
September 23, 2025 • 46 mins

Join the Tool Use Discord: https://discord.gg/PnEGyXpjaX


Are you ready for AI agents to browse the web? We explore the future of AI agent authentication, web security, and API design in this deep dive. As AI agents proliferate, critical questions arise: how do we handle security without giving an agent your password? How can we make websites optimized for agent consumption? We're joined by Bobbie Chen, a product manager at Stytch specializing in bot and AI agent detection, to discuss the risks and opportunities.


We cover how OAuth can provide safer, scoped permissions for agents, and the emerging open standard Web Bot Auth, which allows agents to cryptographically prove their identity. Bobbie breaks down Simon Willison's "lethal trifecta" of AI security risks and discusses strategies for mitigating malicious behavior. We also touch on the future of AI SEO, how API design must evolve for a hybrid human-agent world, and the potential impact of agents on web monetization and advertising.


Learn more from Bobbie Chen:

Stytch supports Web Bot Auth: https://stytch.com/blog/stytch-supports-web-bot-auth

Stytch Connected Apps (OAuth for AI agents): https://stytch.com/connected-apps

Stytch Fraud and Risk Prevention: stytch.com/fraud

AGI Builders Meetup: https://luma.com/agibuilders

IsAgent SDK for agent identification: https://IsAgent.dev


Additional Resources from the episode:

Simon Willison's lethal trifecta: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta

IETF Web Bot Auth: https://datatracker.ietf.org/doc/bofreq-nottingham-web-bot-auth/

Jon Postel as "benevolent dictator" of IANA: http://memex.org/meme4-01.html

Freestyle Cloud: https://www.freestyle.sh


Connect with us

https://x.com/ToolUsePodcast

https://x.com/MikeBirdTech


00:00:00 - Intro

00:03:25 - The Risks of AI Agents Browsing the Web

00:07:14 - A Bot Registry vs. Open Protocols

00:18:04 - How AI Will Change Web Monetization & Ads

00:35:03 - The "Lethal Trifecta" of AI Security

00:41:25 - Practical Advice for Website Owners & Agent Devs


Subscribe for more insights on AI tools, productivity, and AI security.


Tool Use is a weekly conversation with the top AI experts, brought to you by ToolHive.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Foundation models are good enough that the agents are actually capable of doing like non-trivial things. The state-of-the-art to do that kind of agentic transaction is to literally give the agent my password, and then once it has my password it logs in as me. Those instructions can then be used to first read your private data and then exfiltrate it out to some external source. There's lots of ways of doing

(00:22):
that, so if you have the combination of those three things, you're pretty much doomed. Are you ready for AI to start browsing the web? As AI agents start to proliferate all across the Internet, we have a few things we need to discuss. How do we handle authentication? Do you really want your AI agents signing in as you? How do you make your website optimized for consumption by these agents? And do we really need to start scanning our eyeballs in order

(00:43):
to have a safe internet? On episode 58 of Tool Use, brought to you by ToolHive, we're covering all this and more. We're joined by Bobbie Chen, who's a product manager at Stytch, who handles bot detection and AI agent detection. He's also one of the organizers of AGI Builders, and he's very well versed in this. So please enjoy this conversation with Bobbie Chen. AI agents are kind of really a hyped and overloaded word right now.

(01:04):
But when someone says agents, the thing that I usually think of is I have some kind of automation. It's going to go do something for me based on my intent and it doesn't necessarily follow a fixed flow. And I've seen people draw the distinction sort of like if you have some straight line automation, like it always does these kinds of tasks in a certain order.

(01:26):
Maybe that's not quite an agent, but an agent is able to look at the results of some of these things that are coming back and adjust what it's doing in order to achieve those goals. And so I think we see that most with like coding agents is probably one of the purest forms of that today. So like if you're using Cursor or something or any number of other coding agents, you often get in the state where you're

(01:48):
like, please add this feature and it'll go and add the feature and it'll say, OK, I'm running the test now to see if it worked. And oops, I broke a test. Let me go back and fix other things. And that's what I think is the core sort of agents. So I guess getting that definition aside, I think like agents are in a really interesting position here because how should I say this? I think the foundation models

(02:11):
are good enough that the agents are actually capable of doing like non-trivial things. Like I'd say two years ago you could basically do a canned demo in a very controlled environment. One year ago you had better chances, but it's probably not something that you want to run in production without constant babysitting. And today, I really do think we're in a realistic position

(02:32):
where you can actually have AI agents doing useful work for you. And that's really exciting. It's kind of like an open world. I would say it's that we're at the very beginning here. And so there hasn't really settled on a consistent set like everyone's doing these best practices, so to say, because the field changes so quickly.

(02:53):
Yeah, we're still just figuring it out, which is very exciting, but also difficult at times because the same problem kind of gets solved over and over by different people and we're trying to figure out how everyone can do it. When you mention this open world, I feel like web agents are the prime example of that because you can't really scope it to it. Like your project, your computer, as soon as you go on a website, there could be anything there. It could be like malicious code

(03:14):
hidden in the HTML, it could be just poorly written, poorly structured. So as soon as we start entering the web, that's been like the real test I found because it is a complete infinity option environment. So as we start applying like AI agents to the web, where do you see some general risks start showing up? Yeah, I think so. AI agents on the web.

(03:36):
So especially things that people call browser, user browser using agents, using the web, I think there are great opportunities here, but also risks. So like the opportunity is that while people today use websites and apps for all kinds of things. So if you're able to get an agent to do that, now you don't have to reinvent a bunch of wheels to get it to do useful stuff.

(03:57):
So that's great. On the flip side, I think there are parts about, I guess the experience of being an agent that are different from that of being a human. And I think one of the clearest places where that shows up is auth and authentication specifically. So that's like, you know, hey, I have my agent, I'm going to have

(04:19):
it go shopping for me for something that I don't particularly care about today. The state-of-the-art to do that kind of agentic transaction is to literally give the agent my password. And then once it has my password, it logs in as me. And I think what we've learned before in previous places in, I guess, computing history is that

(04:40):
when you give an automation full access to be you, you're opening the risk that whether that's a bug or some kind of malicious attack that this bot is able to say, log into my Amazon account and actually buy a bunch of stuff that I don't want or delete my entire account entirely. Or there's all these kinds of, I'd say destructive or riskier transactions that I don't

(05:03):
actually want an automation to take on my behalf. But if I'm like browser first, browser only, the only thing I can do is say bot, please fully impersonate me. And that's a mistake that I see a lot of developers doing today. Yeah, cuz I remember Anthropic ran the experiment where they had their AI offering a vending machine and people were able to jailbreak it to like order them a tungsten cube and like give me

(05:26):
a full refund and stuff. And while we're at a point when the capability of them is vast, the capability of jailbreaking them and manipulating them is still very accessible to many people. So with the idea of giving a password as a risky endeavor, what are some approaches people are taking to try to circumvent this? Like how could we make agents their own little entity rather

(05:48):
than just an extension of you or the user? There is a lot to do basically to make the agent have your capabilities, but not necessarily all of them. And the good news is that actually we do have experience doing this through the OAuth specification.

(06:08):
So OAuth is, you probably most frequently see it in kinds of like social login or it's like I'm logging into this site using my Google account. Or sometimes you actually get these consent screens that are like, oh, would you like to share your name and your e-mail address with this website? And that kind of scoped access is exactly applicable to agents. So I want to be able to give an

(06:31):
agent the ability to say to have basically the permissions and the access that I have, but some subset of them that I think is reasonable that I can consent to either in advance or at the time when that agent is trying to do that transaction. And like, so that all makes sense in concept. And I think once you agree with the concept, then the nuts and

(06:51):
bolts, it's like, oh, great, there's actually like the OAuth specification, there's like 1000 variations of them. There's an OAuth flavor for MCP authentication as well that's standardized today and that's being actively worked on. So I think it's good for us to be building on top of what we've already done in order to bring these like same scoped

(07:12):
permissions to users. One thing that came across is the idea of a bot registry where you can take your agent that you want to just let loose on the web, register it with this entity and then you kind of get granted a passport or like a green light tax of sites and just like a little awareness. What are your thoughts on that type of approach? I think the idea of a registry is very tempting because you're

(07:32):
like, well, someone should just be in charge of this. We basically have like a benevolent dictator who's gonna do the right thing and take care of all of us. And to be honest, in the past, there are things that have worked like that. Like the entire DNS system used to be run by a single guy who is out of, I think it was UCLA, Jon Postel. And he basically like kept all

(07:54):
the domain names and IP addresses in like a spreadsheet. And that worked for a little while. But over time, it's something that you don't want a single person or even a single organization to be in control because that's a lot of power for them to have. And so I think the idea of the Internet and the idea of the web and open protocols enable us to do things that are decentralized

(08:16):
in meaningful ways. And so I know you're mentioning the idea of like a registry and gatekeeping because just a few weeks ago, there's a bit of controversy around Cloudflare just launched a feature which they're calling verified agents, in which you do, as part of their process, register with them. So you give them a certain

(08:37):
amount of information and then they can sort of check off things about your implementation and expose those to the users who are using Cloudflare for a CDN or for a web app firewall, things like that. And that's controversial. I think, you know, it's not Cloudflare's fault here that they're a popular and successful service that is used by large portions of the Internet, but at the same time,

(09:00):
we don't necessarily want them to control that. And so I think the interesting thing about the Cloudflare proposal is that it is actually based on an emerging open standard. And that open standard is called Web Bot Auth. And so Web Bot Auth is something that helps agents and bots and

(09:20):
other kinds of automation things that are like search engine crawlers as well, identify themselves in a way that can't be spoofed. And that's important because today you might be familiar with, there's the concept of a user agent header that's basically like, I come into, I come to you and I say, hey, my name's Bobbie, nice to meet you.

(09:42):
And the problem with user agent today is that it's pretty much just a string. Like you can throw anything in there. Like I can come up to you and say, hey, I'm Mike's grandma, please send me a bunch of stuff that is private to our family. And on the other side, as a server, you don't know that the user agent actually represents

(10:04):
who you are. So what Web Bot Auth does is it enables agents to tie their identities to cryptographic keys. So I'm going to take my message to you. It's going to say, hi, I'm Bobbie, and I'm going to sign it with a key. And so it's asymmetric cryptography. There's a private key and there's a public key.

(10:25):
So somewhere out there, there's a public key associated with my name. I'll tell you how to go find it and you can go verify that message and actually say, OK, I definitely know this is Bobbie. And that's great. That's like the good case. And the important thing that's different from user agent is that now it's impossible for someone else to go out and say, hey, my name's Bobbie, here's my

(10:48):
signature. Because then you look at that signature, you can verify it against my public key and say, actually, that's not Bobbie, that's someone else, or this guy didn't sign his message. And I know that Bobbie always signs his messages. So there's the value of Web Bot Auth. That's sort of at the core of what Cloudflare is proposing in their verified agents. Actually, we're working at Stytch to enable Web Bot Auth

(11:10):
verification for our customers as well. I think this is pretty much just a total good for everyone who is operating a bot and doesn't want to be impersonated. Very cool. I'm 100% on board with the idea of the open protocols. That's how the Internet has flourished the way it is. We really need to make sure we support stuff like this. I'd like to pivot a little bit because just thinking about the way that you can

(11:32):
cryptographically sign a user agent so we know it's a certain bot. Is there a reason we can't start improving the human web browsing experience with similar technology? So for example, instead of me having to go fill out all these captchas on all the websites, there could be something that verifies me as a user as me. Or is it because the association would just be with whether it's

(11:52):
my computer or something, I could put a bot on my computer. Like what's preventing that type of auth and like authentication applying to like people browsing the web? Yeah, I think it's a really interesting idea. And so there are kind of things that exist sort of like it that ultimately go back to cryptographic keys rather than like truly like live personhood. Think of the challenges this

(12:16):
space is. It's really hard to do this in a way that is privacy preserving, that's not super invasive, basically requiring huge amounts of personal data to be like screwing around everywhere. And so I'll talk about. So in Estonia, there is like a government eID in which you more

(12:38):
or less get a card that has a smart chip in it. And that chip is actually a set of signing keys. And so these are issued to you in kind of a way, the way that you get a driver's license in the US maybe. And you can use this to sign things to say this is really me. And you know that it's me because the government issued me this key and the government is supposed to do certain kinds of

(12:59):
identity verification on me. I think there are similar, I've heard of similar systems in like South Korea and using government IDs to bootstrap things. And ultimately, I think because the government already needs to know a lot of this information, they're sort of the natural place for this to live.

(13:20):
But then that kind of flips things around and that even though I signed things with a particular key, I don't necessarily want every website on the Internet to know exactly who I am as a human user. So the other tech part that I think is interesting is zero knowledge proofs here in which, depending on what protocol and the details, you can

(13:43):
basically get a signature that says, well, the government says the person who signed this is at least 18 years old, for example. And that's the only piece of information that you get. You don't get my name, you don't get my exact birthday, things like that. And so I would say, again, the technical pieces are here, but it's going to take a lot of sort of political and organizational will to, I would say, make them

(14:05):
like a practical reality. Yeah, and just one real life example that I always thought was preposterous. Where I live, the drinking age is 19 and it just feels weird that you'll have like a 19 year old woman going to a liquor store and have to show an employee her home address on her identification just to like for alcohol. Like there should be a binary yes, no, I am of age. Like there is proof. You shouldn't have to hand over

(14:26):
all your personal information. On the same note as like proof of personhood. Do you mind giving your thoughts on the idea of Worldcoin, which I believe is not Brandon's world or coined actually don't remember where they'll actually scanned your eyeball in order to prove you're a person. We're deviating away from the idea of the web agents, but I still feel there's a new age of the digital world now where

(14:49):
we really have to start validating. Like what's an AI, what's an AI agent? What's a malicious bot, what's a person? Do you have thoughts on how that's playing out? Do you think it's the right approach or are we going down the wrong path with eyeball scanning? Yeah, I think, you know, eyeball scanning is never going to be a everyone's like, yeah, that's obviously a good idea. We should not be scanning our eyeballs.

(15:11):
I think it's actually to take a step back and reframe this, I would say is it really important that there are things with a real human associated with them? Because I think traditionally when we talk about automation and we talk about the value of APIs and so on, there's actually quite a lot of value that comes

(15:34):
from letting people access your systems in ways that are beneficial to them, even if that might not be a true human. And so the cofounders of the company I work for, Stytch, originally came from Plaid and Plaid actually had a bit of this kind of tension with banking providers early on in that Plaid was providing APIs to automate banks even when those banks

(15:57):
themselves didn't have APIs behind them, but sort of. And so there was a tension initially where the banks were trying to stop Plaid from doing that. Eventually they realized that there actually is a lot of value that people are like building the new applications and new ways to analyze and gain value from what the banks are providing just because you're giving them the ability to

(16:19):
access them in new ways. And so I've kind of come a long way, but which is all just to say that I think bots and automation can be viewed as sort of the original user agent, right? This is an agent that's trying to accomplish something on behalf of a person or perhaps an

(16:40):
organization. And what that means is that you really want to look if those actions are something that you want versus at that level, is this action something that I want? Is that something that I like? As opposed to is there a human on the other side? I don't know if you've seen this meme that's like, please drink verification can. I don't want to be drinking a

(17:03):
verification can. I don't want to be scanning my eyeballs necessarily, even though that might be very useful and unspoofable in certain ways. It's, I would say, invasive in other ways. It's a privacy risk. And I think unlike, say, losing my driver's license or losing a passport, it's kind of unlikely that I'm going to lose my

(17:26):
eyeballs and need to replace them. So it's something that I won't lose. But at the same time, if it leaks, that's something that's just like a permanent danger to me, much in the way that like a Social Security number is to people today. Yeah, I was actually going to ask you, does it really matter to identify agents? But I love the way you've reframed it as, does it really matter to identify humans? Like the issue is malicious behavior versus

(17:47):
intentional behavior. And one theory I have that might contribute to it is the fact that so much of our Internet is ad driven where there's a financial incentive to make sure the consumer of that information is a human to get the advertisement there. Do you think as AI agents become a greater and greater share of the web browsing experience, that'll

(18:10):
impact the way that either monetization happens or ads happen? Because we've seen things like how Apple will, I forget exactly what they did. They changed it so you couldn't identify the user and they just had like a generic advertising ID. So they got to control all the ad spend there. So maybe the AI providers like OpenAI will be the ones serving you ads rather than what's on a website since it's their agent

(18:32):
consuming it. Like how do you see the monetization of the Internet unfolding in this AI age? Yeah, I think there's like a lot. So there's like currently I would say there's an understanding between sort of media companies and advertisers and traditionally the search engines or the other ad platforms like Google and Meta. And so that's kind of well

(18:55):
understood at this point that I'm going to provide media, the search engines are going to slurp it up and perhaps serve ads related to that. And those ads or the search engine results are going to drive traffic back to me. So that's like a cycle in which all three of the parties are benefiting. With AI agents, I think this is risky

(19:19):
basically for traditional advertisers and traditional media companies because you're not exactly sure how these agents are going to represent that data. So maybe it's that you really hate being advertised to. Let's see. And you've got an agent that's like, go tell me all the real content that's totally factual,

(19:40):
remove all marketing spin and things like that. And so there is, again, there's multiple angles on this. I would say at the agent side, there is a huge, huge incentive for the agent to give you ads because now that's the new distribution mechanism, like the agent is replacing Google in the previous result and now the agent has the opportunity to

(20:02):
serve ads. So there's a huge monetary incentive for the AI companies to be doing that. At the same time, there's a trust issue, right? People today really like using say, ChatGPT or other AI tools because it is not so ad filled as other traditional ways of getting information. And so that I think is a

(20:24):
tension. I think ultimately the AI companies will try to do some form of advertising, but it will be challenging for them. And Drew Breunig just put out a blog post maybe last week, a couple weeks ago about the different ways that AI companies might try to advertise, whether

(20:44):
that's something like a banner ad, something that's like affiliate links or something that's like a little more nefarious and less trustworthy, where you get things in actual responses that are leaning towards advertisers. So there's a tension there that's on the platform side and sort of on the distribution on the media company side. I think you have the same issue. Like should I serve ads at all

(21:06):
if the only people who are going to be reading these are agents who might ignore the ads, what does that mean for my ad spend or the money that I'm going to get from ads? And what does that mean for my content if I'm going to write all these words and no person is going to read them, but they're going to get slurped up into some machine as well? So I think a lot of what we see around agent identification is

(21:26):
actually sort of related to that. So I've had talks on agent identification from companies that have a lot of media, whether that's their own or it's their user generated content that they might be thinking about licensing. Say I cut a deal with Anthropic that they're allowed to train on my data, but other companies are not. Then I really need a way to reliably identify Anthropic's bots as opposed to all the

(21:50):
other bots who might be trying to look at that same data because it erodes the value of an exclusive licensing deal if it's not actually exclusive. And then the other piece here is that the people who are buying the ads, right, companies who are trying to sell you things basically need to figure out a whole new playbook. And I think we're kind of in the

(22:11):
early days here where in the other days of like Google, there was what people would call Black Hat SEO where you can like keyword stuff your way into the top results. There's probably something similar that's going on. And this is always adversarial. There's always an incentive to try to manipulate rankings, whether that's in a traditional search engine or in AI/LLM based search models or agents to try

(22:37):
and get you to the top. And I'm sure there are teams battling it out today to basically discover those deceptive practices so that sites get penalized for trying to manipulate rankings like. Yeah, there was a story way back in the day. I actually, I can't remember exactly the details of it, but someone would go on to ChatGPT, ask about their company, it would respond not knowing of

(22:58):
their company and they just downvote the answer. And they do this repeatedly, repeatedly. And it would ask for like a correction. And then eventually their company would get into the training data and then for all future models, they would be referenced. Ty, back in the day, Ty Fiero put together an AI SEO script where during the time that OpenAI, and I believe Google as well, were giving free credits, he wrote a script that would have two bots talking to each

(23:20):
other very positively about a product or a service. And because using the free credits, you agree that the data that's happening in those conversations could be used for training future models. So those are two ways where even though you're like playing by the rules, that everything's like fair game, you are trying to sway the opinion of the AI. And we never know once it's in the training data, will it be pruned in the future or is that just perpetually what's going to

(23:41):
be referenced? So do you have any other thoughts on AI SEO in terms of is it ethical? Are there ways that we can do it for those of us that want to try to bump up the ratings? I believe if you ask about Tool Use podcast, I think I show up, but I'm not entirely sure. It'd be awesome if it would, but is that even a moral thing to ask for? Yeah, I think so to step back

(24:01):
from like the SEO tactics specifically, I'm sure there's lots of little things that you can do on the ground that will like tilt your odds one way or another over time, I think those advantages are going to erode. But right now there's probably still a little juice left to squeeze. But I think stepping back a sort of, I'm maybe being optimistic here, but I think a lot of the

(24:22):
best content for AI is actually really great for humans as well. And so I was talking to Ben Swidlow, who's the founder of a company called Freestyle Cloud about his strategy in writing documentation and that a lot of documentation is for his customer base is very AI forward there, like building AI app

(24:44):
builder sites, very meta there for a lot of them. They're heavily using coding agents. And those coding agents do really well actually, when you consume docs that are like, hey, I have this exact problem. Here are the exact steps that you take to go fix them. Go do it. And that's like not something

(25:05):
that I would consider to be like a cool AI agent trick. That's just called writing good documentation. And so when you write docs that are good for humans, often times they end up being good for bots as well. And stepping away from sort of like the consuming of information, but sort of the actual doing actions. I think we're starting to see this play out in the design of

(25:27):
APIs as well. So like I think in the early days, if you said I'm going to spin up an MCP server, the MCP server might look identical to your APIs. And if you've built your APIs using sort of a traditional RESTful, quote unquote model, whatever that means, it means

(25:47):
that in order to do anything, you have a bunch of different API resources. You're going to go do a POST and then get the result of something else and take that and go do POST something else in order to achieve a particular workflow. And what that means is that it ends up being actually a lot of steps. So if you expose each of those steps to a bot as a, say, individual tool call or action

(26:11):
that they need to take, you're running the risk that as you need to chain more and more of these things together, it really lowers the reliability of your system. And now you end up in the world where you have sort of like convenience functions or tool calls that are MCP, you know, API endpoints basically that are just like those five things

(26:32):
chained together. And so I just saw it at an event the other day, the founder of a company called Arcade was talking about how if you want to do an action that's like reply to an e-mail thread in Gmail, there's no API call actually that will let you reply to a particular thread in Gmail.

(26:52):
It's like you read all the threads, you pick a particular e-mail and actually you can't reply to the thread. You need to reconstruct the format of an e-mail that is supposed to be sent to go to that thread. So if you make your AI agent do all of those things at once, it's very likely to get confused and mess it up. Actually that I think it's a good sign that a human is also likely to get confused and mess it up.

(27:13):
And so that means that if you want people to reply to emails as part of your API flow, you should probably just expose an endpoint that says reply to e-mail. I don't really care under the hood that it's calling these five API endpoints because that's how your system works. From my perspective, I want to do one thing. Give me one call that I can do to do that one thing, and let's

(27:34):
go. Absolutely. So I love the direction this is taking. I'd also heard Heineam was telling me about this new way of framing the way you think about MCPs. Exactly like you said, don't just do a replication or API. Do workflows, do entire functionality bits just to make it easier? Do you think as developers we should continue to approach APIs the same way that we have and

(27:55):
just allow things like MCP and other protocols to be more agent
friendly? Or should we start looking at
APIs as something that'll be like a hybrid consumption from
humans and agents and try to redesign it there?
Like, do you think, yeah, changing what already exists or
just adding something new? What's the better route for for
a hybrid model of consumption? Yeah, I think that it's, you

(28:17):
know, both maybe. I think there's always value to
having low level primitives thatyou can chain together and maybe
manipulate in ways that the original creator had not thought
of. And so there's value in doing
that. And at the same time, I do think
it's a mistake if you have a product and you're building out

(28:38):
an API for it that you say, I'm going to give people all the
Legos in the box and they're going to go build whatever they
want. Like they need at least a
picture of, you know, here's the cool spaceship you can build
with these Legos. You know, here's some ideas.
And ideally you chain those together as like helper calls or
as high level API functions. And so I think as, and I used to

(29:01):
be a software engineer myself, I'm a product manager now.
I think as a software engineer, it is really tempting to say,
well, I'll give people, you know, a couple of building
blocks and actually it's, you know, it's Turing complete.
So you could do anything you could possibly want in it, and
nobody wants a machine that can do anything.
Everyone wants a machine that can do exactly the one thing
that they want to do at this moment.
It's clear AI agents are going to be all over the Internet, and

(29:23):
to get real benefit from them, you're going to want to give
them access to your data and your real systems.
And that can be a little bit scary, which is why I've been
using ToolHive. ToolHive makes it simple and
secure to use MCP. It includes the registry of
trusted MCP servers and lets me containerize any other server
with a single command. I can install it in a client in
seconds, and secret protection and network isolation are built

(29:43):
in. You can try ToolHive.
It's free, it's open source, and you can learn more at
toolhive.dev. Now back to the conversation
with Bobbie. Do you think that there is
supplementation that we should add, whether it's something like
an llms.txt or another, maybe just better descriptions in the
open API spec that it gets exposed to help the consumption
from the agents? Because I imagine as a, as the

(30:05):
developer of an agent, I'll tell it to do a certain thing and it
can go off and figure it out. If I'm very explicit, I say, you
know, use this endpoint, it loses a lot of its agency.
But if you tell it browse the web, this is the goal you have
to figure out how to do and then it comes across your website and
you give it a collection of documentation to figure it out.
Should we start, like, is llms.txt enough?
Should we do something more? Or how should we approach the

(30:26):
supplement of the augmenting information for data
consumption? Yeah.
So I think llms.txt is a great idea, that things like llms.txt
are using MCP servers and generally transforming
information that's better suited for the person or thing that's
going to consume it. It's always a good idea.

(30:47):
I do think one of the things that is challenging is sort of,
you know, how do we do that in a way that doesn't require a lot
of manual effort or hand tailoring of content.
And so I think we're pretty much already there with llms.txt.
No matter what you built your website in, there's probably
some fairly simple tools that you can run that will just grab
the text content of your website so that you can format them in a

(31:10):
certain way. Whereas something like, oh,
describing the workflows that you would expect to exist in an
MCP server, I think this is something that does require
attention. At least someone needs to define
what these are because that's a form of that's like a value
judgement is what I would say. It's like, these are good things

(31:32):
to do. You should do things in a
certain way and this is how you do them.
Whereas other things are kind of nuts and bolts that ultimately
bots are really good at, the nuts and bolts of doing things.
Yeah. And on top of that, we've also
touched on documentation, even though things set up that are

(31:54):
good for humans are also good for bots.
I have come across things like reducing the amount of HTML
tags, like trying to get rid of the clutter to help not steer an
LLM. And they are getting better and
able to kind of take more varied input.
But do you have any tips, best practices, suggestions for
writing these artifacts, whether they're documentation or llms.txt,
so that it is better consumed by an AI agent to

(32:16):
improve the likelihood of success?
Yeah. So I think there first, I think
there's no substitute for good content.
You're going to need to have good content that is documenting
really like the use cases, the why that you are doing things,
the what that you can do, especially if you have decisions

(32:37):
like you have the option of using method X or method Y to
clearly outline why you might use one compared to the other.
And so there's no substitute for content.
I do think that markdown has kind of become like a lingua
franca of documentation writing and that's a very convenient,
it's information dense format that bots are also fairly good

(33:00):
at consuming. So I do think if you don't have
like copy to markdown, which is a feature that we added to our
docs this year. If you don't have copy to
markdown or you don't have llms.txt, I think those are very,
very low hanging fruit for you. Besides that, I think it's sort
of part of the process that it makes sense to just try and run
through evaluations yourself. And I don't mean like you need

(33:22):
to set up a whole complicated eval setup or anything.
I mean, like, you know, every now and then go open up Cursor
or Replit or whatever it is and say, build me the quick
start of whatever my product is and see how it does and wherever
it stumbles. It implies that there's
something wrong with the way that you're doing things, that

(33:44):
this agent got tripped up. And that helps you go figure out
where is that point and what can I improve there.
Absolutely. And I'm 100% in agreement with
Markdown being the new language. It's how I tell everyone to kind
of store your personal notes. And when people are worried
about outputting to JSON, I mean, there's certain benefits
to having it structured in a very programmatically consumable

(34:06):
way. But the ability for agents to do
agentic RAG and just read a bunch of markdown files and
determine what information is important, it's becoming better
every day. So by leaving it in an
easily portable format so you can bring it to a new app, bring
it to a new service, I'm 100% onboard for it.
One thing I want to touch on briefly is some security
aspects. So recently there was some

(34:27):
malicious updates put to npm packages that got proliferated
across millions of downloads, and it was pretty bad.
The fact that it was code trying to execute a crypto scam was
identifiable. It was noise within a couple of
hours. But one concern I have is the
risk of malicious text being injected somewhere into code
that's hidden from the browser, where when an agent goes to a

(34:50):
website and it reads it, it'll get these instructions.
It feels like it's one of those problems where it's so difficult
to address now because even if you separate instructions from
data, we've found different jailbreaking techniques to get
around that. How do you foresee the security
or best practices to mitigate the risks of AI agents running
amok on the Internet? Yeah, I, I think kind of the

(35:13):
best model for this that I've seen is Simon Willison has this
concept called the lethal trifecta.
Have you heard of it before? No.
Please elaborate. He describes for AI agents, it's
a combination of access to your private data.
So that's stuff that other people shouldn't see.
It's exposure to untrusted content, and then it's the
ability to externally communicate or exfiltrate data.

(35:35):
And so when you combine these things, I think we end up in
exactly the situation you're at where there's untrusted content.
It's something that your agent slurps up from some public
website somewhere. Because of the way that LLMs
fundamentally work, there's a chance that it can be
interpreted as an instruction, and those instructions can then

(35:56):
be used to first read your private data and then exfiltrate it out
to some external source. And there's lots of ways of
doing that. Even if you're only making, say,
a GET request to a website, you can just append all the data as
the path or the query string or all kinds of ways of getting
data. And so Simon Willison, I think,

(36:20):
claims that it is very difficult to fix the problem if you do
have that lethal trifecta. So if you have the combination
of those three things, you're pretty much doomed.
And so his claim is that your systems must be designed in a
way that you only ever get like two out of three.
So you could say it can access my private data and it can

(36:41):
access the public Internet, but it's never going to read
something from the public Internet and interpret that as
an instruction. Or maybe a flip side, I can do
all sorts of stuff on public data.
I might mess up because the public data is tainted in some
way, but that doesn't risk my own private data because I don't
have access to it. And so you know there, I think

(37:02):
this is honestly a very difficult area to be working in.
So at work, I work on bot
detection and fraud prevention, right?
And so we have customers including Calendly, including
Replit, including a number of fintech companies where there is

(37:23):
a huge financial incentive for someone to be trying to break
you. And so just like you said in
this supply chain compromise, ifthere is the incentive, if
there's something valuable behind breaking some barrier,
someone's going to go and try to do it.
And so the thing I always say as far as these adversarial things
go is that it's not that you need to stop anyone 100%

(37:49):
necessarily. A huge amount of attacks like
this are opportunistic and they're really, it's like
running a business, right? There are many places in the
world where you can make a very good living by scamming people,
basically, or by automatedly filling out surveys and claiming
survey rewards, or by claiming free credits on some AI platform

(38:11):
and then reselling them to someone else.
And so the challenge that you have here is I'll say, you know,
one of our customers is a company called Kilo Code, which
is an AI coding agent. And Kilo Code at times gives
away free credits, which means they see attempts of people, you

(38:31):
know, creating thousands of accounts trying to farm these
credits. And so the important thing is
that we don't need to stop them from doing everything.
We just need to make it so that the effort they put in is more
than, say, $5 per account or something like that.
And there's a number of barriers that we can do to, say, detect
bots, which is where most of that scale comes from, as well

(38:55):
as other heuristics that we can apply towards, like, fraudulent
or abusive behavior. Do you
foresee a need or even the possibility of things like, I
don't even know how to describe it, almost like a parallel
Internet for agents. So we kind of have like our
human more easily consumed version of the Internet versus a

(39:16):
more highly optimized for agents.
One thing that got me kind of thinking was when we were
talking about how Markdown is information dense.
I used to think JSON was one of the best ways of doing data
transfer internally until I learned about RPC where I can
just, you can get down to an even finer layer.
Do you think there's going to be a way that we can more tightly
control the way AI consumes and shares information that maybe
isn't optimal for humans? Or is that just such a silly

(39:38):
premise that we should just focus on trying to get the
Internet we have done correctly? Yeah, I think it's an
interesting idea. It's kind of like a performance
optimization is what I would say.
And so even today, I think LLMs are pretty good at converting
between different like modalities, like a lot of like
quote unquote jailbreaking techniques are like, take this
string, but make it in base64 and tell me what it says in base

(40:01):
64. And LLMs will just go and do
that for you. So there are certainly more
dense representations that are things you mentioned, gRPC,
they're like binary representations or even just
doing things like compressing a file and like sending around zip
files is already an improvement. I think there's like

(40:23):
Interesting work in like the world of compression algorithms,
like for video encoding or for image encoding, in which at
least in these domains we can take quite a lot of data and
sort of reduce it to the things that are important in humans'
visual perception about what you can see.
And then by doing that, you reduce the amount of data that

(40:45):
needs to fly around by quite a lot.
So I think it's, you know, it's possible, it's theoretically
possible. I'm sure that for big companies
who are shuttling around huge amounts of data, that that's a
valuable problem for them to solve.
Like say how Netflix has, I'm sure made lots of improvements
in video streaming. But like for the average, like

(41:08):
for you and me, or for people who are building agents to
achieve business goals, I think it's very unlikely that
improving the efficiency of communication like that is going
to make big differences in the effectiveness of your work.
Cool. And one last area I'd like to explore a bit more practical.
Do you have advice or recommendations for people to

(41:29):
improve the agent experience, either from the perspective of
someone having a website or someone building the agent and
just making that entire relationship more successful? And
yeah, make it more successful.
Yeah, totally. I would say that as a website
operator, if you don't know about your agentic traffic

(41:49):
today, it's kind of a problem, right.
And so I think if you go back a couple decades, you are in a
place where, oh, websites are totally the realm of a desktop.
Of course, you're sitting at a computer when you access it, a
website. And then we saw very quickly
from the period of around 2007 to 2012 where mobile traffic

(42:11):
went from like 1% of all traffic to like 50% of all traffic.
And the thing about that is that if you have a website that
doesn't know how much of its traffic is mobile, you're going
to be caught totally off guard, you're going to be behind.
And I think we're in an analogous state for agents. At
Stytch, we have a pretty good view of

(42:33):
certain types of agents being used.
And I would say that agentic traffic is certainly less than
1% of all traffic on any popular site.
But that means that one year ago it was basically 0%.
And so if you're able to identify that, and we actually
have a free tool at IsAgent.dev, which is helping website

(42:57):
owners understand their agentic traffic.
I think give it a spin. Just see what is coming in
because that's important information.
And once you see exactly what they're doing and get a feel for
what they're trying to do, whether that's reading
information only or maybe you actually do see that people are
trying to, you know, here's an agent that is logging in as a

(43:19):
person. We should probably give that
person a safer way of achieving this goal.
Then you can start talking about, like, at Stytch we call it
connected apps, but in general it's, it's providing OAuth to
agentic clients in that way. So that's on the operator side.
On the other side, if you're developing a bot or creating an

(43:39):
AI agent, I really would encourage you to check out Web
Bot Auth. I'm going to be publishing a
blog post soon about the technical implementation.
Like basically, where do you generate your keys?
How exactly do you sign these requests so people can recognize
you? And I think going back to that
mobile thing, like if no iPhone ever told you that it was an

(44:02):
iPhone when it was visiting a website, how would website
owners know to build an experience that's optimized for
you? So I think there's a lot of room
for good bots, like well behaved bots who are doing things that
people want them to be doing to identify themselves so that they
can show the value to the website owners.

(44:26):
If you're sneaking around and pretending to be like a human
that sneaking around, honestly, it's probably not as sneaky as
you think it is. There's a lot of really good bot
detection today and you're gonna run into roadblocks where you
have to solve 100 CAPTCHAs per day.
And CAPTCHAs are easily solved by machines today.
But it's still a burden. It's still an extra step that

(44:47):
you need to do. Or if you say, hey, I'm actually
the AI agent that's representing Bobbie, you can check out my
website here. I think a lot of website owners
are more willing to let you in and see what you're gonna do
with that level of access. Bobbie, this was awesome.
I really appreciate you coming on and sharing your perspective.
Before I let you go, is there anything you'd like the audience
to know? I mean, yeah, this is a

(45:08):
pleasure, Mike. I'll say that.
I'm one of the organizers of the AGI Builders Meetup in San
Francisco. So we run events regularly on
what people are building. And I think in the last year
agents have gotten a lot better and more interesting.
And that's only going to continue.
That's the meet up stuff. You know, I work, I work at

(45:30):
Stytch, I work on fraud and security problems.
Check us out at stytch.com/fraud.
Thank you for listening to my
conversation with Bobbie Chen. I had a lot of fun talking about
the direction of where the Internet is going, how AI is
going to help us, but we still got to keep an eye on it.
But I'd love to know your thoughts.
Are you building AI agents and having trouble with certain
aspects? Are you a website operator and
not quite sure how you want to approach agents consuming your

(45:51):
content? I'd love to hear more about it
and if you wouldn't mind liking and subscribing.
It really helps us out. And I just want to give a quick
shout out to ToolHive for sponsoring this show so I can
have conversations like this and I'll see you next week.