Project Jennifer: The Lifecycle of an AI Agent
From the 10X promise of autonomous agency to the hard pivot of strategic realism. A deep dive into Moltbot orchestration, security hardening, and economic constraints.
Role
Security & Strategy Architect
Timeline
January 2026 - Concluded
Outcome
Prototyped a high-autonomy assistant before pivoting to a hardened 'human-in-the-loop' model to solve for unit economics, security vulnerabilities, and data privacy.
The Vision: Beyond Automation
Project Jennifer was born from a desire to move beyond the rigid, node-based logic of my previous Autonomous Homelab Sentinel. While n8n provided excellent automation, it lacked Agency—the ability to understand intent and act without a pre-defined flowchart. I wanted a 24/7 partner that could 10X my output by acting as a “Resident SRE” for both my server and my life.
Phase 1: Setup & Initial POC
I repurposed a 2012 Mac Mini as an Ubuntu server and installed Moltbot (formerly Clawdbot). The setup was intentionally minimal: a SOUL.md to define personality and a MEMORY.md to store context.
The initial POC was a revelation. Unlike traditional chatbots, Jennifer felt like a technical peer. I could chat via Telegram or terminal, and very technical tasks, like deploying local web apps, were completed without me writing a single requirement or PRD.
Phase 2: Integration & Proactive Engineering
Within a few days, Jennifer had become the central nervous system of my lab:
- Life Logistics: She managed my TickTick to-do list and scanned my email for actionable items, moving fluidly between conversation and data.
- Network Sentinel: Using read-only APIs, she monitored every service in my homelab and alerted me proactively via Telegram.
- Autonomous Building: Without manual spec-writing, she built and deployed three distinct apps: an Interactive Dashboard, a Blogging Idea Manager, and a Project Kanban app.
Phase 3: The Security Audit & Hardening
As the agent’s autonomy grew, so did the risk. I used Claude Code to perform a comprehensive audit of the mini-server. The results were sobering: the audit identified 11 issues across 4 severity levels.
The Audit Findings:
- Critical Vulnerabilities: I discovered the UFW firewall was inactive, services were binding to 0.0.0.0 (exposing them to the whole network), and session logs, which contained API keys in plain text, were world-readable.
- Supply Chain Risk: There was no mechanism to detect malicious “skills.” A real-world incident where a backdoored skill reached 4,000 installs highlighted the danger.
The Hardening Response:
- Network Lockdown: I enabled UFW with a deny-by-default policy, allowing only SSH from anywhere and granting full access only to the Tailscale subnet.
- SSH & Brute Force: I disabled root login and password auth in favor of Ed25519 keys and installed Fail2ban to automatically ban IPs after failed attempts.
- Automated Skill Scanner: I developed a custom script to scan skill source code for 10 categories of suspicious patterns, including network exfiltration and reverse shells.
- Integrity Monitoring: I created a weekly cron job to validate the SHA256 baseline of all “TickTick” skill files, with Telegram alerts for unauthorized modifications.
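The integrity-monitoring step above comes down to a baseline-and-compare check. The sketch below is an added example, not the script used in the project: the file names and directory layout are constructed, and sending the alert (Telegram in the original setup) is left to the caller.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(skill_dir: Path) -> dict:
    """Map relative path -> SHA256. Symlinks are skipped on purpose, so a
    file swapped for a symlink is later reported as removed."""
    return {
        p.relative_to(skill_dir).as_posix(): sha256_file(p)
        for p in skill_dir.rglob("*")
        if p.is_file() and not p.is_symlink()
    }


def verify(skill_dir: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline; all-empty means clean."""
    now = build_baseline(skill_dir)
    return {
        "modified": sorted(f for f in baseline if f in now and now[f] != baseline[f]),
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
    }


def alert_text(report: dict) -> str:
    """Alert body for the caller to send, or "" when nothing changed."""
    lines = [f"{kind}: {name}" for kind, names in report.items() for name in names]
    return "Skill integrity check FAILED\n" + "\n".join(lines) if lines else ""


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        skills = Path(tmp)
        (skills / "SKILL.md").write_text("# sample skill\n")
        (skills / "sync.py").write_text("print('sync')\n")
        baseline = build_baseline(skills)  # taken while the tree is trusted
        (skills / "sync.py").write_text("print('tampered')\n")
        print(alert_text(verify(skills, baseline)))
```

The baseline only protects anything if it is stored where the agent's account cannot write, since a process able to modify a skill could otherwise rewrite the recorded hash as well. Reporting added and removed files alongside modified ones catches a dropped-in file that a hash-only comparison of known paths would miss.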
Phase 4: The Economic Wall & Final Pivot
Despite the hardening, the “Agency Tax” became unavoidable. Continuous polling to stay “alive” consumed millions of tokens, making the Pay-As-You-Go API model economically ruinous. Experimenting with Kimi 2.5 (Moonshot) to save costs failed due to high latency and unacceptable data-training policies.
Current State: Jennifer has been decommissioned as an autonomous agent. I have returned to Strategic Tooling, using Claude Code for human-triggered tasks and free Cron Jobs for monitoring. This maintains 100% privacy and eliminates the financial bleed while retaining the high-reasoning power I need.