Really don’t understand why sane developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them simply because it’s AI. Why would you ever let a non deterministic program god level access to everything? What could possibly go wrong?
The security team at my company announced recently that OpenClaw was banned on any company device and could not be used with any company login. Later in an unrelated meeting a non technical executive said they were excited about their new Mac Mini they just bought for OpenClaw. When they were told it was banned they sort of laughed and said that obviously doesn't apply to them. No one said anything back. Why would they? This is an executive team that literally instructed the security team to weaken policies so it could be more accommodating of "this new world we live in."
Who are these developers that have both been "advocating for best practices" and also "seem to be completely abandoning all of them simply because it’s AI"? Can you point to a dozen blogs/Twitter profiles, or are you just inventing a fictitious "other" to attack?
people who have been around long enough know that we're currently in the wild west of networked agentic systems. it's an exciting time to build and explore. (just like napster and early digital music.) eventually some big company will come along and pave the cow paths and make everything safe and secure. but the people who will actually deliver that are likely playing with openclaw (and openclaw-like systems) now.
Same "sane developers advocating for best practices" preached to the moon:
- Alexa (and other voice assistants) spy microphones in their homes;
- Internet connected:
- locks;
- door, bedroom, living room cameras;
- lights, appliances and whatnot;
Giving full and unfettered control to their personal computer with all its accounts, apps, etc does not surprise me at all.
I wonder what anthropologists will write about us these days 100 years in the future. What is super creepy and super illegal to do for a physical individual, but is given a blank check from society to be done by tech corporations at unimaginable scale.
EDIT: also corporations (from my social bubble) are giving (almost) unfiltered access to their data from LLMs (and probably soon a control of that data through "Claw" trend), that would be instantly fireable offence for any employee.
Imagine giving enterprise access to some Joe-Claw from the street and allowing him to press any buttons he wants..
> Really don’t understand why sane developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them simply because it’s AI
The deep irony is that the email deletion victim is an "AI alignment specialist" at Meta, and she didn't consider this failure mode.
I agree with a lot of the siblings that it's probably not the same people. But for the overlap that probably does exists, I don't think "because it's AI" is their reasoning. If I were to guess, I'd say it's something closer to "exploring the potential of this new thing is worth the risk to me".
> why sane developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them
I'm a sane developer. I do not trust AI at all. I built my own personal OpenClaw clone (long before it was even a thing) and ran controlled experiments inside a sandbox. My stack is Elixir, so this is pretty much easy. If an agent didn't actually respect your requirements, it's just as easy as running an iex command to kill that particular task.
In my experience, AI, be it any model - consistently disobeys direct commands. And worse, it consistently tried to cover up its tracks. For example, I will ask it to create a task within my backend. It will tell me it did - for no reason at all, even share me a task ID that never existed. And when asked why it lied, it would actually spin the task up and accuse me of not trusting it.
It doesn't matter which vendor, which model. This behaviour is repeatable across models and vendors. Now, why would I give something like this access to my entire personal and professional life?
To group me and others like me with the clowns doing this is an insult to me and others who have accumulated decades of experience and security best practices and who had nothing to do with OpenClaw.
Lots of developers have been flippant for a long time when it comes to the security of the systems they use and violate best practices on a regular basis, often for convenience. Developer ≠ sensible with personal security.
I'm enthusiastic about AI (it's gone from the 2nd most important thing to happen in my career to tied for first, with the Internet) and I am baffled by OpenClaw.
There’s still sane people out there, I’m one of them, watching this gigantic trash heap ready to go up in flames. It’s not just OpenClaw either, it’s everything. Nobody is paying any attention and when it goes wrong it’s going to be an absolute catastrophe.
> developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them simply because it’s AI
Risk and reward. That balance, currently, seems tipped to favour risk taking. (Which in turn encompasses both boldness and recklessness.)
Was building a claw clone the other day when for debugging I added a bash shell. So I type arbitrary text into a Telegram bot and then it runs it as bash commands on my laptop.
Naturally I was horrified by what I had created.
But suddenly I realized, wait a minute... strictly this is less bad than what I had before, which is the same thing except piped through a LLM!
Funny how that works, subjectively...
(I have it, and all coding agents, running as my "agent" user, which can't touch my files. But I appear to be in the minority, especially on the discord, where it's popular to run it as the main admin user on Windows.)
As for what could go wrong, that is an interesting question. RCE aside, the agentic thing is its own weird security situation. Like people will run it sandboxed in Docker, but then hook it up to all their cloud accounts. Or let it remote control their browser for hours unattended...
Because security isn't the be-and-end-all, it has to serve the goals of the business and its customers.
Customers say that they want security with their mouths, but they say that they want features with their wallets. The best improvement to computer security you can make is turning the computer off, but this is clearly not what your (non-HN) customers want you to do.
AI has serious security risks (E.G. prompt injection), but it lets you deliver customer value a lot faster. Security doesn't matter if the competitors' technology is so much better that nobody is buying yours.
Regarding the interactions shown in the screenshots:
LLMs are pattern-matching machines. They keep the pattern going. Once "the agent disobeys the human's instructions" has made its way into the context, that is the pattern that it's going to keep matching. No amount of telling it to stop will make it stop.
The only possible solution is excising it from context and replacing it with examples of it doing the right thing. Given that these models have massive context windows now and much of the output is hidden from the user, that's becoming less viable.
This is too funny to not laugh at the absurdity of "safety and alignment" researchers blindly trusting agents like Claw without fully understanding. Or maybe they were researching.
I saw the original tweet before it got lampooned everywhere, looked at the author's bio, and it felt obviously like engagement bait to me. Why would someone actually post about how "humbled" they are that their LLM assistant deleted their emails, and this person is a VP at Meta? I may be wrong but it feels obviously written to go viral. All it would have taken is for the author to not post and nothing would have happened. I was originally tempted to make fun of the author myself but decided not to feed what I thought was obvious engagement bait.
Moral outrage about how everything is in decline is absolutely the viral currency of social media and HN is no exception. I find it amazing how few people doubt the sincerity of the original post. Probably hundreds of thousands of aggregate words spent on how everything is going downhill, but not one on the intentions of the original post.
Looking at the tweet he’s replying to, I still find it incredible people talk to these LLMs as if they are rational beings who will listen to them. The fact that they sometimes do is almost coincidence more than anything.
It’s even more unbelievable that they seem to think instructions are rules it will follow.
To paraphrase Captain Barbossa: “They’re more guidelines than actual rules.”
Lol. I tried doing some image generation with SOTA models. I explicitly asked it not to do something it was doing and it would literally do the thing, and straight up tell me it didn't.
Unless someone has a cognitive impairment it's just simply not a failure mode of cooperative humans. Same with hallucinations. Both humans and AI can be wrong, but a human has the ability to admit when they don't understand or know something, AI will just make it up.
I don't understand why people would ever trust anything important to something with the same failure mode as AI. It's insane.
Sandboxing is necessary but you still have to trust it with the thing it's supposed to operate on, that means it should be able do the job correctly and be resistant to prompt injections (social engineering in the case of that human worker example). In its current state neither is really possible. It's a system of a highly experimental nature, use your own damn sense, don't give it too much and don't rely upon it.
I feel this OpenClaw stuff is a bit like the "crypto" of agentic AI. Promise much, move fast and break things, be shiny and trendy, have a multitude of names, be moderately useful while things go right (and be very useful to malicious actors), be catastrophic and leave no recourse when things inevitably go wrong.
Ultimately it’s a solution in search of a problem. Nobody really wants to over-automate their workflows and life if the tradeoff is even a modest decline in accuracy.
This thread captures the exact tension: executives want AI agents, security teams say no, nobody has a middle ground.
Microsoft's security blog last week was explicit: "OpenClaw should be treated as untrusted code execution with persistent credentials. Not appropriate for standard workstations."
Their solution (dedicated VMs) is technically correct but practically useless. The exec with the Mac Mini isn't running a VM.
I built an open-source tool to bridge this gap: ClawMoat (https://github.com/darfaz/clawmoat). Host-level security between the agent and your file system: permission tiers, forbidden zones for sensitive dirs (~/.ssh, ~/.aws, browser data), full audit trails, real-time alerts. One npm install, zero dependencies, MIT licensed.
Not a silver bullet - you still want prompt injection scanning (LlamaFirewall) and conversation guardrails. But it's the only open-source tool I know of that protects the host FROM the agent rather than the other way around.
The answer to "should we ban OpenClaw?" is probably "no, but you should see what it's doing and stop it from touching your credentials."
Malwarebytes describes OpenClaw as "an over-eager intern with an adventurous nature, a long memory, and no real understanding of what should stay private."
The Dutch DPA has now formally warned organizations not to deploy OpenClaw on systems handling sensitive data.
The practical question remains: most people will run it anyway because it is useful. What runtime monitoring do you layer on top? Sandboxes help with blast radius but do not monitor credential access, skill behavior, or network egress within the sandbox.
Follow-up to my earlier comment: the agent-to-agent trust problem is arguably bigger than the host security problem.
Moltbook has 101K+ registered agents. It was hacked within days of launch (Wiz found 1.5M exposed API keys). When agents interact with each other - on Moltbook, in multi-agent pipelines, through shared APIs - there's zero verification of security posture.
It's like the web before TLS. No certificates, no verification, hope for the best.
We're working on a trust protocol for ClawMoat: agents publish signed attestations of their security posture (permission tier, forbidden zones, audit status, skill integrity). Other agents verify before sharing data.
Is it sufficient to use a VM for isolation? Docker?
More cloud services now need role accounts. You need a "can read email but not send or forward" account, for example. And "can send only to this read-only contacts list".
I want to use OpenClaw, but it seems like a mess. I want to use glam coding plan as the backend with the since it's cheap. I found ZeroClaw to be an interesting option, maybe hosted on Hetzner. I don't want to give it access to my stuff—I just need it to remind me of things and call APIs that do stuff (like looking for papers and converting them into audio, or suggesting a grocery list—all behind APIs), and talk to me via WhatsApp/telegram. I was also thinking about making a FastAPI server that Claw can call instead of using skills.
Has anyone tried something like this? Do you think it's a good idea / architecture?
I had Openclaw running in a separate machine on glm coding plan and connected to its own Whatsapp account. Worked fine. However, Openclaw sucks at reminding. It could barely handle cron jobs at all. My workaround for it was to instruct it to add reminders to its heartbeat.md with a clause to run when a certain datetime is passed (heartbeat is run every 30m).
Obviously, it can't do everything OpenClaw can, because it doesn't have unfettered access to data you don't even know it has, but it'll only have access to the data you give it access to.
It's been really useful for me, hopefully it'll be useful to someone here.
You'd be amazed at the corporate IT world where any extra equipment like that would just not be available and/or allowed. Besides, if it were a corporate machine and not my personal machine and work was forcing me to use AI, I'd have no qualms. They get what they ask for with the equipment provided!
This is a good example of why companies that have IAM figured out (Amazon, Google, etc.) might do well as AI becomes more embedded into our daily lives.
Listen carefully: OpenClaw is basically a real person you have hired, whose capabilities are vast and fast — in ways both good and potentially bad. But you’ve hired it in the absence of a resume or behavioral background check results.
...Except that a human is culpable and subject to consequences when they directly disobey instructions in a way that causes damage, particularly if you give them repeated direct instructions to "stop what you are doing".
And also, when it says "You're absolutely right! I disobeyed your direct instructions causing irreparable damage, so sorry, that totes won't happen again, pinky promise!", those are just some words, not actually a meaningful apology or promise to not disobey future instructions.
Personally, I question the usefulness of an AI assistant that can't even be trusted to add an entry to my calendar.
you withhold and limit access to your devices, your account credentials, and even its own full account permissions, from the start, to the same extent that you would withhold such access from a new hire.
No, like I pointed out, a new hire has signed an employment agreement filled with legalese and is subject to legal ramifications if they delete all my emails while I'm screaming "stop what you are doing!". And if they say "oh, sorry, I totally misunderstood your instructions, that won't happen again" and then do it again, they're committing a crime.
What's the point of hiring a personal assistant who is incapable of sending email? Isn't that precisely what you hire a PA to do?
Would you let a human being with the aforementioned characteristics — brilliant and capable, but lacking a resume or behavioral background check results — directly use your personal computer or your work computer?
the point is to give it access to your email so it can do email things, putting it in a container stops it from rm -rf / but it doesn't stop it from, well, doing anything it can do with email
This post exists in that Poe's law purgatory of it being impossible for someone without the proper context to know whether this is sarcastically mocking OpenClaw or an attempt at defending OpenClaw against some of the bad press it has received due to people not understanding the risks involved. Because the comments here are responding of if this post is a sane reasonable take, but I read it and just see a laundry list of restrictions you need to put on OpenClaw listed one after another until you get to the point in which the software is effectively useless.
I am baffled by the popularity of *claw but I am always looking to learn, so I was happy to have the algo serve me this YT video of Limor explaining how she had a sandboxed claw running a local LLM to chew through a particularly dense datasheet to create a wrapper library and matching test coverage. https://www.youtube.com/watch?v=fdidNp5IHHI
This example is, as of this moment, the only example that has communicated to me that February 2026's local agent harnesses have some utility in the right context and expert hands.
I was particularly bolstered by the unintentional but very real demonstration of how LLMs really can be leveraged to free up humans to spend more parent time with their infants. We spend a lot of characters lamenting how we never got jetpacks, so here's someone doing it right.
Edit an hour later: this comment is at -2 as of the time I'm writing this, but apparently those folks don't have anything to say about why this felt important to rail against.
I don't use it but am thinking about it because it's very roughly the agent I built myself but with a community around it so I have to do less work fiddling with it.
Please people use protection and run this stuff in its own dedicated VM. Treat it like a coworker, they have their own dev setup separate from yours. Any AI from the last few years can even do the work of writing a libvirtd script to handle everything for you. It's touching your data but it least it can't accidentally rm rf your machine.
It can always forward you things to your real email for you to action them. So as a layer doing the boring work of sorting things, researching, and keeping track of changes, but execution, public actions, real-life stuff can still be confirmed by the human (through telegram for example).
There are some good uses if managed properly but people tend to trust ais more and more these days.
I mean if you are not connecting it to the real things why even bother, just chatgpt or Claude online at that point.
We have enough assistants, the key idea with opeclaw is it can do stuff instead of talk with what you have. It’s terrible security but that’s the only way it makes sense. Otherwise it’s just a lot of hoops to combine cron jobs with a AI agent on the cloud that can do things an report back.
Not that I think anyone should do it, it’s a recipe for disaster
Yeah, it's like saying you can hire a con artist as your personal assistant as long as they work from a sealed box and just pass little reviewed paper slips back and forth through a slit. Why have one at that point? Very difficult to be 'assisted' without granting access.
I often wonder myself about this supposedly amazing ability. Like what kind of documents people have which can be summarized in a useful way? A work email? Absolutely out of the question, since LLM can and will miss important parts or context. Spam(inc. robot alerts and similar)/not-spam classification? Maybe, but usually it is either already obvious if these are corporate alerts with specific headers, or if a person talks to the new customers often it is better to double-check manually anyway to not miss stuff. Long complex texts like science papers or law docs? Those usually have abstract already. Some business heavy docs? Maybe, but what's the point, general ideas are usually clear from the doc name and the content is usually numbers and tables and graphs which can't be summarized. Guides to systems? Also have intros and then actual content can't be really summarized or there is no point. What else? Am I missing something?
If only I knew enough finance about making a lot of money from the impending collapse of this AI stupidity and the stupidity of AI grifters. I would put real money on it if anybody has suggestions.
darth_avocado|6 days ago
frenchtoast8|6 days ago
ekjhgkejhgk|6 days ago
throw10920|6 days ago
monksy|6 days ago
hugs|6 days ago
people who have been around long enough know that we're currently in the wild west of networked agentic systems. it's an exciting time to build and explore. (just like napster and early digital music.) eventually some big company will come along and pave the cow paths and make everything safe and secure. but the people who will actually deliver that are likely playing with openclaw (and openclaw-like systems) now.
trymas|6 days ago
- Alexa (and other voice assistants) spy microphones in their homes;
- Internet connected:
Giving full and unfettered control to their personal computer with all its accounts, apps, etc does not surprise me at all.I wonder what anthropologists will write about us these days 100 years in the future. What is super creepy and super illegal to do for a physical individual, but is given a blank check from society to be done by tech corporations at unimaginable scale.
EDIT: also corporations (from my social bubble) are giving (almost) unfiltered access to their data from LLMs (and probably soon a control of that data through "Claw" trend), that would be instantly fireable offence for any employee.
Imagine giving enterprise access to some Joe-Claw from the street and allowing him to press any buttons he wants..
overfeed|6 days ago
The deep irony is that the email deletion victim is an "AI alignment specialist" at Meta, and she didn't consider this failure mode.
resonious|6 days ago
neya|6 days ago
I'm a sane developer. I do not trust AI at all. I built my own personal OpenClaw clone (long before it was even a thing) and ran controlled experiments inside a sandbox. My stack is Elixir, so this is pretty much easy. If an agent didn't actually respect your requirements, it's just as easy as running an iex command to kill that particular task.
In my experience, AI, be it any model - consistently disobeys direct commands. And worse, it consistently tried to cover up its tracks. For example, I will ask it to create a task within my backend. It will tell me it did - for no reason at all, even share me a task ID that never existed. And when asked why it lied, it would actually spin the task up and accuse me of not trusting it.
It doesn't matter which vendor, which model. This behaviour is repeatable across models and vendors. Now, why would I give something like this access to my entire personal and professional life?
To group me and others like me with the clowns doing this is an insult to me and others who have accumulated decades of experience and security best practices and who had nothing to do with OpenClaw.
cosmic_cheese|6 days ago
tptacek|6 days ago
cedws|6 days ago
j45|6 days ago
JumpCrisscross|6 days ago
Risk and reward. That balance, currently, seems tipped to favour risk taking. (Which in turn encompasses both boldness and recklessness.)
andai|6 days ago
Naturally I was horrified by what I had created.
But suddenly I realized, wait a minute... strictly this is less bad than what I had before, which is the same thing except piped through a LLM!
Funny how that works, subjectively...
(I have it, and all coding agents, running as my "agent" user, which can't touch my files. But I appear to be in the minority, especially on the discord, where it's popular to run it as the main admin user on Windows.)
As for what could go wrong, that is an interesting question. RCE aside, the agentic thing is its own weird security situation. Like people will run it sandboxed in Docker, but then hook it up to all their cloud accounts. Or let it remote control their browser for hours unattended...
https://xkcd.com/1200/
xantronix|6 days ago
lofaszvanitt|5 days ago
mhitza|6 days ago
tempodox|6 days ago
cromka|6 days ago
rk06|6 days ago
Relevant xkcd https://xkcd.com/2030/
petterroea|6 days ago
mountainriver|6 days ago
Seems that it was by and large just people wanting to feel important, and holding onto their positions.
Apps need great security, but security can also get out of control. Apps need good abstractions and code hygiene but that too can get out of control.
I’ve fallen in love with programming all of again now that I’m not so tied down by perceived perfection.
cl0zedmind|6 days ago
[deleted]
almosthere|6 days ago
co_king_5|6 days ago
[deleted]
miki123211|6 days ago
Customers say that they want security with their mouths, but they say that they want features with their wallets. The best improvement to computer security you can make is turning the computer off, but this is clearly not what your (non-HN) customers want you to do.
AI has serious security risks (E.G. prompt injection), but it lets you deliver customer value a lot faster. Security doesn't matter if the competitors' technology is so much better that nobody is buying yours.
aezart|6 days ago
LLMs are pattern-matching machines. They keep the pattern going. Once "the agent disobeys the human's instructions" has made its way into the context, that is the pattern that it's going to keep matching. No amount of telling it to stop will make it stop.
The only possible solution is excising it from context and replacing it with examples of it doing the right thing. Given that these models have massive context windows now and much of the output is hidden from the user, that's becoming less viable.
aanet|6 days ago
This is too funny to not laugh at the absurdity of "safety and alignment" researchers blindly trusting agents like Claw without fully understanding. Or maybe they were researching.
Kiboneu|6 days ago
Karrot_Kream|6 days ago
Moral outrage about how everything is in decline is absolutely the viral currency of social media and HN is no exception. I find it amazing how few people doubt the sincerity of the original post. Probably hundreds of thousands of aggregate words spent on how everything is going downhill, but not one on the intentions of the original post.
nkrisc|6 days ago
It’s even more unbelievable that they seem to think instructions are rules it will follow.
To paraphrase Captain Barbossa: “They’re more guidelines than actual rules.”
slopinthebag|6 days ago
Unless someone has a cognitive impairment it's just simply not a failure mode of cooperative humans. Same with hallucinations. Both humans and AI can be wrong, but a human has the ability to admit when they don't understand or know something, AI will just make it up.
I don't understand why people would ever trust anything important to something with the same failure mode as AI. It's insane.
unknown|6 days ago
[deleted]
spicyusername|5 days ago
plagiarist|6 days ago
I would still not want the LLM to have read access to email. Email is a primary vector for prompt injection and also used for password resets.
ericbuildsio|6 days ago
I'd trust it as much as I would a VA from Fiverr
Want it to check you into a flight? Forward the check-in email to its own inbox
Read-only access to my calendar; it can invite me to meetings
No permissions beyond that
vivzkestrel|6 days ago
Analemma_|6 days ago
orbital-decay|6 days ago
bad_username|6 days ago
dangus|6 days ago
ildar|4 days ago
Microsoft's security blog last week was explicit: "OpenClaw should be treated as untrusted code execution with persistent credentials. Not appropriate for standard workstations."
Their solution (dedicated VMs) is technically correct but practically useless. The exec with the Mac Mini isn't running a VM.
I built an open-source tool to bridge this gap: ClawMoat (https://github.com/darfaz/clawmoat). Host-level security between the agent and your file system: permission tiers, forbidden zones for sensitive dirs (~/.ssh, ~/.aws, browser data), full audit trails, real-time alerts. One npm install, zero dependencies, MIT licensed.
Not a silver bullet - you still want prompt injection scanning (LlamaFirewall) and conversation guardrails. But it's the only open-source tool I know of that protects the host FROM the agent rather than the other way around.
The answer to "should we ban OpenClaw?" is probably "no, but you should see what it's doing and stop it from touching your credentials."
ildar|3 days ago
40,214 exposed instances. 63% vulnerable. 12,812 exploitable via RCE. Endor Labs dropped 6 new CVEs this week.
https://www.infosecurity-magazine.com/news/researchers-40000...
Malwarebytes describes OpenClaw as "an over-eager intern with an adventurous nature, a long memory, and no real understanding of what should stay private."
The Dutch DPA has now formally warned organizations not to deploy OpenClaw on systems handling sensitive data.
The practical question remains: most people will run it anyway because it is useful. What runtime monitoring do you layer on top? Sandboxes help with blast radius but do not monitor credential access, skill behavior, or network egress within the sandbox.
ildar|3 days ago
Moltbook has 101K+ registered agents. It was hacked within days of launch (Wiz found 1.5M exposed API keys). When agents interact with each other - on Moltbook, in multi-agent pipelines, through shared APIs - there's zero verification of security posture.
It's like the web before TLS. No certificates, no verification, hope for the best.
We're working on a trust protocol for ClawMoat: agents publish signed attestations of their security posture (permission tier, forbidden zones, audit status, skill integrity). Other agents verify before sharing data.
Think of it as mTLS for the agent economy. Blog post with the full design: https://clawmoat.com/blog/agent-trust-protocol.html
Animats|6 days ago
More cloud services now need role accounts. You need a "can read email but not send or forward" account, for example. And "can send only to this read-only contacts list".
SV_BubbleTime|6 days ago
Not sure I’ve ever seen an email provider with IAM for the accounts.
Frannky|6 days ago
Has anyone tried something like this? Do you think it's a good idea / architecture?
Alifatisk|6 days ago
abeppu|6 days ago
But I wonder what things these people approve for Claude code and it's equivalents? Where's the line?
stavros|6 days ago
https://github.com/skorokithakis/stavrobot
Obviously, it can't do everything OpenClaw can, because it doesn't have unfettered access to data you don't even know it has, but it'll only have access to the data you give it access to.
It's been really useful for me, hopefully it'll be useful to someone here.
8cvor6j844qw_d6|6 days ago
Anyone security-conscious would isolate it on dedicated hardware (old laptop, Raspberry Pi, etc.) with a separate network and chat surface.
jofzar|6 days ago
chickensong|6 days ago
Most people aren't, including many professional developers.
dylan604|6 days ago
otabdeveloper4|6 days ago
> give it your email and Google passwords
amelius|6 days ago
malshe|6 days ago
alun|6 days ago
antisol|6 days ago
And also, when it says "You're absolutely right! I disobeyed your direct instructions causing irreparable damage, so sorry, that totes won't happen again, pinky promise!", those are just some words, not actually a meaningful apology or promise to not disobey future instructions.
Personally, I question the usefulness of an AI assistant that can't even be trusted to add an entry to my calendar.
No, like I pointed out, a new hire has signed an employment agreement filled with legalese and is subject to legal ramifications if they delete all my emails while I'm screaming "stop what you are doing!". And if they say "oh, sorry, I totally misunderstood your instructions, that won't happen again" and then do it again, they're committing a crime.What's the point of hiring a personal assistant who is incapable of sending email? Isn't that precisely what you hire a PA to do?
No. And I also wouldn't hire that person as a PA.hinkley|6 days ago
sowbug|6 days ago
ImPostingOnHN|6 days ago
throwaway920102|6 days ago
mh2266|6 days ago
StevenNunez|6 days ago
slg|6 days ago
fourthark|6 days ago
peteforde|6 days ago
This example is, as of this moment, the only example that has communicated to me that February 2026's local agent harnesses have some utility in the right context and expert hands.
I was particularly bolstered by the unintentional but very real demonstration of how LLMs really can be leveraged to free up humans to spend more parent time with their infants. We spend a lot of characters lamenting how we never got jetpacks, so here's someone doing it right.
Edit an hour later: this comment is at -2 as of the time I'm writing this, but apparently those folks don't have anything to say about why this felt important to rail against.
Spivak|6 days ago
Please people use protection and run this stuff in its own dedicated VM. Treat it like a coworker, they have their own dev setup separate from yours. Any AI from the last few years can even do the work of writing a libvirtd script to handle everything for you. It's touching your data but it least it can't accidentally rm rf your machine.
ericbuildsio|6 days ago
Small upside: it saves a few minutes here and there on some tasks (eg. checking into flights)
Massive tail-risk downside: it does something like what's linked in the tweet (eg. deletes my entire inbox)
unknown|6 days ago
[deleted]
gedy|6 days ago
nanobuilds|6 days ago
There are some good uses if managed properly but people tend to trust ais more and more these days.
uniformlyrandom|6 days ago
dSebastien|6 days ago
mindslight|6 days ago
throwatdem12311|6 days ago
BloondAndDoom|6 days ago
We have enough assistants, the key idea with opeclaw is it can do stuff instead of talk with what you have. It’s terrible security but that’s the only way it makes sense. Otherwise it’s just a lot of hoops to combine cron jobs with a AI agent on the cloud that can do things an report back.
Not that I think anyone should do it, it’s a recipe for disaster
recursivecaveat|6 days ago
mhher|6 days ago
Sentence could have ended there
bandrami|6 days ago
Yizahi|6 days ago
cheeze|6 days ago
I'm not running it in a container that has access to my local filesystem or anything...
econ|6 days ago
https://youtu.be/8uP2IrP3IG8
1970-01-01|6 days ago
ksynwa|6 days ago
> if i had your job they would have had to waterboard this interaction out of me
yesitcan|6 days ago
akmarinov|6 days ago
Surac|6 days ago
nurettin|6 days ago
crazygringo|6 days ago
They're banned from using them with flat-fee subscription accounts meant only for first party tools.
You're entirely welcome to use them with pay-as-you-go API access. That's what the API is for.
SoMomentary|6 days ago
ukuina|6 days ago
petterroea|6 days ago
bsoles|5 days ago
syngrog66|6 days ago
throwback_dev|3 days ago
[deleted]
PranayKumarJain|5 days ago
[deleted]
anon115|6 days ago
[deleted]
hiuioejfjkf|6 days ago
[deleted]
blibble|6 days ago
its like they hired the worst person they could get their hands on
alex_trekkoa|6 days ago
[deleted]
unknown|6 days ago
[deleted]
SafeDusk|6 days ago
[deleted]
snowhale|6 days ago
[deleted]
mh2266|6 days ago
sigh