Posted by Cyphase 23 hours ago
If an agent is curling untrusted data while holding access to sensitive data or already has sensitive data loaded into its context window, arbitrary code execution isn't a theoretical risk; it's an inevitability.
As recent research on context pollution has shown, stuffing the context window with monolithic system prompts and tool schemas actively degrades the model's baseline reasoning capabilities, making it exponentially more vulnerable to these exact exploits.
Among many more of them with similar results. This one gives a 39% drop in performance.
https://arxiv.org/abs/2506.18403
This one gives 60-80% after multiple turns.
For real though, it's not that hard to make your own! NanoClaw boasted 500 lines but the repo was 5000 so I was sad. So I took a stab at it.
Turns out it takes 50 lines of code.
All you need is a few lines of Telegram library code in your chosen language, and `claude -p prooompt`.
With 2 lines more you can support Codex or your favorite infinite tokens thingy :)
https://github.com/a-n-d-a-i/ULTRON/blob/main/src/index.ts
That's it! There are no other source files. (Of course, we outsource the agent, but I'm told you can get an almost perfect result there too with 50 lines of bash... watch this space! (It's true, Claude Opus does better in several coding and computer use benchmarks when you remove the harness.))
... actually, no - they'll just call it Copilot to cause maximum confusion with all the other things called Copilot
Still an interesting idea but it’s not really novel or difficult. Well, doing it securely would actually be incredibly impressive and worth big $$$.
He also still talks very fondly about Claude Code and openly admits it's better at a lot of things, but he thinks Codex fits his development workflow better.
I really, really don't think there's a conspiracy around the Codex thing like you're implying. I know plenty of devs who don't work for OpenAI who prefer Codex ever since 5.2 was released and if you read up a little on Peter Steinberger he really doesn't seem like the type of person who would be saying things like that if he didn't believe them. Don't get me wrong, I'm not fan boy-ing him. He seems like a really quirky dude and I disagree with a ton of his opinions, but I just really don't get the impression that he's driven by money, especially now that he already had more than he could spend in a lifetime.
Pull the other one, it's got bells on.
Most AI tools require supervision, this is the opposite.
To many people, the idea of having an AI always active in the background doing whatever they want them to do is interesting.
As the person you're replying to feels, I just don't understand. All the descriptions are just random cool sounding words/phrases strung together but none of it actually providing any concrete detail of what it actually is.
One example from last night: I have openclaw running on a mostly sandboxed NUC on my lab/IoT network at home.
While at dinner someone mentioned I should change my holiday light WLED pattern to St Patrick’s day vs Valentine’s Day.
I just told openclaw (via a chat channel) the wled controller hostname, and to propose some appropriately themes for the holiday, investigate the API, and go ahead and implement the chosen theme plus set it as the active sundown profile.
I came back home to my lights displaying a well chosen pattern I’d never have come up with outside hours of tinkering, and everything configured appropriately.
Went from a chore/task that would have taken me a couple hours of a weekend or evening to something that took 5 minutes or less.
All it was doing was calling out to Codex for this, but it acting as a gateway/mediator/relay for both the access channel part plus tooling/skills/access is the “killer app” part for me.
I also worked with it to come up with a promox VE API skill and it’s now repeatable able to spin up VMS with my normalized defaults including brand new cloud init images of Linux flavors I’ve never configured on that hypervisor before. A chore I hate doing so now I can iterate in my lab much faster. Also is very helpful spinning up dev environments of various software to mess with on those vms after creation.
I haven’t really had it be very useful as a typical “personal assistant” both due to lack of time investment and running against its (lack of) security model for giving it access to comms - but as a “junior sysadmin” it’s becoming quite capable.
Well, yes. "Just" that. Only that this is at a high level a good description of how all humans do anything, so, you know.
Really stretching the definition of "anything."
This is about getting the computer to do the stuff we had been promised computing would make easier, stuff that was never capital-H Hard but just annoying. Most of the real claw skills are people connecting stuff that has always been connectable but it has been so fiddly as to make it a full time side project to maintain, or you need to opt into a narrow walled garden that someone can monetize to really get connectivity.
Now you can just get an LLM to learn apple’s special calendar format so you can connect it to a note-taking app in a way that only you might want. You don’t need to make it a second job to learn whatever glue needs to make that happen.
Are you a developer? Then this is something you probably do a couple times a day. Prompting the correct version will take longer and will leave you with much less understanding of the system you just implemented. So once it fails you don't know how to fix it.
The things that annoy me in life - tax reports, doctor appointments, sending invoices. No way in hell I am letting LLM do that! Everything else in life I enjoy.
So I'm curious how it will go down once serious harm does occur. Like someone loses their house, or their entire life savings or have their identity completely stolen. And these may be the better scenarios, because the worse ones are it commits crimes, causes major harm to third parties, lands the owner in jail.
I fully expect the owner to immediately state it was the agent not them, and expect they should be alleviated of some responsibility for it. It already happened in the incident with Scott Shambaugh - the owner of the bot came forward but I didn't see any point where they did anything to take responsibility for the harm they caused.
These people are living in a bubble - Scott is not suing - but I have to assume whenever this really gets tested that the legal system is simply going to treat it as what it is: best case, reckless negligence. Worst case (and most likely) full liability / responsibility for whatever it did. Possibly treating it as with intent.
Unfortunately, it seems like we need this to happen before people will actually take it seriously and start to build the necessary safety architectures / protocols to make it remotely sensible.
For what?
giving my private data/keys to 400K lines of vibe coded monster that is being actively attacked at scale is not very appealing at all
If this were 2010, Google, Anthropic, XAI, OpenAI (GAXO?) would focus on packaging their chatbots as $1500 consumer appliances.
It's 2026, so, instead, a state-of-the-art chatbot will require a subscription forever.
Maybe it’s time to start lining up CCPA delete requests to OAI, Anthropic, etc
* I think my biggest frustration is that I don't know how security standards just gets blatantly ignored for the sake of ai progress. It feels really weird that folks with huge influence and reputation in software engineering just promotes this * The confusion comes in because for some reason we decide to drop our standards at a whim. Lines of code as the measurement of quality, ignoring security standards when adopting something. We get taught to not fall for shiny object syndrome, but here we are showing the same behaviour for anything AI related. Maybe I struggle with separating hobbyist coding from professional coding, but this whole situation just confuses me
I think I expected better from influential folks promoting AI tools to at least check validate the safety of using them. "Vibe coding" was safe, claws are not yet safe at all.
thousands of copies of shitty code, only the best will survive
I know it's hard to be enthusiastic about bad code, but worked well enough for the evolution of life on earth