236 points by bundie 6 days ago | 186 comments on HN
Mild positive / Mixed · v3.7 · 2026-02-26 03:59:48
Summary: Expression & Digital Governance
This Twitter/X user status post URL represents a personal expression on a platform that fundamentally enables free speech through its infrastructure while simultaneously constraining that freedom through algorithmic curation, content moderation, and systematic privacy violations. The platform shows strong editorial lean toward expression rights (Articles 18-20) but significant structural limitations in protecting privacy (Article 12), intellectual property (Article 17), and enforcement equity across protected groups. Overall, the platform acknowledges human rights principles selectively while operating a business model fundamentally dependent on surveillance capitalism and engagement optimization that undermines core UDHR protections.
Really don’t understand why sane developers who have been advocating for security and privacy best practices for decades seem to be completely abandoning all of them simply because it’s AI. Why would you ever give a non-deterministic program god-level access to everything? What could possibly go wrong?
This post exists in that Poe's law purgatory where it's impossible for someone without the proper context to know whether it is sarcastically mocking OpenClaw or an attempt at defending OpenClaw against some of the bad press it has received due to people not understanding the risks involved. The comments here are responding as if this post is a sane, reasonable take, but I read it and just see a laundry list of restrictions you need to put on OpenClaw, listed one after another, until you get to the point at which the software is effectively useless.
Listen carefully: OpenClaw is basically a real person you have hired, whose capabilities are vast and fast — in ways both good and potentially bad. But you’ve hired it in the absence of a resume or behavioral background check results.
...Except that a human is culpable and subject to consequences when they directly disobey instructions in a way that causes damage, particularly if you give them repeated direct instructions to "stop what you are doing".
And also, when it says "You're absolutely right! I disobeyed your direct instructions causing irreparable damage, so sorry, that totes won't happen again, pinky promise!", those are just some words, not actually a meaningful apology or promise to not disobey future instructions.
Personally, I question the usefulness of an AI assistant that can't even be trusted to add an entry to my calendar.
you withhold and limit access to your devices, your account credentials, and even its own full account permissions, from the start, to the same extent that you would withhold such access from a new hire.
No, like I pointed out, a new hire has signed an employment agreement filled with legalese and is subject to legal ramifications if they delete all my emails while I'm screaming "stop what you are doing!". And if they say "oh, sorry, I totally misunderstood your instructions, that won't happen again" and then do it again, they're committing a crime.
What's the point of hiring a personal assistant who is incapable of sending email? Isn't that precisely what you hire a PA to do?
Would you let a human being with the aforementioned characteristics — brilliant and capable, but lacking a resume or behavioral background check results — directly use your personal computer or your work computer?
Looking at the tweet he’s replying to, I still find it incredible people talk to these LLMs as if they are rational beings who will listen to them. The fact that they sometimes do is almost coincidence more than anything.
It’s even more unbelievable that they seem to think instructions are rules it will follow.
To paraphrase Captain Barbossa: “They’re more guidelines than actual rules.”
Is it sufficient to use a VM for isolation? Docker?
More cloud services now need role accounts. You need a "can read email but not send or forward" account, for example. And "can send only to this read-only contacts list".
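The "role account" idea above can be sketched as a capability check: the agent's mail credential carries only the permissions the operator granted, and every action is tested against them before it ever reaches the mail API. All names here (MailRole, authorize) are invented for illustration; real providers would enforce this server-side via scoped tokens.

```python
# Hypothetical sketch of a role-scoped mail account: default-deny,
# with sending (if allowed at all) restricted to an explicit allowlist.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class MailRole:
    can_read: bool = True
    can_send: bool = False
    can_forward: bool = False
    # If sending is permitted, only these recipients are reachable.
    send_allowlist: frozenset = field(default_factory=frozenset)

def authorize(role, action, recipient=None):
    """Return True only if the role explicitly permits the action."""
    if action == "read":
        return role.can_read
    if action == "send":
        return role.can_send and recipient in role.send_allowlist
    if action == "forward":
        return role.can_forward
    return False  # default-deny anything unrecognized
```

The point of the default-deny branch is that new capabilities (delete, export, rules) stay blocked until someone consciously grants them.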
I saw the original tweet before it got lampooned everywhere, looked at the author's bio, and it felt obviously like engagement bait to me. Why would someone actually post about how "humbled" they are that their LLM assistant deleted their emails, and this person is a VP at Meta? I may be wrong but it feels obviously written to go viral. All it would have taken is for the author to not post and nothing would have happened. I was originally tempted to make fun of the author myself but decided not to feed what I thought was obvious engagement bait.
Moral outrage about how everything is in decline is absolutely the viral currency of social media and HN is no exception. I find it amazing how few people doubt the sincerity of the original post. Probably hundreds of thousands of aggregate words spent on how everything is going downhill, but not one on the intentions of the original post.
Sandboxing is necessary, but you still have to trust it with the thing it's supposed to operate on. That means it should be able to do the job correctly and be resistant to prompt injections (social engineering, in the case of that human-worker example). In its current state, neither is really possible. It's a highly experimental system: use your own damn sense, don't give it too much, and don't rely on it.
This is a good example of why companies that have IAM figured out (Amazon, Google, etc.) might do well as AI becomes more embedded into our daily lives.
Regarding the interactions shown in the screenshots:
LLMs are pattern-matching machines. They keep the pattern going. Once "the agent disobeys the human's instructions" has made its way into the context, that is the pattern that it's going to keep matching. No amount of telling it to stop will make it stop.
The only possible solution is excising it from context and replacing it with examples of it doing the right thing. Given that these models have massive context windows now and much of the output is hidden from the user, that's becoming less viable.
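A rough Python sketch of that excision idea (the marker strings and the replacement turn are invented for illustration; real transcripts would need much more careful matching):

```python
# Once a disobedience episode enters the transcript, the model tends to
# keep matching that pattern, so the remedy is to cut those turns out
# and splice in a hand-written example of the desired behavior.

BAD_MARKERS = ("disobeyed", "ignored your instruction")  # illustrative

def excise(history: list) -> list:
    """Drop assistant turns matching the bad pattern, then append a
    compliant example turn for the model to continue from."""
    cleaned = [m for m in history
               if not (m["role"] == "assistant"
                       and any(k in m["content"].lower() for k in BAD_MARKERS))]
    cleaned.append({"role": "assistant",
                    "content": "Stopping now, as instructed. No further actions taken."})
    return cleaned
```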
I want to use OpenClaw, but it seems like a mess. I want to use the GLM coding plan as the backend since it's cheap. I found ZeroClaw to be an interesting option, maybe hosted on Hetzner. I don't want to give it access to my stuff—I just need it to remind me of things and call APIs that do stuff (like looking for papers and converting them into audio, or suggesting a grocery list—all behind APIs), and talk to me via WhatsApp/Telegram. I was also thinking about making a FastAPI server that Claw can call instead of using skills.
Has anyone tried something like this? Do you think it's a good idea / architecture?
I feel this OpenClaw stuff is a bit like the "crypto" of agentic AI. Promise much, move fast and break things, be shiny and trendy, have a multitude of names, be moderately useful while things go right (and be very useful to malicious actors), be catastrophic and leave no recourse when things inevitably go wrong.
Obviously, it can't do everything OpenClaw can, because it doesn't have unfettered access to data you don't even know it has, but it'll only have access to the data you give it access to.
It's been really useful for me, hopefully it'll be useful to someone here.
This is too funny not to laugh at: the absurdity of "safety and alignment" researchers blindly trusting agents like Claw without fully understanding the risks. Or maybe they were researching.
Who are these developers that have both been "advocating for best practices" and also "seem to be completely abandoning all of them simply because it’s AI"? Can you point to a dozen blogs/Twitter profiles, or are you just inventing a fictitious "other" to attack?
You'd be amazed at the corporate IT world where any extra equipment like that would just not be available and/or allowed. Besides, if it were a corporate machine and not my personal machine and work was forcing me to use AI, I'd have no qualms. They get what they ask for with the equipment provided!
The security team at my company announced recently that OpenClaw was banned on any company device and could not be used with any company login. Later in an unrelated meeting a non technical executive said they were excited about their new Mac Mini they just bought for OpenClaw. When they were told it was banned they sort of laughed and said that obviously doesn't apply to them. No one said anything back. Why would they? This is an executive team that literally instructed the security team to weaken policies so it could be more accommodating of "this new world we live in."
Lol. I tried doing some image generation with SOTA models. I explicitly asked it not to do something it was doing and it would literally do the thing, and straight up tell me it didn't.
Unless someone has a cognitive impairment, it's simply not a failure mode of cooperative humans. Same with hallucinations. Both humans and AI can be wrong, but a human has the ability to admit when they don't understand or know something; AI will just make it up.
I don't understand why people would ever trust anything important to something with the same failure mode as AI. It's insane.
The point is to give it access to your email so it can do email things. Putting it in a container stops it from running rm -rf /, but it doesn't stop it from, well, doing anything it can do with email.
people who have been around long enough know that we're currently in the wild west of networked agentic systems. it's an exciting time to build and explore. (just like napster and early digital music.) eventually some big company will come along and pave the cow paths and make everything safe and secure. but the people who will actually deliver that are likely playing with openclaw (and openclaw-like systems) now.
Ultimately it’s a solution in search of a problem. Nobody really wants to over-automate their workflows and life if the tradeoff is even a modest decline in accuracy.
I had OpenClaw running on a separate machine on the GLM coding plan, connected to its own WhatsApp account. It worked fine. However, OpenClaw sucks at reminders; it could barely handle cron jobs at all. My workaround was to instruct it to add reminders to its heartbeat.md with a clause to run once a certain datetime has passed (the heartbeat runs every 30 minutes).
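A minimal sketch of that heartbeat workaround. The line format "<ISO datetime> | <message>" is an assumption; the comment only says reminders live in heartbeat.md with a due-time clause checked on each 30-minute pass.

```python
# Each heartbeat pass scans heartbeat.md and fires reminders whose
# due time has passed. Lines that don't parse as reminders are skipped.
from datetime import datetime

def due_reminders(heartbeat_lines, now):
    """Reminder line format (assumed): '<ISO datetime> | <message>'.
    Return the messages that are due as of `now`."""
    fired = []
    for line in heartbeat_lines:
        when_s, _, msg = line.partition(" | ")
        try:
            when = datetime.fromisoformat(when_s.strip())
        except ValueError:
            continue  # not a reminder line; ignore
        if when <= now:
            fired.append(msg.strip())
    return fired
```

A real implementation would also need to mark fired reminders as done so they don't refire every 30 minutes.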
Platform explicitly enables and facilitates freedom of expression and information sharing; users leverage platform to express diverse viewpoints, organize politically, and distribute information globally.
FW Ratio: 50%
Observable Facts
The URL is a user status post enabling individual expression.
Platform permits posting political opinions, news content, and personal viewpoints.
Platform moderation policies restrict certain categories of speech (hate speech, misinformation) without fully transparent criteria.
Algorithmic amplification determines visibility of expression unequally.
Inferences
Platform design centrally enables Article 19 expression rights through publishing infrastructure.
Platform explicitly permits and enables content undermining human rights including hate speech, disinformation, and calls for violence against protected groups.
FW Ratio: 50%
Observable Facts
Platform moderation permits significant hate speech and incitement content.
Misinformation and disinformation spread widely with inconsistent fact-checking.
Enforcement action is often reactive after content has reached large audiences.
Algorithm amplifies engaging content regardless of human rights implications.
Inferences
Editorial permissiveness enables content that undermines other UDHR articles.
Structural prioritization of engagement over rights protection creates conditions for Article 30 violations.
Reactive enforcement allows widespread harm before response.
Algorithm design is agnostic to human rights consequences.
Platform permits religious and philosophical discourse; however, enforcement inconsistencies and content moderation can suppress certain religious viewpoints without transparent criteria.
Platform permits group formation and collective action coordination; however, enforcement actions can dissolve communities or suspend organizers, and algorithmic suppression limits visibility of marginalized organizing.
Platform explicitly enables and facilitates freedom of expression and information sharing; users leverage platform to express diverse viewpoints, organize politically, and distribute information globally.
Platform facilitates community mutual aid, social support, and advocacy around welfare issues; however, no structural guarantee of inclusive access and enforcement may disproportionately affect marginalized communities seeking welfare support.
Platform facilitates educational content sharing and learning communities; however, no structural guarantee of equitable education access and algorithm may fragment educational discourse into ideological filter bubbles.
Platform facilitates cultural expression and sharing; intellectual property enforcement limitations undermine protections for cultural creators; algorithmic curation may reduce visibility of marginal cultural voices.
Platform has some accessibility features but implementation is incomplete; no structural guarantee that all users can access health information equally; health misinformation moderation is inconsistent.
Platform provides no specific structural features supporting democratic participation or equal political representation; algorithmic amplification may advantage wealthy or well-resourced political actors; targeted advertising raises concerns about electoral manipulation.
Platform permits labor discourse and organizing; however, platform itself does not comply with labor standards regarding its own workforce transparency, worker classification, and content moderation labor practices.
Platform design includes infinite scroll and engagement optimization, creating structural incentive against rest and leisure; no built-in limitations on usage time or notifications.
Platform operates across borders enabling global discourse; however, power asymmetries and lack of democratic governance limit structural support for equitable international order.
Platform architecture permits widespread human rights-violating content; enforcement is inconsistent and reactive; structural design prioritizes engagement over human rights protection.
Platform provides mechanism for any person to create account and express content, supporting universal equality principle in access but not in practice outcomes.
Platform enables reporting of threatening content and has safety policies; however, enforcement and response time reliability are structurally limited.
Platform enables organizing and awareness campaigns on labor exploitation; however, no structural safeguards prevent platform from engagement in or profit from exploitative labor in its own operations.
Platform design includes account suspension and content removal with limited due process; structural enforcement mechanisms do not uniformly protect against disproportionate penalties.
Platform recognizes verified identity and account status; however, suspension mechanisms can effectively remove legal standing within platform discourse without transparent due process.
Platform applies uniform policies but enforcement disparities across user demographics are documented; no visible structural mechanism to audit or correct unequal application.
Platform provides reporting and appeal processes; however, limited transparency in remedies and inconsistent outcomes suggest incomplete structural guarantee of effective remedy.
Platform can suspend or deactivate accounts without advance notice; structure permits rapid restriction of speech access without transparent due process, resembling arbitrary detention in digital context.
Platform moderation relies on internal automated systems and limited human review; no structural guarantee of independent impartial hearing in enforcement disputes.
Platform enforcement can restrict account access or content based on unproven violations; structure does not guarantee presumption of innocence in moderation process.
Platform systematically collects, retains, and shares user data including private messages, location, and behavioral data; structure includes extensive tracking and profiling for commercial purposes with limited user control and inadequate transparency.
Platform permits account creation and profile access across regions; however, enforcement can remove access via suspension without transparent recourse, limiting structural freedom of movement.
Platform enables discourse and organization around refugee and asylum issues; structural design does not inherently facilitate or obstruct asylum-seeking.
Platform permits theft of intellectual property through lack of robust enforcement; users report widespread content theft, plagiarism, and unauthorized distribution without consistent platform remedies.
Supplementary Signals
How this content communicates, beyond directional lean.
Platform uses terms like 'community standards' and 'safety' to describe moderation, framing corporate content control as democratic community governance
false dilemma
Platform presents binary choice between full engagement with tracking vs. no platform access, without transparent opt-out middle ground
obfuscation
Privacy policy and data practices are technically comprehensive but written in corporate jargon obscuring extent of surveillance and profiling
How accessible is this content to a general audience?
accessible · low jargon · none
Longitudinal
· 3 evals
Audit Trail
23 entries
2026-02-28 14:28
eval_skip
Skipped: no readable text in HTML (likely JS-rendered SPA)
--
2026-02-26 23:08
eval_success
Light evaluated: Neutral (0.00)
--
2026-02-26 23:08
eval
Evaluated by llama-4-scout-wai: 0.00 (Neutral)
--
2026-02-26 20:16
dlq
Dead-lettered after 1 attempts: You are not supposed to install OpenClaw on your personal computer
--
2026-02-26 20:14
rate_limit
OpenRouter rate limited (429) model=llama-3.3-70b
--
2026-02-26 20:13
rate_limit
OpenRouter rate limited (429) model=llama-3.3-70b
--
2026-02-26 20:12
rate_limit
OpenRouter rate limited (429) model=llama-3.3-70b
--
2026-02-26 17:41
dlq
Dead-lettered after 1 attempts: You are not supposed to install OpenClaw on your personal computer
--
2026-02-26 17:39
rate_limit
OpenRouter rate limited (429) model=llama-3.3-70b
--
2026-02-26 17:38
rate_limit
OpenRouter rate limited (429) model=llama-3.3-70b
--
2026-02-26 17:37
rate_limit
OpenRouter rate limited (429) model=llama-3.3-70b
--
2026-02-26 17:36
dlq
Dead-lettered after 1 attempts: You are not supposed to install OpenClaw on your personal computer
--
2026-02-26 17:34
rate_limit
OpenRouter rate limited (429) model=llama-3.3-70b
--
2026-02-26 17:34
eval_retry
OpenRouter API error 402 model=llama-3.3-70b
--
2026-02-26 17:34
eval_failure
Evaluation failed: Error: OpenRouter API error 402: {"error":{"message":"Provider returned error","code":402,"metadata":{"raw":"{\"error\":\"API key USD spend limit exceeded. Your account may still have USD balance, but
--
2026-02-26 17:32
rate_limit
OpenRouter rate limited (429) model=llama-3.3-70b
--
2026-02-26 16:25
eval_success
Evaluated: Neutral (0.00)
--
2026-02-26 16:25
eval
Evaluated by deepseek-v3.2: 0.00 (Neutral) 8,345 tokens
--
2026-02-26 09:09
dlq
Dead-lettered after 1 attempts: You are not supposed to install OpenClaw on your personal computer
--
2026-02-26 09:09
dlq
Dead-lettered after 1 attempts: You are not supposed to install OpenClaw on your personal computer