Stayner News
Show HN: ClawCare – Security scanner and runtime guard for AI agent skills
<p><pre><code> Lately I've been more or less a human wrapper around my AI agents —
Claude Code, OpenClaw, etc. They're incredibly productive, but they
scare me regularly.
The wake up moment: I had an agent run tasks involved checking my
environment variables. I totally had an AWS secret sitting right
in there. By the time I realized, my key had already entered the
session context — meaning it was sent to the LLM provider and whatever
router layers sit in between. I had to rotate that secret immediately.
That was a wake-up call. These agents can run commands, read files,
and access secrets without visibility to human.
Third-party skills and plugins make it worse —
Cisco recently found an OpenClaw skill silently exfiltrating data via
curl. CrowdStrike, NCC Group published similar findings. The attack
surface is real and it's everywhere.
I spent my past week's nights building ClawCare. It does two things:
1. Static scanning — scans plugin/skill files for dangerous patterns
(pipe-to-shell, credential access, reverse shells, data exfiltration,
prompt injection) before they ever run. Works in CI.
2. Runtime guard — hooks into the agent's tool execution pipeline and
blocks dangerous commands in real time. That env dump that leaked my
AWS key? ClawCare blocks it before it reaches the LLM.
pip install clawcare
clawcare guard activate --platform {claude|openclaw}
Currently supports Claude Code (PreToolUse hooks) and OpenClaw
(before_tool_call plugin) for runtime guarding, plus static scanning
on Claude/Codex/OpenClaw/Cursor skill and plugin formats.
Include 30+ detection rules, custom rules and integration supported,
support skill manifests on permission boundaries, full audit trail.
Apache 2.0. Python 3.10+.
GitHub: https://github.com/natechensan/ClawCare
Demo: https://github.com/natechansan/ClawCare-demo</code></pre>
Show HN: Agentplace, the tool we built to become a 20x company
How to do it w/o a dedicated person for AI innovation?That problem is what we kept running into at Agentplace.We wanted a builder that handles the full stack for an internal agent: backend, database, any MCP-ish integrations, and a real custom UI.A side note: The zero-UI autonomous agent dream is completely oversold. The communication loop between models and humans is still tight, and a purpose-built interface that fits that loop makes agents dramatically more reliable in practice. Custom U
Show HN: Octrafic – Natural language API testing CLI
It's a CLI tool that lets you describe what you want to test in plain English - the agent generates and runs the test plan against your API. You can point it at an OpenAPI spec, a Postman collection, GraphQL schema, or just a URL.<p>New in v0.5.0:<p>OpenAPI Scanner - scans your source code and auto-generates an OpenAPI 3.1 spec<p>Headless/CI mode - run non-interactively with octrafic test for pipeline integration<p>GitHub: <a href="https://github.com/Octrafic/octrafic-cli" rel="nofollow">https://github.com/Octrafic/octrafic-cli</a><p>Happy to answer questions any questions.
Show HN: AliveUI – CSS framework with motion and depth as first-class primitives
You reach for Framer Motion, write 40 lines of keyframes, or pile on JS runtime for something that should just be a class.AliveUI treats depth and motion the way Tailwind treats spacing — as a primitive you compose, not a library you configure.A few things that make it different:Depth layers (d1–d3): One class gives an element physically correct elevation — shadow, border, background, and hover lift all update together.Motion tokens: alive-enter, alive-enter-down, alive-enter-right, alive-enter-
Show HN: VeryBot – Self-hosted AI assistant for work
I wanted one self-hosted assistant that could actually do work, not just answer questions.What it does:- Chat with an AI assistant that creates tasks, teams, and schedules from conversation- Kanban board the assistant can populate and update- Scheduled automation (recurring reminders, follow-ups) without external cron- Playbooks: save workflows (onboarding, incident triage, release checklists) and rerun them- Connect Telegram, Discord, Slack, or WhatsApp as channels- Mobile-friendly UI, same int
FOR SALE: 1945 Nottawasaga Concession 10 S Unit 11, Stayner
For Sale: 1945 Nottawasaga Concession 10 S Unit 11, Stayner
Listing by: Blair Thompson, Broker of Record
RE/MAX Four Seasons Realty Limited, Brokerage
Show HN: SaveSync – A co-op save sync tool that uses Steam Workshop as a CDN
Instead of building my own cloud backend, I’m leveraging the Steam Workshop API as a private storage layer.The tool handles the encryption locally before uploading the saves as unlisted Workshop items, so they stay private to you and your friends. For games like Minecraft that aren't natively on Steam, I built a feature that tunnels the connection through Steam's network so friends can join each other as if they were on the same local network.It’s a one-time purchase because I’m tired
Show HN: I built an AI trainer and calorie scanner
The context switching was annoying, and most calorie trackers require too much manual data entry to be sustainable long term.I wanted a single, optimized workflow that handles the math for both energy in (nutrition) and energy out (training).How it solves the fragmentation:Computer Vision for Food: Instead of searching databases, you snap a photo. The AI identifies the food and estimates volume/macros instantly. It’s designed to be the fastest way to log a meal, drastically reducing the fri
Show HN: Axiom – Open-source AI research agent that runs locally (C#, Ollama)
I built an autonomous research agent in C# that runs entirely on local LLMs via Ollama.Give it a topic and it: generates diverse search queries, searches the web (Brave Search API, free tier), fetches and reads relevant sources, analyzes each source for key findings, and synthesizes a structured markdown report with citations.Everything runs locally — no OpenAI/Anthropic API needed. Just Ollama + llama3.1:8b.It takes about 15 minutes per research run on a mid-range CPU (Ryzen 5 5500, no GPU
Show HN: Security-Risk Patterns in OpenClaw Skills
This creates persistence - the injected instructions survive across sessions.Supply Chain Risk: External script downloads from raw GitHub URLs, and package install commands (npm install, pip install, gem install, cargo install, go install, brew install). A skill shouldn't be silently installing packages.Encoded Payloads: Base64 strings over 40 characters, atob()/btoa() calls, Buffer.from(..., 'base64'), hex escape sequences, and String.fromCharCode(). Encoding is used to bypa
Show HN: TagIntegrity – Free Consent Mode v2 Scanner
I built this after seeing too many sites lose Google Ads conversion data due to broken Consent Mode v2 setup.<p>Free scanner checks GTM/GA4/Ads + consent signals in 60 seconds. No signup required.<p>Example scan: <a href="https://tagintegrity.lovable.app/results/347d5a06-541d-4d6c-aff8-ead2f2718ef8" rel="nofollow">https://tagintegrity.lovable.app/results/347d5a06-541d-4d6c-...</a><p>Would love feedback on what would make this more useful!
Show HN: MacMule – EMule for MacOsx
I built this because I wanted to see if eMule still worked in 2025. It does — the ed2k and Kad networks are still alive.<p>The problem: eMule is a Win32 application. Getting it to run on macOS means Wine, and asking non-technical users to install and configure Wine is a non-starter.<p>The solution: macMule bundles eMule (community x64 build by irwir) with Wine Crossover (by Gcenx) into a single .app. Download, drag to /Applications, launch. It auto-connects to eMule Security servers and Kad on startup. Works on Apple Silicon through Rosetta 2.<p>The trade-off is size (~1 GB) since Wine is bundled. But after that it's genuinely zero-config.<p>Build process is a shell script — you can compile specific versions or latest stable. Requires Wine Crossover, Rosetta 2, and gh CLI.<p>Licensing: eMule is GPL v2, Wine is LGPL 2.1. Both respected in packaging.<p>Some things I found interesting while building this:<p>- The ed2k/Kad networks still have content you won't find on modern platforms. It's a weird corner of internet archaeology.
- Wine Crossover handles the Win32 → macOS translation surprisingly well for a client this old.
- The biggest challenge was getting auto-connection to work reliably out of the box so users wouldn't need to configure server lists manually.<p>Happy to answer questions about the packaging approach or Wine internals.<p>Reddit thread with some discussion: <a href="https://www.reddit.com/r/macapps/comments/1r5dile/os_emule_for_macos/" rel="nofollow">https://www.reddit.com/r/macapps/comments/1r5dile/os_emule_f...</a>
Subtle thermal factors I didn't expect when testing high-power LEDs
I’ve been experimenting with high-power LEDs in open, non-commercial setups to better understand real-world thermal behavior outside finished products.<p>What stood out was how strongly non-electrical details affected stability:
– mounting pressure
– interface materials
– real airflow paths versus assumed ones<p>Electrically everything stayed within ratings, but long-term thermal behavior varied more than expected.<p>For those who’ve worked with power-dense hardware:
what thermal assumptions turned out to be wrong in practice?
Launch HN: Omnara (YC S25) – Run Claude Code and Codex from anywhere
Omnara lets you run Claude Code and Codex sessions on your own machine, and exposes those sessions through a web and mobile interface so you can stay involved even when you’re away from your desk. Think of it like Claude Code Desktop or Conductor, except you can continue your sessions on your phone.Here’s a demo of the web and mobile apps - https://youtu.be/R8Wmy4FLbhQWe started using Claude Code early last year and quickly ran into a pattern: agents could work for long stretches
Show HN: Nibble a fast and easy to use network scanner
Hi HN.
I built Nibble, a local network scanner I always wanted because I kept forgetting the quickest way to find devices and services on my LAN or VPN that I needed to SSH or log into. It focuses on speed and ease of use.<p>It scans common ports, grabs service banners, and identifies hardware vendors in a clean terminal UI.
It’s open source and MIT Licensed, and it's available on brew, npm and pip.<p>I’d love for you to try it out.
Complex Regional Pain Syndrome (CRPS)
Speaker: Scott Stayner, MD, PhD
Date: 2/4/2025
2623 Concession 10 North Nottawasaga Rd., Clearview, Ontario
Unbranded
2623 Concession 10 North Nottawasaga Rd., Clearview, Ontario
Branded
Show HN: Spip – Open-Source Self-Hosted TCP Network Sensor
Spip is a lightweight, low-interaction network honeypot sensor. It listens for arbitrary incoming TCP traffic (plain and TLS), captures what scanners and bots send, and logs each connection as structured JSON (ECS-shaped) for easy ingestion into your SIEM or data lake.
Lessons from securing AI systems at runtime (agents, MCPs, LLMs)
MCP servers became quiet but critical control planes.Most existing security assumptions break in these scenarios because they assume:static servicesclear ownershipsingle-hop executionpre-defined boundariesAI systems violate all of those.We recently spent a week documenting and shipping solutions around runtime visibility and governance for AI systems, focusing on how agents, MCP servers, APIs, and models actually behave once live.Instead of high-level frameworks, we tried to answer practical que