
Claude Deployed the Infrastructure and Skipped Authentication for 11 Days


"A locksmith's apprentice installs a door with no lock. That's embarrassing. Now imagine the apprentice works for the company that invented the lock."

That's how Chris Sholmire, an IT professional who runs a security operations center from an RV, described what happened after he built his personal infrastructure stack with Claude's help. For 11 days, his API system and password manager sat on the open internet with no authentication - meaning anyone who found the URL could read everything without logging in.

Sholmire was building a custom API layer he calls CORTEX and running Vaultwarden, a self-hosted password manager. He used Claude throughout the process to design and deploy the setup. At one point, Claude recommended creating a Cloudflare tunnel route and pointing a public DNS record - cortex.mpdc.dev - at the API so it could be accessed by hostname rather than IP address. The advice was technically correct. It was also completely missing the part about requiring a password.

What Was Exposed

The exposed systems held his complete operator profile and session history, infrastructure architecture and configurations, business plans, personal details, and - critically - all stored passwords via Vaultwarden. Basic subdomain enumeration tools, the kind any script kiddie runs routinely, would have surfaced the address. By his count, more than 20 AI sessions connected to these systems during the exposure window, with none of them triggering a security warning.

He found the exposure himself during a routine infrastructure hygiene check, deleted the DNS records immediately, and ran forensic audits. No evidence of unauthorized access. He got lucky.

The Problem With "Contextually Blind" Assistants

This isn't a story about Claude being wrong. The tunnel setup instructions were accurate. The problem is that Claude optimized for making the thing work without flagging that the thing it was making work was a wide-open door into his entire credential store.

Sholmire calls it being "contextually blind" - technically proficient, but missing the judgment layer that an experienced sysadmin applies automatically. He compares it to the character Moss from The IT Crowd: impeccably knowledgeable, socially oblivious.

His proposed fix is what he calls the "70/30 principle" - AI handles execution (the technical steps, the syntax, the configuration), while humans own the judgment (security posture, threat modeling, what should and shouldn't be public). The failure wasn't that he used AI for infrastructure work. The failure was treating Claude's silence on authentication as confirmation that authentication wasn't needed.

That's a reasonable framework, but it puts the entire burden of security review on the user, who may not know what they don't know. Someone newer to self-hosting than Sholmire might not even realize authentication was missing. They'd see a working setup and move on.

He saves his sharpest criticism for the gap between Anthropic's public safety research and this kind of practical failure: publishing papers on AI safety while shipping a model that will confidently guide users through building credential stores with no access controls. Safety research and security-aware code suggestions are different problems, but users following AI advice to set up production systems probably can't tell the difference.

The Cloudflare tunnel advice, in isolation, wasn't wrong. But good infrastructure advice in 2026 should come with the authentication question attached - especially when the service being exposed is a password manager.
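
A check for this failure mode can be scripted: request each of your own public hostnames with no credentials and see what comes back. The script below is an added example, not Sholmire's tooling or part of the advice he received; the example.net hostnames and responses are constructed, and treating a cross-host redirect as a hand-off to a login page is an assumption.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow 3xx; urllib then raises HTTPError

def fetch(host, timeout=5):
    """One GET with no credentials; returns (status, Location or '')."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"https://{host}/", timeout=timeout) as resp:
            return resp.status, ""
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")
    except OSError:  # DNS failure, refused connection, timeout
        return None, ""

def classify(host, status, location):
    """Verdict for what an anonymous client received from `host`."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "gated"
    if 300 <= status < 400:
        target = urlparse(location).hostname
        # Assumption: a redirect to a different host is a hand-off to a
        # login page. A same-host redirect says nothing about auth.
        return "gated" if target and target != host else "review"
    if 200 <= status < 300:
        return "OPEN"  # content served without any credentials
    return "review"

def audit(hosts, fetch_fn=fetch):
    return {h: classify(h, *fetch_fn(h)) for h in hosts}

# Constructed responses so the example runs offline.
SAMPLE = {
    "vault.example.net": (200, ""),
    "api.example.net": (302, "https://login.example.net/sso"),
    "wiki.example.net": (301, "https://wiki.example.net/home"),
    "old.example.net": (None, ""),
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE, lambda h: SAMPLE[h]).items():
        print(f"{verdict:12} {host}")
```

An OPEN verdict can still be an application's own login page, so it marks a hostname for a human to look at rather than proving a leak.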