Skip to main content

olafalders.com

Recent

The dot claude Attack Surface
·547 words·3 mins
security AI supply chain
You won’t find anything nefarious in most .claude directories — but how do you know until you look? Trusting a cloned repo enables its Claude Code hooks with no further prompts, now and every session after. Here’s what that decision covers and how to narrow it.
Keeping it Really Local
·112 words·1 min
open source Perl security networking
I worried that writing about an open issue in Dave Cross’s App::HTTPThis might have annoyed him. Instead he merged my patch, found a better solution, and blogged about taking the module to version 1.0.
Keep It Local
·615 words·3 mins
security networking Tailscale
127.0.0.1 keeps a dev server reachable only from my own machine; 0.0.0.0 opens it up on every network interface. Let’s look at how to bind clodhopper, air, Python’s built-in file server, and http_this so that they don’t broadcast your resources to the world.
On Hopping Claudes
·469 words·3 mins
AI
I vibe-coded a dashboard for hopping Claudes. It allows me to see which of my agents are working, stalled, or waiting on me. Under the hood it captures each agent’s hook events into a local SQLite database.
On GitHub Issues as Untrusted Input
·628 words·3 mins
AI security
A GitHub issue is a handy source of truth for kicking off an agent workflow. On a public repo, every input on that issue is untrusted, and a quick scan of the comments may not catch what’s hidden before you flip your agent into YOLO mode and wander off.
What the Duck Is Up with Trail Running?
·663 words·4 mins
running My Mind is Racing
As I add races to My Mind is Racing, the trail and ultra races keep standing out for how cleverly they’re named — lots of wordplay and dark humour. I’ve never run a proper trail race myself, but I’ve put together a list of the best-named ones to get your racing calendar started.