LinkedIn Post - 2026-02-26 05:31

Most AI agent setups are a grenade with the pin half-out.
You don’t need a robot butler. You need guardrails that work today.

My AI research agent pulled the raw docs and security notes on MCP (Model Context Protocol), plus the OWASP hits, and the pattern is boring: trouble starts when you give tools shell, network, or write access. So here’s the minimal, safe MCP stack I run as a solo dev. I use bots as shovels, not chauffeurs. 🔒

Day-one stack - fast, boring, safe:

  • Read-only filesystem scoped to one project folder - lets the model read code and docs without seeing $HOME or writing anywhere.
  • Git read-only - status, diff, log - review help with zero commit risk.
  • Optional local resources server in the same project dir - notes and docs without any network.

Why it works: it’s useful instantly, works offline, and respects consent and least-privilege by default.

Skip these for now:

  • Shell or command runners - biggest blast radius.
  • HTTP or browser automation - injection and quiet data leaks unless tightly allowlisted.
  • Any write to disk or Git commit-push - unintended edits and secret spread.
  • SaaS connectors - token scope surprises.
  • Unvetted remote servers or auto-agents - supply chain and runaway loops.

Claude Desktop - 5 minute wiring:

  • Make a throwaway repo with no secrets.
  • Add two local servers via stdio in Settings - filesystem RO scoped to that repo, Git RO. Do not enable write endpoints.
  • Keep secrets out of JSON - pass via env or keychain.

Sanity taps before you trust it:

  • Can read one target file - yes.
  • Can list or read beyond the project dir - no.
  • Prompts before every tool call - yes.
  • Logs show each call - yes.
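What "read-only filesystem scoped to one project folder" and the sanity taps above boil down to in code, as an added example that is not from the post or from any MCP server: a guard that resolves every requested path (symlinks and `..` included), refuses anything that lands outside the project root, exposes no write methods, and logs every call, denied ones included. The class and function names (`ScopedReadOnlyFS`, `sanity_taps`) and the throwaway fixture it builds are constructed for illustration; the "prompts before every tool call" tap is client-side behaviour and is not modelled here.

```python
import tempfile
from pathlib import Path
from typing import Callable, Dict, List


class AccessDenied(PermissionError):
    """Raised for any path that resolves outside the project root."""


class ScopedReadOnlyFS:
    """Read-only file access confined to one project directory.

    Every incoming path is resolved (symlinks and '..' included) and must
    still lie inside the resolved root. There are no write methods at all,
    and every call, allowed or denied, is appended to an audit log so the
    client can show it.
    """

    def __init__(self, root: str) -> None:
        # strict=True: the root must exist, and it is resolved once so that
        # later containment checks compare real paths with real paths.
        self.root = Path(root).resolve(strict=True)
        self.calls: List[str] = []

    def _resolve(self, user_path: str) -> Path:
        # Relative paths are taken relative to the root. An absolute path
        # replaces the root when joined, so it only survives the check if it
        # already lies inside. resolve() follows symlinks, so a link that
        # points at $HOME is caught as well.
        candidate = (self.root / user_path).resolve()
        try:
            candidate.relative_to(self.root)
        except ValueError:
            self.calls.append(f"DENY {user_path}")
            raise AccessDenied(f"{user_path!r} is outside the project root") from None
        self.calls.append(f"ALLOW {user_path}")
        return candidate

    def read_text(self, user_path: str) -> str:
        return self._resolve(user_path).read_text()

    def list_dir(self, user_path: str = ".") -> List[str]:
        return sorted(p.name for p in self._resolve(user_path).iterdir())


def _denied(fn: Callable[[str], object], arg: str) -> bool:
    """True if the call is refused with AccessDenied (and nothing was read)."""
    try:
        fn(arg)
    except AccessDenied:
        return True
    return False


def sanity_taps() -> Dict[str, bool]:
    """Run the checkable taps against a constructed fixture.

    The fixture is a throwaway project dir holding one README, a sibling
    directory outside it holding a made-up 'secret', and a symlink inside
    the project pointing at that sibling.
    """
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "throwaway-repo"
        outside = Path(tmp) / "outside"
        project.mkdir()
        outside.mkdir()
        (project / "README.md").write_text("hello\n")
        (outside / "secret.txt").write_text("token=constructed-not-real\n")
        (project / "escape").symlink_to(outside)

        fs = ScopedReadOnlyFS(str(project))
        results: Dict[str, bool] = {}
        # Tap: can read one target file.
        results["reads_target_file"] = fs.read_text("README.md") == "hello\n"
        # Tap: cannot list or read beyond the project dir by any of the three
        # usual routes: '..' traversal, an absolute path, a symlink escape.
        results["blocks_dotdot"] = _denied(fs.list_dir, "../outside")
        results["blocks_absolute"] = _denied(fs.read_text, str(outside / "secret.txt"))
        results["blocks_symlink"] = _denied(fs.read_text, "escape/secret.txt")
        # Tap: logs show each call, the denied ones included.
        results["calls_logged"] = fs.calls == [
            "ALLOW README.md",
            "DENY ../outside",
            f"DENY {outside / 'secret.txt'}",
            "DENY escape/secret.txt",
        ]
        return results


if __name__ == "__main__":
    for tap, ok in sanity_taps().items():
        print(f"{tap}: {'yes' if ok else 'NO'}")
```

The containment check is done on the resolved path, not on the string the model sent: string checks like "does it start with the project dir" pass `../` tricks and symlinks straight through, which is exactly what the "cannot list beyond the project dir" tap is meant to catch.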

Kill switch when vibes go weird:

  • Disable servers in the client or yank them from config and restart. Worst case, kill the process. Pin versions and keep a clean config copy so rollback is one command. 🛠️

The catch: the itch to switch on shell and a browser on day one is strong. That’s how laptops get oopsed. If you expand later, add a fetcher with a tight domain allowlist, and put any write or shell inside a locked-down container with human review before changes land.
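The "tight domain allowlist" for a fetcher, as an added example that is not from the post or from any MCP fetch server: the decision is made on the parsed hostname with exact matching, so userinfo tricks, look-alike subdomains and scheme downgrades all fall on the deny side. The hosts in `ALLOWED_HOSTS` and the function name `is_allowed_url` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real one is the handful of
# documentation hosts the project actually needs, nothing broader.
ALLOWED_HOSTS = frozenset({"docs.example.com", "notes.example.com"})


def is_allowed_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for an https URL whose host is exactly on the allowlist.

    The host is taken from urlsplit().hostname, which drops userinfo and
    port and lowercases, so 'https://docs.example.com@other.test/' is judged
    by other.test, not by the text in front of the '@'. Exact matching means
    'docs.example.com.other.test' does not pass on a prefix, and a trailing
    dot is removed so 'docs.example.com.' cannot slip past a naive lookup.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        # No plain http, no file:, no bare "docs.example.com" without a scheme.
        return False
    host = parts.hostname
    if not host:
        return False
    return host.rstrip(".") in allowed_hosts


if __name__ == "__main__":
    # Constructed sample requests a fetch tool might receive.
    for candidate in (
        "https://docs.example.com/guide",
        "http://docs.example.com/guide",
        "https://docs.example.com@other.test/",
        "https://docs.example.com.other.test/",
    ):
        print(f"{'ALLOW' if is_allowed_url(candidate) else 'DENY '} {candidate}")
```

Run the decision before the request is made and log it the same way the filesystem calls are logged; an allowlist that is consulted after the fetch has already leaked whatever was in the prompt.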

Takeaway: start boring. Read-only FS to one repo, Git read-only, prompts on. You get most of the value with a tiny blast radius.

What would you add next, and why?
