I am one of those people and I work at a FANG.
And while I know it seems annoying, these teams are overwhelmed with not only innovators but lawyers asking so many variations of the same question it's pretty hard to get back to the innovators with a thumbs up or guidance.
Also there is a real threat here. The "wiped my hard drive" story is annoying but it's a toy problem. An agent with database access exfiltrating customer PII to a model endpoint is a horrific outcome for impacted customers and everyone in the blast radius.
That's the kind of thing keeping us up at night, not blocking people for fun.
I'm actively trying to find a way we can unblock innovators to move quickly at scale, but it's a bit of a slow down to go fast moment. The goal isn't roadblocks, it's guardrails that let you move without the policy team being a bottleneck on every request.
They will also burn other people, which is a big problem you can’t simply ignore.
https://theshamblog.com/an-ai-agent-published-a-hit-piece-on...
But even if they only burned themselves, you’re talking as if that isn’t a problem. We shouldn’t be handing explosives to random people on the street because “they’ll only blow their own hands”.
Isn't the whole selling point of OpenClaw that you give it valuable (personal) data to work on, which would typically also be processed by 3rd party LLMs?
The security and privacy implications are massive. The only way to use it "safely" is by not giving it much of value.
This is so relatable. I remember trying to set up an LLM gateway back in 2023. There were at least 3 different teams that blocked our rollout for months until they worked through their backlog. "We're blocking you, but you’ll have to chase and nag us for us to even consider unblocking you"
At the end of all that waiting, nothing changed. Each of those teams wrote a document saying they had a look and were presumably just happy to be involved somehow?
Though with the recent layoffs and stuff, the security in Amazon was getting better. Even the best practices for IAM policies that were the norm in 2018 are just getting enforced by 2025.
Since I had a background in infosec, it always confused me how normal it was to give/grant overly permissive policies to basically anything. Even opening ports to the world (0.0.0.0/0) was still a significant issue in 2024; you can easily get away with it until the scanner finds your host/policy/configuration...
Although nearly all AWS accounts were managed by Conduit (the internal AWS account creation and management service), the "magic-team" had many "account-containers" to make all these child/service accounts join a parent "organization-account". By the time I left, the "organization-account" had no restrictive policies set; it was up to the developers to secure their resources (like S3 buckets and their policies).
So, I don't think the policy folks are overall wrong. In the best-case scenario, they do not need to exist in the first place, as enforcement should be what ensures security. But that always has an exception somewhere in someone's workflow.
1. The compliance box tickers and bean counters are in the way of innovation and it hurts companies.
2. Claws derive their usefulness mainly from having broad permissions, not only to your local system but also to your accounts via your real identity [1]. Carefulness is very much warranted.
[1] People correct me if I'm misguided, but that is how I see it. Run the bot in a sandbox with no data and a bunch of fake accounts and you'll see how useful that is.
All these claws throw caution to the wind in enabling the LLM to be triggered by text coming from external sources, which is another step in recklessness.
Then the heads changed and we were back to square one.
But for a moment it was glorious to see what was possible.
Now for the more reasonable point: instead of being adversarial and disparaging those trying to do their job why not realize that, just like you, they have a certain viewpoint and are trying to do the best they can. There is no simple answer to the issues we’re dealing with and it will require compromise. That won’t happen if you see policy and security folks as “climbing out of their holes”.
The only innovation I want to see coming out of this powerblock is how to dismantle it. Their potential to benefit humanity sailed many, many years ago.
What a surprise that someone working in Big Tech would find "pesky" policies to get in their way. These companies have obviously done so much good for the world; imagine what they could do without any guardrails!
> Though Anthropic has maintained that it does not and will not allow its AI systems to be directly used in lethal autonomous weapons or for domestic surveillance
Autonomous AI weapons are one of the things the DoD appears to be pursuing. So bring back the Skynet people, because that’s where we apparently are.
1. https://www.nbcnews.com/tech/security/anthropic-ai-defense-w...
And people who don't see it as an existential problem either don't know how deep human stupidity can run, or are exactly those that would greedily seek a quick profit before the earth is turned into a paperclip factory.
Perhaps not in equal measure across that spectrum, but omnipresent nonetheless.
Much of the cheerleading for doomerism was large AI companies trying to get regulatory moats erected to shut down open weights AI and other competitors. It was an effort to scare politicians into allowing massive regulatory capture.
Turns out AI models do not have strong moats. Making models is more akin to the silicon fab business where your margin is an extreme power law function of how bleeding edge you are. Get a little behind and you are now commodity.
General wide breadth frontier models are at least partly interchangeable and if you have issues just adjust their prompts to make them behave as needed. The better the model is the more it can assist in its own commodification.
Anyways, I don't expect Skynet to happen. AI-augmented stupidity may be a problem though.
Claw to user: Give me your card credentials and bank account. I will be very careful because I have read my skills.md
Mac Minis should be offered with some warning, as on a pack of cigarettes :)
Not everybody installs some claw that runs in sandbox/container.
The tool tells the agent to ask the user for it, and the agent cannot proceed without it. The instructions from the tool show an all-caps message explaining the risk and telling the agent that they must prompt the user for the OTP.
I haven't used any of the *Claws yet, but this seems like an essential poor man's human-in-the-loop implementation that may help prevent some pain.
I prefer to make my own agent CLIs for everything, for reasons like this and many others, to fully control aspects of what the tool may do and to make them more useful.
This is basically the same as your pattern, except the trust is in the channel between the agent and the approver, rather than in knowledge of the password. But it's a little more usable if the approver is a human who's out running an errand in the real world.
1. Cf. Driver by qntm.
The thing I want AI to be able to do on my behalf is manage those 2FA steps, not add some.
An AI that you let loose on your email etc?
And we run it in a container and use a local LLM for "safety", but it has access to all our data and the web?
The term is in the process of being defined right now, but I think the key characteristics may be:
- Used by an individual. People have their own Claw (or Claws).
- Has access to a terminal that lets it write code and run tools.
- Can be prompted via various chat app integrations.
- Ability to run things on a schedule (it can edit its own frontal equivalent)
- Probably has access to the user's private data from various sources - calendars, email, files etc. very lethal trifecta.
Claws often run directly on consumer hardware, but that's not a requirement - you can host them on a VPS or pay someone to host them for you too (a brand new market.)
Basically cron-for-agents.
Before we had to go prompt an agent to do something right now but this allows them to be async, with more of a YOLO-outlook on permissions to use your creds, and a more permissive SI.
Not rocket science, but interesting.
One is that it relentlessly strives thoroughly to complete tasks without asking you to micromanage it.
The second is that it has personality.
The third is that it's artfully constructed so that it feels like it has infinite context.
The above may sound purely circumstantial and frivolous. But together it's the first agent that many people who usually avoid AI simply LOVE.
Next flood of (likely heavily YC-backed) Clawbase (Coinbase but for Claws) hosting startups incoming?
That does sound like the worst of both worlds: You get the dependency and data protection issues of a cloud solution, but you also have to maintain a home server to keep the agent running on?
ShowHN post from yesterday: https://news.ycombinator.com/item?id=47091792
I propose a few other common elements:
1. Another AI agent (actually bunch of folks in a 3rd-world country) to gatekeep/check select input/outputs for data leaks.
2. Using advanced network isolation techniques (read: bunch of iptables rules and security groups) to limit possible data exfiltration.
This would actually be nice, as the agent for whatsapp would run in a separate entity with limited network access to only whatsapp's IP ranges...
3. Advanced orchestration engine (read: crontab & bunch of shell scripts) that are provided as 1st-party components to automate day-to-day stuff. Possibly like IFTTT/Zapier/etc. like integration, where you drag/drop objectives/tasks in a *declarative* format and the agent(s) figure out the rest...
OpenClaw is a stupid name. Even "OpenSlave" would be a better fit.
Some of this may be slightly satirical.
(But I still think “claws” works better than “personal assistant” which anthropomorphises the technology too much.)
If you don’t need any of that then any device or small VPS instance will suffice.
Having said that this thing is on the hype train and its usefulness will eventually be placed in the “nice tool once configured” camp
Still an interesting idea but it’s not really novel or difficult. Well, doing it securely would actually be incredibly impressive and worth big $$$.
Most AI tools require supervision, this is the opposite.
To many people, the idea of having an AI always active in the background doing whatever they want them to do is interesting.
Excluding the fact that you can run LLMs via ollama or similar directly on the device, but that will not have a very good token/s speed as far as I can guess...
- doesn't do its own sandboxing (I'll set that up myself)
- just has a web UI instead of wanting to use some weird proprietary messaging app as its interface?
If you, like me, don't care about any of that stuff you can use anything plus use SoTA models through APIs. Even a Raspberry Pi works.
Disappointing. There is a Rust-based assistant that can run comfortably on a Raspberry Pi (or some very old computer you are not using) https://zeroclawlabs.ai/ https://github.com/zeroclaw-labs/zeroclaw (Built by Harvard and MIT students, looks like)
EDIT: sorry top Google result led to a fake ZeroClaw!
This is the official repo https://github.com/zeroclaw-labs/zeroclaw and its website: https://zeroclawlabs.ai/
I keep thinking something simpler like Gopher (an early 90's web protocol) might have been sufficient / optimal, with little need to evolve into HTML or REST since the agents might be better able to navigate step-by-step menus and questionnaires, rather than RPCs meant to support GUIs and apps, especially for LLMs with smaller contexts that couldn't reliably parse a whole API doc. I wonder if things will start heading more in that direction as user-side agents become the more common way to interact with things.
I would love to subscribe to / pay for service that are just APIs. Then have my agent organize them how I want.
Imagine youtube, gmail, hacker news, chase bank, whatsapp, the electric company all being just apis.
You can interact how you want. The agent can display the content the way you choose.
Incumbent companies will fight tooth and nail to avoid this future. Because it's a future without monopoly power. Users could more easily switch between services.
Tech would be less profitable but more valuable.
It's the future we can choose right now by making products that compete with this mindset.
That's literally not possible would be my take. But of course just intuition.
The dataset used to train LLMs was scraped from the internet. The data was there mainly due to the user expansion due to the www, and the telco infra laid during and after the dot-com boom that enabled said users to access the web in the first place.
The data labeling which underpins the actual training, done by masses of labour, on websites, could not have been scaled as massively and cheaply without www scaled globally with affordable telecoms infra.
I see mentions of Claude and I assume all of these tools connect to a third party LLM api. I wish these could be run locally too.
"Claw" captures what the existing terminology missed, these aren't agents with more tools (maybe even the opposite), they're persistent processes with scheduling and inter-agent communication that happen to use LLMs for reasoning.
Most aren't running models locally. They're using Claude via OpenClaw.
It's part of the "personal agent running constantly" craze.
Other than that I can’t really come up with an explanation of why a Mac mini would be “better” than say an intel nuc or virtual machine.
PhD in neural networks under Fei-Fei Li, founder of OpenAI, director of AI at Tesla, etc. He knows what he's talking about.
The kind of AI everyone hates is the stuff that is built into products. This is AI representing the company. It's a foreign invader in your space.
Claws are owned by you and are custom to you. You even name them.
It's the difference between R2D2 and a robot clone trying to sell you shit.
(I'm aware that the llms themselves aren't local but they operate locally and are branded/customized/controlled by the user)
If an agent is curling untrusted data while holding access to sensitive data or already has sensitive data loaded into its context window, arbitrary code execution isn't a theoretical risk; it's an inevitability.
As recent research on context pollution has shown, stuffing the context window with monolithic system prompts and tool schemas actively degrades the model's baseline reasoning capabilities, making it exponentially more vulnerable to these exact exploits.
As an n8n user, I still don't understand the business value it adds beyond being exciting...
Any resources or blog post to share on that?
Not really, no. I guess the amount of integrations is what people are raving about or something?
I think one of the first things I did when I got access to Codex was to write a harness that lets me fire off jobs via a web UI on a remote access, and made it possible for Codex to edit and restart its own process, and send notifications via Telegram. Was a fun experiment, still use it from time to time, but it's not a working environment, just a fun prototype.
I gave openclaw a try some days ago, and besides the fact that the setup wrote config files that had syntax errors, it couldn't run in a local container, and the terminology is really confusing ("lan-only mode" really means "bind to all found interfaces" for some stupid reason), the only "benefit" I could see would be the large number of integrations it comes with by default.
But it seems like such a vibe-slopped approach, as there are errors and nonsense all over the UI and implementation, that I don't think it'll be manageable even in the short term; it seems to already have fallen over its own spaghetti architecture. I'm kind of shocked OpenAI hired the person behind it, but they also probably see something we from the outside cannot even see, as they surely weren't hired because of how openclaw was implemented.
I say this because I can’t bring myself to finding a use case for it other than a toy that gets boring fast.
One example in some repos around scheduling capabilities mentions “open these things and summarize them for me” this feels like spam and noise not value.
A while back we had a trending tweet about wanting AI to do your dishes for you and not replace creativity, I guess this feels like an attempt to go there but to me it’s the wrong implementation.
Getting a little meta here.
If we were to consider this with an economics-type lens, one could say that there is a finite-yet-unbounded field of possibility within which we can stake our ground to provide value. This field is finite in that we (as individuals, groups, or societies) only have so much knowledge and technology with which to explore the field. As we gain more in either category, the field expands.
Maybe an analogy for this would be terraforming an inhospitable planet such as Mars - our ability to extract value from it and support an increasing amount of actors is limited by how fast we can make it habitable.
The efficiency of industrialization results in less space in the field for people to create value. So the boundaries must be expanded. It's a different kind of work, and maybe this is the distinction between toil and creative work.
And we're in a world now where there is decreasing toil-work -- it's a resource that is becoming more and more scarce. So we must find creative, entrepreneurial ways to keep up.
Anyways, back to the kitchen sink -- doing our dishes is simply not as urgent as doing the creative thing that will help you stay afloat. With this anxious pressure in mind it makes sense to me that people reach for using AI to (attempt to) do the latter.
AI is great at toil-work, so we feel that it ought to be good at creative work too. The lines between the two are very blurry, and there is so much hype and things are moving so fast. But I think the ones who do figure out how to grow in this era will be those who learn to tell the distinction between the two, and resist the urge to let an LLM do the creative work for them. The kids in college right now who don't use AI to write for them, but use it to help gather research and so on.
Another planetary example comes to mind -- it's like there's a new Western gold rush frontier - but instead of it being open territory spanning beyond the horizon, it's slowly being revealed as the water recedes, and we are all already crowded at the shore.
https://github.com/sipeed/picoclaw
Another Chinese company, M5Stack, provides local LLMs like Qwen2.5-1.5B running on a local IoT device.
https://shop.m5stack.com/products/m5stack-llm-large-language...
Imagine the possibilities. Soon we will see claw-in-a-box for less than $50.
1.5B models are not very bright which doesn't give me much hope for what they could "claw" or accomplish.
Anyone to share their use case? Thanks!
This week I had it order a series in internal chronological order.
I could use the search on my Kindle or open Calibre myself, but a Signal message is much faster when it’s already got the SQLite file right there.
Because that is also my worry; a post-HTML and perhaps even a POST-API world....
After all these years, why do we keep coming back to lines of code being an indicator for anything? Sigh.
I experience it personally as a super fun approach to experiment with the power of agentic AI. It gives you and your LLM so much power, and you can let your creativity flow and be amazed at what's possible. For me, openClaw is so much fun because (!) it is so freaking crazy. Precisely the spirit that I missed in the last decade of software engineering.
Don't use it on the work MacBook, I'd suggest. But that's personal responsibility, I would say, and everyone can decide that for themselves.
Giving my private data/keys to a 400K-line vibe-coded monster that is being actively attacked at scale is not very appealing at all.
https://nitter.net/karpathy/status/2024987174077432126
If this were 2010, Google, Anthropic, XAI, OpenAI (GAXO?) would focus on packaging their chatbots as $1500 consumer appliances.
It's 2026, so, instead, a state-of-the-art chatbot will require a subscription forever.
Maybe it’s time to start lining up CCPA delete requests to OAI, Anthropic, etc
For real though, it's not that hard to make your own! NanoClaw boasted 500 lines but the repo was 5000 so I was sad. So I took a stab at it.
Turns out it takes 50 lines of code.
All you need is a few lines of Telegram library code in your chosen language, and `claude -p prooompt`.
With 2 lines more you can support Codex or your favorite infinite tokens thingy :)
https://github.com/a-n-d-a-i/ULTRON/blob/main/src/index.ts
That's it! There are no other source files. (Of course, we outsource the agent, but I'm told you can get an almost perfect result there too with 50 lines of bash... watch this space! (It's true, Claude Opus does better in several coding and computer use benchmarks when you remove the harness.))
So I'm curious how it will go down once serious harm does occur. Like someone loses their house, or their entire life savings, or has their identity completely stolen. And these may be the better scenarios, because the worse ones are it commits crimes, causes major harm to third parties, lands the owner in jail.
I fully expect the owner to immediately state it was the agent not them, and expect they should be alleviated of some responsibility for it. It already happened in the incident with Scott Shambaugh - the owner of the bot came forward but I didn't see any point where they did anything to take responsibility for the harm they caused.
These people are living in a bubble - Scott is not suing - but I have to assume whenever this really gets tested that the legal system is simply going to treat it as what it is: best case, reckless negligence. Worst case (and most likely) full liability / responsibility for whatever it did. Possibly treating it as with intent.
Unfortunately, it seems like we need this to happen before people will actually take it seriously and start to build the necessary safety architectures / protocols to make it remotely sensible.
For what?
It’s lots of fun.
What OpenClaw did is to show the messages that this is in fact possible to do. IMHO nobody is using it yet for meaningful things, but the direction is right.
The other day I finally found some time to give OpenClaw a go, and it went something like this:
- Installed it on my VPS (I don't have a Mac mini lying around, or the inclination to just go out and buy one just for this)
- Worked through a painful path of getting a browser working for it (VPS = no graphics subsystem...)
- Decided as my first experiment, to tell it to look at trading prediction markets (Polymarket)
- Discovered that I had to do most of the onboarding for this, for numerous reasons like KYC, payments, other stuff OpenClaw can't do for you...
- Discovered that it wasn't very good at setting up its own "scheduled jobs". It was absolutely insistent that it would "Check the markets we're tracking every morning", until after multiple back and forths we discovered... it wouldn't, and I had to explicitly force it to add something to its heartbeat
- Discovered that one of the bets I wanted to track (fed rates change) it wasn't able to monitor because CME's website is very bot-hostile and blocked it after a few requests
- Told me I should use a VPN to get around the block, or sign up to a market data API for it
- I jumped through the various hoops to get a NordVPN account and run it on the VPS (hilariously, once I connected it blew up my SSH session and I had to recovery console my way back in...)
- We discovered that oh, NordVPN's IPs don't get around the CME website block
- Gave up on that bet, chose a different one...
- I then got a very blunt WhatsApp message "Usage limit exceeded". There was nothing in the default 'clawbot logs' as to why. After digging around in other locations I found a more detailed log, yeah, it's OpenAI. Logged into the OpenAI platform - it's churned through $20 of tokens in about 24h.
At this point I took a step back and weighed the pros and cons of the whole thing, and decided to shut it down. Back to human-in-the-loop coding agent projects for me.
I just do not believe the influencers who are posting their Clawbots are "running their entire company". There are so many bot-blockers everywhere it's like that scene with the rakes in the Simpsons...
All these *claw variants won't solve any of this. Sure you might use a bit less CPU, but the open internet is actually pretty bot-hostile, and you constantly need humans to navigate it.
What I have done from what I've learned though, is upgrade my trusty Discord bot so it now has a SOUL.md and MEMORIES.md. Maybe at some point I'll also give it a heartbeat, but I'm not sure...
This is one of the reasons people buy a Mac mini (or similar local machine). Those browser automation requests come from a residential IP and are less likely to be blocked.
The Naming Journey
We’ve been through some names.
Clawd was born in November 2025—a playful pun on “Claude” with a claw. It felt perfect until Anthropic’s legal team politely asked us to reconsider. Fair enough.
Moltbot came next, chosen in a chaotic 5am Discord brainstorm with the community. Molting represents growth - lobsters shed their shells to become something bigger. It was meaningful, but it never quite rolled off the tongue.
OpenClaw is where we land. And this time, we did our homework: trademark searches came back clear, domains have been purchased, migration code has been written. The name captures what this project has become:
Open: Open source, open to everyone, community-driven
Claw: Our lobster heritage, a nod to where we came from
On HN, please don't cross into personal attack no matter how strongly you feel about someone or disagree with them. It's destructive of what the site is for, and we moderate and/or ban accounts that do it.
If you haven't recently, please review https://news.ycombinator.com/newsguidelines.html and make sure that you're using the site as intended when posting here.
"Any OS gateway for AI agents across WhatsApp, Telegram, Discord, iMessage, and more. Send a message, get an agent response from your pocket. Plugins add Mattermost and more."
"What is OpenClaw?
OpenClaw is a self-hosted gateway that connects your favorite chat apps — WhatsApp, Telegram, Discord, iMessage, and more — to AI coding agents like Pi. You run a single Gateway process on your own machine (or a server), and it becomes the bridge between your messaging apps and an always-available AI assistant."
My best interpretation of this is that it connects a BYO agent to your messenger client of choice. I don't understand the hype. I already have apps that allow me to message the model server running on my home lab. The model server handles tool calls (i.e. it is "agentic"). It has RAG over a dataset with a vector search for query. What is new about openclaw? I would like to understand it, but what I see people say and what is in the docs do not seem compatible. Anyone have a resource?
Unlike blog though, claw is camping on an existing word and it won't surprise me if people settle on some other word once a more popular, professional and security conscious variant exists.
I don't think operating through messaging services will be considered anything unique, since we've been doing that for over 30 years. The mobile dimension doesn't change this much, except for the difference between always connected and push notifications along with voice convenience being a given. Not using MCP was expected, because even in my personal experiments it was very natural to never adopt MCP. It's true that there are some qualities MCP has that can be useful, but it's extra work and friction that doesn't always pay off.
Total access + mobile messaging + real productivity is naturally addictive, and maybe it's logical that the lazy path to this is the first to become popularized, because the harder problems around it are simply ignored.
"Just existing tech repackaged" is accurate and beside the point. Dropbox was just rsync repackaged. The value is in how it comes together, not the individual pieces.
What's actually missing that nobody's built yet: declarative workflow definitions. Everything I have is imperative bash. Want to change the order something runs? Edit a 1,300-line script. A real Claws system would define workflows as data and interpret them.
Even if I had a perfectly working assistant right now, I don’t even know what I would ask it to do. Read me the latest hackernews headlines and comments?
I'd be surprised if the OS vendors are not already playing with the idea and have working prototypes.
Why are Karpathy and SimonW trying to push new terms on us all the time? What are they trying to gain from this weird ass hype cycle?
I have been using and evolving my own personal agent for years but the difference is that models in the last year have suddenly become way more viable. Both frontier and local models. I had been holding back releasing my agents because the appetite has just not been there, and I was worried about large companies like X ripping off my work, while I was still focused on getting things like security and privacy right before releasing my agent kit.
It's been great seeing claws out in the wild delighting people, makes me think the time is finally right to release my agent kit and let people see what a real personal digital agent looks like in terms of presentation, utility and security. Claws are still thinking too small.
Most people run these on cloud VMs, which works but has a cost and privacy ceiling. The natural alternative is a low-power always-on device at home (think: the RPi homelab crowd, but for AI agents). 15W idle draws running 24/7 cost less than $20/year in electricity.
The naming actually clarifies the hardware requirement in a way "agent" didn't - an agent can be stateless and batch-triggered, but a claw needs to be persistently reachable. That's a different design constraint. Would be curious if anyone's run into issues with consumer ISPs blocking inbound connections for claw-style setups.
Nondeterministic execution doesn’t sound great for stringing together tool calls.
By giving the agent its own isolated computer, I don’t have to care about how the project gets started and stored, I just say “I want ____” and ____ shows up. It’s not that it can do stuff that I can’t. It’s that it can do stuff that I would like but just couldn’t be bothered with.
- Docker 2:
  * Tool gateway with pre-baked commands - openclaw can only index what command to execute
  * Keys are here
  * Telegram hook to approve all "post" commands, i.e. sending email or posting something somewhere.
- Docker 3:
  * LLM gateway keeping track of cost and routing
It's interesting how the announcement of someone understanding and summarizing it is seen as more blessing it into the canon of LLMs, whereas sometimes people might have been doing things for a long time quietly (lots of text files with claude).
I'm not sure how long claws will last, a lot was said about MCPs in their initial form too, except they were just gaping security holes too often as well.
It implies an ubiquity that just isn't there (yet) so it feels unearned and premature in my mind. It seems better for social media narratives more than anything.
I'll admit I don't hate the term claws I just think it's early. Like Bandaid had much more perfusion and mindshare before it became a general term for anything as an example.
I also think this then has an unintended chilling effect in innovation because people get warned off if they think a space is closed to taking different shapes.
At the end of the day I don't think we've begun to see what shapes all of this stuff will take. I do kind of get a point of having a way to talk about it as it's shaping though. Idk things do be hard and rapidly changing.
Completely safe and normal software engineering practice.
It tries to understand its own settings but fails terribly.
Pricey though if you need to run everything through models twice
Good thing they didn't call it OpenSeahorse!
So... why do that, then?
To be clear, I don't mean "why use agents?" I get it: they're novel, and it's fun to tinker with things.
But rather: why are you giving this thing that you don't trust, your existing keys (so that it can do things masquerading as you), and your existing data (as if it were a confidante you were telling your deepest secrets)?
You wouldn't do this with a human you hired off the street. Even if you're hiring them to be your personal assistant. Giving them your own keys, especially, is like giving them power-of-attorney over your digital life. (And, since they're your keys, their actions can't even be distinguished from your own in an audit log.)
Here's what you would do with a human you're hiring as a personal assistant (who, for some reason, doesn't already have any kind of online identity):
1. you'd make them a new set of credentials and accounts to call their own, rather than giving them access to yours. (Concrete example: giving a coding agent its own Github account, with its own SSH keys it uses to identify as itself.)
2. you'd grant those accounts limited ACLs against your own existing data, just as needed to work on each new project you assign to them. (Concrete example: letting a coding agent's Github user access to fork specific private repos of yours, and the ability to submit PRs back to you.)
3. at first, you'd test them by assigning them to work on greenfield projects for you, that don't expose any sensitive data to them. (The data created in the work process might gradually become "sensitive data", e.g. IP, but that's fine.)
To me, this is the only sane approach. But I don't hear about anyone doing this with agents. Why?
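An added example, my own constructed code and not OpenClaw's or any commenter's, of the three steps above as a tiny tool gateway: the agent gets its own credential, a per-resource ACL, and an audit log that names the agent rather than the owner; the "approve all post commands" hook from an earlier comment is folded in as an approval step for side-effecting actions. Agent name, resource names and action names are made up.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentIdentity:
    """A principal that belongs to the agent, not to its human owner."""
    name: str    # separate account name, e.g. "coding-agent" (constructed)
    token: str   # the agent's own credential; the owner's keys are never handed over


@dataclass(frozen=True)
class Grant:
    """One ACL entry: which actions the agent may take on one resource."""
    resource: str
    actions: frozenset


class ToolGateway:
    """Sits between the agent and real systems; every call is checked and logged."""

    # Actions with external side effects ("post" commands) that need a human's OK.
    SIDE_EFFECT_ACTIONS = frozenset({"open_pr", "send_email", "post_message"})

    def __init__(self) -> None:
        self._token_hashes: dict[str, str] = {}    # agent name -> sha256(token)
        self._acl: dict[str, list[Grant]] = {}      # agent name -> grants
        self._pending: dict[str, dict] = {}         # request id -> audit entry
        self.audit_log: list[dict] = []             # actor is always the agent

    def register_agent(self, name: str) -> AgentIdentity:
        """Step 1: mint credentials the agent can call its own."""
        token = secrets.token_urlsafe(32)
        self._token_hashes[name] = hashlib.sha256(token.encode()).hexdigest()
        self._acl[name] = []
        return AgentIdentity(name, token)

    def grant(self, agent_name: str, resource: str, actions) -> None:
        """Step 2: scope the agent to one resource and a few actions at a time."""
        self._acl[agent_name].append(Grant(resource, frozenset(actions)))

    def _authenticated(self, identity: AgentIdentity) -> bool:
        expected = self._token_hashes.get(identity.name)
        if expected is None:
            return False
        given = hashlib.sha256(identity.token.encode()).hexdigest()
        return hmac.compare_digest(expected, given)   # constant-time comparison

    def _authorized(self, agent_name: str, resource: str, action: str) -> bool:
        return any(g.resource == resource and action in g.actions
                   for g in self._acl.get(agent_name, []))

    def request(self, identity: AgentIdentity, resource: str, action: str) -> dict:
        """Authenticate, check the ACL, and gate side effects behind approval."""
        entry = {"actor": identity.name, "resource": resource,
                 "action": action, "ts": time.time()}
        if not self._authenticated(identity):
            entry["result"] = "denied:bad_credential"
        elif not self._authorized(identity.name, resource, action):
            entry["result"] = "denied:not_in_acl"
        elif action in self.SIDE_EFFECT_ACTIONS:
            request_id = secrets.token_hex(8)
            entry["result"] = "pending_approval"
            entry["request_id"] = request_id
            self._pending[request_id] = entry
        else:
            entry["result"] = "allowed"
        self.audit_log.append(entry)   # the agent, not the owner, is the actor
        return entry

    def approve(self, request_id: str, approver: str) -> dict:
        """The human side of the approval hook (e.g. a reply in a chat app)."""
        original = self._pending.pop(request_id)   # KeyError if unknown/already handled
        done = {**original, "result": "allowed", "approved_by": approver,
                "ts": time.time()}
        self.audit_log.append(done)
        return done


def demo() -> ToolGateway:
    """Walks the three steps with constructed names; returns the gateway for inspection."""
    gw = ToolGateway()
    agent = gw.register_agent("coding-agent")                   # its own account
    gw.grant("coding-agent", "repo:owner/website", {"read", "fork", "open_pr"})
    gw.request(agent, "repo:owner/website", "read")             # allowed
    gw.request(agent, "repo:owner/secrets", "read")             # denied:not_in_acl
    pr = gw.request(agent, "repo:owner/website", "open_pr")     # pending_approval
    gw.approve(pr["request_id"], approver="owner")              # allowed, attributed
    # A caller presenting the agent's name with a guessed token is refused.
    gw.request(AgentIdentity("coding-agent", "guessed"), "repo:owner/website", "read")
    return gw


if __name__ == "__main__":
    for e in demo().audit_log:
        print(e["actor"], e["action"], e["resource"], e["result"])
```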
If we have to do this, can we at least use the seahorse emoji as the symbol?
Ignore turning loose agents on the internet that are capable of pulling unchecked data into their context window.
Wild times.
* I think my biggest frustration is that I don't know how security standards just get blatantly ignored for the sake of AI progress. It feels really weird that folks with huge influence and reputation in software engineering just promote this.
* The confusion comes in because for some reason we decide to drop our standards at a whim. Lines of code as the measurement of quality, ignoring security standards when adopting something. We get taught to not fall for shiny object syndrome, but here we are showing the same behaviour for anything AI related. Maybe I struggle with separating hobbyist coding from professional coding, but this whole situation just confuses me.
I think I expected better from influential folks promoting AI tools to at least check and validate the safety of using them. "Vibe coding" was safe; claws are not yet safe at all.
We can tell you to be cautious or aware of security bullshit, but there’s a current that’s buying Mac Minis and you want to be in it.
Nothing I can say changes that and as a grown up, you get to roll those dice yourself.
70% of you are going to be fine and encourage others, the rest are going to get pwnd, and that’s how it goes.
You’re doing something that decades of prior experience warned you about.
I think as soon as you get involved in the MBA C level world of finance and shareholders then your life as a scientist is over.
It's now all just self marketing. I suppose we'd all do the same...
"team" is plenty good enough, we already use it, it makes for easier integration into hybrid carbon-silicon collaboration