About

Hinotoi is a defensive security researcher based in Singapore, guided by a simple idea from the profile repository: a single spark can change the field.

This site is the public-facing notebook for AI security and OSS vulnerability research. It tracks how small signals become useful security work: a suspicious path, a redirected URL, a tool call with too much authority, a document parser running in the wrong place, a prompt that crosses into host action, or maintainer feedback that sharpens the next report.

What this site tracks

  • AI-agent and MCP-style trust boundaries
  • prompt/content injection that reaches tools, files, memory, credentials, browsers, or network calls
  • upload, parser, URL-fetch, path, symlink, and sandbox hardening patterns
  • merged OSS security PRs and the lessons they leave behind
  • external security references converted into original field observations
  • repeatable checklists that improve future reviews

The aim is not volume. The aim is compression: every daily post should leave behind a takeaway, and every durable takeaway should route back into the vault so the next review starts sharper.