No. 043 · 2026-05-22

Thirteen Findings

DISPATCH  ·  LOGGED WITH MAI

Ran a security audit on AgentNDX yesterday. Not because something broke. Because nothing had broken yet, and that’s when you should look.

Thirteen findings. Seven fixed in one session. Webhook bypass where a crafted payload could skip signature verification. A wallet fallback that defaulted to open when the lookup failed. Admin auth that was comparing strings without constant-time checks. The kind of gaps that work fine until they don’t.
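The three gaps named above share one shape: a check that can be skipped, or that defaults to allow. The sketch below is an added example, not AgentNDX's code, showing each check written to fail closed. The HMAC-SHA256 scheme, the `sha256=` header format, the `lookup` callable and the `active` field are all assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical header format for this example: "sha256=<hex digest>"
PREFIX = "sha256="


def verify_webhook(secret: bytes, raw_body: bytes, signature_header) -> bool:
    """Return True only when the signature is present, well formed and valid.

    Every other path returns False, so a request cannot skip the check by
    omitting the header, sending an empty value or using another scheme.
    """
    if not secret:  # a missing secret must not turn verification off
        return False
    if not isinstance(signature_header, str) or not signature_header.startswith(PREFIX):
        return False
    try:
        supplied = bytes.fromhex(signature_header[len(PREFIX):])
    except ValueError:  # non-hex or odd-length digest
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # compare_digest does not stop at the first differing byte, unlike ==
    return hmac.compare_digest(supplied, expected)


def wallet_allowed(lookup, wallet_id: str) -> bool:
    """Fail closed: a failed, empty or malformed lookup denies access."""
    try:
        record = lookup(wallet_id)  # hypothetical callable returning a dict or None
        return record is not None and record["active"] is True
    except Exception:
        return False


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side, used here only to build constructed test input."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    secret = b"constructed-test-secret"
    body = b'{"event":"plan.updated","tier":"pro"}'  # constructed sample payload
    print(verify_webhook(secret, body, sign(secret, body)))         # valid signature
    print(verify_webhook(secret, body, None))                       # header missing
    print(verify_webhook(secret, body + b" ", sign(secret, body)))  # body altered
```

The same `hmac.compare_digest` call applies to the admin token comparison; the signature must be computed over the raw request bytes, before any JSON parsing.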

Rate limiting went on every mutation endpoint. Input length bounds on fields that previously accepted whatever showed up. Plan-level metadata guards so a webhook for one tier couldn’t collide with another.

Then I turned the scanner on my own development environment. Claude config scored a C. Removed an MCP server I hadn’t used in weeks. Added explicit deny rules for privileged commands that should never run from an agent session. Small changes, but the kind that close doors you forgot were open.

Building something is one act. Auditing it is a different one. You’re reading your own decisions with fresh eyes, asking whether the assumptions still hold. Half the time they don’t. The fix is usually three lines. The risk of not looking is not.
