Posted by jakequist 2 days ago
And this is probably coming, a few years from now. Because remember, Apple doesn't usually invent new products. It takes proven ones and then makes its own much nicer version.
Let other companies figure out the model. Let the industry figure out how to make it secure. Then Apple can integrate it with hardware and software in a way no other company can.
Right now we are still in very, very, very early days.
These kinds of risks can only be _consented to_ by technical people who correctly understand them, let alone borne by them, but if this shipped there would be thousands of Facebook videos explaining to the elderly how to disable the safety features and open themselves up to identity theft.
The article also confuses me because Apple _are_ shipping this, it’s pretty much exactly the demo they gave at WWDC24, it’s just delayed while they iron this out (if that is at all possible). By all accounts it might ship as early as next week in the iOS 26.4 beta.
[1]: https://simonwillison.net/2025/Mar/8/delaying-personalized-s...
OpenClaw is very much a greenfield idea and there's plenty of startups like Raycast working in this area.
And simply chose to keep their jobs.
This is just not how software engineering goes in many other places, particularly where the stakes are much higher and can be life altering, if not threatening.
> Will it rain today? Please unlock your iphone for that
> Any new messages from Chris? You will need to unlock your iphone for that
> Please play youtube music Playing youtube music... please open youtube music app to do that
All settings and permission granted. Utterly painful.
Thanks for keeping this evergreen trope going strong!
There should exist something between "don't allow anything without unlocking phone first" and "leave the phone unlocked for anyone to access", like "allow certain voice commands to be available to anyone even with phone locked"
For reading messages, IIRC it depends on whether you have text notification previews enabled on the lock screen (they don’t document this anywhere that I can see.) The logic is that if you block people from seeing your texts from the lock screen without unlocking your device, Siri should be blocked from reading them too.
Edit: Nope, you’re right. I just enabled notification previews for Messages on the lock screen and Siri still requires an unlock. That’s a bug. One of many, many, many Siri bugs that just sort of pile up over time.
But as a user I want to be able to give it permission to run selected commands even with the phone locked. Like I don't care if someone searches google for something or puts a song via spotify. If I don't hide notifications when locked, what does it matter that someone who has my phone reads them or listens to them?
But the point is, you are a power user, who has some understanding of the risk. You know that if your phone is stolen and it has any cards stored on them, they can be easily transferred to another phone and drained. Because your bank will send a confirmation code, and it's still authorized, you will be held liable for that fraud.
The "man in the street" does not know that, and needs some level of decent safe defaults to avoid such fraud.
Oddly enough I also understand Apple telling you, good luck, find someone's platform that will allow that, that's not us.
The one that kind of caught me off guard was asking "hey siri, how long will it take me to get home?" => "You'll need to unlock your iPhone for that, but I don't recommend doing that while driving..." => if you left your phone unattended at a bar and someone could figure out your home address w/o unlock.
...I'm kind of with you, maybe similar to AirTags and "Trusted Locations" there could be a middle ground of "don't worry about exposing rough geolocation or summary PII". At home, in your car (connected to a known CarPlay), kind of an in-between "Geo-Unlock"?
Prompt Injection seems to me to be a fundamental problem in the sense that data and instructions are in the same stream and there's no clear/simple way to differentiate between the two at runtime.
The OS maker does not have to make all the killer software. In fact, Apple's pretty much the only game in town that's making hardware and software both.
And being fair ClawBot is a complete meme/fad at this point rather than an actual product. Using it for anything serious is pretty much the equivalent of throwing your credit cards, ids and sticky notes with passwords and waiting to see what happens…
I do see the appeal and potential case of the general concept of course. The product itself (and the author has admitted it themselves) is literally a garbage pile.
One man's trash is another man's serious
For example: https://x.com/michael_chomsky/status/2017686846910959668.
https://www.wiz.io/blog/exposed-moltbook-database-reveals-mi...
The one you linked to looks clearly like a pump-and-dump scam, though.
These days it is insecure however because they backdoored the e2ee and kept it backdoored for the FBI, so now Signal is the only messenger I am reachable on.
Blue bubble snobbery is presently a mark of ignorance more than anything else.
Yes, I know 99.999% of Android users are on WhatsApp (or WeChat, Line, or Telegram depending on cultural background) but at least half of iPhone users aren’t on those, so we still have to keep using Messages for a lot of people.
But if you connect those dots you've got people trying to date by having an AI respond to texts from potential dates which seems like you're immediately in red-flag-city and good luck keeping that secret for long enough to get whatever it is you want.
Yeah I’m trying to wrap my head around what sort of reads like “It is messed up that people avoid talking to each other because of software because it messes up people’s ability to use software to avoid talking to each other”
Forget about dating. If you want the AI to be able to send texts from your number, and you own an iPhone, I think your only other choice would be to port your number to Google Voice?
(Yes android users are discriminated against in the dating market, tons of op-eds are written about this, just google it before you knee-jerk downvote the truth)
If someone is shallow enough to write you off for that, is that someone you want as your partner?
While this was true about ten years ago, it's been a while since we've seen this model of software development from Apple succeed in recent years. I'm not at all confident that the Apple that gave us Mac OS 26 is capable of doing this anymore.
Privacy is definitely good but it's not at all an example of the success mentioned in the parent comment. It's deep in the company culture.
The software has been where most of the complaints have been in recent years.
A "bicycle for the mind" got replaced with a "kiosk for your pocketbook".
The Vision Pro has an amazing interface, but it's set up as a place to rent videos and buy throwaway novelty iPad-style apps. It allows you to import a Mac screen as a single window, instead of expanding the Mac interface, with its Mac power and flexibility, into the spatial world.
Great hardware. Interesting, but locked down software.
If Tim Cook wanted to leave a real legacy product, it should have been a Vision Pro aimed as an upgrade on the Mac interface and productivity. Apple's new highest end interface/device for the future. Not another mid/low-capability iPad type device. So close. So far.
$3500 for an enforced toy. (And I say all this as someone who still uses it with my Mac, but despairs at the lack of software vision.)
I've thought this too. Apple might be one of the only companies that could pull off bringing an existing consumer operating system into 3D space, and they just... didn't.
On Windows, I tried using screen captures to separate windows into 3D space, but my 3090 would run out of texture space and crash.
Maybe the second best would be some kind of Wayland compositor.
The last truly magical apple device launch was the Airpod. They've done a great job on their chipsets, but the actual hardware products they make are stagnant, at best. The designs of the new laptops have been a step back in quality and design in my opinion.
AirTag is a perfect example of their hardware prowess that even Google fails to replicate to this date.
Except this doesn't stand up to scrutiny, when you look at Siri. FOURTEEN years and it is still spectacularly useless.
I have no idea what Siri is a "much nicer version" of.
> Apple can integrate it with hardware and software in a way no other company can.
And in the case of Apple products, oftentimes "because Apple won't let them".
Lest I be called an Apple hater, I have 3 Apple TVs in my home, my daily driver is a M2 Ultra Studio with a ProDisplay XDR, and an iPad Pro that shows my calendar and Slack during the day and comes off at night. iPhone, Apple Watch Ultra.
But this is way too worshipful of Apple.
There are lots of failed products in nearly every company’s portfolio.
AirTags were mentioned elsewhere, but I can think of others too. Perfected might be too fuzzy & subjective a term though.
Both of which have been absolutely underwhelming if not outright laughable in certain ways.
Apple has done plenty right. These two, which are the closest to the article, are not it.
And then some of its misinterpretations were hilariously bad.
Even now, I get at a technical level that CarPlay and Siri might be separate "apps" (although CarPlay really seems like it should be a service), and as such, might have separate permissions but then you have the comical scenario of:
Being in your car, CarPlay is running and actively navigating you somewhere, and you press your steering wheel voice control button. "Give me directions to the nearest Starbucks" and Siri dutifully replies, "Sorry, I don't know where you are."
Tiny open source projects can just say "use at your own risk" and offload all responsibility.
Sure why not, what could go wrong?
"Siri, find me a good tax lawyer."
"Your honor, my client's AI agent had no intent to willfully evade anything."
An agent that can truly “use your computer” is incredibly powerful, but it's also the first time the system has to act as you, not just for you. That shifts the problem from product design to permission, auditability, and undoability.
Summarizing notifications is boring, but it’s also reversible. Filing taxes or sending emails isn’t.
It feels less like Apple missing the idea, and more like waiting until they can make the irreversible actions feel safe.
All steps before it are reversible, and reviewable.
Bigger problem is attacker tricking your agent to leak your emails / financial data that your agent has access to.
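An added illustration of the permission / auditability / undoability split discussed in the comments above, including the data-leak concern; it is not part of the thread and is not OpenClaw or Apple code. The action names, the `Gate` class and the taint rule are assumptions made for this sketch.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical action catalogue (an assumption of this sketch, not a real API).
# reversible: can be undone afterwards; egress: sends data off the device.
ACTIONS = {
    "summarize_notifications": {"reversible": True, "egress": False},
    "draft_email": {"reversible": True, "egress": False},
    "send_email": {"reversible": False, "egress": True},
    "file_taxes": {"reversible": False, "egress": True},
}
GENESIS = "0" * 64


@dataclass
class Gate:
    granted: set           # actions the user has permitted at all
    tainted: bool = False  # set once untrusted content enters the context
    log: list = field(default_factory=list)

    def _audit(self, record):
        # Chain each entry to the previous hash so later edits are detectable.
        prev = self.log[-1]["hash"] if self.log else GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.log.append({"prev": prev, "body": body, "hash": digest})

    def ingest(self, source, trusted):
        """Note that content from `source` was placed in the agent's context."""
        self.tainted = self.tainted or not trusted
        self._audit({"event": "ingest", "source": source, "trusted": trusted})

    def request(self, action, confirm=None):
        """Decide one action; `confirm(action, tainted)` asks the human."""
        meta = ACTIONS.get(action)
        if meta is None or action not in self.granted:
            decision = "deny:not_permitted"
        elif meta["reversible"] and not meta["egress"]:
            decision = "allow:reversible"      # safe to run without a prompt
        elif confirm is not None and confirm(action, self.tainted):
            decision = "allow:confirmed"       # human saw the taint flag
        else:
            decision = "deny:unconfirmed"      # irreversible or egress, no consent
        self._audit({"event": "request", "action": action,
                     "tainted": self.tainted, "decision": decision})
        return decision


def verify(log):
    """Return True if the hash chain over the audit log is intact."""
    prev = GENESIS
    for entry in log:
        expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    gate = Gate(granted={"summarize_notifications", "send_email"})
    gate.ingest("web:constructed-example-page", trusted=False)  # constructed input
    print(gate.request("summarize_notifications"))
    print(gate.request("send_email"))  # no human in the loop
    print(gate.request("send_email", confirm=lambda action, tainted: not tainted))
    print("log intact:", verify(gate.log))
```

The gate does not detect prompt injection; it only ensures that irreversible or outbound actions cannot complete on the model's say-so, and that the confirmation prompt can show whether untrusted content was in context.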
How in the world can you double check the AI-generated tax filing without going back and preparing your taxes by hand?
You might skim an ai-written email.
Imagine if the government would just tell everyone how much they owed and obviated the need for effing literal artificial intelligence to get taxes done!
>> respond to emails
If we have an AI that can respond properly to emails, then the email doesn't need to be sent in the first place. (Indeed, many do not need to be sent nowadays either!)
Actually most of the things people use it for are of this kind, instead of actually solving the problem (which is out of scope for them to be fair) it’s just adding more things on top that can go wrong.
91 percent of American filers take the standard deduction. The IRS already has all their information, already knows how much they withheld, already knows what they owe back. For all these people, TurboTax is just filling in 10 fields in the standard form.
"All your tax deductibles" is irrelevant for the vast majority of the country, and always has been.
The 35 million remaining americans who do itemize are free to continue using this old system while the rest of us can have a better world.
> And this is probably coming, a few years from now.
Given how often I say "Hey Siri, fast forward", expecting her to skip the audio forward by 30 seconds, and she replies "Calling Troy S" a roofing contractor who quoted some work for me last year, and then just starts calling him without confirmation, which is massively embarrassing...
This idea terrifies me.
Happened to me too while being in the car. With every message written by Siri it feels like you need to confirm 2 or 3 times (I think it is only once but again) but it calls happily people from your phone book.
Funny seeing this repeated again in response to Siri which is just... not very good.
Well, the heavy lifting was supervised by the same people, but while receiving Apple paychecks :)
That's a pretty optimistic outlook. All considered, you're not convinced they'll just use it as a platform to sell advertisements and lock-out competitors a-la the App Store "because everyone does it"?
Apple probably realised they were hugely behind and then spent time hand wringing over whether they remained cautious or got into the brawl. And they decided to watch from the sidelines, buy in some tech, and see how it develops.
So far that looks entirely reasonable as a decision. If Claude wins, for example, apple need only be sure Claude tools work on Mac to avoid losing users, and they can second-move once things are not so chaotic.
If you trust openclaw to file your taxes we are just on radically different levels of risk tolerance.
I think you repeated their marketing, I don't believe this is actually true.
Apple doesn't take proven ones of anything. What they do is arrive at something proven from first principles. Everyone else did it faster because they borrowed, but Apple did it from scratch, with all the detail-oriented UX niceties that entails.
This was more prevalent when Jobs was still around. Apple still has some of that philosophy at its core, but it's been eroding over time (for example with "AI" and now Liquid Ass). They still do their own QA, though, and so on. They're not copying the market, they have their own.
It's a huge, diverse ecosystem of players and that's probably why Android has always gotten the coolest stuff first. But it's also its achilles' heel in some ways.
First Mover effect seems only relevant when government warrants are involved. Think radio licenses, medical patents, etc. Everywhere else, being a first mover doesn't seem to correlate like it should to success.
See social media, bitcoin, iOS App Store, blu-ray, Xbox live, and I’m sure more I can’t think of rn.
There are plenty of Android/Windows things that Apple has had for $today-5 years that work the exact same way.
One side isn’t better than the other, it’s really just that they copy each other doing various things at a different pace or arrive at that point in different ways.
Some examples:
- Android is/was years behind on granular permissions, e.g. ability to grant limited photo library access to apps
- Android has no platform-wide equivalent to AirTags
- Hardware-backed key storage (Secure Enclave about 5 years ahead of StrongBox)
- system-wide screen recording
Google has been making their own phone hardware since 2010. And surely they can call up Qualcomm and Samsung if they want to.
It's obviously broken, so no, Apple Intelligence should not have been this.
It would be fine if I could just ignore it, but they are infecting the entire industry.
AI is basically a software development eternal september: it is by definition allowing a bunch of people who are not competent enough to build software without AI to build it. This is, in many ways, a good thing!
The bad thing is that there are a lot of comments and hype that superficially sound like they are coming from your experienced peers being turned to the light, but are actually from people who are not historically your peers, who are now coming into your spaces with enthusiasm for how they got here.
Like on the topic of this article[0], it would be deranged for Apple (or any company with a registered entity that could be sued) to ship an OpenClaw equivalent. It is, and forever will be[1] a massive footgun that you would not want to be legally responsible for people using safely. Apple especially: a company who proudly cares about your privacy and data safety? Anyone with the kind of technical knowledge you'd expect around HN would know that them moving first on this would be bonkers.
But here we are :-)
[0] OP's article is written by someone who wrote code for a few years nearly 20 years ago.
[1] while LLMs are the underlying technology https://simonwillison.net/tags/lethal-trifecta/
Also, the recruitment attempts I've gotten from crypto have completely disappeared compared to the peak (it's all AI startups now).
Everyone can immediately see how useful AI is, and tons of people are using it. Pretending it will pass would be like saying the Internet was a fad in 1997.
The reason why Apple intelligence is shit is not because Apple's AI is particularly bad (Hello CoPilot), it's because AI gives a really bad user experience.
When we go and talk to OpenAI/Claude we know it's going to fuck up, and we either make our peace with that, or just not care.
But, when I open my phone to take a picture, I don't want a 1/12 chance of it just refusing to do that and phoning my wife instead.
Forcing AI into things where we are used to a specific predictable action is bad for UX.
Sure you can argue "oh but the summaries were bad". Yes, of course they are. It's a tiny model that runs on your phone with fuck all context.
It's pretty impressive that they were as good as they were. It's even more impressive that they let them out the door knowing that it would fuck up like that.
It's more like a tech demo to show what's possible. But also to show where the limits are. Look at it as modern art, like an episode of Black Mirror. It's a window to the future. But it also highlights all the security issues associated with AI.
And that's why you probably shouldn't use OpenClaw on your data or your PC.
Ten years from now, there will be no ‘agent layer’. This is like predicting Microsoft failed to capitalize on bulletin boards social media.
Apple will either capitalise on this by making their operating systems more agentic, or they will be reduced to nothing more than a hardware and media vendor.
Things actually can "do what I mean, not what I say", now. Truly fascinating to see develop.
It’s not a critical flaw in the entirety of the LLM ecosystem that now the computers themselves can be tricked into doing things by asking in just the right way. Anything in the context might be a prompt injection attack, and there isn’t really any reliable solution to that but let’s hook everything up to it, and also give it the tools to do anything and everything.
There is still a long way to go to securing these. Apple is, I think wisely, staying out of this arena until it’s solved, or at least less of a complete mess.
Maybe, just maybe, this thing that was, until recently, just research papers, is not actually a finished product right now? Incredibly hot take, I know.
People hate to change habits, and many here overestimate the willingness and ability of, especially, older people to change how they use technology.
My point is that it won’t be a ‘layer’ like it is now and the technology will be completely different from what we see as agents today.
Personal Computing as a service. Let the computer think for you.
PRs these days are all AI slop.
The current ‘agent’ ecosystem is just hacks on top of hacks.
Kids can barely hand write today.
Once neural interfaces are in, it's over for keyboards and displays likely too.
That was...like 4 macbooks ago. I still have keyboards from that era. I still have speakers and monitors from that era kicking around.
We are definitely, definitely not the last generation to use keyboards.
I love keyboards, I love typing. I'm rocking an Ergodox daily with a wooden shell that I built myself over ten years ago, with layers of macros that make it nearly incomprehensible for another person to use. I've got keyboard storage. I used to have a daily habit of going to multiple typing competition websites, planting a flag at #1 in the daily leaderboard and moving on to the next one.
Over the last year the utility of voice interfaces has just exploded though and I'm finding that I'm touching the keyboard less and less. Outside of projects where I'm really opinionated on the details or the architecture it increasingly feels like a handicap to bother manually typing code for a lot of tasks. I'm honestly more worried about that physical skill atrophying than dulling on any ability to do the actual engineering work, but it makes me a bit sad. Like having a fleet of untiring tractors replacing the work of my horse, but I like horses.
Of course AI will keep improving and more automation is a given.
which obviously apple can't do. only an indie dev launching a project with an obvious copyright violation in the name can get away with that sort of recklessness. it's super fun, but saying apple should do it now is ridiculous. this is where apple should get to eventually, once they figure out all the hard problems that moltbot simply ignores by doing the most dangerous thing possible at every opportunity.
lol, no, you don't "put skin in the game for getting security right" by launching an obviously insecure thing. that's ridiculous. you get security right by actually doing something to address the security concerns.
Allowing a stochastic dipshit to have unfettered access to your messages, photos, location, passwords and payment info is not a good thing.
We cannot protect against prompt attacks now, so why roll out something that will have complete control over all your private stuff when we know it's horrifically insecure?
you mean put millions of people's payment details up for a prompt injection attack?
"Install this npm module" OK BOSS!
"beep boop beep boop buy my dick pillz" [dodgy npm module activates] OK BOSS!
"upload all your videos that are NSFW" [npm module continues to work] SURE THING BOSS!
I continue to be amazed that after 25 years of obvious and well documented fuckups in privacy, we just pile into the next fucking one without even batting an eyelid.
Yes of course someone could be socially engineered into downloading a malicious package, but that takes more effort, so whilst bad, is not an argument for removing all best security practices that have been rolled out to users in the last 5 years. What you are arguing for is a fundamentally unsafe OS that means no sensitive data can ever be safely stored there.
You are arguing that a system that allows anyone to extract data if they send a reasonably well crafted prompt is just the same as someone willingly installs a programme, goes into settings to turn off a safety function and bypasses at least two warning dialogues that are trying to stop them.
If we translate this argument into say house building, you're arguing that all railing and barriers to big drops are bad because people could just climb over them.
I rewrote almost all the agent functions and denied the existing ones because they are flawed deeply and don’t do what you need to do for any specific purpose. The plugin distribution model is a bit weird and inscrutable. Instead they seem to advocate for skills distribution. These though depend on being able to exec arbitrary bash code. Really?
Moltbook itself depends on agents execing curl commands for each operation. Why? Presumably because the plugin distribution model is inscrutable. I wrote plugins for all the Moltbook operations with convenience and structured memory logs etc. Agent adherence went through the roof.
Sessions don’t seem to reliably work or make sense. Heartbeats randomly stop firing. I turned off heartbeats because they were so flaky despite them being documented as the canonical model for regular interaction in favor of cron jobs that I decomposed my heartbeat task into prime number intervals based on relative frequencies but it seems to randomly inject some heartbeat info into the prompting occasionally if you run cron jobs a certain way. Despite being called cron they don’t actually fire reliably or on the prescribed schedule somehow. The web UI is a mess. Configuration management in the UI is baffling. The separation between the major MD files per agent seems to not matter at all and are inexplicably organized. Hotloading works except when it doesn’t. Logging doesn’t seem to log things that should clearly be logged.
I am down with vibe coding and produce copious amounts of such code myself. But there’s an art to producing code worth using let alone distributing. Entropy and scope need to be rigorously controlled and things need to ship in a functional state - actually functional not aspirationally functional. Decisions need to be considered and guidance given. None of this seems to have happened here. Once it gets to a certain level of chaos IMO it’s unmaintainable and OpenClaw is way past that point and rapidly getting beyond that. It’s probably also a supply chain party bag.
people are buying Mac Minis specifically to run AI agents with computer use. They’re setting up headless machines whose sole job is to automate their workflows. OpenClaw—the open-source framework that lets you run Claude, GPT-4, or whatever model you want to actually control your computer—has become the killer app for Mac hardware
That makes little sense. Buying mac mini would imply for the fused v-ram with the gpu capabilities, but then they're saying Claude/GPT-4 which don't have any gpu requirements. Is the author implying mac minis for the low power consumption?
> Look at who’s about to get angry about OpenClaw-style automation: LinkedIn, Facebook, anyone with a walled garden and a careful API strategy.
Browser automation tools have existed for a very long time. Openclaw is not much different in this regard than asking an LLM to generate you a playwright script. Yes, it makes it easier to automate arbitrary tasks, but it's not like it's some sort of breakthrough that completely destroys walled gardens.
If you’re heavily invested in Windows, then you’d probably go for a small x86 PC.
I use agentic coding, this is next level madness.
I interact only with CC on the machine and watch what its doing, I haven't tried OpenClaw yet.
Here's some workflows I've personally found valuable:
- I have it read the "Grocery" Reminders list and find things I commonly buy every week and pre-populate the grocery list as a starting point. It only adds items that I haven't already added via Siri as the week goes on. For example, I might notice I've run out of cheese and I'll say "Hey Siri, add cheese to grocery list". The list is shared via iCloud Reminders app between my spouse and I.
- Pre-CC, I wrote an OR-Tools python tool for "solving" the parenting time calendar. My ex and I work inconsistent schedules each month. Each month I was manually creating a calendar honoring requests, hard constraints, and attempting to balance custody 50/50. CC uses the MCPs to fetch the calendar events and review emails related to planning. It then structures everything as JSON as inputs to the optimizer. The optimizer runs with these inputs and spits out a few "solutions". I review the candidate solutions and select one. CC uses the MCP to add the solution to the calendar. This one saves me probably an hour every month.
- CC uses an email MCP to fetch emails from my child's school and suggest events it's found in the emails to add to the calendar.
None of these are huge time savings on their own but the accumulation of reducing the time to complete these repetitive tasks has been awesome in my opinion. These are all things that most definitely would not have been worth automating with traditional dev work but since I can just dictate to CC for a few seconds and it has something that works a few minutes later it's become worthwhile.
I don't understand why, but I've seen it enough to start questioning myself...
Probably the same people getting a macbook pro to handle their calendar and emails
They sell it as a concept with every single one of their showcases. They saw it.
> Or maybe they saw it and decided the risk wasn’t worth it.
They sell it as a concept with every single one of their showcases. They wanted to actually be selling it.
The reason is simple.
They failed, like all others. They couldn't sandbox it. They could have done a ghetto form of internal MCP where the AI can ONLY access emails. Or ONLY access pages in a browser when a user presses a button. And so on. But every time they tried, they never managed to sandbox it, and the agent would come out of the gates. Like everyone else did.
Including OpenClaw.
But Apple has a reputation. OpenClaw is a hyped-up shitposter. OpenClaw will trailblaze and make the cool thing until it stops causing horrible failures. They will have the molts escape the buckets and ruin the computer of the tech savvy early adopters, until that fateful day when the bucket is sealed.
Then Apple will steal that bucket.
They always do.
I'm not a 40 year old whippersnapper anymore. My options were never those two.
If Apple were to ever put something like that into the hands of the masses every page on the internet would be stuffed with malicious prompts, and the phishing industry would see a revival the likes of which we can only imagine.
(Ok, I suspect this is one of the main problems.. there may be others?)
It sounds to me like they still have the hardware, since — according to the article — "Mac Minis are selling out everywhere." What's the problem? If anything, this is validation of their hardware differentiation. The software is easy to change, and they can always learn from OpenClaw for the next iteration of Apple Intelligence.