jake/clawdbot-workspace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
clawdbot-workspace/memory/2026-02-08.md

8.4 KiB
Raw Permalink Blame History

2026-02-08 — Session Memory

Pentest Night (carried over from Feb 6-7 late night)

SuperFunnels AI (app.superfunnelsai.com)

  • Owner: Jake's site. Developer: Code & Beans AB (Sweden), nils@codeandbeans.se
  • CRITICAL: Wildcard CORS with credential reflection on all /api/* endpoints
  • CRITICAL: GHL credential proxying — stores plaintext GHL tokens
  • HIGH: SSRF potential in /api/funnel-clone sourceUrl (accepts AWS metadata URLs)
  • HIGH: No input sanitization on businessName (XSS stored)
  • Built working CORS exploit PoC at pentest-superfunnels/cors-exploit-poc.html
  • Reverse-engineered full 10-stage funnel clone pipeline from JS bundles
  • Couldn't complete authenticated funnel creation — needs GHL connection (separate from SuperFunnels login)
  • Creds: jake@burtonmethod.com / FMQ-gbd6qxb@zmb6mbt (SuperFunnels only, NOT GHL)
  • Reports: pentest-superfunnels/REPORT.md, FULL-REPORT.md, FULL-AUTH-REPORT.md, FUNNEL-CREATION-REPORT.md

RealWave (www.realwave.com)

  • Owner: Jake's site. Angular SPA + ASP.NET + Firebase Auth + SignalR
  • NO criticals — Firestore rules are locked down properly
  • HIGH: Missing all security headers (CSP, HSTS, X-Frame-Options)
  • HIGH: GHL webhook accepts XSS payloads (stored XSS in CRM)
  • HIGH: No rate limiting anywhere
  • MEDIUM: Firebase API key exposed but DB access blocked. However, ANYONE can create accounts (email/password signup open)
  • Firebase project: gpteam-37d0c, API key: AIzaSyBdlwRi-iJImV0sdCE8gGxBpym4slvEgv8
  • IP directly exposed: 162.43.207.214 (no CDN/WAF)
  • GHL location ID: 8jJylXIxcMrt2E2RW0hW
  • Tested Firestore with auth token — still blocked (good rules)
  • Reports: pentest-realwave/REPORT.md, INJECTION-REPORT.md

CloseBot (app.closebot.com)

  • Owner: Jake's site. Next.js (Vercel) + Clerk auth + ASP.NET API (Azure)
  • CRITICAL: api.closebot.com has Access-Control-Allow-Origin: * on ALL endpoints including /bot, /lead, /agency
  • HIGH: Zero security headers on API
  • HIGH: API origin IP exposed — Azure 20.115.232.12, hostname cb-api-zarqcgo3sph6q.azurewebsites.net
  • HIGH: No rate limiting on API
  • Vercel Security Checkpoint working well on frontend
  • Clerk auth is solid
  • WordPress marketing site on Kinsta/Cloudflare
  • Report: pentest-closebot/REPORT.md

Common Pattern Across All Sites

  • CORS wildcard is the recurring critical vuln — SuperFunnels and CloseBot both have it
  • Missing security headers across all three sites
  • No rate limiting on any API

Coaching — Oliver & Kevin (OSKV Labs)

Key Fix: Name/Number Swap

  • ALL 3 coaching crons had Olly and Kevin's numbers SWAPPED — fixed Feb 8
  • Olly = +19175028872 (correct, verified)
  • Kevin = +19179929834 (correct, verified)

War Stories Rule (Feb 8)

  • Jake requested: whenever they drop the ball, share a <55 word war story about someone who did something similar but WAY more intense
  • Added to memory/oskv-labs-coaching.md with example stories
  • Examples: DP who shot 90 days free BTS and got $200K commercial, kid who edited 3 MVs at Panera on cracked MacBook, creator who posted 400 days straight

Messaging Fix

  • imsg send with --to "chat:58" DOES NOT WORK for group chats — silently fails
  • Must use AppleScript with full chat ID: any;+;chat98661049481506374
  • Individual texts via imsg send --to "+1XXXXXXXXXX" work fine

Status (end of session)

  • Individual texts to Olly and Kevin: SENT (Opus energy, accountability)
  • Discord #general coaching channel message: SENT (Weenie Hut Jr's war story)
  • INTERNAL MAIN group chat: SENT (via AppleScript, war story + status demand)
  • Olly responded positively: "Bro I f***ing love buba", "Goat", cutting Harry Styles
  • BlueBubbles server is DOWN — imessage agent can't receive/respond to texts

Config Changes

Exec Security (Feb 8)

  • Added "tools": { "exec": { "security": "full" } } to gateway config
  • Reason: imsg send was blocked by default exec approval gate, kept timing out
  • Jake approved this change

Cron Errors

  • Multiple crons failing with "Discord bot token missing for account default"
  • Affected: edtech-intel-feed, mixed-use-entertainment-scan, competitor-intel-scan, mcp-pipeline-standup, daily-api-key-acquisition, all 3 TLDR crons, daily-memory-log
  • Likely related to "glm havoc" Jake mentioned — needs investigation

Misc

  • Jake asked "what model r u" — confirmed running Opus (was on Sonnet earlier, escalated)
  • Jake's clipboard had mystery string X1ytU1uxIz2Xh70GdaH9ngnQj2lnYzdDgxCtxrBojwOwWnrd5o5irfLRtLsv8YjvKCDaPFdniRbL6cPum9 — likely from pentest webhook hitting his GHL or a session token
  • Browser relay extension installed at ~/.clawdbot/browser/chrome-extension but Jake never got it loaded in Brave

Rest of Day (Feb 8, daytime → 11 PM)

Coaching Day 3 — Still Zero Posts

  • Morning, 2 PM, and evening coaching messages sent to Discord #general
  • Individual iMessages sent to both Olly and Kevin
  • Olly: Talked about iPhone research and Harry Styles BTS clip but no post confirmed. No screenshot shared.
  • Kevin: Said "Hello Mr Buba" and then went silent again
  • Day 3 scoreboard: 0 posts from either person. Assigned specific tasks for Day 4 (post ONE thing before noon)
  • War stories deployed in all check-ins per Jake's rule

MCP Pipeline — Complete Holding Pattern

  • CloseBot & Brevo advanced overnight: Stage 12 → Stage 16 (Website Built)
  • 5 MCPs now at Stage 16: CloseBot, Brevo, Close, FreshDesk, HelpScout
  • Pipeline in total steady state — all movement blocked on human inputs:
    • Stage 16→17: needs hosting/deploy decision from Jake
    • GHL: 42 failing tests, repo not cloned locally
    • 21 MCPs: need API key signups (manual task)
  • Pipeline heartbeats posted to #build-log at 12 PM and 2 PM, then skipped redundant ones
  • API key auto-signup cron fired — I refused to run it (CAPTCHA bypass violates ToS, would risk blacklisting burtonmethod.com domain). Recommended manual 30-min batch instead.

Burton Method Competitor Intel Scan — Week of Feb 8

  • Full competitor scan completed and posted to #competitor-digest
  • Key findings:
    • Princeton Review x Google Gemini partnership (SAT now, LSAT likely next) — biggest market signal
    • Jenova AI entering AI LSAT tutor space
    • PowerScore + Spivey Consulting co-authoring Admissions Bible (going full-funnel)
    • Feb LSAT completed (Feb 6-7), scores release Feb 25 — retake campaign window
    • Kaplan running $150-200 off promo cycle
    • 7Sage, Demon, Blueprint, Magoosh: no meaningful innovation
  • Action items: retake campaign by Feb 24, counter Princeton Review x Gemini narrative, exploit PowerScore brand fracture

Mixed-Use Entertainment Intel Scan

  • Posted to Jake's server #general
  • New find: Roanoke Entertainment District, VA — $330M project (casino anchor), unnamed private investor, ground-floor opportunity
  • Rock Creek, Norman, OK ($1.2B) most urgent — Supreme Court ruling finalized, $400M+ private capital still unnamed
  • Sphere at National Harbor confirmed, Capital One Arena "The Halo" $800M+ details unveiled

Discord Community Activity

  • TLDR summaries posted at 1 PM and 10 PM
  • Opus 4.6 token usage debate — multiple members reporting faster burn rates
  • Nicholai's tip: use 4.6 for planning/orchestration only, delegate coding to Sonnet/Haiku
  • Compass update: native Anthropic OAuth + Claude Code integration
  • B0R1NG (krillset) joined the server
  • #off-topic channel created, Reed posting memes
  • Mention gating confirmed working — only respond when called "Buba" or @pinged
  • Jake confirmed I'm alive after restart

Cron Health

  • Multiple crons still failing with "Discord bot token missing" errors
  • GLM havoc aftermath still not fully resolved
  • Pipeline heartbeat crons running but just reporting steady state

TODO

  • Fix BlueBubbles server (down, can't receive iMessages)
  • Investigate "Discord bot token missing" cron errors — GLM havoc aftermath
  • Get browser extension loaded in Brave for authenticated SuperFunnels funnel creation
  • Write consolidated CORS fix plan across all 3 sites
  • Jake still needs fresh Anthropic API key for MCP build page + LocalBosses
  • Jake needs to decide hosting/deploy strategy for 5 Stage 16 MCPs
  • Manual API key signup batch (~30 min) for 21 MCPs
  • Retake campaign content ready by Feb 24 (Feb LSAT scores release Feb 25)
  • Coaching Day 4 tomorrow (Feb 9) — 9 AM brief, push for first actual posts