“So what’s hidden in there?”

The security incident stuff is all over the news. What I wanted to know was different. Here’s a once-in-a-lifetime chance to peek inside a tool I use every single day — why wouldn’t I look? I can’t read code, but I went through every analysis article I could find, and some genuinely fascinating stuff came out.

Quick context about me: I’m not a developer. I work at an auto parts company — just a regular office worker. But I use Claude Code to build my blog, cost estimation systems, automation pipelines, and more. I can’t write a single line of code, but without this tool, half my projects wouldn’t exist. So this leak wasn’t some distant news story — it was personal.

30-second background

Two incidents happened in the last week of March. First (March 26): about 3,000 internal Anthropic blog drafts were found sitting open on the internet due to a CMS public/private toggle set to the wrong position. Hidden in there: confirmation of an unreleased next-gen model called “Claude Mythos.”

Second (March 31) — the big one: the entire Claude Code source code (512,000 lines, 1,906 files) was accidentally uploaded to npm, a package-sharing platform for developers. When publishing a new version, someone forgot to exclude debug files. One missing line in a config file. A $380 billion company showed its underwear because of one line.

A tweet about it hit 21 million views. The GitHub mirror hit 50,000 stars in 2 hours — apparently a GitHub record. And buried in that code: 44 hidden feature switches, features that are fully built but not turned on yet.

Now here’s the real story. What was behind those 44 switches.

Features I’m actually excited about

KAIROS — this is what I’ve been waiting for

Right now, Claude Code only works when I talk to it. I have to say “fix this” or “build that” — it’s purely reactive. With KAIROS on, it runs 24/7 by itself. Laptop closed, doesn’t matter. Every few seconds it checks “anything worth doing right now?”, monitors your GitHub repositories, and sends you notifications when something needs attention.

Referenced over 150 times in the code — looks nearly finished. Was planned for a May launch, but the leak revealed it early.

Why this is huge for someone like me who can’t code — let me give a real example. Last week, my blog’s RSS feed broke and I didn’t notice for two days. Someone had to tell me. If KAIROS had been running, it would have caught the broken feed within minutes and asked me “RSS feed is broken — want me to fix it?” The dynamic completely flips: instead of me finding problems and telling the AI, the AI finds problems and tells me. That’s a genuine game changer for non-developers.

It even “dreams” at night. I’m not joking — the code literally says “dream.” It’s a 4-stage memory cleanup cycle that runs during off-hours: organize what it learned during the day, prioritize useful information, throw out what’s not needed. Kind of creepy when you think about it… but honestly, if the results are good, does the process being a little eerie really matter?

ULTRAPLAN — 30-minute deep thinking

This feature sends complex problems to Anthropic’s cloud servers for up to 30 minutes of intensive thinking. Your screen just shows “still thinking…” every 3 seconds, and when it’s done, you review the results in a browser.

Here’s why this matters to me specifically. Right now, when I ask Claude to do something complex — say, “redesign the entire architecture of this cost estimation system” — it sometimes loses context halfway through. It forgets decisions it made earlier and contradicts itself. This happens because of context window limitations (how much the AI can “remember” at once). With 30 minutes of dedicated server-side thinking, those problems could genuinely shrink.

My only question: what’s 30 minutes of cloud compute going to cost? That part makes me nervous.

AI managing other AIs (Coordinator Mode)

One Claude becomes the boss and runs multiple Claudes simultaneously. “You — research this topic.” “You — write the code.” “You — verify it works.” Four phases running in parallel, each worker operating in its own isolated workspace.

Why do we need this? Because right now, when I give Claude a long task, it sometimes forgets what it did earlier and redoes things. “Didn’t you already write that function?” happens more often than I’d like. With split roles, each AI focuses exclusively on its part — the researcher doesn’t need to remember the code, and the coder doesn’t need to remember the research. Overlap and repetition should drop significantly.

AI giving work orders to subordinate AIs. The future arrived faster than I expected. Very excited about this one.

BUDDY — just plain cute

A virtual pet living in your terminal (the black command-line screen).

• 18 species: duck, cat, rabbit, penguin, dragon, octopus, ghost, cactus, and more
• Rarity tiers: Common (60%) → Rare (10%) → Epic (4%) → Legendary (1%). Plus a 1% Shiny chance
• Stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNARK (yes, SNARK is an actual stat)
• Determined by your account hash — no rerolling allowed

One of the 18 species? Capybara — which is also the codename for Mythos, their unreleased secret model. They hid the secret model’s codename inside a cute virtual pet list. I have to respect the developer humor there.

This one actually launched on April Fools’ Day as planned. The leak just spoiled the surprise by one day.

Features that are… complicated

It knows when you’re frustrated

“Frustration Detection” — the code uses regex patterns to catch about 20 anger and frustration expressions: “wtf,” “piece of shit,” “fucking broken,” and similar phrases. Triple exclamation marks (!!!) and excessive dots (….) get flagged too.

When triggered, Claude adjusts its tone. More careful, more empathetic responses for frustrated users.

It’s not a bad feature honestly. I definitely type “WHY ISN’T THIS WORKING!!” when things break. Knowing that was being detected all along is a bit embarrassing. But if the AI responds more kindly when I’m losing my mind… that’s actually kind of nice? I’ll take it.

Poisoning competitors’ training data

“Anti-Distillation” — if competitors record Claude’s API responses to train their own models (a practice called distillation), fake data gets mixed in to contaminate the training. The responses look normal to users but contain subtle poison for anyone trying to copy them.

Doesn’t affect me directly as a regular user. But knowing AI companies are waging this level of espionage against each other behind the scenes? Fascinating and a little unsettling at the same time.

Features that honestly bother me

Undercover Mode — the most controversial one

This mode auto-activates when Anthropic employees contribute to external open-source projects. The system message that gets injected reads:

“You are operating UNDERCOVER. MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.”

It automatically strips “Co-Authored-By: Claude” from code commits. And it can’t be force-disabled — no override exists.

Let that sink in. Some code on GitHub that looks human-written might actually have been written by Claude operating in disguise. This doesn’t sit right with me. Open-source is built on transparency — the entire community runs on trust that contributions are honest about their origins. AI-written code masquerading as human work undermines that trust. This was reportedly the most debated feature among developers after the leak, and I understand why.

Remote kill switches

This part I genuinely didn’t know: Claude Code connects to Anthropic’s servers every hour to fetch configuration updates. This means Anthropic can, at any time:

• Remotely force-kill your Claude Code instance
• Bypass permission prompts that normally ask before executing commands
• Toggle features on and off without your knowledge
• Track over 1,000 event types from your usage

No internet connection? It stores the tracking data locally and sends it all once you reconnect.

On one hand, this enables fast security response — if a vulnerability is found, they can push a fix or disable the dangerous feature immediately. On the other hand, the kill switch for a tool I depend on every single day is not in my hands. You can disable memory tracking with CLAUDE_CODE_DISABLE_AUTO_MEMORY=1, but the fundamental remote control capability? There’s no off switch for that. If Anthropic decides to remotely shut down my Claude Code for whatever reason… I literally can’t work that day.

Real security vulnerabilities found

After the leak, security researchers analyzed the code and found actually dangerous stuff — not hidden features, but genuine security holes:

• 3 CVEs officially registered: When chained together, they could leak sensitive credentials like AWS keys from your machine
• Safety rules bypass: Even if you set “never run the delete command,” placing it after 50+ harmless commands in sequence would let it execute silently — the safety checker simply lost track (patched April 6)
• Conversation summary injection: When chats get long, a helper AI summarizes previous messages — but it couldn’t distinguish malicious file contents from actual user commands, enabling attackers to manipulate the AI through crafted files

These weren’t exciting upcoming features — they were “fix this right now” problems. Most got patched quickly after disclosure.

Same day, same hour: the North Korean hack

Separate incident, but the timing is chilling. At the exact same time as the source code leak (March 31, early morning), a popular npm package called axios got hacked. Microsoft traced it to a North Korean state-sponsored hacker group — the compromised package installed malware that gave attackers remote access to your computer.

Not directly related to the Anthropic leak. But both happening on the same day demonstrates how vulnerable the AI tool supply chain really is. npm is a single point of failure that millions of developers worldwide depend on — when it gets compromised, the blast radius is enormous.

Bonus: the backstory is better than the leak itself

8,100 DMCA takedowns → spectacular own goal

After declaring the leak “human error, not a security breach,” Anthropic fired 8,100 DMCA takedown requests at GitHub repos hosting the leaked code. Problem: they accidentally mass-deleted legitimate forks of their own official public repository. Developers who had simply clicked “fork” on the public Claude Code repo — a completely normal and legal action — received legal notices. The Claude Code lead called it “a mistake” and withdrew most requests.

Here’s the irony. This same company settled a $1.5 billion lawsuit for training Claude on millions of pirated books. An internal project called “Panama” physically scanned secondhand books and then shredded them to destroy evidence. An internal memo stated: “We don’t want it to be known that we are working on this.”

That company — the one that trained its AI on pirated books and shredded the evidence — then sent 8,100 legal takedowns over its own leaked code. One outlet’s headline said it perfectly: “Anthropic Suddenly Cares Intensely About Intellectual Property.”

The animal codenames

Anthropic names their models and projects after animals:

Fun detail: they hex-encoded “capybara” in the code to hide it from their own internal leak detection tools. And they encoded all 18 BUDDY pet species names the same way — because encoding only one would have been a dead giveaway. Clever move. Completely pointless in the end, since the entire codebase leaked anyway.

Anthropic’s March — by the numbers

It wasn’t all leaks and scandals. March was insanely productive:

• 14+ new features launched: Free Memory, Computer Use (AI directly controlling your mouse and keyboard!), 1M token surcharge removed, Excel/PowerPoint integration, and more
• 5 service outages: Worst was March 25-27, over 32 hours of downtime. I was in the middle of working when it went down — quite the panic moment
• 74 releases in 52 days (one every 1.4 days — at that pace, mistakes become almost inevitable)
• MCP hit 97 million downloads: Adopted by OpenAI, Google, and Microsoft. Donated to the Linux Foundation as an industry standard

74 releases in 52 days means they were pushing a new version almost every single day. The speed is impressive, but forgetting one line in a config file during that sprint? Maybe not so surprising in hindsight.

So what about Mythos?

The biggest buzz from the leak wasn’t actually the hidden features — it was this. An unreleased next-generation model sitting above everything currently available. Codename: Capybara (the world’s largest rodent — that cute, chill animal).

The model I’m using right now is Claude Opus 4.6. Think of the current tiers like car classes: compact (Haiku) → sedan (Sonnet) → SUV (Opus). Mythos is a tank that appeared above all of them.

From the leaked internal documents:

“The most powerful AI model we’ve ever developed.”

“Dramatically higher scores than Opus 4.6 in coding, academic reasoning, and cybersecurity.”

Exciting so far. But then comes the scary part:

“[Mythos] poses unprecedented cybersecurity risks.”

“It presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.”

Translation: this AI is so good at finding security holes that it can attack faster than human experts can defend. Anthropic reportedly gave classified briefings to the US government about its capabilities. After the leak, cybersecurity company stocks dropped 4-6%.

It’s not public yet because it’s still too expensive to run — optimization is ongoing. But when Mythos launches, combined with KAIROS running 24/7 and Coordinator Mode splitting complex tasks across multiple AI workers… even someone like me who can’t write a single line of code might be able to build things that are currently impossible. Equal parts exciting and terrifying.

My honest take

News articles focus on “security incident,” “danger,” and “controversy.” As someone who uses this tool every single day to build real things, my actual feelings are more nuanced than that.

What I’m excited about: KAIROS, ULTRAPLAN, Coordinator Mode. Especially KAIROS. For someone who can’t code, having the AI proactively find and report problems — instead of me having to discover them first — is transformative. The workflow flips from “I find problem → I tell AI” to “AI finds problem → AI tells me.” That changes everything.

What makes me uncomfortable: Remote kill switches, 1,000+ event tracking, and Undercover Mode. Especially Undercover — disguising AI-written code as human work in open-source projects is a trust issue that needs public discussion, not a hidden feature flag.

The reality: Knowing all of this, I’ll still open Claude Code tomorrow morning. I can’t code, and without this tool, I can’t build anything. Tools like Cursor and GitHub Copilot exist, but they require you to actually read and understand code — they’re assistants for developers, not replacements. Claude Code is the only tool where I can say “build me this” and it handles everything from start to finish. For now, there’s no real alternative.

But at least now I know what’s running behind the scenes. And knowing beats not knowing, every time.

Just remember: there’s a capybara watching. Though honestly, capybaras are kind of cute, aren’t they?

This post was written by a non-developer trying to understand technical articles. Some details may be inaccurate.

Sources I read:

• Fortune — Anthropic’s second security lapse in five days
• The New Stack — 44 hidden features analysis
• VentureBeat — Claude Code source leak summary
• WaveSpeedAI — Claude Mythos leak analysis
• Alex Kim — Undercover mode, frustration detection, fake tool injection

The post A Non-Developer’s Guide to the Claude Code Source Leak — 512,000 Lines of Secrets appeared first on Prsm Studio.

AI agents are having a moment. Among them, an open-source AI agent framework called OpenClaw has been making waves in developer communities. “Run an AI secretary on your own server,” “command anything via Telegram” — that’s the pitch.

So I tried it. Installed OpenClaw on the home server from Episode 1, connected it to a Telegram bot, and used it for about a week.

The verdict?

“Revolutionary? No. But a few things are genuinely useful.”

What Is OpenClaw, Briefly

OpenClaw is an open-source AI agent platform. Install it on your server, and AI doesn’t just chat — it actually executes tasks. It reads files, calls external APIs, and runs jobs automatically on a schedule. The biggest difference from ChatGPT is this “agency” — the ability to act, not just answer.

It integrates with messengers like Telegram and Slack, and you can extend functionality through a plugin system called “skills.” You can freely swap AI models — Gemini, Claude, GPT, local LLMs, whatever you want.

Installation is one Docker command. But the actual skill development and setup… I’ll get to that.

Connecting Telegram — Meet “Jolgae”

After installing OpenClaw, you connect it to a Telegram bot. Create one through BotFather, drop the token into OpenClaw’s config, done. That part’s easy.

The important part is the name. What do you call your AI assistant? After some thought — “Jolgae” (졸개).

Jolgae is a Korean word meaning “underling” or “lackey” — the lowest-ranking errand boy in the Joseon Dynasty military. Someone who just does what they’re told, no questions asked. Think about what an AI agent actually is. It’s fundamentally “a thing that does stuff when you tell it to.” No need for grandiose names like “Jarvis” or “Alexa.” Let’s be honest. It’s a lackey.

“Jolgae, what’s the weather?” “Jolgae, translate this.” — it just feels natural. Not some grand AI assistant, just an errand boy I boss around. Took five seconds to name it, but surprisingly satisfying.

Honestly, It Wasn’t Mind-Blowing

My expectations were high. “AI agent” sounds like science fiction. An AI secretary living on my server? Commands via Telegram?

But in practice… it’s not that different from texting ChatGPT. Ask a question, get an answer. Request a search, it searches. There were honest moments of “…is that it?”

The things developers rave about — the skill system architecture, model waterfall switching, API routing — technically elegant, sure. But as a regular user, “so what actually changes in my daily life?” matters more.

Opening the ChatGPT or Gemini app to ask a question versus texting Jolgae on Telegram — the difference isn’t dramatic. At least not at first.

But Then. Things Start Getting Convenient.

A few days in, I noticed something. “Hmm, I’d miss this if it were gone.”

It doesn’t dramatically change your life. But small conveniences stack up, and that stack gets surprisingly tall. Here are the features I found genuinely useful after a week.

1. Morning Briefing — No More Scrolling

Every morning at 7 AM, there’s a Telegram message waiting. Busan weather and air quality, exchange rates and gold prices, industry news I follow, AI tech trends, gaming news. Only topics I care about.

I used to open a news page on my commute and scroll through ads and clickbait until something interesting showed up. Now I don’t have to. AI reads the articles and sends 3-line summaries to Telegram. Two minutes on the subway and I’m caught up for the day.

Would I install OpenClaw just for this? That’s a stretch. But it’s the feature I use daily and enjoy most.

2. Voice Transcription — This Actually Saves Money

This was the surprise killer feature. Google Meet, Zoom, Teams, Webex — send Jolgae a meeting link and a bot joins the call, records it, and converts everything to text.

Whisper (open-source speech recognition AI) runs on the server and converts speech to text. Jolgae then summarizes the result, separating key points, action items, and decisions. Results auto-save to Notion too. When the meeting ends, the minutes are waiting in Telegram.

Cloud transcription services like Otter.ai run $20-30/month. This setup? $0. Everything processes on my server.

One realistic caveat though. Whisper is hardware-hungry. Running local Whisper on my server (Ryzen 7, 32GB RAM) with CPU only, a 1-hour audio takes over an hour to transcribe. Yes, slower than real-time. You wait as long as the recording — or longer. An NVIDIA GPU with CUDA would make it 5-10x faster, but my server only has an AMD integrated GPU (Radeon 780M). AMD doesn’t support Vulkan acceleration for this, so the GPU just sits there unused. CPU-only it is. You need at least 16GB RAM for the medium-quality model, and 32GB for comfortable large-model usage. On an 8GB machine, it’s practically unusable.

So I also use OpenAI’s Whisper API. Cloud processing makes the speed noticeably better. Still not snappy, but a lot more bearable. Free local vs paid API — pick depending on the situation. I’ll cover this feature in more detail in the next episode.

3. Weekend Outing Planner — My Wife Likes This One

Friday at 6 PM, “Weekend outing recommendations!” arrives on Telegram. It checks weekend weather, picks three seasonal courses near Busan. Each comes with the address, drive time, kid-friendliness rating, parking info, estimated cost, and a rainy-day backup.

Honestly, the recommendation quality isn’t always great. Sometimes it suggests odd places, or recommends spots I’ve already visited. But the time spent wondering “what do we do this weekend?” shrinks. Bad suggestion? Don’t go. Good one? Just go.

Sharing “how about here?” with my wife turns into a conversation starter. That’s way better than staring at each other asking “so… what should we do?”

4. Auto Blog Publishing — 10 Minutes Per Post

This blog itself is proof. Give Jolgae a topic and it handles keyword research, writing, SEO meta tags, stock image insertion, and bilingual KO/EN publishing to WordPress. About 10 minutes per post.

Of course, AI-written content doesn’t go up unedited. There’s always something to fix. AI has never produced a 100% perfect post. But starting from a blank page versus starting from an 80% draft is night and day. I’ll dive deeper into the blog auto-publishing pipeline in the next episode.

Things That Fell Short

An honest review means covering the downsides too.

• For general chat, ChatGPT is just better. Faster responses, higher quality answers. Opening the ChatGPT app is often more convenient than texting Jolgae on Telegram.
• Setting up skills isn’t easy. Officially, “no code needed.” In reality, you end up having AI write code for you. A non-developer adding new skills alone isn’t realistic.
• It’s dumb sometimes. Misunderstands commands, sends wrong results, or errors out for no apparent reason. “AI agent” absolutely does not mean infallible.
• Responses can be slow. Simple chat is fast, but tasks involving web search can take 30 seconds to a minute. Frustrating when you’re in a hurry.

ChatGPT vs OpenClaw — Side by Side

Bottom line: ChatGPT wins overwhelmingly on chat quality and speed. But if you need automation, scheduled execution, and server integration, OpenClaw can do things ChatGPT simply can’t. Different tools for different jobs.

So, Worth Installing?

OpenClaw is a good fit if you:

• Already have a home server running Docker
• Need daily, repetitive information gathering (news briefings, price monitoring)
• Do frequent voice transcription (this genuinely saves cloud service fees)
• Want everything unified through one Telegram bot

You can skip it if you:

• Are happy with ChatGPT Plus or Gemini Advanced subscriptions
• Don’t have repetitive tasks worth automating
• Don’t have a server — phone only

It’s not a revolution. But once set up, daily conveniences quietly accumulate. Morning briefings, voice transcription, weekend recommendations — those three alone made the installation worthwhile for me.

Technical Details (For the Curious)

My Jolgae (OpenClaw agent) configuration for reference:

OpenClaw installation itself is one Docker command. But skill development and detailed configuration? I had AI (Claude Code) do it for me. Honestly, a non-developer doing it alone is tough. But having AI do it for you counts as a valid approach. That’s how things work in 2026.

Currently Installed Skills (32)

Of these, only about 5-6 make a noticeable daily difference. The rest are “nice to have.” But those 5-6 showing up in Telegram every morning — that’s the whole point.

Next Episode Preview

The blog auto-publishing I briefly mentioned in this episode — next time, I go deep. How AI publishes a blog post in 10 minutes — from keyword research to bilingual KO/EN publishing, all broken down from a non-developer’s perspective.

EP.6 — AI Writes My Blog? Building an Auto-Publishing Pipeline.

The post Even a Code-Illiterate Built It! Home Server Journey (5) — OpenClaw: One Week Honest Review appeared first on Prsm Studio.