Posted by apeters 5 hours ago
Kinda RF-nerd clickbait... :)
MiMo code (via my z.ai coding plan) is very pleasant so far, nice UI and seems to respond faster than Claude Code. It might be injecting much less cruft into the conversation.
I also got access to the mimo-2.5-pro ultraspeed model yesterday, which is really quite snappy. It does cost more than DeepSeek, though, so I'm not sure whether it's worth it yet. Definitely fast though.
telemetry enabled by default and named "analysis" is not great.
>Knowledge accumulates automatically with lossless compression, preserving every critical detail even across million-line projects.
For example: For a super small task in a small project that should not be consuming more than 500K total tokens after all tool calls included, their shown usage shot up to 152 million tokens.
But, when I scroll down on the same page, a table shows usage as 3 million tokens, out of which 2.5 million were cached.
This is such a huge conflict on the very same page. The bad thing is that the usage progress bar is shown against that 150 million token usage, not against that 3 million one.
This has been in discussions for at least past 3 months on reddit as well, and was precisely the reason I subscribed to their lowest tier, and for a single month only.
Update: their own harness, mimocode, shows total token usage as just 63.1K. We now have 3 entirely different values, differing in 3 orders of magnitude.
Update 2: So, I did the exact same task this time using DS4Pro, and total token usage was just 101K (as shown by opencode).
"""
Credits 4,100,000,000 Credits
Total Token Consumption
"""
This is usually a PoC (Proof of concept) way to install something on a temporary container or temporary VM, but not for production use during daily desktop operation.
I was hoping their documentation would provide better installation instructions. But strangely, only for Windows do they recommend "npm install -g @mimo-ai/cli," which is a much better approach to managing installed packages.
For Mac/Linux, they have the strange recommendation to use the dangerous "curl <some_url> | bash." Quote:
> (for the best experience, Mac users are strongly encouraged to use iTerm or the VSCode Terminal) > curl -fsSL https://mimo.xiaomi.com/install | bash
:(
To be fair, is that any different from naively trusting NPM? It's not like NPM is doing any vetting. They're every threat actors favorite sandbox these days.
And at the end of the day, no matter the installation method (even just unpacking a tarball and executing the program directly from that directory), you're going to run their program on your computer, and then the program can do whatever it wants. Maybe you don't run it with sudo, but https://xkcd.com/1200/ seems relevant.
Yes, running third-party code is always a leap of faith, but why choose a delivery method that removes the possibility of verification and opens the door to targeted injections? Convenience shouldn't be an excuse to ignore basic security hygiene.
Like requiring a WoT (usually with physical meetups) vetting people creating packages, FTP-masters, dedicated clean buildbots, etc. in addition to the packages themselves being signed and so on.
> sh -c 'curl -fsSL https://chatgpt.com/codex/install.sh | CODEX_NON_INTERACTIVE=1 sh'
This is just sh, not bash, but I doubt it would be any better.
> npm install ... is a much better approach to managing installed packages.
No. Until the upcoming version of npm is out, npm will also run arbitrary code. Almost all common installation tools run arbitrary code. Not doing that is sadly the exception for now.
No. npm is a package manager. As mentioned in the comment you're replying to, almost all package managers execute arbitrary code. Eg:
- pip
- Cargo
- apt/dpkg
- dnf/yum
- Homebrew
- RubyGems
- Composer (limited)
- Maven
> Any chance you have a link to something that describes their plans?
https://github.blog/changelog/2026-06-09-upcoming-breaking-c...