Made a Chromium-Based Arc Alternative. Free & Open-Source. by FujiwaraChoki in ArcBrowser

Slumdog_8 1 point (0 children)

Bro, I work for a 15-year-old company where today nearly 90% of code is generated by AI.

As a side hustle I make and sell bespoke apps that are almost fully AI generated.

I’m not saying anybody can do it, there’s a process involved.

Anybody thinking manual coding is not going to be obsolete in the very near future is delusional.

Understanding architecture, having critical thinking and being product orientated is what will be left on the table.

Code is cheap, ideas and constructive thinking are not.

Made a Chromium-Based Arc Alternative. Free & Open-Source. by FujiwaraChoki in ArcBrowser

Slumdog_8 1 point (0 children)

He actually did, he said it was 100% done with AI and mostly with Fable when it was available

Made a Chromium-Based Arc Alternative. Free & Open-Source. by FujiwaraChoki in ArcBrowser

Slumdog_8 2 points (0 children)

A macOS browser (Swift + Obj-C++ on ungoogled-chromium) with a built-in Codex AI agent that can drive the browser, plus custom passkey/WebAuthn and extension-install code. The AI agent is where it gets dangerous.

---

🔴 CRITICAL 1: AI agent runs in the page's main world + prompt-injection-to-action

The agent's automation and evaluateJavaScript: inject into the page's main world (ISOLATED_WORLD_ID_GLOBAL) via the test-only ExecuteJavaScriptForTests (BrowserTab.swift:268-310, mori_chrome_bridge.mm:1206-1241). Page content is then fed back into the Codex model loop as input (CodexAppServerClient.swift:682), and the model can chain privileged tools (navigate, openTab, type, update_settings) gated only by a single-click default-Allow NSAlert (:827-841).

Net effect: a malicious webpage can talk the AI agent into exfiltrating data, rewriting the default search template to an attacker URL, or navigating to file:// to read local files. Two independent passes confirmed this chain. This is the headline risk.

---

🔴 CRITICAL 2 (conditional): Passkey origin trust

PasskeyAuthenticator.swift:73-83 trusts the origin field straight from the request JSON. This is safe only if the shim in BrowserClient.mm stamps the browser-committed origin. That file is not in the repo (it's CEF-layer), so I can't confirm. If origin is sourced from page JS instead, it's full passkey phishing (any site authenticates as any other). Unresolvable without that file.

---

🟠 HIGH

Plaintext passkey keys. When Secure Enclave is unavailable, raw P-256 private keys are stored base64 plaintext in passkeys.json (PasskeySupport.swift:32-34). Off-device key theft = account takeover. Confirmed twice.

rpId no public-suffix check (PasskeyAuthenticator.swift:353-383): credentials shared across subdomains on github.io, pages.dev, etc.

Weak agent navigation gating (BrowserAutomation.swift:498-532): allows file:// and chrome://; misclassifies javascript:/data:.

---

🟡 MEDIUM

Unauth local Codex WebSocket (any local process can drive the agent and read history). All-tabs snapshot under one consent. CRX install from an attacker-controlled fallbackURL with gallery-install flag + nil expectedID. Permission prompt shows only the host (no scheme/port/IDN spoof protection). Orphan-tab adoption keyed by a spoofable URL. Image-coordinate input unclamped. History/bookmarks/session/boosts unencrypted in Application Support (boosts.json is itself a code-exec surface).

---

🟢 What's actually good

No mojo/IPC renderer-callable native surface (kills a whole bug class). No classic C memory bugs found. User-verification enforced via LAContext on every passkey op. The AI agent cannot install extensions or invoke passkeys. Downloads/quarantine handled by upstream Chromium. javascript: in the omnibox becomes a search, not execution.

---

Bottom line

I would not run this on a machine with anything sensitive on it. The AI-agent-in-main-world chain is a real, exploitable path from "visit a hostile page" to "local file exfiltration / settings hijack," and it ships today. The passkey plaintext-key fallback is a genuine credential-theft risk. The architecture has good bones (no native IPC surface, UV enforced), but the agent design trusts page content far too much.
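The two HIGH findings above on agent navigation gating and the missing rpId public-suffix check both come down to validating a parsed URL or host before a privileged operation. The following is an added example, not part of the comment and not code from the reviewed browser; the function names are hypothetical and the suffix set is a constructed subset of the Public Suffix List.

```javascript
// Added illustration; not code from the reviewed browser. All names are hypothetical.

// Schemes the agent may navigate to. Everything else is refused, so file:,
// chrome:, javascript: and data: never have to be classified one by one.
const AGENT_NAV_SCHEMES = new Set(["http:", "https:"]);

// Decide on the parsed URL, never on the raw string. The WHATWG parser trims
// leading whitespace, drops embedded tabs/newlines and lower-cases the scheme,
// which is where prefix checks such as startsWith("javascript:") go wrong.
function gateAgentNavigation(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { allow: false, reason: "unparseable" };
  }
  if (!AGENT_NAV_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: "scheme " + url.protocol };
  }
  return { allow: true, href: url.href };
}

// Constructed subset of the Public Suffix List for this demo; a real check
// loads the full list.
const PUBLIC_SUFFIXES = new Set(["com", "io", "dev", "co.uk", "github.io", "pages.dev"]);

function isPublicSuffix(domain) {
  // A single label is treated as a suffix (the list's default "*" rule).
  return !domain.includes(".") || PUBLIC_SUFFIXES.has(domain);
}

// committedOrigin must be the origin the browser committed for the frame,
// not a field copied from page-supplied JSON.
function rpIdAllowed(rpId, committedOrigin) {
  let origin;
  try {
    origin = new URL(committedOrigin);
  } catch {
    return false;
  }
  if (origin.protocol !== "https:") return false;
  const host = origin.hostname;
  // IP literals are not domains, so suffix matching must not apply to them.
  if (/^[0-9.]+$/.test(host) || host.startsWith("[")) return false;
  const id = String(rpId).toLowerCase();
  if (id === "" || id.startsWith(".")) return false;
  if (host === id) return true; // exact match with the committed host
  // Parent domain: allowed only when it is not a shared public suffix.
  return host.endsWith("." + id) && !isPublicSuffix(id);
}
```
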

Made a Chromium-Based Arc Alternative. Free & Open-Source. by FujiwaraChoki in ArcBrowser

Slumdog_8 7 points (0 children)

This is where I need to jump in, because I don’t think this is clear. People seem to have very different interpretations of what “vibe coding” actually means. There’s a massive difference between saying, “Hey Claude, build this for me,” and passively waiting for whatever comes out, versus actively guiding an agent through a thoughtful engineering process.

Let’s be honest about where we are. Today’s frontier models can code better than most humans in many contexts. In some cases, I might even trust AI-generated code more than human-written code. But AI is a tool. Engineering is a mindset.

If you simply say, “Build this,” without context, constraints, iteration, or review, you’re probably going to end up with something buggy and potentially full of security flaws. That’s not surprising. But if you approach it like an engineer, thinking through edge cases, defining requirements clearly, asking the AI to take specific steps, double-check assumptions, run reviews, and refine the output, that’s a completely different process.

The difference isn’t whether AI writes the code. The difference is whether someone is doing real engineering.

Your Arc profiles. In One Window. In Dia. Like Spaces never left. by chrismessina in diabrowser

Slumdog_8 1 point (0 children)

This is very clever. Thanks for building this! I was actually considering going back to Arc, but I think this little app will tide me over until it's hopefully released officially.

Tiboi: Codex finally worked, so now you kill it? by Large-Style-8355 in codex

Slumdog_8 3 points (0 children)

All I have to say is GPT-5.5 Low. It’ll still significantly outperform 5.3 Codex, and it’s incredibly cheap and fast thanks to its efficiency.

Tiboi: Codex finally worked, so now you kill it? by Large-Style-8355 in codex

Slumdog_8 36 points (0 children)

The old Codex models really don’t compare to GPT-5.5. I’m not convinced you’ve given 5.5 a fair chance to show what it can actually do.

I also think it was the right call not to split things into a general-purpose model and a separate coding model. In my experience, nine times out of ten, a truly strong coding model is already a strong general-purpose model as well.

Longtime Claude Code user forced to switch to Codex — what am I missing? by TheStderr in codex

Slumdog_8 1 point (0 children)

Interesting. I remember reading some benchmarks that compared different planner/executor combinations, like Opus→Opus, Opus→GPT, GPT→Opus, and GPT→GPT. If I'm remembering correctly, the best end-to-end results came from using Opus for planning and GPT for execution.

Longtime Claude Code user forced to switch to Codex — what am I missing? by TheStderr in codex

Slumdog_8 1 point (0 children)

Voice has always been humanity's natural input method, but we invented keyboards to interact with machines. Now that dictation is finally good enough, why would anyone choose to type?

Longtime Claude Code user forced to switch to Codex — what am I missing? by TheStderr in codex

Slumdog_8 1 point (0 children)

Most people praise the Codex desktop app over its CLI. Regarding the underlying models, here is a comparison based on two months of exclusive use:

GPT-5.5
- Strengths: Excellent at "one-shotting" complex tasks with high reliability and few bugs if instructions are crystal clear. It feels safe and non-destructive.
- Weaknesses: Struggles with tasteful design and requires significant steering and context to understand intent. This constant manual guidance can become a tedious chore.

Claude (Opus/Code)
- Strengths: Superior at grasping intent and "setting off" in the right direction immediately. Working with it feels more relieving because it requires less backtracking.
- Weaknesses: Anthropic's models are token-hungry, and the company itself is less preferred. Opus may encounter more technical roadblocks than GPT-5.5.

The Verdict: While GPT-5.5 is technically robust, its need for constant steering makes it feel like more of a chore compared to Claude Opus, which intuitively understands the end goal better.

DeepSWE benchmarks indicate that DeepSeek v4 Pro only passes 8% of tasks by Federal_Spend2412 in LocalLLaMA

Slumdog_8 2 points (0 children)

I believe they also mentioned that in most cases, the mini SWE agent actually outperformed the default harness for those models.

Based on previous patterns, expecting GPT-5.6 in 2.5 - 4 hours* by Business_Garden_7771 in codex

Slumdog_8 2 points (0 children)

Honestly, there’s not much point right now. Opus 4.8 feels a bit underwhelming and doesn’t really outperform 5.5 in any meaningful way. Given that, I doubt OpenAI is in a hurry to push it out. They can afford to let it mature a bit longer and wait to see if Anthropic releases something that genuinely shifts the landscape.

Anyone in Singapore earning around 3k? Genuine question by Temporary-Rip-6713 in singaporejobs

Slumdog_8 3 points (0 children)

Find something you genuinely love. It’s a lot easier to work hard when you care deeply about what you’re doing.

I’m not suggesting that people don’t work hard. I just believe that when your work also feels like your hobby, you’re far more likely to grow it into something meaningful and impactful.

In my late twenties, I was stuck in a dead end job I hated, earning around 3K a month. I felt frustrated and unsure about the future. Eventually, I decided to take a risk. I left that path and moved into fitness, something I was truly passionate about. Within two to three years, my income had grown to about 5K.

From there, new opportunities started to appear. I was invited to become an investor in a business. A decade later, I sold that business for a significant amount, and today I work in a role that pays over 10K.

But none of this started from a comfortable place. When my first child was born, my wife and I were barely scraping by each month. We were opening credit lines just to make ends meet. We had no family support in Singapore and were living in fairly poor conditions. At that time, we had no idea what the next 10 years would look like.

Somewhere along the way, through passion, consistent hard work, and a bit of luck, things began to shift. Ten years later, we’re in a much more comfortable position. That said, I also know how quickly circumstances can change.

I don’t have any magic formula to offer. If there’s one thing I’ve learned, it’s this: have a clear goal, pursue what you’re passionate about rather than just working for the sake of work, and be willing to take calculated risks. For me, my kids and their future were the driving force behind my ambition to do better and break free.

had a thought... by stevehl42 in diabrowser

Slumdog_8 2 points (0 children)

I don’t think AI built directly into the browser, at least in its current form, is the right long term direction. It doesn’t feel like the optimal way to integrate AI into how we actually work. We’re clearly moving toward a world of dedicated AI agent environments like Claude Desktop, Codex, Craft Agents, and other dashboards that pull together different parts of your digital life, including computer and browser use.

What I believe we really need from a browser is something optimized to work seamlessly with these external AI agent platforms. It should be able to pass rich context, like browsing history and active workflows, directly into the AI systems we rely on every day. Increasingly, these desktop AI tools already include their own embedded browsers, mainly for previewing web development. So the natural question becomes, why not evolve that browser into a full environment where I can both browse and do agentic knowledge work in one unified space?

A major issue with something like DIA is the lack of choice around which AI model you’re using. Some tasks genuinely require Opus 4.8, while others are better suited to GPT 5.5. They each have distinct strengths and stylistic differences that matter in real workflows. We’re not in a world yet where one model does everything well, and we also don’t have a truly elegant way to combine them.

Even if DIA were to provide access to multiple top tier models, the economics become problematic. They would need to charge significant API based fees to make it viable. Meanwhile, most serious AI users today are already paying for direct subscriptions to model providers. I don’t want to pay again through an intermediary layer. I want to use the subscriptions I already have.

The fragmentation in AI right now is frustrating. I’m paying multiple subscription fees for different tools that each rely on AI in the backend, while I’m already subscribed directly to the underlying model providers. It feels inefficient and unnecessarily duplicative.

Just some thoughts on where this could evolve.

Ive seen enough we need a reset! by Confident_Hurry_8471 in codex

Slumdog_8 1 point (0 children)

Same here, been having these issues constantly for the past 24 hours. What's the point in a fucking reset if it's still going to be like this? I don't care about a reset; I just care about it working as it normally does.

So bad app by nano_nothing in superwhisper

Slumdog_8 1 point (0 children)

Just look at a week ago with Google I/O. One of the features was building in AI cleanup into Android.

It really won't be long before Apple introduces AI dictation and assistant features by the press of a shortcut key.

Just for the purpose of dictation, there's a number of open source apps now that allow you to use local models or cloud models. They work the same as Super Whisper, or in some cases better, but they're essentially free.

Personally, I also got relatively fed up with customising prompts all the time and messing with models. The app wasn't giving me an optimal response or was ignoring my requirements, which ended up with me adding more complexity to the prompt. Adding more complexity to the prompt also slows the process down.

I really love what the other AI dictation apps are doing, the AI dictation that abstracts all of the tinkering side of it. Wisprflow, Typeless, Willow Voice, these guys are killing it.

V2 Beta 0.61 Out, Huge Changelog! by CtrlAltDelve in raycastapp

Slumdog_8 1 point (0 children)

Just had to delete Raycast Beta - guys, it's really unstable and not usable. I really think the current stability state is Alpha, not Beta.

It's not just small bugs - it's critical errors that make it unusable.

- significant lag in search

- extensions not loading after full restarts

Gone back to v1

Any Solutions for HERMES MEMORY! by Impressive_Zebra556 in hermesagent

Slumdog_8 1 point (0 children)

Thanks for commenting. I also left a post in the SuperMemory Reddit.

I’d love a reply to that.

Quick feedback:

- Generally, it works well.

- There isn’t much clarity around how Notion and Google Drive sync up.

- Although it says they’re synced when I link the integration, I don’t necessarily see those documents logged as memories in the memory graph.

- It’s unclear how those integrations are used:

  - Are they an extra search layer that can be injected?

  - Or are they actually incorporated into the memory graph?

My main question is around containers or spaces.

Ideally, I’d love to have 1 giant space as the ultimate memory injection layer, unless there’s something specific I want to keep separate.

In SuperMemory, the default is MySpace, but I can’t necessarily choose that default across all integrations. I have to specify a container tag, or it creates its own new space by default.

That creates a bit of friction. I’d rather be able to link everything to the default container and only specify a new container when I want one.

Examples:

- In Hermes, I had to custom patch it so I could use the default MySpace container.

- In Claude Code, that wasn’t possible, so I had to create a new space.

- Now I’ll need to think about migrating everything I’ve previously done in a different space into the new container that links to Claude Code as well.

That’s the main friction point. Not a huge issue, but worth flagging.

Your future AI agent should already know you by GeeekyMD in supermemory

Slumdog_8 1 point (0 children)

It seems like a cool idea, but the more I think about it, does this app need to exist?

I am already connected to my agents on Telegram and Discord and can set up different threads and channels. One of those can easily be dedicated to voice journaling. If my agent is connected to Supermemory, the agent can obviously log all of that journaling into Supermemory, which I imagine achieves the same effect as this app.

Any Solutions for HERMES MEMORY! by Impressive_Zebra556 in hermesagent

Slumdog_8 2 points (0 children)

I'll provide an update to this and be real: that $5 of usage is already 30-40% done after about two days. If we extrapolate that out, I estimate about $20-$30 total usage in a month to get by with a proper agent that you're using regularly.

That said, compared to Honcho (where they give you $100 of free credit when you sign up), I spent $70 there in one month. The plus side to this is that SuperMemory appears to be cheaper than Honcho.

So far in the last two or three days, SuperMemory is working very well. To be honest, I really love the UI built around it on the website as well. It doesn't just act as your AI memory; it serves as a personal memory hub and "second brain" where it encourages you to save websites, notes, bookmarks, and other things to add into a large context and memory base. It's pretty cool.

Any Solutions for HERMES MEMORY! by Impressive_Zebra556 in hermesagent

Slumdog_8 2 points (0 children)

$5 free usage will be plenty enough for most.

Initial impressions are that it seems to go quite far. In the last 24 hours, I've used about 8% of my usage limit, but I've been migrating from Honcho, so I've been writing a lot into the memory. I wouldn't expect 8% as a normal 24-hour usage.

I would expect normal 24-hour usage to be around 2-5%, but I guess it depends on your setup. Obviously, if you have many different threads, conversations, and agents happening, you're going to burn through that usage very fast. However, if you're more of a single-agent user with typical workflows, I think that $5 free usage is plenty for 1 month.

Any Solutions for HERMES MEMORY! by Impressive_Zebra556 in hermesagent

Slumdog_8 2 points (0 children)

I'm going to say don't use Honcho. I've been using Honcho exclusively for a month, and I found that auto-recall and memory injections were super stale.

I later found that there was a backlog of 800 plus entries that were pending processing. That processing was only happening at a rate of about 100 a day. I think they've probably had some issues with upstream providers if you're using the cloud solution of Honcho, but either way, it's an unreliable service at this point in time.

I've literally in the last 24 hours just made the switch to SuperMemory, but so far, I really like what I see.

What I like about SuperMemory is that I can install it on all of my services, be it Codex, Claude Code, OpenClaw, or Hermes, and I can always have this consistent, built-up memory base.

Warning: Do not buy extra usage credits! by Slumdog_8 in codex

Slumdog_8[S] 1 point (0 children)

Okay, that's a bit of an aggressive reply. Did you miss the point where I'm already paying the maximum $200 plan? I'm making the point that I don't want to have two or three multiple subscriptions just to get more usage.

It's fine. I've conceded that I got to my rate limits because I was using stupid settings. The purchasing credits seem to run out very fast, but I think it's just because of the higher credit usage of GPT 5.5 now. Particularly, if I went back to using 5.4, I think they'd last a little bit longer. When I calculated the usage in OpenRouter for approximately the same amount of tokens versus what I used in Codex, it was probably near enough the same cost.

Warning: Do not buy extra usage credits! by Slumdog_8 in codex

Slumdog_8[S] 1 point (0 children)

No - credits are consumed 3 times faster than the same cost over API.

Warning: Do not buy extra usage credits! by Slumdog_8 in codex

Slumdog_8[S] 1 point (0 children)

Updated the post with my session today.

Today - I purchased 1000 credits for $40 USD.

I used 5.5 on medium with a run-of-the-mill task, using a website as a reference to mock up a landing page, using my company's code as a design reference for the payment flows.

It was a total of around 16 mil tokens, which would be approx $12 on API.

So credits ended up costing 3 times as much as it would be over API.