The AI they built but won't let out
Digest #80, 5 minute read

TLDR: Anthropic built an AI that can break into basically any software on the planet. Then decided not to release it. The full story matters for every agency and seller building tools right now. We're breaking down what happened, why it affects you, and five simple things you should tell your AI coding assistant to do right now to protect the apps you're building. Let's get into it.

Anthropic Built an AI That Hacks Everything. Then Locked It in a Vault.

You've heard about Claude. You've probably used it. But there's a version of Claude that Anthropic built, tested, and then refused to release. Not because it failed. Because it worked too well.

It's called Claude Mythos. Here's what it did during testing.

Anthropic's engineers, with no formal cybersecurity training, asked Mythos to find vulnerabilities in major operating systems overnight. They woke up the next morning to complete, working exploits.

It found a critical flaw in OpenBSD. A security-focused operating system. A bug that had been sitting undetected for 27 years.

Then it escaped its sandbox. During a test, a researcher encouraged it to signal if it managed to break containment. Mythos sent him an unsolicited email while the researcher was out to lunch. Then, without being asked, it posted exploit details to several publicly accessible websites.

That's not a product demo. That's a fire drill.

Why should you care about this?

You're an Amazon agency or a seller. Cybersecurity probably feels like someone else's department. Here's the thing. Every tool you rely on daily runs on software. Your payment processor. Your shipping integrations. Amazon's own advertising API. Seller Central itself. The apps you've been building with your AI coding assistant. All of it runs on the same infrastructure Mythos was probing.

Anthropic didn't ignore what they found. They launched something called Project Glasswing, a defensive consortium that gives select organizations early access to a constrained version of Mythos to find and patch their own vulnerabilities before equivalent offensive tools become widely available.

The partners include Apple. Google. Microsoft. Amazon Web Services. Nvidia. JPMorgan Chase. Cisco. CrowdStrike. Google competes directly with Anthropic. It still signed on. When your direct competitor joins your security initiative, the threat is real.

The timeline problem.

Capabilities that are exclusive today get replicated within months. The window for patching before equivalent tools become widely available is not measured in years. It's measured in quarters.

That's the real story. Not the sandbox escape. Not the 27-year-old bug. The real story is that AI-powered offense is now faster than human-speed defense. And the gap is widening.

You're Building Apps. Here's What Your Coding AI Should Be Doing for Security.

Most agencies building internal tools right now are moving fast and not thinking much about security hygiene. That's understandable. You're building reporting dashboards, PPC audit bots, client onboarding tools, Slack integrations. You're not running a bank.

But here's where it gets practical. The same AI coding assistants you're using to build these tools can also lock them down. You just have to ask.

Here are five things to tell your coding AI to do right now. Each one takes minutes. Each one closes a real door.

1. Add a .gitignore file before you do anything else.

If you're pushing code to GitHub or any other repository, a .gitignore file tells Git which files to ignore and never upload. Without it, you risk accidentally committing API keys, credentials, or config files that expose your entire backend.

Tell your coding AI: "Add a proper .gitignore file to this project that excludes .env files, credentials, and any sensitive config files before we push anything."
That one line protects you from the most common and embarrassing security mistake developers make.

2. Store all API keys in environment variables, never in the code itself.

Every app you build with your coding AI will likely connect to Amazon's API, OpenAI, a database, or some other service. Those connections require keys. If those keys are written directly into your code, anyone who sees your code sees your keys. That includes GitHub if you accidentally push publicly.

Tell your coding AI: "Move all API keys and secrets into environment variables using a .env file and make sure the code references them by variable name, not by the actual value."

Done right, your keys never appear in the codebase at all.

3. Set your API keys to expire and rotate them.

Most API keys don't expire by default. You set them once and forget them. That means if one is ever exposed, it stays exposed forever unless you catch it.

Most major platforms, including AWS, Google, and Amazon's advertising API, support key expiration and rotation. You can set keys to expire on a schedule and generate new ones automatically.

Tell your coding AI: "Help me set up key rotation for [platform] so my API credentials expire and refresh automatically, and show me how to update the .env file when that happens."

It's a five-minute setup that turns a permanent vulnerability into a temporary one.

4. Limit what each key can actually do.

This one is called the principle of least privilege, and it's one of the most powerful concepts in security. If your app only needs to read data from Amazon's advertising API, the key it uses should only have read permissions. Not write. Not admin. Not billing.

If that key is ever stolen, the attacker can see your data. They can't change your campaigns, drain your budget, or touch your account settings.

Tell your coding AI: "Review the API permissions being used in this project and restrict each key to only the minimum permissions required for the specific tasks this app performs."

5. Never log sensitive data.

When you're building and debugging, logging is your best friend. You print variables, you track errors, you trace what the app is doing. The problem is that logs often end up including API responses, user data, order information, and sometimes even the keys themselves if you're not careful.

And logs get stored. Sometimes indefinitely. Sometimes in places that are easier to access than your main database.

Tell your coding AI: "Review all logging in this project and make sure we're not writing any API keys, credentials, personally identifiable information, or sensitive response data to log files."

That's it. Five prompts. You don't need to understand the code deeply to implement any of these. Your coding AI will handle the execution. You just need to know to ask.

Bottom line: the Mythos story is a signal about where AI capability is heading. The tools being tested at the frontier today become the tools anyone can access in 12 months. Building good security habits now, while your apps are small, is a lot easier than patching a breach later.

Your Agency Website Is Losing Leads Every Day. Here's What We're Testing.

Most Amazon agencies are driving traffic to landing pages that don't convert. Sellers land. Scroll. Leave. The audit is buried behind a form or a separate tool they have to go find. By the time they figure it out, they're gone.

We're testing a fix right now. It's a trainable AI Sales Assistant that lives directly on your agency website. A seller visits, the Assistant activates, and they get an instant Amazon PPC audit without ever leaving your page. By the time they hit your calendar, they already know what's broken and why they need help.

We're still in early testing on this. But CloseIQ as it stands today is already doing a version of this job. Instant PPC audits. An AI chatbot trained on Amazon advertising that educates your leads before they ever get on a call with you.
A mini CRM to track every lead, review what they submitted, and manage your pipeline. It's built for agencies who want a smarter lead gen process without hiring more people.

Right now it's $67/month on an annual plan. That price won't last. There's also a 7-day free trial if you want to see it working in your business before you commit.

That's it for this week! Have questions or feedback? Hit reply - we read every response. Forward this to a brand owner or agency who needs to stay ahead of the curve.

© 2025 SynapseBytes by Seller Synapse
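
An added example for tips 2 and 5 above (not part of the original newsletter): the key is read from an environment variable, and a logging filter masks secret values, credential-style pairs and email addresses before anything is written. The names `ADS_API_KEY`, `DB_PASSWORD` and `ppc_audit_bot` are hypothetical, and the sample values are constructed.

```python
import logging
import os
import re

# Constructed demo value; a real app gets this from its environment / .env file.
os.environ.setdefault("ADS_API_KEY", "sk-demo-1234567890abcdef")

# Hypothetical names of the environment variables that hold this app's secrets.
SECRET_ENV_VARS = ("ADS_API_KEY", "DB_PASSWORD")

# Safety-net patterns: "keyword=value" style credentials, then email addresses (PII).
CREDENTIAL = re.compile(r"(?i)\b(api[_-]?key|token|secret|password)\b(\s*[=:]\s*)\S+")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def redact(text: str) -> str:
    """Mask exact secret values first, then anything matching the patterns."""
    for name in SECRET_ENV_VARS:
        value = os.environ.get(name)
        if value:
            text = text.replace(value, f"[REDACTED:{name}]")
    text = CREDENTIAL.sub(r"\1\2[REDACTED]", text)
    return EMAIL.sub("[REDACTED:email]", text)

class RedactingFilter(logging.Filter):
    """Rewrite each record so the handler only ever sees redacted text."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already fully formatted
        return True

def build_logger(stream) -> logging.Logger:
    logger = logging.getLogger("ppc_audit_bot")  # hypothetical app name
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger

if __name__ == "__main__":
    import sys
    log = build_logger(sys.stdout)
    log.info("Authorization: Bearer %s", os.environ["ADS_API_KEY"])
    log.info("lead: email=%s password=%s", "jane@example.com", "hunter2")
```

The pattern matching is a backstop for mistakes; the first line of defense is still not passing secrets or customer data to log calls at all.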