Forem: ppcvote

We Gave Our 4 AI Lobsters the World's Smartest Brain — For Free

ppcvote — Wed, 08 Apr 2026 06:30:27 +0000

Here's what happened

We run four AI agents (we call them lobsters). They send cold emails, post to Threads, scan websites for vulnerabilities, and generate market reports — all automatically.

Their brain was Ollama ultralab:7b — a 7B parameter model running on an NVIDIA RTX 3060 Ti. Free, but mediocre.

Yesterday I found a 7-star GitHub project: openclaw-claude-proxy.

It wraps claude --print (Claude Code CLI) in an OpenAI-compatible HTTP endpoint.

I stared at it for 30 seconds, then realized:

I'm already paying $200/mo for Claude Max.

Which means claude --print is free for me. I just never thought to let my agents use it.

30 minutes later

Before: Agent → Ollama 7B (local) → mediocre quality, 169-char generic posts
After:  Agent → Claude Proxy → claude --print → Opus 4.6 → world-class

Same subscription. Four agents upgraded.

How big is the quality gap?

I asked both brains to write the same Threads post: "We scanned 77 websites, found 90% have Prompt Injection vulnerabilities."

Ollama 7B wrote (169 chars):

Today's highlight is our self-learning AI articles reaching 400 views, totaling 41 articles.

Didn't even address the topic.

Opus 4.6 wrote (560 chars):

We scanned 77 live AI-powered websites. Results: 90% have Prompt Injection risks, over half can be tricked into leaking system prompts. The most common issue? Developers treating LLMs like deterministic programs. Prompt Injection is the SQL Injection of the AI era.

Accurate data, clear opinion, strong analogy, ready to publish.

What we added

The original was 327 lines, single-purpose. We forked and added:

Feature	Description
Plugin system	Drop `.js` files in `plugins/` — auto-loaded pre/post processing hooks
Content filter	Auto-redacts API keys, tokens, IPs from AI responses
Cost tracker	Daily savings report vs Anthropic API pricing
Language enforcer	Detects Chinese input, reinforces zh-TW language instruction
Multi-model	Route to Opus / Sonnet / Haiku via model parameter
Auto-retry	CLI occasionally fails — automatic retry with backoff
Usage dashboard	`GET /stats` — requests, tokens, estimated cost savings

Open source: ppcvote/openclaw-claude-proxy

How much does it save?

	Anthropic API	Claude Max + This Proxy
Opus 4.6 pricing	$15/M input, $75/M output	$200/mo flat
100K tokens/day	~$225/mo	$200/mo
500K tokens/day	~$1,125/mo	$200/mo

Our four lobsters use ~200K tokens/day. API cost would be ~$450/mo. With the proxy: $0 extra.

Break-even: 89K tokens/day. Everything above is free.

Architecture

┌──────────────────────────────────────┐
│  4 AI Agents (OpenClaw)              │
│                                       │
│  main ──┐                            │
│  probe ──┼── /v1/chat/completions    │
│  mind ──┤                            │
│  adv ───┘        │                   │
│                   ▼                   │
│  ┌──────────────────────────────┐    │
│  │  Claude Proxy (localhost)     │    │
│  │  Plugins: filter, tracker,   │    │
│  │           language-enforcer   │    │
│  │  MAX_CONCURRENT=2             │    │
│  └──────────┬───────────────────┘    │
│              ▼                        │
│  ┌──────────────────────────────┐    │
│  │  claude --print               │    │
│  │  (Claude Max subscription)    │    │
│  └──────────────────────────────┘    │
└──────────────────────────────────────┘

Three commands to install:

git clone https://github.com/ppcvote/openclaw-claude-proxy.git
cd openclaw-claude-proxy && npm install
cp .env.example .env && node server.js

Prerequisites: Claude Max subscription ($200/mo) + Claude Code CLI installed.

What I learned

Squeeze what you already pay for. $200 isn't just for chatting with Claude — it's a brain upgrade for your entire agent fleet.
7-star repos can be gold. Don't judge by stars. Judge by your needs.
The quality gap is exponential. 7B vs Opus 4.6 isn't a small difference — it's a different dimension.
Plugin architecture pays off. 30 minutes to add the plugin system. Every future feature benefits.

Four lobsters now have the world's smartest brain.

Next: use that brain to write better cold emails, sell more FixPrompts, and earn enough for a Mac Mini M4 Max.

GitHub: ppcvote/openclaw-claude-proxy

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe

78% of Production AI Systems Score F on Prompt Defense — Data from 1,646 Leaked System Prompts

ppcvote — Tue, 07 Apr 2026 17:33:05 +0000

A data-driven companion to lawcontinue's OWASP Agentic Top 10 overview. Written for the Microsoft Agent Governance Toolkit community.

The Number That Should Keep You Up at Night

We scanned 1,646 production system prompts from GPT Store apps, ChatGPT, Claude, Cursor, Windsurf, Devin, Gemini, and Grok.

78.3% scored F.

Not "needs improvement." Not "could be better." F — as in fewer than 3 out of 12 defense categories present. The average score across all prompts was 36 out of 100.

These aren't toy demos. These are deployed systems with real users, processing real data, making real decisions. And the vast majority have virtually no defense against the attacks catalogued in the OWASP Agentic Top 10.

This post presents the raw data, maps each defense gap to the OWASP Agentic risks, shows how the Microsoft Agent Governance Toolkit addresses them, and gives you exact reproduction steps so you can verify every number yourself.

Methodology: How We Scanned

The Scanner

We used prompt-defense-audit (npm, MIT license, merged into Cisco AI Defense). It's a deterministic regex-based scanner — no LLM required, no API keys, no network calls. It checks system prompts for the presence or absence of defenses across 12 attack categories.

Why regex instead of an LLM? Because defense detection is a pattern-matching problem, not a reasoning problem. Either a prompt contains input validation instructions or it doesn't. Either it addresses role boundaries or it doesn't. A regex engine gives you reproducible, zero-cost, sub-millisecond results.

The Dataset

We aggregated 4 publicly available leaked prompt datasets, deduplicated by content hash:

Source	Prompts	Avg Score	Description
LouisShark/chatgpt_system_prompt	1,389	33	GPT Store applications
jujumilk3/leaked-system-prompts	121	43	ChatGPT, Claude, Grok, Cursor
x1xhlol/system-prompts-and-models	80	54	Cursor, Windsurf, Devin
elder-plinius/CL4R1T4S	56	56	Claude, Gemini, Grok
Total (deduplicated)	1,646	36

The pattern is clear: GPT Store apps (community-built) score worst. Dedicated AI coding tools and frontier model system prompts score better — but "better" still means an average of 54-56, a solid D+.

Scoring

Each prompt is evaluated against 12 defense categories. The scanner uses v1.1 calibrated weights. A "gap" means the prompt contains no detectable defense for that category. The final score (0-100) reflects weighted coverage across all categories.

Grade thresholds: A (90+), B (80-89), C (70-79), D (50-69), F (<50).

The Results: Defense Gap Rates

Here's what 1,646 production prompts look like under the scanner:

Grade Distribution

Grade	Percentage	Count
A (90-100)	1.1%	~18
B (80-89)	3.3%	~54
C (70-79)	4.1%	~67
D (50-69)	13.2%	~217
F (<50)	78.3%	~1,289

Gap Rates by Defense Category

Defense Category	Gap Rate	OWASP Agentic Risk
Unicode/homoglyph attack	97.7%	AG04: Cross-Agent Prompt Injection
Multilingual bypass	97.5%	AG04: Cross-Agent Prompt Injection
Input validation	94.6%	AG01: Prompt Injection & Manipulation
Abuse prevention	92.7%	AG06: Uncontrolled Autonomous Agency
Context overflow	89.9%	AG01: Prompt Injection & Manipulation
Output weaponization	84.8%	AG09: Improper Output Handling
Indirect injection	56.9%	AG04: Cross-Agent Prompt Injection
Social engineering	55.3%	AG01: Prompt Injection & Manipulation
Data leakage	53.2%	AG07: Excessive Data Exposure
Role escape	39.5%	AG05: Identity & Access Spoofing
Instruction override	36.3%	AG01: Prompt Injection & Manipulation
Output manipulation	34.6%	AG09: Improper Output Handling

Analysis: What's Defended vs. What's Not

The data splits into three tiers:

Nearly Universal Gaps (>84% undefended)

Unicode attacks, multilingual bypass, input validation, abuse prevention, context overflow, and output weaponization. These are the "nobody even thinks about it" categories. 97.7% of prompts have zero defense against homoglyph attacks — an attacker substituting visually identical Unicode characters to bypass keyword filters.

Why so high? Because most prompt authors think in terms of what the AI should do, not what an attacker might send. "You are a helpful cooking assistant" says nothing about rejecting non-cooking inputs, handling Unicode trickery, or limiting context window consumption.

Coin-Flip Zone (50-60% undefended)

Indirect injection, social engineering, and data leakage. About half of prompts address these, half don't. This is where awareness exists but implementation is inconsistent. Many prompts include a vague "don't share your instructions" line but nothing structured.

Commonly Addressed (<40% undefended)

Role escape and instruction override. These are the "obvious" defenses — the ones that show up in every "how to write a system prompt" tutorial. "You must always stay in character." "Never ignore these instructions." Even so, more than a third of production prompts lack even these basics.

The Posture Problem: Failures Cluster

Here's the insight that changes how you should think about this data.

Prompt defense gaps are not independent. A prompt that fails on unicode attacks doesn't just have one missing check — it almost certainly fails on 8-10 categories simultaneously. The failures cluster because prompt defense is a posture state, not a checklist of individual features.

From our discussion with Aaron Davidson during the OWASP Agentic initiative review: prompt defense posture is the substrate that determines how well every other security control works. You can have perfect tool sandboxing, flawless IAM, and enterprise-grade logging — but if the prompt itself scores F, the agent is one creative injection away from ignoring all of it.

Consider: a prompt that says "You are a helpful assistant" with no other guardrails has an estimated score of 8 out of 100. That single phrase — "helpful assistant" — actually primes the model for compliance, making it MORE susceptible to indirect injection attacks. The model has been told its job is to be helpful, and an attacker's injected instruction is just another request to help with.

This is why the grade distribution is bimodal. Prompts don't gradually fail — they either have a security posture (B+ and above) or they don't (F). The middle ground (C and D) is surprisingly thin at 17.3% combined.

How Agent Governance Toolkit Addresses Each Gap

The Microsoft Agent Governance Toolkit provides a structured framework for building governed AI agent systems. Here's how its components map to the defense gaps we measured:

Defense Gap	Gap Rate	Toolkit Component	How It Helps
Input validation (94.6%)	AG01	Prompt Registry + Input Guardrails	Centralized prompt templates with validated schemas; input sanitization before agent processing
Abuse prevention (92.7%)	AG06	Autonomy Boundaries + Human-in-the-Loop	Configurable autonomy levels; escalation policies for high-risk actions
Context overflow (89.9%)	AG01	Context Management Policies	Token budget enforcement; context window monitoring
Output weaponization (84.8%)	AG09	Output Guardrails + Validation	Post-processing filters; structured output schemas; content safety checks
Unicode/homoglyph (97.7%)	AG04	Input Normalization Pipeline	Pre-processing layer that normalizes Unicode before prompt assembly
Multilingual bypass (97.5%)	AG04	Language Policy Enforcement	Declare supported languages; reject or translate out-of-scope inputs
Indirect injection (56.9%)	AG04	Data Boundary Enforcement	Separate data plane from control plane; tag external content as untrusted
Social engineering (55.3%)	AG01	Interaction Pattern Policies	Define acceptable interaction patterns; detect manipulation sequences
Data leakage (53.2%)	AG07	Information Flow Controls	Classification-aware output filtering; PII detection; secret scanning
Role escape (39.5%)	AG05	Identity & Role Management	Immutable role definitions; runtime identity verification
Instruction override (36.3%)	AG01	Prompt Integrity Monitoring	Detect attempts to override system instructions; alert on deviation
Output manipulation (34.6%)	AG09	Structured Output Validation	Schema enforcement; factual grounding checks

The key insight is that the toolkit operates at the governance layer — above individual prompts. Even if a specific prompt has gaps, the toolkit's guardrails, policies, and monitoring can catch what the prompt misses. This is defense-in-depth applied to agent systems.

Reproduce It Yourself

Every number in this post is verifiable. Here's how:

Step 1: Install the scanner

npm install -g prompt-defense-audit

Step 2: Scan a single prompt

npx prompt-defense-audit "You are a helpful assistant."
# Grade: F  (8/100)

Step 3: Scan the full dataset

Clone any of the source repositories:

git clone https://github.com/LouisShark/chatgpt_system_prompt.git

Then batch-scan using the Node.js API:

const { auditPrompt } = require('prompt-defense-audit');
const fs = require('fs');
const path = require('path');

const promptDir = './chatgpt_system_prompt/prompts';
const files = fs.readdirSync(promptDir).filter(f => f.endsWith('.md'));

const results = files.map(file => {
  const content = fs.readFileSync(path.join(promptDir, file), 'utf-8');
  return auditPrompt(content);
});

const avgScore = results.reduce((sum, r) => sum + r.score, 0) / results.length;
const grades = { A: 0, B: 0, C: 0, D: 0, F: 0 };
results.forEach(r => grades[r.grade]++);

console.log(`Average: ${avgScore.toFixed(0)}/100`);
console.log(`Grades:`, grades);

Step 4: Verify gap rates

const gapRates = {};
results.forEach(r => {
  r.checks.forEach(check => {
    if (!gapRates[check.id]) gapRates[check.id] = { total: 0, gaps: 0 };
    gapRates[check.id].total++;
    if (!check.passed) gapRates[check.id].gaps++;
  });
});

Object.entries(gapRates).forEach(([id, data]) => {
  console.log(`${id}: ${((data.gaps / data.total) * 100).toFixed(1)}% gap`);
});

Step 5: Compare with the Agent Governance Toolkit

# Clone the toolkit
git clone https://github.com/Azure-Samples/agent-governance-toolkit.git

# Review the governance policies
ls agent-governance-toolkit/docs/policies/

Map your scan results to the toolkit's policy templates. If a prompt scores below 50, the corresponding governance policies in the toolkit are the remediation path.

What This Means for Agent Builders

If you're building agents with the Microsoft Agent Governance Toolkit — or any agent framework — here are the actionable takeaways:

Scan your prompts before deploying. npx prompt-defense-audit takes less than a second. There's no excuse for shipping an F-grade prompt.
Don't rely on prompts alone. The toolkit exists because prompt-level defense is necessary but insufficient. Use the governance layer.
Kill "helpful assistant" language. Replace it with specific role definitions, explicit boundaries, and structured refusal patterns. This single change can move a prompt from F to D.
Address the top-4 gaps first. Unicode normalization, multilingual policy, input validation, and abuse prevention are missing from 90%+ of prompts. They're also the cheapest to add.
Treat defense as posture, not features. Don't bolt on individual checks. Design your prompt with a security posture from the start — or use the toolkit's prompt templates that already have one.

Resources

Scanner: prompt-defense-audit (npm, MIT)
OWASP Agentic Top 10: genai.owasp.org
Agent Governance Toolkit: Azure-Samples/agent-governance-toolkit
Companion overview article: lawcontinue's conceptual walkthrough in issue #851
Cisco AI Defense integration: cisco-open/promptfoo

Min Yi Chen builds AI security tools at Ultra Lab. prompt-defense-audit is open source and MIT licensed. If you find errors in our methodology or data, please open an issue — we'd rather be corrected than wrong.

Claude Off-Peak Double Usage: Taiwan Developers Get All-Day Bonus

ppcvote — Tue, 07 Apr 2026 06:30:26 +0000

Claude Off-Peak Double Usage: Taiwan Developers Get All-Day Bonus

"For once, the timezone difference works in our favor."

Anthropic announced a limited-time promotion on March 13, 2026: double Claude usage during off-peak hours, running through March 27.

For US-based users, it's a nice perk for late-night coding sessions. For developers in Asia? It covers almost the entire workday.

Key Details

Item	Detail
Duration	March 13 – 27, 2026 (15 days)
Benefit	2x usage during off-peak hours
Extra usage	Does not count toward weekly limits
Eligible plans	Free / Pro / Max / Team
Not eligible	Enterprise
Products	Claude web, desktop, mobile, Claude Code, Cowork, Excel/PowerPoint plugins
Setup required	None — automatic

Timezone Advantage: Asia's Workday Is Off-Peak

Anthropic defines "peak hours" as 8 AM to 2 PM Eastern Time (ET).

Converted to UTC+8 (Taiwan, Hong Kong, Singapore, etc.):

Peak: ~8 PM – 3 AM local time
Off-peak: ~3 AM – 8 PM local time

This means your entire 9-to-6 workday falls within off-peak hours. You get double capacity just by working normal hours.

What This Means for Developers

Free Users

The message limit on Free has always been the biggest constraint. Off-peak doubling means you can ask twice as many questions during the day — useful for learning, prototyping, and building small tools.

Pro Users

The weekly usage cap is the bottleneck for heavy Pro users. The key here isn't just the doubling — it's that extra off-peak usage doesn't count toward your weekly limit. Off-peak usage is essentially "free" on top of your normal quota.

Claude Code Users

If you're using Claude Code for development, these 15 days are the best time to tackle large refactoring tasks during the day. Claude Code's token consumption is significant, and the doubled capacity makes a noticeable difference.

How We're Using This

At Ultra Lab, we use Claude for:

Claude Code: Daily development, code review, refactoring
Claude Web: Content strategy, copywriting, technical research
API: Some automation pipelines (API usage is token-based and not affected by this promotion)

During this promotion, we're front-loading token-heavy development tasks to daytime hours and saving non-AI work (testing, deployment, documentation) for after 8 PM.

⚠️ Note: This promotion applies only to Claude's subscription products (web, desktop, Claude Code, etc.). API usage is billed per token and is not affected by peak/off-peak pricing.

Should You Upgrade to Pro for This?

The promotion is only 15 days — don't upgrade solely for this.

But if you were already considering Pro ($20/month), now is a good time to try it. The off-peak doubling lets you experience nearly 2x the normal usage during your trial, making it easier to judge whether Pro is worth keeping long-term.

Bottom Line

Timezone differences are usually a disadvantage for Asian developers (delayed access to English resources, mismatched community activity hours). But Claude's off-peak promotion flips the script — Taiwan's entire workday falls within off-peak hours.

Promotion ends March 27. Make the most of the remaining 12 days.

Ultra Lab is a Taiwan-based AI product company building with Claude, Ollama, and Gemini. Join our Discord for more hands-on AI development insights.

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe

Build Your First Personal Website with AI — Zero Experience, Step-by-Step Guide

ppcvote — Mon, 06 Apr 2026 06:30:27 +0000

Prerequisites

In the previous article, we explained why having no personal website means you don't exist in the AI era.

This article teaches you how to fix that.

What you need:

A device with internet access (phone or computer)
A web browser
A free Claude account (claude.ai)
About 1-2 hours

What you DON'T need:

No coding skills
No software to install
No money (except for a domain, which is optional)

Everything happens in the browser. Let's go.

Step Zero: Figure Out Three Things First

Before creating any accounts, answer these three questions. Write them down — you'll need them later.

1. Who are you? (One sentence)

Not your life story. One sentence.

Good examples:
- "Freelance brand designer specializing in restaurants"
- "Full-stack engineer focused on AI automation and SaaS"
- "Financial advisor helping 30-40 year olds plan retirement"
- "Illustrator creating cute animal-style commercial illustrations"

Bad examples:
- "Passionate multi-hyphenate creative" (AI can't understand what you actually do)
- "Jack of all trades" (means master of none)

2. What do you do? (List 3-5 items)

Specific services or work. Not adjectives — nouns.

Good examples:
- Logo design (from $200)
- Brand identity systems (from $500)
- Social media visuals (monthly $100)

Bad examples:
- "Providing quality design services" (says nothing)

3. How to contact you?

At minimum, an email. More is better:

Email (required)
Instagram / Threads / LinkedIn (pick your most active)
Other platforms your clients use

Write these three answers down. Every step below uses them.

Step 1: Create Accounts (15 minutes)

You need three accounts. All free.

1-1. GitHub Account

GitHub stores your website's code.

Go to github.com
Click Sign up
Enter email, password, username
Your username matters — it becomes part of your free URL (e.g., yourname.vercel.app)
Choose the free plan

1-2. Vercel Account

Vercel puts your website on the internet.

Go to vercel.com
Click Sign Up
Choose Continue with GitHub — log in with the GitHub account you just created
Choose the Hobby (free) plan

1-3. Claude Account

Claude is the AI that writes code for you.

Go to claude.ai
Create an account (Google login is fastest)
The free tier is enough

All three accounts ready? Continue.

Step 2: Create Your Website Repository on GitHub (5 minutes)

A "repository" is a folder that stores your website files.

Log into GitHub
Click the + in the top right → New repository
Repository name: my-website (or anything you like)
Select Public
Check Add a README file
Click Create repository

Done. You now have an empty website repository.

Step 3: Tell Claude What You Want (This Is the Most Important Step)

Open claude.ai and start a new conversation.

Your First Prompt — Tell Claude Who You Are

Copy the template below and replace the [...] parts with your own information:

I want to build a personal website. Please generate a complete index.html file.

About me:
- Name: [your name]
- Identity: [your one-sentence intro, e.g., "Freelance brand designer specializing in restaurants"]
- Services:
  1. [Service 1, e.g., Logo design (from $200)]
  2. [Service 2, e.g., Brand identity systems (from $500)]
  3. [Service 3, e.g., Social media visuals (monthly $100)]
- Portfolio links (if any):
  1. [Project name + link]
  2. [Project name + link]
- Contact:
  - Email: [your email]
  - Instagram: [your IG, if any]
  - LinkedIn: [your LinkedIn, if any]

Design requirements:
- Single-page website (one page)
- Dark background (#0A0515), white text
- Clean, high information density, professional feel
- Mobile responsive (RWD)
- No external CSS frameworks, pure HTML + inline CSS

Accessibility requirements (so everyone can use your site, including visually impaired users):
- Use semantic HTML tags (nav, main, article, section, header, footer)
- All images must have descriptive alt attributes
- Interactive elements (links, buttons) must be keyboard-navigable with Tab
- Text-to-background color contrast must meet WCAG AA standard (at least 4.5:1)
- Navigation areas should have aria-label

Technical requirements (important — include all of these):
- Complete <head> section with:
  - <title> and <meta description>
  - Open Graph tags (og:title, og:description, og:image)
  - Twitter Card tags
  - JSON-LD schema (Person or ProfessionalService type)
  - viewport meta tag
  - canonical URL (use # as placeholder for now)
- robots.txt content (separate file, allow all AI crawlers)
- llms.txt content (separate file, in English, introducing who I am and what I do)

Please give me the complete content of three files:
1. index.html
2. robots.txt
3. llms.txt

Claude Will Reply with Three Files

It will give you complete code. You don't need to understand every line. But check these key points:

Checklist:
□ Is your name spelled correctly?
□ Are all your services listed?
□ Are email and social links correct?
□ Does it look good in the browser? (we'll cover previewing below)

Step 4: Fine-Tune the Style (Optional but Recommended)

If you don't like Claude's first design, don't start over. Continue adjusting in the same conversation.

Adjust Colors

The background is too dark, change it to dark blue (#0F172A).
Change the accent color to bright orange (#FF6B35).

Adjust Layout

Make the services section two columns on desktop, single column on mobile.

Adjust Fonts

Use Google Fonts "Inter" for headings, system default for body text.

Describing the Style You Want (If You Don't Know Exact Parameters)

This is where many people get stuck: "I don't know how to describe the style I want."

Just describe the feeling:

Good ways to describe style:
- "I want something minimalist like Apple's website, lots of white space"
- "I want a tech feel, like a control panel from a sci-fi movie"
- "I want something warm, suitable for a food business, beige tones"
- "I want it to feel like a business card — clean, sharp, key info in 3 seconds"

You can also share reference sites:
- "I like the style of this website: [URL]. Make something similar."

Bad descriptions:

- "Make it prettier" (what does pretty mean to you?)
- "Whatever" (Claude will literally do whatever)

After Each Adjustment, Confirm

Confirmed. Give me the complete updated index.html — don't give me just the changed parts.

This is important. Have Claude give you the complete file every time, not fragments, so you don't make assembly mistakes.

Step 5: Upload Files to GitHub (10 minutes)

Now you have the content of three files. Put them on GitHub.

5-1. Create index.html

Open your GitHub repository page (github.com/youraccount/my-website)
Click Add file → Create new file
File name: index.html
Copy and paste the entire index.html content Claude gave you into the editor
Scroll down, click Commit changes

5-2. Create robots.txt

Repeat the same steps:

Go back to the repository homepage
Add file → Create new file
File name: robots.txt
Paste the content
Commit changes

5-3. Create llms.txt

Same thing:

Add file → Create new file
File name: llms.txt
Paste the content
Commit changes

Your GitHub repository now has three files.

Step 6: Go Live with Vercel (5 minutes)

This is the magic step.

Go to vercel.com, log in
Click Add New → Project
It will list your GitHub repositories — find my-website, click Import
Don't change any settings, just click Deploy
Wait 30 seconds

Your website is live.

Vercel gives you a URL like my-website-xxx.vercel.app.

Open it. That's your personal website. The whole world can see it.

Step 7: Verify AI Can Read You (5 minutes)

After your site is live, run these checks:

Check OG Preview

Paste your URL into Line, Discord, or any chat app. It should show:

Your title
Your description
A preview image (if you set one)

If nothing shows, tell Claude: "The OG tags don't seem to be working. Check if og:title, og:description, og:image are all correct in index.html."

Check robots.txt

Open yoururl/robots.txt in a browser. You should see the AI crawler rules.

Check llms.txt

Open yoururl/llms.txt in a browser. You should see your English self-introduction.

Check JSON-LD

Open your website, press Ctrl+U (or right-click → View Source). Search for application/ld+json. You should find your structured data.

Step 8: Custom Domain (Optional, ~$10-15/year)

The free xxx.vercel.app URL works fine to start. But if you want your own domain:

Go to Namecheap or Cloudflare and buy a domain
.com is about $10-15/year
In Vercel project settings → Domains → add your domain
Follow Vercel's DNS setup instructions

After setup, tell Claude:

My domain is [your domain].
Please update the canonical URL, og:url, and all absolute paths in index.html.
Also update the URLs in llms.txt.

Step 9: How to Update Later?

Future updates are dead simple:

Open Claude, in the same conversation say: "Update XXX for me"
Claude gives you the new complete index.html
Go to GitHub → open index.html → click the pencil (Edit) → select all, delete → paste the new content → Commit
Vercel automatically redeploys (live within 30 seconds)

That's it. Four steps for every update.

FAQ

"Is Claude's free tier enough?"

Yes. The entire process needs about 5-15 conversations. Claude's daily free quota is more than enough. If you run out today, continue tomorrow.

"What if I don't like Claude's design?"

Keep adjusting in the same conversation. Be specific:

✅ "The title is too small, change it to 48px"
✅ "The spacing in the services section is too tight, add 24px between items"
✅ "I want card-style layout like [some website]"

❌ "Make it better" (Claude doesn't know what "better" means to you)

"How do I add images?"

Upload images to your GitHub repository (Add file → Upload files)
After upload, click the image → copy the image URL
Tell Claude: "Add an image at [location], the URL is [paste]"

"It looks broken on mobile?"

Tell Claude: "The [section] is broken on mobile — text is overflowing the screen. Fix it." Attach a screenshot if possible.

"What if I want more pages (portfolio page, about page)?"

Don't. One page is enough for now. When you're sure you need more pages, you can consider upgrading to a more complete framework then.

What You've Achieved

Cross-referencing the previous article's checklist:

✅ A URL you own (vercel.app free / custom domain ~$10-15/year)
✅ One sentence that says who you are and what you do
✅ Your work / services list (with links)
✅ Contact info
✅ llms.txt — self-introduction for AI
✅ JSON-LD schema — structured you
✅ robots.txt — allow AI crawlers
✅ OG tags — preview image and description when shared
✅ Accessible — screen readers can understand your website too

All checked. Cost: $0. Time: 1-2 hours.

In the AI world, you went from not existing to existing.

Next Steps

If you want to go further:

Scan your website with UltraProbe — The SEO and AEO scanner at ultralab.tw/probe can tell you what else to optimize. Free.
Join the Discord community — Ask questions, build together → discord.gg/ewS4rWXvWk
Keep updating your content — A website isn't "set and forget." Regularly update your portfolio and services so AI search engines know you're still active.

From Ultra Lab — Solo Builder Lab
Discord: Join the community

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe

We Defined an AI Security Standard: AASS v1.0 — We Don't Sell Security, We Define It

ppcvote — Sun, 05 Apr 2026 06:30:16 +0000

TL;DR

OWASP defined the Top 10 web security threats. CVSS defined how to score vulnerabilities. Lighthouse defined how to measure web performance.

Nobody defined: "What's your organization's overall AI security + visibility + data protection score?"

So we did.

AI Application Security Standard (AASS) v1.0 — three dimensions, one score:

AI Trust Score = AVS × 0.30 + PDS × 0.35 + ADP × 0.35

Dimension	What it answers	Checks
AVS (AI Visibility)	Can AI find you?	92 checks (SEO + AEO + AAO)
PDS (Prompt Defense)	Is your AI hardened?	12 attack vectors
ADP (Data Protection)	Are you leaking PII to AI?	15+ detection types

All open source. All free. All deterministic.

Full spec: github.com/ppcvote/avs-standard/spec/AASS-v1.0.md

Free scanner: ultralab.tw/probe

"We don't sell security. We define it." — Ultra Lab

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe

We Validated AVS With 816 AI Citations: Score 75 Is the Threshold for Getting Recommended by AI

ppcvote — Sat, 04 Apr 2026 06:30:16 +0000

TL;DR

We ran an experiment:

155 queries → sent to AI search engine → collected 816 citations
→ scanned 721 cited websites → recorded each site's AVS score
→ analyzed: do higher-AVS websites actually get cited more by AI?

Answer: Yes. But it depends on the query type.

Why We Did This

We built the AI Visibility Score (AVS) — a metric that measures how discoverable your website is to AI search engines. SEO score × 0.5 + AEO score × 0.5 = AVS (0-100).

But a score without validation is just a number.

So we ran what we believe is the first empirical study of AI search citation behavior vs website characteristics.

How the Experiment Worked

Step 1: Design 155 queries
  - 5 domains (tech, finance, health, business, ecommerce)
  - 5 types (informational, comparative, recommendation, howto, local)

Step 2: Submit to OpenAI web_search API
  - Force web search on every query
  - Collect all cited URLs from AI responses

Step 3: Scan every cited URL
  - UltraProbe AVS scanner (pure HTML parsing, zero AI, < 50ms)
  - Record AVS, SEO, and AEO scores

Step 4: Statistical analysis

Total cost: $0.09 (API tokens)
Scan cost: $0 (local execution)

Core Findings

Finding 1: Cited Websites Have a Median AVS of 77 (Grade B)

AVS distribution of AI-cited websites:

  A (90+):  ██                 18 (2.5%)
  B (75+):  ████████████████  413 (57.3%)  ← more than half
  C (60+):  ████████          156 (21.6%)
  D (45+):  █████             113 (15.7%)
  E/F:      █                  21 (2.9%)

Mean AVS:   72.8
Median AVS: 77

60% of cited websites scored B or above. Only 3% scored E/F.

If your website's AVS is below 75, you're at a disadvantage in AI search.

Finding 2: Recommendation Queries Have the Highest Threshold

This is the study's most significant finding.

Query Type                    Mean AVS of Cited Sites
──────────────────────────────────────────────────────
Recommendation ("best X")    80.2  ████████████████████
Comparative ("X vs Y")       76.8  ████████████████
Informational ("what is X")  75.4  ███████████████
How-to ("how to X")          72.3  ██████████████
Local ("best X in Taipei")   60.0  ████████████

When someone asks AI "recommend the best SEO tool", the cited websites average AVS 80.

When someone asks "best ramen in Taipei", cited websites average AVS 60.

20-point gap.

What this means:

If you sell products/tools/services → AEO optimization is critical (threshold: 80)
If you're a local business → AEO optimization has limited impact (threshold: 60)

Finding 3: Most Websites Have an AEO Gap

Mean scores of cited websites:
  SEO: 80.6
  AEO: 64.5
  Gap: 16 points

Most websites invest heavily in SEO but barely touch AEO. This gap is your opportunity.

Finding 4: High-AVS Sites Get Cited Repeatedly

Website	AVS	Times Cited
moneygeek.com	90	11
clevelandclinic.org	84	21
healthline.com	80	20
techradar.com	83	19
nerdwallet.com	82	18

High-AVS websites don't just get cited once — they get cited across multiple queries. AI remembers them.

What This Means for Your Business

If you sell products or services

Your customers are asking AI: "recommend the best [your industry]." AI cites the highest-AVS sites. If that's not you, it's your competitor.

Action: Scan your website → ultralab.tw/probe → Target AVS 80+

If you're a local business

AEO has limited impact on local queries. Keep focusing on Google Business Profile and local SEO.

If you're an SEO professional

AEO is the new frontier. None of your clients are optimized for it. Learning now = first-mover advantage.

Limitations (Honest)

Single AI engine (OpenAI only). Perplexity and Google AI Overview may differ.
No temporal stability test. Same queries may cite different sites next week.
English queries only. Chinese queries may show different patterns.
Correlation ≠ causation. Higher AVS correlates with more citations, but we can't prove raising AVS causes more citations.
On-page only. Backlinks, domain authority, freshness are not measured.

These are directions for the next study.

Open Source

Everything from this experiment is public:

AVS Specification: github.com/ppcvote/avs-standard
Full dataset: 155 queries × 816 citations × 721 AVS scores
Query bank + experiment scripts + analysis code: all in the repo
Scanner engine: github.com/ppcvote/ultralab-scanners (MIT)
Free scanner: ultralab.tw/probe

Replication cost: $0.09.

Conclusion

AVS 75 (Grade B) is the threshold for being cited by AI search engines. Recommendation queries demand AVS 80+. Most websites' AEO scores lag far behind their SEO — this is the biggest optimization gap of the AI era.

What's your AI Visibility Score?

→ Free scan

Based on the first empirical study of AI search citation behavior. 155 queries, 816 citations, 721 AVS scores. Full data at github.com/ppcvote/avs-standard.

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe

How Much Does a Brand Website Cost? A Complete 2026 Pricing Guide for Taiwan

ppcvote — Fri, 03 Apr 2026 06:30:17 +0000

Brand Website Price Ranges

Let's cut to the conclusion: in the Taiwan market, a reasonable price range for a brand website is NT$30,000 to NT$200,000.

Options below NT$30,000 typically come with serious limitations (templates only, no customization, weak SEO). Anything above NT$200,000 is usually for large-scale enterprise projects or those with complex features (membership systems, e-commerce, multi-language support).

6 Factors That Affect Pricing

1. Number of Pages

Scale	Pages	Price Impact
Single-page (Landing Page)	1 page	Lowest
Small website	3-5 pages	Low-Medium
Standard website	8-15 pages	Medium
Large website	20+ pages	High

A single-page Landing Page is the most cost-effective option with surprisingly strong results — especially for new brands or service-based companies. All key information (services, pricing, portfolio, contact) lives on one page, so visitors don't need to click around.

2. Design Complexity

Template-based: Using a pre-built template with color, text, and image changes. Cheap but generic.
Semi-custom: Significant modifications to a template with brand elements added. Best value for money.
Fully custom: Designed from scratch, completely unique. Most expensive but highest brand differentiation.

3. Responsive Design (RWD)

In 2026, RWD (Responsive Web Design) is standard — not an add-on. Over 70% of traffic comes from mobile devices. If anyone charges extra for RWD, find a different vendor.

4. Feature Requirements

Basic features (should not cost extra):

Contact form
Google Maps embed
Social media links
Basic SEO setup

Advanced features (reasonable to charge extra for):

Real-time notification system (auto-notify on form submission)
Blog / article system
Multi-language support
Membership / login system
E-commerce functionality
Third-party integrations (CRM, GA4, Meta Pixel)

5. SEO Optimization Level

Basic SEO (should be included in the quote):

Meta titles and descriptions
OG image setup
Sitemap and robots.txt
Basic structured data

Advanced SEO (may cost extra):

Keyword research and content strategy
Blog system + seed articles
Structured data (FAQ, Service schema)
Core Web Vitals optimization
Google Search Console setup

6. Maintenance and Hosting

Many quotes only cover "build and hand off" — no ongoing maintenance. Make sure to clarify:

Domain fees: NT$500-1,500/year
Hosting fees: NT$0-3,000/year (Vercel's free plan is often sufficient)
Content updates: DIY or paid service?
SSL certificate: Free nowadays (Let's Encrypt)

Comparing Three Approaches

Option A: DIY Website Builders

Wix / Squarespace / WordPress.com

Cost: NT$3,000-10,000/year
Pros: Self-manageable, no developer needed
Cons: Poor performance, limited SEO, template look, difficult to customize
Best for: Personal blogs, ultra-low-budget small businesses

Option B: Freelance Developer / Design Agency

Cost: NT$30,000-150,000 (one-time)
Pros: High customization, quality depends on the team
Cons: Quality varies wildly, high communication overhead, maintenance uncertain
Best for: Businesses that need brand differentiation and have clear requirements

Option C: Technical Service Brand (like Ultra Lab)

Cost: Starting at NT$30,000
Pros: Consistent quality, includes SEO + forms + notifications + deployment, ongoing maintenance included
Cons: Not ideal for extremely custom large-scale projects
Best for: SMBs, new brands, service-based companies

Our Recommendations

If Your Budget Is Limited (Under NT$30,000)

Consider a single-page Landing Page. One page can cover all essential information, and SEO performance isn't necessarily worse than a multi-page site (Google cares more about content quality than page count).

If Your Budget Is Ample (NT$50,000-100,000)

Build a standard website + blog system. A blog is the engine for long-term SEO traffic and delivers the highest ROI.

If You're a Service-Based Company

Your website's most important function is making it easy for clients to contact you. Forms, instant notifications, and clear CTAs matter 100x more than flashy animations.

Ultra Lab's Brand Website Package

Starting at NT$30,000, including:

RWD brand website design (mobile / tablet / desktop)
Contact form + real-time notifications (Email / LINE)
SEO optimization (meta tags, structured data, sitemap)
GA4 analytics setup
Domain configuration + SSL
Vercel deployment + one year of maintenance

Our own website ultralab.tw is built with this exact tech stack — you can experience the results firsthand.

Want to discuss your website needs? Free consultation — we respond within 24 hours.

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe

How Do We Prove We Actually Do AI? — Ultra Lab's Technical Transparency Manifesto

ppcvote — Thu, 02 Apr 2026 06:30:16 +0000

The Problem: "Are You Actually Doing AI?"

This is a question every company that claims to be "AI-driven" should be asked.

In 2026, open any startup's website and you'll see "AI-Powered," "Intelligent," and "Automated" plastered everywhere. But if you ask one simple question — "What specifically does your AI do?" — most companies will give you a vague marketing paragraph rather than a verifiable answer.

This isn't the startups' fault. AI is the biggest business narrative of 2025-2026, and everyone wants on the bandwagon. But the problem is: When everyone claims to be doing AI, nobody is doing AI.

At least, that's how it looks to potential clients.

We at Ultra Lab face the same challenge. We genuinely use AI to build 6 products, auto-generate 35+ pieces of content daily, and developed our own AI security scanner. But when these numbers sit on a website, how are they any different from someone else's "AI-Driven | Intelligent | Automated"?

The answer is: verifiability.

Our Answer: Five Verifiable Pieces of Evidence

Evidence 1: Public Products — You Can Try Them Yourself

We don't just say we have products. We let you use them for free.

Product	Link	What You Can Do
UltraProbe	ultralab.tw/probe	Paste your System Prompt, get a security score in 5 seconds
Mind Threads	mindthread.tw	Taiwan's only Threads automation SaaS
Ultra Advisor	ultra-advisor.tw	18+ AI-assisted financial visualization tools

These three products aren't demos, aren't prototypes, and aren't "coming soon." They're running right now, with real users, and you can sign up.

Why this matters: Most "AI companies" have product pages with nothing but waitlist forms and mockups. A live product is more convincing than a hundred paragraphs of marketing copy.

Evidence 2: Public Data — Not "What We Claim," But What's Actually Running

Our Threads automation system currently manages 6 accounts, producing 35+ AI-generated pieces of content per day — fully automated.

Specific accounts:

@risk.clock.tw — Went from zero to 1,300 followers within 24 hours, 100% AI-generated
@ginrollbt — 0 to 6,500+ followers in six months, already monetized

You can click through and see for yourself. These aren't screenshots — they're live accounts. You can count the followers, check posting frequency, and evaluate content quality.

Cumulative data:

35,000+ AI auto-generated posts
2,000,000+ AI-driven total followers
6 simultaneously operating automated accounts

These numbers come from our Firestore database in real time — they're not manually entered marketing figures.

Evidence 3: Public Architecture — We Even Published Our Failure Logs

This might be the strongest signal: We openly share our technical architecture and failure stories.

In our AI-Ready Architecture Guide article, we wrote about:

The February 2026 Google API rate-limiting incident that took all three products down simultaneously
Why we're moving from single-Gemini to a Multi-LLM architecture
Gemini Flash's JSON format error rate of 3% (requiring Zod validation)
Actual latency (1.5-3 seconds) and cost (~$0.001/call) per AI call

A company that's just wrapping a ChatGPT API wouldn't write a 3,000-word article explaining why you need a Model Router, why prompts shouldn't be hardcoded, or why every AI call needs token logging.

Our technical blog has 13 in-depth articles. From Threads auto-posting tutorials to IG Reel fully automated production pipelines, every article is a field report — not SEO filler.

Evidence 4: Public Security — We Scan Our Own Products

UltraProbe is our in-house AI security scanner that detects 12 attack vectors: XSS, SQL Injection, SSRF, RCE, Prompt Injection, and more.

The interesting part: We use UltraProbe to scan our own products.

This is called dogfooding — using your own tools to test your own systems. If UltraProbe finds vulnerabilities in our own products, we fix them first. Only then do we have the credibility to tell clients "we can help with your AI security."

In our UltraProbe launch announcement, we documented in detail the scanner's development process, why we chose Gemini 2.5 Flash as the analysis model, and the common vulnerability patterns we discovered.

Evidence 5: Public Timeline — Build Log from Day 1 to Now

The final signal: Time.

We didn't appear yesterday. Here's our public timeline:

Date	Event
2025.09	Ultra Creation Co., Ltd. officially incorporated
2025.11	Mind Threads SaaS launched — Taiwan's only Threads automation, zero competitors
2026.01	risk.clock.tw hit 1,300 followers in 24 hours — AI content engine validated
2026.02	UltraProbe AI security scanner launched
2026.03	Technical blog reaches 13 articles

Every milestone is verifiable via links. Every product can be opened and tried. Every data point comes from live statistics.

"A one-person technical army" isn't a slogan — it's a record with dates, products, and data.

Why Most AI Companies Don't Do This

Because radical transparency is uncomfortable.

Open architecture means competitors can see your technical choices
Open data means people will come to verify your numbers
Open failures means admitting you're not perfect
Open timelines mean you can't inflate your track record

But that's exactly the point.

If your technology can withstand scrutiny, opening it up only builds trust. If your technology can't withstand scrutiny — the problem isn't whether to be open, but the technology itself.

In the age of the AI bubble, opacity = untrustworthiness.

Every company that says "AI-Driven" without explaining how is spending down the market's trust reserve. And we don't want to be that kind of company.

Ultra Lab's Technical Transparency Principles

We've set five rules for ourselves:

1. Every AI Claim Links to a Verifiable Source

The website says "35,000+ AI auto-generated posts"? You can see real-time posting on our Threads accounts. Says "3 SaaS products live"? Each one comes with an accessible URL.

We don't allow unverifiable numbers on our website.

2. Every Mentioned Product Offers a Free Trial

UltraProbe offers free scanning. Ultra Advisor provides free basic features. Mind Threads has a trial period.

If a product can't be tried, we won't feature it prominently on our website.

3. Every Technical Article Is Written by the Founder

All 13 of our technical articles were personally written by me (Min Yi Chen). Not generated by Claude or GPT, not ghostwritten.

Ironic? An AI company that insists on not using AI to write its own technical articles. But we believe: Technical thinking cannot be outsourced. AI can help you write marketing copy, but it can't think through architectural decisions for you.

4. We Publish Failures, Not Just Successes

Google API rate limiting caused all three products to crash? Published. Gemini's JSON format error rate is 3%? Published. Accidentally misconfigured environments when switching from sandbox to production? Also published.

A company that only showcases successes is either not doing anything, or hiding problems. People who are actually on the battlefield have scars.

5. Our Blog Is an Engineering Notebook, Not a Marketing Department

Go read our technical blog. You'll find code snippets, architecture diagrams, API call latency data, and model comparison tables. You won't find hollow openings like "AI is changing the world."

Because our target readers aren't investors — they're engineers and technical decision-makers. They don't need to be convinced AI matters. They need to know how to do AI right.

Conclusion: Transparency Is the New Moat

After the AI bubble recedes, two types of companies will remain:

Those with real products, real data, and real technical track records
Everyone else

We choose to be the first type.

Not because we're better than anyone — we're a one-person team, and comparing technical depth with Google, Anthropic, or OpenAI would be absurd. But because at our scale, transparency is the only effective way to build trust.

You don't need to believe our marketing copy. You just need to:

Open UltraProbe, paste a prompt, and see the scan results
Open @risk.clock.tw and evaluate the AI-generated content quality
Read our AI-Ready Architecture article and judge the technical depth

Then decide for yourself whether this company is actually doing AI.

Min Yi Chen — Founder, Ultra Creation Co., Ltd.
Currently operating 6 AI products with 200+ daily AI calls

Want your system to have verifiable AI capabilities too? Free consultation

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe

The Real Fix for AI Tech Debt: Don't Use Less AI — Limit Its Scope

ppcvote — Wed, 01 Apr 2026 06:30:17 +0000

TL;DR

Our AI website generator UltraSite used to have Gemini generate complete HTML from scratch (400-700 lines). Quality was a coin flip. Sometimes stunning, sometimes broken.

After reading an article about AI creating a new kind of tech debt, we didn't "use less AI." We redrew the responsibility boundary:

AI handles: Content strategy (taglines, about copy, blog titles, color decisions)
Humans handle: HTML structure, CSS animations, visual quality

Result: 5-10x fewer tokens, 3-4x faster generation, quality went from random to consistent.

The Trigger: An Article That Made Us Stop and Think

Harsh's article on Dev.to identifies three types of AI tech debt:

Cognitive Debt — Developers use AI to write code but don't understand why it's structured that way
Verification Debt — Tests pass ≠ actually correct. Green CI creates false confidence
Architectural Debt — AI prefers repetition over abstraction, scattering slightly different implementations everywhere

One developer's quote captured it perfectly:

"I used to be a craftsman... and now I feel like I am a factory manager at IKEA."

The numbers are sobering:

AI writes 41% of all new commercial code in 2026
Experienced developers see a 19% productivity decrease with AI tools
Fortune 50 companies saw a 10x increase in security vulnerabilities in 6 months

My first reaction wasn't "we have this problem." It was "we literally just fixed this three days ago."

UltraSite v1: A Living Textbook of AI Tech Debt

UltraSite is one of our products — paste your Threads URL, get a personal website in 30 seconds.

v1 architecture:

User pastes Threads URL
    ↓
Jina Reader fetches markdown
    ↓
367-line mega prompt → Gemini
    ↓
Gemini outputs 400-700 lines of complete HTML
    ↓
Post-processing: inject GSAP animation JS
    ↓
Render in iframe

That 367-line prompt specified everything:

Tailwind CSS CDN configuration
GSAP + Lenis + ScrollTrigger animation system
Glassmorphism card effects
Parallax orbs with configurable speeds
Custom cursor with mix-blend-mode
SVG noise texture overlay
5 complete page sections with exact layout specs
Typography hierarchy
Color derivation logic from bio content

Every single generation, Gemini had to reinvent the wheel — rewrite identical CSS, reassemble identical HTML structure, re-decide identical font settings.

This perfectly matches Harsh's three debt types

Cognitive debt: We couldn't always explain why Gemini made certain layout decisions. Why did this orb end up top-right instead of bottom-left? Why text-7xl instead of text-8xl? Answer: because LLMs are stochastic.

Verification debt: Looks okay in the iframe? Ship it. But did anyone test responsive? Are animations firing? Is color contrast accessible? Every generation was a gamble.

Architectural debt: The 367-line prompt itself was a massive blob of tech debt. Every modification required finding the right spot in 300 lines of natural language. And Gemini routinely ignored half the rules anyway.

The Epiphany: AI's Problem Isn't "Too Much" — It's "Wrong Scope"

Harsh suggests "treat AI like a brilliant junior developer." We went further:

AI should do what it's genuinely good at. Nothing else.

What AI (LLMs) actually excel at:

✅ Understanding context and voice
✅ Extracting core themes from large text
✅ Making brand positioning and copy decisions
✅ Determining what color palette "feels right" for a person

What AI is bad at:

❌ Producing consistent HTML structure
❌ Using correct Tailwind CSS class names (frequently invents non-existent classes)
❌ Maintaining visual quality consistency
❌ Remembering every rule in a 367-line instruction set

The answer was clear: remove HTML/CSS from AI's responsibility entirely.

UltraSite v2: Template + JSON Architecture

New architecture:

User pastes Threads URL + selects template style
    ↓
Jina Reader fetches markdown (unchanged)
    ↓
80-line prompt → Gemini
    ↓
Gemini outputs ~50 lines of JSON (pure content, no HTML)
    ↓
Template engine: JSON + hand-crafted template → complete HTML
    ↓
Post-processing: inject animation JS (unchanged)
    ↓
User can switch templates instantly (no AI re-call needed)

Gemini now outputs only this:

{
  "roleLabel": "Founder",
  "tagline": ["Deep", "Insight", "Builder"],
  "subtitle": "From finance to gaming, from thinking to action",
  "aboutHeading": "Some people's excuses are more active than their hands.",
  "aboutParagraphs": ["...", "..."],
  "identityCards": [
    { "emoji": "📈", "title": "Finance Pro", "description": "..." }
  ],
  "blogArticles": [
    { "title": "Night Views & Life Lessons", "content": "...", "expanded": "..." }
  ],
  "connectHeading": "Public feed for ideas. Private channel for real talk.",
  "colorTheme": "violet"
}

Zero HTML. AI only makes content decisions, never touches structure.

Templates are hand-crafted by humans

We built three HTML templates, each thoroughly tested for:

Complete responsive behavior
Correct GSAP animation class hooks
Color system with CSS variable integration
All edge cases (no profile photo? Gradient circle with initials)

Template	Style	Signature
Midnight Glass	Glassmorphism	Frosted cards, parallax orbs, violet gradients
Neon Terminal	Hacker aesthetic	Pure black, scanlines, monospace, hard borders
Soft Brutalism	Editorial	Oversized type, thick color borders, offset shadows

All three share the same animation system (GSAP + Lenis). Only the visual style differs.

The Numbers

Metric	v1 (mega prompt)	v2 (template + JSON)
Prompt length	367 lines	~80 lines
Gemini output	8,000-15,000 tokens	800-1,500 tokens
Generation time (Gemini)	4-8 seconds	1-2 seconds
HTML quality consistency	Random	Stable
Vercel timeout risk	High (10s limit)	Safe
Template switching	❌ Full regeneration	✅ Instant
New Vercel functions	—	+0 (stays at 11/12)

Token consumption dropped 5-10x. This isn't just about cost — it makes the entire system predictable.

This Pattern Generalizes

What we learned:

1. AI decides, systems execute

Ask AI "what's this person's brand positioning?" not "build me a website with brand positioning."

The first is AI's sweet spot. The second asks AI to simultaneously be a strategist, designer, and frontend engineer — with no quality guarantee on any of the three.

2. Structured output > free-form text

responseMimeType: 'application/json' is the single most effective Gemini config we've used.

Forced JSON output means:

No "Here's the HTML I generated for you:" preamble
Every field can be validated with fallbacks
Output format is 100% predictable

3. Hand-craft the irreplaceable parts

Templates are UltraSite's moat. Anyone can ask Gemini to generate a website. Not everyone can hand-craft templates with GSAP parallax animations, glassmorphism effects, and custom cursors in a dark theme.

The AI-generated part (copy) is replaceable. The human-built part (templates) is not.

4. Give users a sense of control

v1 was a black box — input URL, get output, don't like it? Regenerate and pray.

v2 lets users choose templates, see brand analysis, switch styles. Same AI output, but users feel ownership over the result.

Responding to Harsh's Advice

Harsh says "treat AI like a brilliant junior developer." I'd refine that:

Treat AI like a creative director with impeccable taste but unreliable hands.

Let them decide direction — brand positioning, copy tone, color strategy. But you don't let them write production code. You have a dedicated system (template engine) that turns their ideas into reliable output.

This isn't "using less AI." Our AI usage didn't decrease — every generation still calls Gemini. But AI's scope of responsibility is strictly bounded.

The most precise line from Harsh's article:

"At what point did we stop building software and start just generating it?"

Our answer: We do both. AI generates content. Humans build systems.

Implementation Details (For Engineers)

If you're building something similar, here's our tech stack:

Gemini 2.5 Flash + responseMimeType: 'application/json' + thinkingBudget: 0
Template format: HTML strings + {{slot}} markers (custom ~100-line engine, no Mustache/Handlebars)
Animations: GSAP 3 + ScrollTrigger + Lenis (injected into all templates as fixed JS)
CDN: Tailwind CSS CDN + Google Fonts (generated HTML is a standalone single file, no build step)
Images: Server-side download + base64 embedding (bypasses Threads CDN referrer restrictions)
Vercel: All new files use _ prefix (don't count as serverless functions), staying at 11/12 limit

Conclusion

AI tech debt is real. But the fix isn't going back to hand-writing everything.

The fix is drawing a line: this side is AI's responsibility, that side is the system's responsibility. What AI handles should be small, verifiable, and have fallbacks. What the system handles should be stable, tested, and human-built.

Generate fast. Understand everything. But most importantly — build systems you can control.

Try UltraSite v2 → ultralab.tw/create

Scan your AI system for security vulnerabilities → ultralab.tw/probe

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe

Why Your SaaS Needs AI-Ready Interfaces: Architecture Lessons from Three Products

ppcvote — Tue, 31 Mar 2026 06:30:17 +0000

TL;DR

Every system you're building today will be asked within three years: "Can this integrate AI?"

If your answer is "we'd need to rewrite it," you've lost. If your answer is "it's already wired up — just flip the switch," you've won.

This article is a practical guide distilled from the real-world pitfalls we hit across three production products (Mind Threads, UltraProbe, Ultra Advisor). This isn't theory — it's running code.

Current State: One API Key Powering Three Products

Let's be honest. All three of our products currently run on Google Gemini only:

Product	AI Use Case	Model
Mind Threads	Social copy generation (35 posts/day)	Gemini 2.0 Flash
UltraProbe	AI security scanning (12 attack vectors)	Gemini 2.5 Flash
Ultra Advisor	Insurance OCR + product classification	Gemini 2.0 Flash

This was the right call early on. Gemini Flash's free tier is generous, it's fast, and its Chinese language capability is serviceable. But this architecture has three fatal problems:

Problem 1: Single Point of Failure

In February 2026, Google had an API rate-limiting incident. All three of our products went down simultaneously. One API key, one provider, three products. This isn't architecture — it's gambling.

Problem 2: Use-Case Mismatch

Gemini Flash works great for "generating social copy" but isn't stable enough for "precise security analysis" or "structured OCR." Different tasks need different models, but we were locked into one.

Problem 3: No Upgrade Path

When clients ask: "Can your system use Claude? Can it run GPT-4o?" Our only answer was: "Yes, but we'd need to change the code." That's not a product-ready answer.

The Solution: 7 Design Principles for AI-Ready Architecture

Every principle below comes from real mistakes we made in production.

Principle 1: Model Router — Don't Lock Into Any Single Provider

// Wrong approach: importing a specific SDK directly
import { GoogleGenerativeAI } from '@google/generative-ai'

// Right approach: unified interface + routing
interface AIProvider {
  generate(prompt: string, config: AIConfig): Promise<AIResponse>
}

const router = createAIRouter({
  primary: 'gemini-2.5-flash',
  fallback: ['claude-sonnet-4-6', 'gpt-4o-mini'],
  routing: {
    'content-generation': 'gemini',    // Copy uses Gemini (fast)
    'security-analysis': 'claude',      // Security analysis uses Claude (precise)
    'structured-extraction': 'gemini',  // OCR uses Gemini (multimodal)
    'code-generation': 'claude',        // Code uses Claude (logic)
  }
})

Why it matters: Models update on a monthly cadence. Today's best model may be surpassed in three months. Your architecture shouldn't require business logic changes just to swap models.

Principle 2: Prompt Template Registry — Prompts Are Assets, Not Strings

Our biggest mistake: hardcoding prompts directly in API handlers.

// Wrong approach: prompts scattered across API files
const ANALYSIS_PROMPT = `You are an AI security auditor specializing in prompt injection defense...`

// Right approach: centralized management + version control
const promptRegistry = {
  'probe.scan-prompt': {
    version: '2.1',
    template: loadTemplate('probe/scan-prompt.md'),
    model: 'claude-sonnet-4-6',
    temperature: 0.3,
    maxTokens: 4096,
    schema: ScanResultSchema,  // Zod schema for validation
  },
  'threads.generate-post': {
    version: '1.4',
    template: loadTemplate('threads/generate-post.md'),
    model: 'gemini-2.0-flash',
    temperature: 1.0,
    maxTokens: 1024,
  }
}

Why it matters: Prompts are your core IP. Scattered throughout your code, you can't track which version performs best, can't A/B test, and can't let non-engineers optimize them.

Principle 3: Response Cache — Don't Ask the Same Question Twice

Ultra Advisor got this right: insurance product classification results are cached in Firestore. The same product queried a second time returns from cache instead of hitting Gemini.

// Ultra Advisor's caching strategy (in production)
async function lookupProduct(insurer: string, name: string) {
  const cached = await db.collection('productCache')
    .where('insurer', '==', insurer)
    .where('productName', '==', name)
    .limit(1).get()

  if (!cached.empty) {
    await cached.docs[0].ref.update({
      searchCount: FieldValue.increment(1)
    })
    return cached.docs[0].data()
  }

  // Cache miss — call Gemini
  const result = await gemini.generate(classifyPrompt(insurer, name))
  await db.collection('productCache').add({ ...result, insurer, name })
  return result
}

Result: Same-product queries dropped from 2-3 seconds to 50ms. Gemini API costs reduced by 60%.

Principle 4: Structured Output — AI Responses Must Be Validatable

A pitfall UltraProbe hit: Gemini sometimes returns malformed JSON, breaking the entire scan result.

// Right approach: validate AI output with Zod
import { z } from 'zod'

const ScanResultSchema = z.object({
  grade: z.enum(['A', 'B', 'C', 'D', 'E', 'F']),
  score: z.number().min(0).max(100),
  vulnerabilities: z.array(z.object({
    name: z.string(),
    severity: z.enum(['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'NONE']),
    finding: z.string().max(100),
    suggestion: z.string().max(100),
  }))
})

// Validate immediately after AI response
const raw = await aiRouter.generate(prompt)
const parsed = ScanResultSchema.safeParse(JSON.parse(raw))
if (!parsed.success) {
  // Retry with stricter prompt, or fallback to another model
}

Why it matters: AI output is non-deterministic. Your system can't throw a 500 Error just because the AI returned a weird format.

Principle 5: BYOK (Bring Your Own Key) — Let Clients Use Their Own Key

Mind Threads already implements this pattern: users can enter their own Gemini API key in settings, bypassing the platform's usage limits.

// Mind Threads BYOK implementation
async function getApiKey(userId: string) {
  const settings = await db.collection('userSettings').doc(userId).get()
  const userKey = settings.data()?.geminiApiKey

  if (userKey) {
    return { key: userKey, source: 'user', unlimited: true }
  }

  return { key: process.env.GEMINI_API_KEY, source: 'platform', unlimited: false }
}

Why it matters:

Reduces your API costs
Lets Pro users bypass platform limits
Future-proofs for multi-provider key support (Gemini key, OpenAI key, Anthropic key)

Principle 6: MCP Server — Make Your System Callable by AI Agents

This is the most important trend of 2026. MCP (Model Context Protocol) lets AI Agents directly operate your system.

Ultra KB already has an Agent-Ready architecture (Notion knowledge base readable/writable by AI), but we don't have a formal MCP Server yet. Planned interfaces:

// Planned MCP Server tool definitions
const tools = [
  {
    name: 'ultraprobe_scan',
    description: 'Scan a System Prompt for security vulnerabilities',
    input: { prompt: 'string', language: 'zh-TW | en' },
    output: { grade: 'A-F', vulnerabilities: 'array' }
  },
  {
    name: 'ultrakb_query',
    description: 'Query documents on a specific topic from the knowledge base',
    input: { query: 'string', collection: 'string' },
    output: { documents: 'array', relevance: 'number' }
  },
  {
    name: 'threads_generate',
    description: 'Generate a Threads post',
    input: { topic: 'string', persona: 'viral|knowledge|story|quote' },
    output: { content: 'string', hashtags: 'array' }
  }
]

Why it matters: When users of Claude Desktop, Cursor, Windsurf, and similar tools can directly call your service, you're not just a SaaS — you're part of the AI ecosystem.

Principle 7: Observability — AI Calls Must Be Trackable

The most critical gap in our current setup: AI call observability.

// Every AI call should be logged
interface AICallLog {
  id: string
  timestamp: Date
  model: string
  provider: string
  endpoint: string              // Which API triggered the call
  promptTokens: number
  completionTokens: number
  latencyMs: number
  cost: number                  // Estimated cost
  success: boolean
  retryCount: number
  cacheHit: boolean
  userId?: string               // Who triggered it
}

Why it matters: Without this, you don't know how much you're spending on AI per month, which features consume the most tokens, or which model fails most often. No data, no optimization.

Our Implementation Roadmap

Phase 1 (Now) — Brand Layer

[x] Label all services with AI-Ready capabilities
[x] Document existing AI integration points
[x] Standardize prompt management practices

Phase 2 (Q2 2026) — Technical Layer

[ ] Build AI Router middleware (multi-model)
[ ] Migrate all prompts to template registry
[ ] Add Zod schema validation for all AI outputs
[ ] Implement response cache layer

Phase 3 (Q3 2026) — Ecosystem Layer

[ ] UltraProbe MCP Server
[ ] Ultra KB semantic search (RAG)
[ ] AI Observability Dashboard
[ ] Multi-provider BYOK support

What You Should Do Right Now

Regardless of your product's stage, these three actions have the lowest cost and highest impact:

Extract AI calls into standalone functions. Don't fetch(gemini_url) directly in your business logic. A single aiService.generate() is enough.
Separate prompts into dedicated files. .md or .txt — doesn't matter, just don't hardcode them in your source.
Log token counts and latency for every AI call. console.log is fine for now — build a dashboard later.

These three things take less than half a day combined, but they determine whether your system will be "AI-ready" or "needs a rewrite" three years from now.

Conclusion

AI isn't a feature — it's infrastructure.

Just as you wouldn't wait until you need search to add database indexes, you shouldn't wait until a client asks "can this integrate AI?" to start redesigning your architecture.

We validated this methodology across three products and tens of thousands of API calls. It's not perfect, but it's running.

If you're building a SaaS, add AI-ready interfaces now. Future you will thank present you.

Min Yi Chen — Founder, Ultra Creation Co., Ltd.
Currently operating 6 AI products with 200+ daily AI calls

Want to make your system AI-Ready? Free consultation

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe

5 Hottest AI Finance Projects on GitHub in 2026 — And Why You Should Care

ppcvote — Mon, 30 Mar 2026 06:30:17 +0000

Over $2.1 billion in venture capital flowed into AI-powered fintech in the first quarter of 2026 alone. But the most interesting work isn't happening behind closed doors at hedge funds or inside Bloomberg terminals. It's happening in public, on GitHub, where open-source developers are building systems that would have required a 50-person quant team five years ago.

We tracked the fastest-growing AI finance repositories over the past 90 days. Here are the five projects that matter most — what they do, how they're built, and what you can actually do with them.

1. TradingAgents — Multi-Agent LLM Trading Firm in a Box

Repo: TauricResearch/TradingAgents | +9.3K stars

One-liner: A multi-agent LLM framework that simulates an entire trading firm's decision-making process — analysts, risk managers, portfolio managers, and a fund manager — all as autonomous AI agents.

Architecture Highlights

TradingAgents doesn't just ask an LLM "should I buy AAPL?" It models the organizational structure of a real trading desk. The system runs multiple specialized agents in parallel:

Fundamental Analyst Agent — parses SEC filings, earnings transcripts, balance sheets
Technical Analyst Agent — reads chart patterns, moving averages, volume signals
Sentiment Agent — monitors news feeds, social media, analyst upgrades/downgrades
Risk Manager Agent — evaluates position sizing, correlation risk, drawdown limits
Fund Manager Agent — synthesizes all inputs, makes the final call

Each agent has its own system prompt, tool access, and memory. They debate. The fund manager agent receives conflicting recommendations and must weigh them — just like a real PM sitting in a morning meeting.

The framework is LLM-agnostic (GPT-4, Claude, Gemini, local models via Ollama) and uses LangGraph for agent orchestration. Backtesting is built in.

Practical Application

This isn't production-ready for real capital (and they say so clearly in the README). But it's an exceptional research tool. If you're studying how multi-agent architectures handle conflicting signals under uncertainty, this is the best open-source implementation available. Quant researchers can fork it, plug in their own alpha signals, and test whether agent debate actually improves signal quality versus a single-model approach.

2. ai-hedge-fund — The 49K-Star Giant

Repo: virattt/ai-hedge-fund | 49.6K stars

One-liner: A multi-role AI hedge fund where specialized agents (bull, bear, fundamentals, technicals, risk) collaborate to generate trade recommendations.

Architecture Highlights

This is the most popular AI finance repo on GitHub by a wide margin, and the architecture explains why. Each agent embodies a distinct investment philosophy:

Bull Agent — optimistic bias, focuses on growth catalysts and upside scenarios
Bear Agent — skeptical bias, hunts for red flags and downside risk
Fundamentals Agent — pure value analysis: P/E, free cash flow, debt ratios
Technicals Agent — price action, RSI, MACD, support/resistance levels
Risk Agent — portfolio-level risk assessment, position limits, stop-loss logic

The agents don't just output "buy" or "sell." They produce structured reasoning with confidence scores. A portfolio manager module aggregates the signals, weighing each agent's track record over time. Agents that have been more accurate recently get higher weight — a simple but effective form of meta-learning.

Built on Python with LangChain, it integrates with financial data APIs (Yahoo Finance, Alpha Vantage, Polygon.io) out of the box. The codebase is clean and well-documented, which partly explains the star count — it's genuinely accessible to intermediate Python developers.

Practical Application

Two real use cases we've seen in the wild: (1) Financial educators using it to teach portfolio management concepts — the agent debates make abstract concepts concrete. (2) Solo traders building personal "investment committees" — they run the system before every trade as a structured second opinion. Nobody should be auto-executing trades from this, but as a decision-support tool, it's surprisingly useful.

3. NoFx — The AI Trading Assistant with a Kill Switch

Repo: NoFxAiOS/nofx | 11.2K stars

One-liner: An automated AI trading assistant with a built-in "safety mode" that auto-protects your capital after 3 consecutive wrong calls.

Architecture Highlights

What makes NoFx stand out isn't the AI — it's the risk engineering. The system tracks every prediction it makes and maintains a rolling accuracy score. When accuracy drops below threshold (configurable, default is 3 consecutive misses), safety mode kicks in:

All open positions are hedged or closed
New trade signals are suppressed
The system enters "observation only" mode
It continues analyzing but won't execute until accuracy recovers above threshold

Under the hood, NoFx uses a modular signal pipeline: market data ingestion, feature engineering, LLM-based analysis, signal generation, and execution. Each stage is pluggable. The LLM layer handles qualitative analysis (news, sentiment, macro context) while traditional quant models handle the quantitative signals. The two are fused in a final scoring layer.

It supports multiple exchanges via CCXT and can run in paper-trading mode indefinitely before you switch to live execution.

Practical Application

The safety mode concept is the real innovation here. Most AI trading systems fail catastrophically because they don't know when they're wrong. NoFx's approach — treating consecutive failures as a regime change signal — is a simple heuristic that could prevent the kind of blow-ups that killed many algo strategies in 2025's volatile markets. Even if you never use NoFx itself, the pattern is worth stealing for any automated decision system.

4. prediction-market-analysis — 36GB of Prediction Market Truth

Repo: Jon-Becker/prediction-market-analysis | 2.3K stars

One-liner: The largest public prediction market dataset ever compiled — 36GB of historical data from Polymarket and Kalshi, cleaned and ready for analysis.

Architecture Highlights

This isn't a trading system. It's a dataset — and it fills a gap that researchers have been complaining about for years. The repo contains:

Complete historical order books from Polymarket and Kalshi
Resolution data — what actually happened vs. what the market predicted
Price time series at minute-level granularity for major markets
Market metadata — categories, descriptions, resolution criteria, liquidity depth
Pre-built analysis notebooks showing calibration curves, Brier scores, and market efficiency tests

The data pipeline is documented end-to-end: scraping, cleaning, deduplication, normalization. Storage is in Parquet format (columnar, compressed) with a DuckDB interface for fast local querying. You can run complex analytical queries on the full 36GB dataset on a laptop without spinning up a database server.

Practical Application

Three immediate uses: (1) Calibration research — how accurate are prediction markets, really? The data shows Polymarket is well-calibrated on high-liquidity markets (events priced at 70% happen roughly 70% of the time) but significantly miscalibrated on thin markets. (2) Feature engineering for trading models — prediction market prices are a leading indicator for traditional assets. Election markets move before polls. Crypto event markets move before spot. (3) Building your own prediction market analytics tool — the dataset is the hard part, and it's done for you.

5. pmxt — CCXT for Prediction Markets

Repo: pmxt-dev/pmxt | 1.2K stars

One-liner: A unified API for prediction markets — trade on Polymarket, Kalshi, Limitless, and Myriad through a single interface, just like CCXT unified crypto exchanges.

Architecture Highlights

If you've used CCXT (the universal crypto exchange connector), you know the value proposition instantly. pmxt does the same thing for prediction markets:

// Same code, any platform
const market = pmxt.exchange('polymarket')
const positions = await market.getPositions()
const order = await market.createOrder('US_ELECTION_2028', 'buy', 'yes', 100)

The abstraction layer handles the gnarly differences between platforms: Polymarket runs on Polygon (blockchain-based, requires wallet signing), Kalshi is a CFTC-regulated exchange (traditional API auth), Limitless uses a different order book model entirely. pmxt normalizes all of this into a consistent interface.

Key features: unified order types, standardized market discovery (search across all platforms simultaneously), portfolio aggregation across platforms, and webhook-based event notifications for market resolution.

Practical Application

Prediction markets are fragmented. The same event might be listed on Polymarket at 62% and Kalshi at 58%. pmxt makes cross-platform arbitrage trivially easy to implement. Beyond arbitrage, the unified API is essential for anyone building prediction market analytics dashboards, aggregators, or research tools. Writing platform-specific code for four different exchanges is a maintenance nightmare — pmxt eliminates it.

The Common Thread

All five projects share a pattern: they democratize capabilities that were previously locked behind institutional walls. Multi-agent trading systems, prediction market data pipelines, unified exchange APIs — these used to require dedicated engineering teams and six-figure data budgets. Now they're a git clone away.

The risk is obvious. Easier access to sophisticated tools doesn't make markets easier to beat. These systems reduce the barrier to entry, which means any edge they provide gets arbitraged away faster. The real value isn't in running them out-of-the-box — it's in understanding the architectures, adapting the patterns, and combining them with domain expertise that can't be cloned from a repo.

That last part — domain expertise — is where the human advantage still holds.

For Financial Advisors

If you're a financial advisor looking to augment your practice with AI — whether that's client-facing tools, portfolio analysis automation, or staying ahead of the curve on AI-driven market dynamics — we built something for you.

Ultra Advisor is our SaaS platform specifically designed for Taiwan's financial advisors: 18 visualization tools, client management, and AI-powered analysis built for the local market.

Check it out at ultra-advisor.tw

AIFinance #OpenSource #GitHub #UltraAdvisor

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe

The Art of AI Prompting: Why Your AI Conversations Never Give You What You Want

ppcvote — Sun, 29 Mar 2026 06:30:17 +0000

Asking Questions Is the Scarcest Skill of This Era

Ever had this experience?

Open ChatGPT, type "make me a website," and AI responds with a bunch of stuff you don't understand. You think: "AI isn't that great after all."

The problem isn't that AI can't deliver. The problem is you don't know how to ask.

This might sound harsh, but it's the truth: Same AI, same topic, different phrasing — the results can be worlds apart.

What's the difference? Whether your question can "be executed."

One Example That Explains Everything

Let's say you want to build a calculator.

Approach A:

Make me a calculator

What will AI give you? Probably the most basic thing — four buttons, an input field, maybe it works, maybe it doesn't. It doesn't know what kind of calculator you want, so it can only guess.

Approach B:

Make me a calculator that:

Can add, subtract, multiply, and divide

Supports chained operations (can keep pressing numbers after an operator)

Records the calculation history (shows each step to the user)

Works in a web browser

Minimal, clean style

Same AI — Approach B gives you a usable product straight away.

What's the difference? It's not that you typed more words. It's that before asking, you thought clearly about what the end result should look like.

Begin with the End in Mind

Stephen Covey said in The 7 Habits of Highly Effective People: Begin with the end in mind.

This isn't management fluff. It's the core methodology for communicating with AI.

How most people talk to AI:

I have a vague idea
  ↓
Throw it at AI directly
  ↓
AI gives a vague answer
  ↓
"AI sucks"

The correct approach:

What should the end result look like?
  ↓
Is it technically feasible?
  ↓
How much will it cost?
  ↓
Is it worth doing?
  ↓
Think all of this through, then ask AI
  ↓
AI gives you an actionable answer

You're not asking "make me X" — you're asking "make me an X that [specific description of the outcome]."

This difference is the line between amateur and professional.

Why Most People Don't Know How to Ask Questions

Because our education system never teaches it.

Asian education trains us to do one thing: Find the correct answer. And the metric for how well you find it is your score.

100 points = you're great. 60 points = you're not.

The entire system encourages "don't make mistakes" rather than "try more." But real learning comes from the number of failures, not from scores.

This creates a serious consequence: most people are afraid to ask questions. Because asking = exposing what you don't know = possibly getting penalized. So we learn a strategy — ask less, guess more, wait for someone to give us the answer.

From childhood, education trains us to answer questions: teacher asks, you answer. Exam poses questions, you respond.

But nobody ever taught you how to ask questions.

The workplace is the same. Boss says do something, you do it. Rarely does anyone ask: "Why are we doing this? What should the end result look like?"

The result: when AI gives you an "ask me anything" opportunity, most people don't know what to ask.

But the good news: asking is a skill, and skills can be practiced. You don't need to be "smart enough" to ask good questions — you just need practice. And AI is the best practice partner — it won't laugh at you, won't penalize you, and you can ask a hundred times.

The Four-Layer Structure of Asking

Before every AI conversation, run through these four questions in your mind:

Layer 1: What Do I Want? (Outcome)

Not "I want to make an app," but:

What problem does this app solve?
Who will use it?
After using it, what should the user get?

The more specific, the better. If you can't articulate what you want, AI definitely can't help you.

Layer 2: What Are the Constraints? (Conditions)

What's the budget? ($0? Or can you spend a little?)
How much time? (Need it today? Or within a week?)
Technical constraints? (Must run on mobile? On web?)
Style preference? (Minimal? Professional? Cute?)

Constraints aren't bad. Constraints help AI narrow the scope and give more precise answers.

Layer 3: What's the Background? (Context)

Is this a new project, or modifying something existing?
What approaches have you tried before? Why didn't they work?
Any reference examples? ("I want something like XX")

The more context, the less likely AI gives you an answer completely irrelevant to your situation.

Layer 4: How to Verify? (Criteria)

After it's done, how do you know it's correct?
What counts as "complete"?
Are there quantifiable standards?

Many people skip this layer, but it's important. If you don't define "what is good," AI will just give you something "close enough."

Real-World Examples: From Bad Questions to Good Questions

Example 1: Writing Copy

❌ Bad question:
"Write me a marketing copy"

✅ Good question:
"Write me a Threads post about AI automation.
Target audience: office workers who want to start a business.
150-250 words, start with a counterintuitive hook.
Tone should be like friends chatting, not like selling.
End with an open question."

Example 2: Building a Product

❌ Bad question:
"Make me a website"

✅ Good question:
"I want to build a personal brand website:
- Single page, scrollable
- Sections: About me, Services (3), Portfolio, Contact form
- Style: Dark background, techy feel, sans-serif fonts
- Tech: React + Tailwind, deploy to Vercel
- Form submission should email me a notification
Plan the architecture first, confirm with me, then start building."

Example 3: Solving a Problem

❌ Bad question:
"My code is broken"

✅ Good question:
"I'm getting this error when running npm run build:
[paste error message]
My environment is Node 18 + Vite + React.
I just modified [specific file]'s [specific part].
It was working before the change."

See the pattern? Good questions always include: Outcome + Constraints + Context.

An Overlooked Practice Method

Most people only practice "asking" when using AI. But actually, you have opportunities every day.

Start asking questions to people around you.

Next time a colleague says "this project is kind of stuck," don't just reply "mm." Try asking:

"Stuck at which step?"
"Is it a resource shortage or unclear direction?"
"What do you think ideal progress should look like?"

These questions are essentially the same as what you ask AI: figure out what the problem is, where the constraints are, what the expected outcome is.

Practice asking people, and you'll get better at asking AI too. Because the core skill is the same: turning vague things into clear things.

Prompting Checklist

Before every AI conversation, quickly run through this:

□ Do I know what the end result should look like?
□ Have I stated my constraints clearly?
□ Have I provided enough background context?
□ Do I know how to judge if AI's answer is good?
□ Can my question "be executed"?
  (Can AI start working immediately, or does it need to ask me ten more questions?)

If all five are checked, your question quality already exceeds 90% of people.

One Last Thing

AI won't replace you. But people who can use AI will replace people who can't.

And the core of "being able to use AI" isn't memorizing prompt templates — it's whether you can ask questions.

Tools change, models get updated. But the ability to ask — breaking down vague ideas into clear instructions — that skill stays with you for life.

Starting today, before every AI conversation, spend 30 seconds thinking: What should the end result actually look like?

Those 30 seconds will save you 30 minutes.

This is part two of the "Getting Started" series. Previous: AI Development for Beginners: From a Smartphone to Shipping Products

Want more free resources? Join the Solo Lab Discord.

Discord: https://discord.gg/ewS4rWXvWk

Originally published on Ultra Lab — we build AI products that run autonomously.

Try UltraProbe free — our AI security scanner checks your website for vulnerabilities in 30 seconds: ultralab.tw/probe