h4kunamata 8 hours ago

>Did you find an issue that Claude did not, because you ran the webserver end to end, connected to a real database? Good, now give Claude Code an API key to the database and get out of the way. No need for copy-paste next time

Yup, that is why we are seeing so many production databases being deleted, and endless vulnerabilities.

No engineer with proper common sense will grant an agentic AI API access to the database.

"Ohh but it is read-only API access", it does not matter. You are still using a public service and your data is being stored elsewhere for training.

Unless you are self-hosting an agentic + LLM solution, it shouldn't have read-only access to a database. This does not affect companies because they just want AI to replace engineers everywhere they can.

nyellin 5 hours ago | parent | next [-]

I'm the OP and to clarify we don't give access to prod DBs. The point is you need to give the LLM the ability to test end to end, and that can be done with staging data.
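
One way to provision the kind of staging-only, read-only access described above, as an added example that is not part of this thread (PostgreSQL syntax; the database name `staging_app`, the roles `agent_ro` and `agent_runner`, the password and the expiry date are assumed placeholders):

```sql
-- Added example, not from the thread. Least-privilege PostgreSQL roles for an
-- agent that runs end-to-end tests against a STAGING database only.
-- staging_app, agent_ro, agent_runner, the password and the date are placeholders.

-- 1. A read-only group role that cannot log in by itself.
CREATE ROLE agent_ro NOLOGIN;
GRANT CONNECT ON DATABASE staging_app TO agent_ro;
GRANT USAGE ON SCHEMA public TO agent_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO agent_ro;
-- Tables created later in this schema get SELECT-only as well.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO agent_ro;

-- 2. The login the agent actually receives: inherits agent_ro, capped
--    connections, and a credential that expires on its own.
CREATE ROLE agent_runner LOGIN PASSWORD 'PLACEHOLDER-ROTATE-ME'
  IN ROLE agent_ro
  CONNECTION LIMIT 2
  VALID UNTIL '2030-01-01';

-- 3. Session guard rails so a runaway query or an open transaction
--    cannot tie up the staging database.
ALTER ROLE agent_runner SET default_transaction_read_only = on;
ALTER ROLE agent_runner SET statement_timeout = '5s';
ALTER ROLE agent_runner SET idle_in_transaction_session_timeout = '30s';

-- 4. Check the boundary from a session as agent_runner: every write must be
--    refused with "permission denied" because only SELECT was granted.
-- SET ROLE agent_runner;
-- DELETE FROM customers;        -- expected: ERROR: permission denied for table customers
-- SELECT count(*) FROM customers;  -- expected: succeeds
```

The actual boundary here is the GRANT list (SELECT only, no INSERT/UPDATE/DELETE/TRUNCATE, no CREATE); `default_transaction_read_only` is a convenience setting a session can switch off again, so it must not be the only control. Keeping this role on a staging instance, and never creating it on the production cluster, is what makes the "we don't give access to prod DBs" claim verifiable rather than a matter of trust.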

otaconjh 8 hours ago | parent | prev | next [-]

I audibly gasped when I read that. You would hope that "no engineer with proper common sense" will do that. The more we offload our thinking to agents though... I feel like it will be harder to reason against it as time goes on, until someone gets burned personally. Where I am there is zero emphasis on security with agents

h4kunamata 7 hours ago | parent [-]

>The more we offload our thinking to agents though... I feel like it will be harder to reason against it as time goes on, until someone gets burned personally.

Definitely!!

It is here to stay, it was poorly made public so now it is widely being used to break into systems forcing companies to depend on it to fight machine with machine.

However, that doesn't mean granting it full access to your cloud environment, and this is what lots of companies are getting wrong.

There is no proper boundary in place; all it needs is a single mistake and there goes your entire environment on the positive side, on the negative side your env is now open to the public :)

>Where I am there is zero emphasis on security with agents

This was terrible before AI anyway, agentic AI tools are just exposing what already existed.

Plus, as companies are blindly using AI-generated code, there are no measures in place to make sure that code doesn't have vulnerabilities in it either.

It is the perfect storm.

binary132 7 hours ago | parent | prev [-]

it has to be bait

please let it be bait