
See you Friday.



