If you substitute the word "corporation" for OpenClaw, you'll see many of these same problems have plagued us for decades. We've had artificial intelligence that makes critical decisions without specific human accountability for a long time, and we have yet to come up with a really effective way of dealing with them that isn't essentially closing the barn door after the horse has departed. The new LLM-driven AI just accelerates the issues that have been festering in society for many years, and scales them down to the level of individuals.
also i wasn't concerned about open chinese models till the latest iteration of agentic models.
most open claw users have no idea how easy it is to add backdoors to these models and now they're getting free reign on your computer to do anything they want.
the risks were minimal with last generation of chat models, but now that they do tool calling and long horizon execution with little to no supervision it's going to become a real problem
This piece is missing the most important reason OpenClaw is dangerous: LLMs are still inherently vulnerable to prompt injection / lethal trifecta attacks, and OpenClaw is being used by hundreds of thousands of people who do not understand the security consequences of giving an LLM-powered tool access to their private data, exposure to potentially untrusted instructions and the ability to run tools on their computers and potentially transmit copies of their data somewhere else.
What the fuck is wrong with you people? You are glaring over the technology, defending it as the coming of christ and have no sense for security? Are you serious?
I think the people critical of OpenClaw are not addressing the reason(s) people are trying to use it.
While I don't particularly care for this bot's (Rathburn) goals, people are trying to use OpenClaw for all kinds of personal/productivity benefits. Have a bunch of smallish projects that you don't have time for? Go set up OpenClaw and just have the AI work on them for a week or two - sending you daily updates on progress.
If you're the type who likes LLM coding because it now enables you to do lots of projects you've had in your mind for years, you're also likely the sort of person who'll like OpenClaw.
Forget bots messing with Github and posting to social media.
Yes, it's very dangerous.
But do you have a "safe" alternative that one can set up quickly, and can have a non-technical user use it?
Until that alternative surfaces, people will continue to use it. I don't blame them.
Author here -- wanted to briefly summarize the article, since many comments seem to be about things that are not in the article. The article is not about the dangers of leaking credentials. It is about using tools like OpenClaw to automatically attack other people, or AI agents attacking other people even without explicit prompting to do so.
> First: bad people doing bad things. I think most people are good people most of the time. Most people know blackmail is bad. But there are some people who would blackmail all the time if it was simply easier to do. The reason they do not blackmail is because blackmail is hard and you’ll probably get caught. AI lowers the barrier to entry for being a terrible person.
> Second: bad AI doing bad things. We do not yet know how to align AI to human values.
Strange that the author doesn’t see the contradiction here. Harassment, hate, etc are human values. Common ones! Just, like, look around. Everyone has the option to choose otherwise, yet we often do not. (This is referred to as a “revealed preference.”)
It may be that AI is such a powerful tool that it’s like giving your asshole neighbor a nuclear weapon. Or it may not be. If it’s more mundane, then it likely falls more in the category of knives, spy cameras, certain common chemicals, and AirTags: things that could (and sometimes will) be misused, but which have legitimate uses and are still typically legal in most parts of the world.
Despite thinking most applications for AI are low value, I am firmly against restricting access to tools because of potential for misuse, unless an individual has shown themselves to be particularly dangerous.
If you want an angle to contain potential damage, make a user responsible for what their AI does. That would be fair.
The security concerns here are real but solvable with the same discipline we apply to any privileged software.
I run OpenClaw on Apple Silicon with local models (no cloud API dependency). The hardening checklist that actually matters: run the gateway in userspace, bind to loopback not 0.0.0.0, put it behind Tailscale or equivalent - and don't put sensitive data or let it access sensitive systems!
Session bloat is the other real risk nobody talks about - vague task definitions cause infinite tool-call loops that eat your entire context window in hours, which could be expensive if you're paying per API call.
The "dangerous" framing conflates two different problems: (1) users giving agents unrestricted access without understanding the blast radius, and (2) agents being deliberately weaponized. Problem 1 is an education gap. Problem 2 exists with or without OpenClaw.
19 comments
[ 2.8 ms ] story [ 38.6 ms ] threadhttps://youtu.be/RmIgJ64z6Y4?si=PYtN2xCrDZ79WlY7
most open claw users have no idea how easy it is to add backdoors to these models and now they're getting free reign on your computer to do anything they want.
the risks were minimal with last generation of chat models, but now that they do tool calling and long horizon execution with little to no supervision it's going to become a real problem
So it’s dangerous. Who gives a fuck? Don’t run it on your machine.
While I don't particularly care for this bot's (Rathburn) goals, people are trying to use OpenClaw for all kinds of personal/productivity benefits. Have a bunch of smallish projects that you don't have time for? Go set up OpenClaw and just have the AI work on them for a week or two - sending you daily updates on progress.
If you're the type who likes LLM coding because it now enables you to do lots of projects you've had in your mind for years, you're also likely the sort of person who'll like OpenClaw.
Forget bots messing with Github and posting to social media.
Yes, it's very dangerous.
But do you have a "safe" alternative that one can set up quickly, and can have a non-technical user use it?
Until that alternative surfaces, people will continue to use it. I don't blame them.
An AI Agent Published a Hit Piece on Me – Forensics and More Fallout - https://news.ycombinator.com/item?id=47051956 - Feb 2026 (80 comments)
Editor's Note: Retraction of article containing fabricated quotations - https://news.ycombinator.com/item?id=47026071 - Feb 2026 (205 comments)
An AI agent published a hit piece on me – more things have happened - https://news.ycombinator.com/item?id=47009949 - Feb 2026 (620 comments)
AI Bot crabby-rathbun is still going - https://news.ycombinator.com/item?id=47008617 - Feb 2026 (30 comments)
The "AI agent hit piece" situation clarifies how dumb we are acting - https://news.ycombinator.com/item?id=47006843 - Feb 2026 (125 comments)
An AI agent published a hit piece on me - https://news.ycombinator.com/item?id=46990729 - Feb 2026 (949 comments)
AI agent opens a PR write a blogpost to shames the maintainer who closes it - https://news.ycombinator.com/item?id=46987559 - Feb 2026 (750 comments)
> Second: bad AI doing bad things. We do not yet know how to align AI to human values.
Strange that the author doesn’t see the contradiction here. Harassment, hate, etc are human values. Common ones! Just, like, look around. Everyone has the option to choose otherwise, yet we often do not. (This is referred to as a “revealed preference.”)
It may be that AI is such a powerful tool that it’s like giving your asshole neighbor a nuclear weapon. Or it may not be. If it’s more mundane, then it likely falls more in the category of knives, spy cameras, certain common chemicals, and AirTags: things that could (and sometimes will) be misused, but which have legitimate uses and are still typically legal in most parts of the world.
Despite thinking most applications for AI are low value, I am firmly against restricting access to tools because of potential for misuse, unless an individual has shown themselves to be particularly dangerous.
If you want an angle to contain potential damage, make a user responsible for what their AI does. That would be fair.
I run OpenClaw on Apple Silicon with local models (no cloud API dependency). The hardening checklist that actually matters: run the gateway in userspace, bind to loopback not 0.0.0.0, put it behind Tailscale or equivalent - and don't put sensitive data or let it access sensitive systems!
Session bloat is the other real risk nobody talks about - vague task definitions cause infinite tool-call loops that eat your entire context window in hours, which could be expensive if you're paying per API call.
The "dangerous" framing conflates two different problems: (1) users giving agents unrestricted access without understanding the blast radius, and (2) agents being deliberately weaponized. Problem 1 is an education gap. Problem 2 exists with or without OpenClaw.