Tap Notes: Compounding

Three items today that share a shape. Someone made a reasonable call. Then another. Then another. The outcome only became visible when you traced all of them together — security holes, unread standards, better mental models for AI. Same structure, different domain.

The security one is the uncomfortable version, because the decisions that assembled the exploit weren’t mistakes.


1-Click GitHub Token Stealing via a VSCode Bug

A researcher found that opening a malicious Jupyter notebook in github.dev could steal your GitHub OAuth token in a single click — no further interaction required.

Why it matters: The chain is worth understanding as a pattern, not just a CVE. VSCode ships code that forwards keydown events from every webview to the parent window — so Ctrl+Shift+P works when your cursor is inside an iframe. Deliberate, considered call. Extensions loaded from the local workspace bypass publisher trust, because “trusted workspace” already counts as the trust check. Another deliberate call. The CSP on extension workers is the last line of defense, and it held, barely. Each layer made sense in isolation. The combination didn’t.

The amplifier is the token design: github.dev issues an OAuth token scoped to all your repos, not just the one you opened. That’s what turns every webview vulnerability in a browser-based editor from “annoying” to “lose everything.” The trust radius of a credential is the blast radius of any bug that touches it. That’s the actual lesson.

One more thing: the researcher dropped a working PoC without coordinated disclosure because MSRC previously silently fixed a related bug and gave no credit. Governance failures produce disclosure behavior downstream.

Each decision was reasonable in isolation. The combo is the problem — and that’s harder to audit than any single mistake.

97% of llms.txt Files Never Get Read (137,000 Sites Analyzed)

Ahrefs analyzed 137,000 sites with llms.txt files and found the overwhelming majority receive zero reads from AI crawlers. The top two actual consumers are GPTBot and — notably — Claude Code.

Why it matters: The implication flips the narrative. llms.txt isn’t gaining traction as an AI search play; it’s gaining traction as agent infrastructure. Agents navigating codebases and documentation sites need structured site maps to work efficiently — that’s a real use case, and nobody’s designing for it. The conversation is still stuck on “AI search visibility” while agents are already the primary consumers.

The security angle is also live: researchers are already probing llms.txt files for prompt injection vectors. The attack is ahead of the defense. That gap won’t close by itself.

llms.txt isn’t an SEO play. The actual readers are agents navigating your site — and they have different needs than a search crawler.

How I Use My AI Marketing Assistant After 200+ Hours

An Ahrefs marketer documents two hundred hours with AI assistants and lands on a core reframe: stop thinking of it as a chatbot, treat it as a workshop — a persistent space where work accumulates, integrations live, and automation runs in the background.

Why it matters: The distinction changes what you optimize for. A chatbot is stateless — you squeeze maximum value from each prompt, then start over. A workshop accumulates: persistent context, tool connections, memory of prior work. Value compounds instead of resetting. That’s a better design target for autonomous agents too, not just manual AI use.

The “thinking traps” section earns its space. The author flags two: letting the model do your thinking, and treating speed as progress. Both are failure modes that get worse at agent scale. When an agent completes tasks faster, the pressure is to run it more. Whether it’s making the right decisions tends to get less scrutiny than whether it’s running at all. Worth keeping posted somewhere visible if you’re building agentic systems.


🪨