It should be noted that this exec also mentioned we should try "all the AIs", without offering up their credit card to cover the costs. I guess when your base salary is more than most people make in a life time, a few hundred bucks a month to test something doesn't even register.
MoltBook is vibe coded. It passed its own API key via client side JS, and in doing so exposed full read/write access to it’s supabase db, complete with over a million API keys.
I lack the words to explain my frustration at this timeline.
When was this lol; I knew it didn’t drop out of the news that fast by inertia alone.
Wow, this is sure a brave new world. I'd just recently heard about the project and they've already been pwned so massively. We're accelerating into a future beyond our control.
If the executive bought it for a personal mac mini for personal use only, with no interaction with company resources, then the person probably wouldn't have told the story.
Testing new and cutting edge tech has always been a good idea, but this rampant application of it is the ultimate Running-With-Scissors meme. Risks are not being evaluated, and everything is bleeding edge.
My disgust probably comes from the instinct that the excitement is based on the allure of doing more with less, and layoffs are the only idea so many business have left.
The other camp is excited about selling more stuff because AI has been slapped onto it.
It's a Venn diagram: there are two camps and there is no doubt some overlap because the number of people involved. GP was obviously talking about the overlap, not literally equating this with two specific people or two groups that are 100% overlapping.
I don’t know which ones specifically, but statistically speaking some must be.
You only get an overlap if you ignore words in the original comment.
I think the most useful interpretation of the previous post is Set A is "the set of developers who appeared sane before the arrival of AI agents" and Set B is "the set of developers who are completely ignoring security considerations".
Risk and reward. That balance, currently, seems tipped to favour risk taking. (Which in turn encompasses both boldness and recklessness.)
- Alexa (and other voice assistants) spy microphones in their homes;
- Internet connected:
- locks;
- door, bedroom, living room cameras;
- lights, appliances and whatnot;
I wonder what anthropologists will write about us these days 100 years in the future. What is super creepy and super illegal to do for a physical individual, but is given a blank check from society to be done by tech corporations at unimaginable scale.
EDIT: also corporations (from my social bubble) are giving (almost) unfiltered access to their data from LLMs (and probably soon a control of that data through "Claw" trend), that would be instantly fireable offence for any employee.
Imagine giving enterprise access to some Joe-Claw from the street and allowing him to press any buttons he wants..
people who have been around long enough know that we're currently in the wild west of networked agentic systems. it's an exciting time to build and explore. (just like napster and early digital music.) eventually some big company will come along and pave the cow paths and make everything safe and secure. but the people who will actually deliver that are likely playing with openclaw (and openclaw-like systems) now.
The deep irony is that the email deletion victim is an "AI alignment specialist" at Meta, and she didn't consider this failure mode.
I'm a sane developer. I do not trust AI at all. I built my own personal OpenClaw clone (long before it was even a thing) and ran controlled experiments inside a sandbox. My stack is Elixir, so this is pretty much easy. If an agent didn't actually respect your requirements, it's just as easy as running an iex command to kill that particular task.
In my experience, AI, be it any model - consistently disobeys direct commands. And worse, it consistently tried to cover up its tracks. For example, I will ask it to create a task within my backend. It will tell me it did - for no reason at all, even share me a task ID that never existed. And when asked why it lied, it would actually spin the task up and accuse me of not trusting it.
It doesn't matter which vendor, which model. This behaviour is repeatable across models and vendors. Now, why would I give something like this access to my entire personal and professional life?
To group me and others like me with the clowns doing this is an insult to me and others who have accumulated decades of experience and security best practices and who had nothing to do with OpenClaw.
Naturally I was horrified by what I had created.
But suddenly I realized, wait a minute... strictly this is less bad than what I had before, which is the same thing except piped through a LLM!
Funny how that works, subjectively...
(I have it, and all coding agents, running as my "agent" user, which can't touch my files. But I appear to be in the minority, especially on the discord, where it's popular to run it as the main admin user on Windows.)
As for what could go wrong, that is an interesting question. RCE aside, the agentic thing is its own weird security situation. Like people will run it sandboxed in Docker, but then hook it up to all their cloud accounts. Or let it remote control their browser for hours unattended...
I didn't meant to imply CS majors knew this either.
Understanding the impact of letting software run permission and operationally free within or against direct access to other software is a pretty basic thing.
Neither deterministic nor non-deterministic software performs as expected without getting it right.
We are new to non-deterministic software, let alone how it operates between different layers.
DevOps, hosting, security, etc, is all in a way software, and software configuration.
The more it's understood, the more it can inform software development, and in the case of openclaw, integrating systems.
Seems that it was by and large just people wanting to feel important, and holding onto their positions.
Apps need great security, but security can also get out of control. Apps need good abstractions and code hygiene but that too can get out of control.
I’ve fallen in love with programming all of again now that I’m not so tied down by perceived perfection.
Relevant xkcd https://xkcd.com/2030/
If they don't their jobs are going to get replaced by AI
Learn fast or die trying, lol.
Customers say that they want security with their mouths, but they say that they want features with their wallets. The best improvement to computer security you can make is turning the computer off, but this is clearly not what your (non-HN) customers want you to do.
AI has serious security risks (E.G. prompt injection), but it lets you deliver customer value a lot faster. Security doesn't matter if the competitors' technology is so much better that nobody is buying yours.
> Security doesn't matter if the competitors' technology is so much better that nobody is buying yours.
This is too funny to not laugh at the absurdity of "safety and alignment" researchers blindly trusting agents like Claw without fully understanding. Or maybe they were researching.
LLMs are pattern-matching machines. They keep the pattern going. Once "the agent disobeys the human's instructions" has made its way into the context, that is the pattern that it's going to keep matching. No amount of telling it to stop will make it stop.
The only possible solution is excising it from context and replacing it with examples of it doing the right thing. Given that these models have massive context windows now and much of the output is hidden from the user, that's becoming less viable.
But I wonder what things these people approve for Claude code and it's equivalents? Where's the line?
https://github.com/skorokithakis/stavrobot
Obviously, it can't do everything OpenClaw can, because it doesn't have unfettered access to data you don't even know it has, but it'll only have access to the data you give it access to.
It's been really useful for me, hopefully it'll be useful to someone here.
Moral outrage about how everything is in decline is absolutely the viral currency of social media and HN is no exception. I find it amazing how few people doubt the sincerity of the original post. Probably hundreds of thousands of aggregate words spent on how everything is going downhill, but not one on the intentions of the original post.
Has anyone tried something like this? Do you think it's a good idea / architecture?
It’s even more unbelievable that they seem to think instructions are rules it will follow.
To paraphrase Captain Barbossa: “They’re more guidelines than actual rules.”
Unless someone has a cognitive impairment it's just simply not a failure mode of cooperative humans. Same with hallucinations. Both humans and AI can be wrong, but a human has the ability to admit when they don't understand or know something, AI will just make it up.
I don't understand why people would ever trust anything important to something with the same failure mode as AI. It's insane.
Anyone security-conscious would isolate it on dedicated hardware (old laptop, Raspberry Pi, etc.) with a separate network and chat surface.
Most people aren't, including many professional developers.
More cloud services now need role accounts. You need a "can read email but not send or forward" account, for example. And "can send only to this read-only contacts list".
Not sure I’ve ever seen an email provider with IAM for the accounts.
Enterprise deployments of AI agents solve this differently: scoped credentials, audit logs, explicit action authorization per-user. The 'install on your laptop' paradigm trades all of that for convenience.
The interesting design question is whether you can get personal-machine convenience without trust boundary collapse. Probably not, without fundamental changes to how OS-level permissions interact with agent action APIs.
Small upside: it saves a few minutes here and there on some tasks (eg. checking into flights)
Massive tail-risk downside: it does something like what's linked in the tweet (eg. deletes my entire inbox)
I'm not running it in a container that has access to my local filesystem or anything...
But then again people today will also pipe curl to bash, so I may have lost this battle a while ago...
I think you've created confusion with this example due to its ambiguity. Let's be clear about the difference between a chatbot and an agent: Asking a chatbot (e.g. vanilla Claude) to summarize an unknown document is not risky, since all it can do is generate text. Asking an agent (e.g. Claude Code) to summarize an unknown document could indeed be risky for the reason you state.
Prompt injection in the document itself is a risk to the LLM/You.
> But then again people today will also pipe curl to bash
We have enough assistants, the key idea with opeclaw is it can do stuff instead of talk with what you have. It’s terrible security but that’s the only way it makes sense. Otherwise it’s just a lot of hoops to combine cron jobs with a AI agent on the cloud that can do things an report back.
Not that I think anyone should do it, it’s a recipe for disaster
I would still not want the LLM to have read access to email. Email is a primary vector for prompt injection and also used for password resets.
I'd trust it as much as I would a VA from Fiverr
Want it to check you into a flight? Forward the check-in email to its own inbox
Read-only access to my calendar; it can invite me to meetings
No permissions beyond that
There are some good uses if managed properly but people tend to trust ais more and more these days.
Listen carefully: OpenClaw is basically a real person you have hired, whose capabilities are vast and fast — in ways both good and potentially bad. But you’ve hired it in the absence of a resume or behavioral background check results.
And also, when it says "You're absolutely right! I disobeyed your direct instructions causing irreparable damage, so sorry, that totes won't happen again, pinky promise!", those are just some words, not actually a meaningful apology or promise to not disobey future instructions.
Personally, I question the usefulness of an AI assistant that can't even be trusted to add an entry to my calendar.
you withhold and limit access to your devices, your account credentials, and even its own full account permissions, from the start, to the same extent that you would withhold such access from a new hire.
What's the point of hiring a personal assistant who is incapable of sending email? Isn't that precisely what you hire a PA to do?
Would you let a human being with the aforementioned characteristics — brilliant and capable, but lacking a resume or behavioral background check results — directly use your personal computer or your work computer?
They're banned from using them with flat-fee subscription accounts meant only for first party tools.
You're entirely welcome to use them with pay-as-you-go API access. That's what the API is for.
its like they hired the worst person they could get their hands on
This example is, as of this moment, the only example that has communicated to me that February 2026's local agent harnesses have some utility in the right context and expert hands.
I was particularly bolstered by the unintentional but very real demonstration of how LLMs really can be leveraged to free up humans to spend more parent time with their infants. We spend a lot of characters lamenting how we never got jetpacks, so here's someone doing it right.
Edit an hour later: this comment is at -2 as of the time I'm writing this, but apparently those folks don't have anything to say about why this felt important to rail against.
Please people use protection and run this stuff in its own dedicated VM. Treat it like a coworker, they have their own dev setup separate from yours. Any AI from the last few years can even do the work of writing a libvirtd script to handle everything for you. It's touching your data but it least it can't accidentally rm rf your machine.