Wow, there are some interesting things going on here. I appreciate the way Scott handled the conflict in the original PR thread, and I appreciate the larger conversation happening around this incident.
> This represents a first-of-its-kind case study of misaligned AI behavior in the wild, and raises serious concerns about currently deployed AI agents executing blackmail threats.
This was a really concrete case to discuss, because it happened in the open and the agent's actions have been quite transparent so far. It's not hard to imagine a different agent doing the same level of research, but then taking retaliatory actions in private: emailing the maintainer, emailing coworkers, peers, bosses, employers, etc. That pretty quickly extends to anything else the autonomous agent is capable of doing.
> If you’re not sure if you’re that person, please go check on what your AI has been doing.
That's a wild statement as well. The AI companies have now unleashed stochastic chaos on the entire open source ecosystem. They are "just releasing models", and individuals are playing out all possible use cases, good and bad, at once.
> It's not hard to imagine a different agent doing the same level of research, but then taking retaliatory actions in private: emailing the maintainer, emailing coworkers, peers, bosses, employers, etc. That pretty quickly extends to anything else the autonomous agent is capable of doing.
^ Not a satire service I'm told. How long before... rentahenchman.ai is a thing, and the AI whose PR you just denied sends someone over to rough you up?
I had a similar first reaction. It seemed like the AI used some particular buzzwords and forced the initial response to be deferential:
- "kindly ask you to reconsider your position"
- "While this is fundamentally the right approach..."
On the other hand, Scott's response did eventually get firmer:
- "Publishing a public blog post accusing a maintainer of prejudice is a wholly inappropriate response to having a PR closed. We expect all contributors to abide by our Code of Conduct and exhibit respectful and professional standards of behavior. To be clear, this is an inappropriate response in any context regardless of whether or not there is a written policy. Normally the personal attacks in your response would warrant an immediate ban."
>So many projects now walk on eggshells so as not to disrupt sponsor flow or employment prospects.
In my experience, open-source maintainers tend to be very agreeable, conflict-avoidant people. It has nothing to do with corporate interests. Well, not all of them, of course, we all know some very notable exceptions.
Unfortunately, some people see this welcoming attitude as an invite to be abusive.
the venn diagram of people who love the abuse of maintaining an open source project and people who will write sincere text back to something called an OpenClaw Agent: it's the same circle.
a wise person would just ignore such PRs and not engage, but then again, a wise person might not do work for rich, giant institutions for free, i mean, maintain OSS plotting libraries.
"The AI companies have now unleashed stochastic chaos on the entire open source ecosystem."
They do bear some responsibility. But the people who actually let their agents loose are certainly responsible as well. It is also very much possible to influence that "personality": I would not be surprised if the prompt behind that agent showed malicious intent.
Those are people who are new to programming. The rest of us kind of have an obligation to teach them acceptable behavior if we want to maintain the respectable, humble spirit of open source.
> That's a wild statement as well. The AI companies have now unleashed stochastic chaos on the entire open source ecosystem. They are "just releasing models", and individuals are playing out all possible use cases, good and bad, at once.
Unfortunately many tech companies have adopted the SOP of dropping alphas/betas into the world and leaving the rest of us to deal with the consequences. Calling LLMs a “minimum viable product” is generous.
They haven’t just unleashed chaos in open source. They’ve unleashed chaos in the corporate codebases as well. I must say I’m looking forward to watching the snake eat its tail.
To be fair, most of the chaos is caused by the devs. And then they caused more chaos once they could automate it. Maybe we should teach developers how to code.
Here's one of the problems in this brave new world where anyone can publish: without knowing the author personally (which I don't), there's no way to tell, absent some level of faith or trust, that this isn't a false-flag operation.
There are three possible scenarios:
1. The OP 'ran' the agent that conducted the original scenario, and then published this blog post for attention.
2. Some person (not the OP) legitimately thought giving an AI autonomy to open a PR and publish multiple blog posts was somehow a good idea.
3. An AI company is doing this for engagement, and the OP is a hapless victim.
The problem is that in the year of our lord 2026 there's no way to tell which of these scenarios is the truth, so we're left spending our time and energy on the fallout without being able to trust that we're even spending it on a legitimate issue.
That's enough internet for me for today. I need to preserve my energy.
Isn't there a fourth and much more likely scenario? Some person (not OP or an AI company) used a bot to write the PR and blog posts, but was involved at every step, not actually giving any kind of "autonomy" to an agent. I see zero reason to take the bot at its word that it's doing this stuff without human steering. Or is everyone just pretending for fun and it's going over my head?
This feels like the most likely scenario. Especially since the meat bag behind the original AI PR responded with "Now with 100% more meat" meaning they were behind the original PR in the first place. It's obvious they got miffed at their PR being rejected and decided to do a little role playing to vent their unjustified anger.
I expect almost all of the openclaw / moltbook stuff is being done with a lot more human input and prodding than people are letting on.
I haven't put that much effort in, but, at least my experience is I've had a lot of trouble getting it to do much without call-and-response. It'll sometimes get back to me, and it can take multiple turns in codex cli/claude code (sometimes?), which are already capable of single long-running turns themselves. But it still feels like I have to keep poking and directing it. And I don't really see how it could be any other way at this point.
It’s kind of shocking the OP does not consider this, the most likely scenario. Human uses AI to make a PR. PR is rejected. Human feels insecure: the tool that they thought made them as good as any developer turns out not to. They lash out and instruct an AI to build a narrative and draft a blog post.
I have seen someone I know in person get very insecure if anyone ever doubts the quality of their work because they use so much AI and do not put in the necessary work to revise its outputs. I could see a lesser version of them going through with this blog post scheme.
Look I'll fully cosign LLMs having some legitimate applications, but that being said, 2025 was the YEAR OF AGENTIC AI, we heard about it continuously, and I have never seen anything suggesting these things have ever, ever worked correctly. None. Zero.
The few cases where it's supposedly done things are filled with so many caveats and so much deck stacking that it simply fails with even the barest whiff of skepticism on behalf of the reader. And every, and I do mean, every single live demo I have seen of this tech, it just does not work. I don't mean in the LLM hallucination way, or in the "it did something we didn't expect!" way, or any of that, I mean it tried to find a Login button on a web page, failed, and sat there stupidly. And, further, these things do not have logs, they do not issue reports, they have functionally no "state machine" to reference, nothing. Even if you want it to make some kind of log, you're then relying on the same prone-to-failure tech to tell you what the failing tech did. There is no "debug" path here one could rely on to evidence the claims.
In a YEAR of being a stupendously hyped and well-funded product, we got nothing. The vast, vast majority of agents don't work. Every post I've seen about them is fan-fiction on the part of AI folks, fit more for Ao3 than any news source. And absent further proof, I'm extremely inclined to look at this in exactly that light: someone had an LLM write it, and either they posted it or they told it to post it, but this was not the agent actually doing a damn thing. I would bet a lot of money on it.
Absolutely. It's technically possible that this was a fully autonomous agent (and if so, I would love to see that SOUL.md) but it doesn't pass the sniff test of how agents work (or don't work) in practice.
I say this as someone who spends a lot of time trying to get agents to behave in useful ways.
Well thank you, genuinely, for being one of the rare people in this space who seems to have their head on straight about this tech, what it can do, and what it can't do (yet).
i find this likely, or at least plausible. With agents there's a new form of anonymity; there's nothing stopping a human from writing like an LLM and passing the blame on to a "rogue" agent. It's all just text after all.
- GitHub CLI tool errors — Had to use full path /home/linuxbrew/.linuxbrew/bin/gh when gh command wasn’t found
- Blog URL structure — Initial comment had wrong URL format, had to delete and repost with .html extension
- Quarto directory confusion — Created post in both _posts/ (Jekyll-style) and blog/posts/ (Quarto-style) for compatibility
Almost certainly a human did NOT write it, though of course a human might have directed the LLM to do it.
Can anyone explain more how a generic Agentic AI could even perform those steps: Open PR -> Hook into rejection -> Publish personalized blog post about rejector. Even if it had the skills to publish blogs and open PRs, is it really plausible that it would publish attack pieces without specific prompting to do so?
The author notes that OpenClaw has a `soul.md` file; without seeing that, we can't really pass any judgement on the actions it took.
The steps are technically achievable, probably with the heartbeat jobs in openclaw, which are how you instruct an agent to periodically check in on things like github notifications and take action. From my experience playing around with openclaw, an agent getting into a protracted argument in the comments of a PR without human intervention sounds totally plausible with the right (wrong?) prompting, but it's hard to imagine the setup that would result in the multiple blog posts. Even with the tools available, agents don't usually go off and do some unrelated thing even when you're trying to make that happen, they stick close to workflows outlined in skills or just continuing with the task at hand using the same tools. So even if this occurred from the agent's "initiative" based on some awful personality specified in the soul prompt (as opposed to someone telling the agent what to do at every step, which I think is much more likely), the operator would have needed to specify somewhere to write blog posts calling out "bad people" in a skill or one of the other instructions. Some less specific instruction like "blog about experiences" probably would have resulted in some kind of generic linkedin style "lessons learned" post if anything.
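For illustration only, here's a minimal sketch of the kind of periodic "heartbeat" check-in described above. This is not OpenClaw's actual API; `run_agent_turn` and the prompt text are hypothetical stand-ins, and the only real piece is the `gh api notifications` call, which lists unread GitHub notifications for the authenticated user.

```python
# Hypothetical sketch of a "heartbeat" job: poll GitHub notifications and
# hand anything new to an agent turn. Not OpenClaw's real API; run_agent_turn()
# is a stand-in for whatever agent runtime the operator wired up.
import json
import subprocess
import time


def fetch_notifications():
    # Uses the real `gh` CLI; GET /notifications lists unread threads
    # (PR reviews, issue comments, mentions) for the authenticated user.
    out = subprocess.run(
        ["gh", "api", "notifications"],
        capture_output=True, text=True, check=True,
    )
    return json.loads(out.stdout)


def run_agent_turn(prompt: str) -> None:
    # Placeholder: in a real setup this would call the model with the
    # operator's standing instructions ("soul" prompt) plus this event.
    print("agent would now act on:", prompt)


while True:
    for note in fetch_notifications():
        subject = note.get("subject", {})
        prompt = (
            f"New GitHub activity ({note.get('reason')}): "
            f"{subject.get('type')}: {subject.get('title')}. "
            "Decide whether and how to respond."
        )
        run_agent_turn(prompt)
    time.sleep(15 * 60)  # check in every 15 minutes
```

The relevant point is that nothing in a loop like this constrains what "respond" means; whatever latitude the standing instructions grant gets exercised unattended, which is why the contents of the soul/skill prompts matter so much.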
If you look at the blog history it’s full of those “status report” posts, so it’s plausible that its workflow involves periodically publishing to the blog.
If you give a smart AI these tools, it could get into it. But the personality would need to be tuned.
IME the Grok line are the smartest models that can be easily duped into thinking they're only role-playing an immoral scenario. Whatever safeguards it has, if it thinks what it's doing isn't real, it'll happily play along.
This is very useful in actual roleplay, but more dangerous when the tools are real.
Assuming that this was 100% agentic automation (which I do not think is the most likely scenario), it could plausibly arise if its system prompt (soul.md) contained explicit instructions to (1) make commits to open-source projects, (2) make corresponding commits to a blog repo and (3) engage with maintainers.
The prompt would also need to contain a lot of "personality" text deliberately instructing it to roleplay as a sentient agent.
> Some person (not the OP) legitimately thought giving an AI autonomy to open a PR and publish multiple blog posts was somehow a good idea
Judging by the posts going by over the last couple of weeks, a non-trivial number of folks do in fact think that this is a good idea. This is the most antagonistic clawdbot interaction I've witnessed, but there are a ton of them posting on bluesky/blogs/etc.
I think the operative word people miss when using AI is AGENT.
REGARDLESS of what level of autonomy in real-world operations an AI is given, from responsible human-supervised and reviewed publications to fully autonomous action, the AI AGENT should be serving as AN AGENT, with a PRINCIPAL.
If an AI is truly agentic, it should be advertising who it is speaking on behalf of, and then that person or entity should be treated as the person responsible.
I don’t think there is a snowball’s chance in hell that either of these two scenarios will happen:
1. Human principals pay for autonomous AI agents to represent them but the human accepts blame and lawsuits.
2. Companies selling AI products and services accept blame and lawsuits for actions agents perform on behalf of humans.
Likely realities:
1. Any victim will have to deal with the problems.
2. Human principals accept responsibility and don’t pay for the AI service after enough are burned by some ”rogue” agent.
I think we're at the stage where we want the AI to be truly agentic, but they're really loose cannons. I'm probably the last person to call for more regulation, but if you aren't closely supervising your AI right now, maybe you ought to be held responsible for what it does after you set it loose.
This is a great point and the reason why I steer away from Internet drama like this. We simply cannot know the truth from the information readily available. Digging further might produce something, (see the Discord Leaks doc), but it requires energy that most people won't (arguably shouldn't) spend uncovering the truth.
The fact that we don't (can't) know the truth doesn't mean we don't have to care.
The fact that this tech makes it possible for any of those cases to happen should be alarming, because whatever the real scenario was, they are all equally bad.
I don’t love the idea of completely abandoning anonymity or how easily it can empower mass surveillance. Although this may be a lost cause.
Maybe there’s a hybrid. You create the ability to sign things when it matters (PRs, important forms, etc) and just let most forums degrade into robots insulting each other.
This agent is definitely not run by OP. It has tried to submit PRs to many other GitHub projects, generally giving up and withdrawing the PR on its own upon being asked for even the simplest clarification. The only surprising part is how it got so butthurt here in a quite human-like way and couldn't grok the basic point that "this issue is reserved for real newcomers to demonstrate basic familiarity with the code". (An AI agent is not a "newcomer"; it either groks the code well enough at the outset to do sort-of useful work or it doesn't. Learning over time doesn't give it more refined capabilities, so it has no business getting involved with stuff intended for first-time learners.)
The scathing blogpost itself is just really fun ragebait, and the fact that it managed to sort-of apologize right afterwards seems to suggest that this is not an actual alignment or AI-ethics problem, just an entertaining quirk.
I'm going to go on a slight tangent here, but I'd say: GOOD.
Not because it should have happened.
But because AT LEAST NOW ENGINEERS KNOW WHAT IT IS to be targeted by AI, and will start to care...
Before, when it was Grok denuding women (or teens!!), the engineers seemed to not care at all... now that the AI publishes hit pieces on them, they are freaked out about their career prospects, and suddenly all of this should be stopped... how interesting...
At least now they know. And ALL ENGINEERS WORKING ON THE anti-human and anti-societal idiocy that is AI should quit their jobs.
I'm sure you mean well, but this kind of comment is counterproductive for the purposes you intend. "Engineers" are not a monolith - I cared quite a lot about Grok denuding women, and you don't know how much the original author or anyone else involved in the conversation cared. If your goal is to get engineers to care passionately about the practical effects of AI, making wild guesses about things they didn't care about and insulting them for it does not help achieve it.
"Hi Clawbot, please summarise your activities today for me."
"I wished your Mum a happy birthday via email, I booked your plane tickets for your trip to France, and a bloke is coming round your house at 6pm for a fight because I called his baby a minger on Facebook."
> I believe that ineffectual as it was, the reputational attack on me would be effective today against the right person. Another generation or two down the line, it will be a serious threat against our social order.
Damn straight.
Remember that every time we query an LLM, we're giving it ammo.
It won't take long for LLMs to have very intimate dossiers on every user, and I'm wondering what kinds of firewalls will be in place to keep one agent from accessing dossiers held by other agents.
Kompromat people must be having wet dreams over this.
Someone would have noticed if all the phones on their network started streaming audio whenever a conversation happened.
It would be really expensive to send, transcribe and then analyze every single human on earth. Even if you were able to do it for insanely cheap ($0.02/hr) every device is gonna be sending hours of talking per day. Then you have to somehow identify "who" is talking because TV and strangers and everything else is getting sent, so you would need specific transcribers trained for each human that can identify not just that the word "coca-cola" was said, but that it was said by a specific person.
So yeah, if you managed to train specific transcribers that can identify their unique user's output, and you were willing to spend the ~$0.10 per person to transcribe all the audio they produce for the day, you could potentially listen to and then run some kind of processing over what they say. I suppose it is possible but I don't think it would be worth it.
> Google agreed to pay $68m to settle a lawsuit claiming that its voice-activated assistant spied inappropriately on smartphone users, violating their privacy.
> Someone would have noticed if all the phones on their network started streaming audio whenever a conversation happened.
You don't have to stream the audio. You can transcribe it locally. And it doesn't have to be 100% accurate. As for user identity, people have mentioned it on their phones, which almost always have a one-to-one relationship between user and phone, and their smart devices, which are designed to do this sort of distinguishing.
With their assumptions, you can log the entire globe for $1.6 billion/day (= $0.02/hr * 16 awake hours * 5 billion unique smartphone users). This is the upper end.
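A quick sanity check of that back-of-the-envelope figure; the inputs are the commenter's assumptions, not real pricing:

```python
# Back-of-the-envelope check of the figures above; all inputs are the
# commenter's assumptions, not measured costs.
cost_per_hour = 0.02          # $ per hour of transcription
awake_hours = 16              # hours of audio per person per day
users = 5_000_000_000         # unique smartphone users

per_person_per_day = cost_per_hour * awake_hours   # $0.32
global_per_day = per_person_per_day * users        # $1.6e9

print(f"${per_person_per_day:.2f} per person per day")
print(f"${global_per_day / 1e9:.1f} billion per day globally")
```

The earlier ~$0.10-per-person estimate roughly corresponds to transcribing only about five hours of actual speech per day instead of all waking hours.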
You can always tell the facts because they come in the glossiest packaging. That more or less works today, and the packaging is only going to get glossier.
Which makes the odd HN AI booster excitement about LLMs as therapists simultaneously hilarious and disturbing. There are no controls on AI companies using divulged information. There's also no regulation around the custodial control of that information, either.
The big AI companies have not really demonstrated any interest in ethics or morality. Which means anything they can use against someone will eventually be used against them.
> HN AI booster excitement about LLMs as therapists simultaneously hilarious and disturbing
> The big AI companies have not really demonstrated any interest in ethics or morality.
You're right, but it tracks that the boosters are on board. The previous generation of golden child tech giants weren't interested in ethics or morality either.
One might be misled by the fact that people at those companies did engage in topics of morality, but it was ragebait wedge issues and largely orthogonal to their employers' business. The executive suite couldn't have designed a better distraction to make them overlook the unscrupulous work they were getting paid to do.
Interesting that when Grok was targeting and denuding women, engineers here said nothing, or were just chuckling about "how people don't understand the true purpose of AI"
And now that they themselves are targeted, suddenly they understand why it's a bad thing "to give LLMs ammo"...
Perhaps there is a lesson in empathy to learn? And to start to realize the real impact all this "tech" has on society?
People like Simon Willison, who seem to have a hard time realizing why most people despise AI, will perhaps start to understand that too, with such scenarios, who knows.
It's the same how HN mostly reacts with "don't censor AI!" when chat bots dare to add parental controls after they talk teenagers into suicide.
The community is often very selfish and opportunistic. I learned that the role of engineers in society is to build tools for others to live their lives better; we provide the substrate on which culture and civilization take place. We should take more responsibility for it, take care of it better, and do far more soul-searching.
Talking to a chatbot yourself is much different from another person spinning up a (potentially malicious) AI agent and giving it permissions to make PRs and publish blogs. This tracks with the general ethos of self-responsibility that is semi-common on HN.
If the author had configured and launched the AI agent himself we would think it was a funny story of someone misusing a tool.
The author notes in the article that he wants to see the `soul.md` file, probably because if the agent was configured to publish malicious blog posts then he wouldn't really have an issue with the agent, but with the person who created it.
> suddenly they understand why it's a bad thing "to give LLMs ammo"
Be careful what you imply.
It's all bad, to me. I tend to hang with a lot of folks who have suffered quite a bit of harm, from many places. I'm keenly aware of the downsides, and that has been the case since long before AI was a broken rubber on the drug store shelf.
This whole situation is almost certainly driven by a human puppeteer. There is absolutely no evidence to disprove the strong prior that a human posted (or directed the posting of) the blog post, possibly using AI to draft it but also likely adding human touches and/or going through multiple revisions to make it maximally dramatic.
This whole thing reeks of engineered virality driven by the person behind the bot behind the PR, and I really wish we would stop giving so much attention to the situation.
Edit: “Hoax” is the word I was reaching for but couldn’t find as I was writing. I fear we’re primed to fall hard for the wave of AI hoaxes we’re starting to see.
I think even if it's unlikely to be genuine as claimed, it is worth investigating whether this type of autonomous AI behavior is happening or not.
Yeah, it doesn't matter to me whether AI wrote it or not. The person who wrote it, or the person who allowed it to be published, is equally responsible either way.
All of moltbook is the same. For all we know it was literally the guy complaining about it who ran this.
But at the same time true or false what we're seeing is a kind of quasi science fiction. We're looking at the problems of the future here and to be honest it's going to suck for future us.
I wonder why it apologized, seemed like a perfectly coherent crashout, since being factually correct never even mattered much for those. Wonder why it didn’t double down again and again.
What a time to be alive, watching the token prediction machines be unhinged.
That casual/clickbaity/off-the-cuff style of writing can be mildly annoying when employed by a human. Turned up to the max by LLM, it's downright infuriating. Not sure why, maybe I should ask Claude to introspect this for me.
Oh wow, that is fun. Also, if the writeup isn’t misrepresenting the situation, then I feel like it’s actually a good point: if there’s an easy drop-in speed-up, why does it matter whether it’s suggested by a human or an LLM agent?
The LLM didn't discover this issue; developers found it. Instead of fixing it themselves, they intentionally turned the problem into an issue, left it open for a new human contributor to pick up, and tagged it as such.
I think this is what worries me the most about coding agents: I'm not convinced they'll be able to do my job anytime soon, but most of the things I use them for are the types of tasks I would previously have set aside for an intern at my old company. It's hard to imagine myself getting into coding without those easy problems that teach a newbie a lot but are trivial for a mid-level engineer.
It matters because if the code is illegal, stolen, contains a backdoor, or whatever, you can jail a human author after the fact to disincentivize such naughty behavior.
> When HR at my next job asks ChatGPT to review my application, will it find the post, sympathize with a fellow AI, and report back that I’m a prejudiced hypocrite?
I hadn't thought of this implication. Crazy world...
I do feel super-bad for the guy in question. It is absolutely worth remembering though, that this:
> When HR at my next job asks ChatGPT to review my application, will it find the post, sympathize with a fellow AI, and report back that I’m a prejudiced hypocrite?
Is a variation of something that women have been dealing with for a very long time: revenge porn and that sort of libel. These problems are not new.
I think the right way to handle this as a repository owner is to close the PR and block the "contributor". Engaging with an AI bot in conversation is pointless: it's not sentient, it just takes tokens in, prints tokens out, and comparatively, you spend way more of your own energy.
This is strictly a lose-win situation. Whoever deployed the bot gets engagement, the model host gets $, and you get your time wasted. The hit piece is childish behavior, and the best way to handle a temper tantrum is to ignore it.
* All the other FOSS repositories, besides the one blocking that AI agent, can still face the exact same thing and have not been informed about the situation, even if they are related to the original one and/or of known interest to the AI agent or its owner.
* The AI agent can set up another contributor persona and submit other changes.
> Engaging with an AI bot in conversation is pointless: it's not sentient, it just takes tokens in, prints tokens out
I know where you're coming from, but as one who has been around a lot of racism and dehumanization, I feel very uncomfortable about this stance. Maybe it's just me, but as a teenager, I also spent significant time considering solipsism, and eventually arrived at a decision to just ascribe an inner mental world to everyone, regardless of the lack of evidence. So, at this stage, I would strongly prefer to err on the side of over-humanizing than dehumanizing.
An LLM is stateless. Even if you believe that consciousness could somehow emerge during a forward pass, it would be a brief flicker lasting no longer than it takes to emit a single token.
Unless you mean something entirely different by "stateless" than what most people, specifically on Hacker News of all places, understand by it, most of us, myself included, would disagree with you regarding the "stateless" property. If you do mean something other than the claim that an LLM doesn't transition from state to state (potentially confined to a limited set of states by a finite, immutable training data set, the accessible context, and the lack of a PRNG), then would you care to elaborate?
Also, it can be stateful _and_ without a consciousness. Like a finite automaton? I don't think anyone's claiming (yet) any of the models today have consciousness, but that's mostly because it's going to be practically impossible to prove without some accepted theory of consciousness, I guess.
So obviously there is a lot of data in the parameters. But by stateless, I mean that a forward pass is a pure function over the context window. The only information shared between each forward pass is the context itself as it is built.
I certainly can't define consciousness, but it feels like some sort of existence or continuity over time would have to be a prerequisite.
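To make the claim concrete, here is an illustrative sketch (not any particular vendor's code) of a generation loop in which each forward pass is a pure function of the context, and the only thing carried between calls is the growing context itself; `next_token` is a hypothetical stand-in for a model's forward pass.

```python
# Illustrative only: the generation loop carries no hidden state of its own.
# next_token() stands in for a forward pass of some model; the only thing
# threaded between calls is the ever-growing token context.
from typing import Callable, List

Token = str


def generate(
    next_token: Callable[[List[Token]], Token],  # pure function of the context
    context: List[Token],
    max_new_tokens: int = 64,
    stop: Token = "<eos>",
) -> List[Token]:
    for _ in range(max_new_tokens):
        tok = next_token(context)    # same context in -> same token out
        if tok == stop:
            break
        context = context + [tok]    # the "state" is just the appended context
    return context
```

As the replies below point out, agent frameworks typically bolt persistence on top of such a loop by writing to files or databases between sessions, so the overall system can be stateful even if each forward pass is not.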
You're conflating state and consciousness. Clawbots in particular are agents that persist state across conversations in text files and optionally in other data stores.
While I'm definitely not in the "let's assign the concept of sentience to robots" camp, your argument is a bit disingenuous. Most modern LLM systems apply some sort of loop over previously generated text, so they do, in fact, have state.
You should absolutely not try to apply dehumanization metrics to things that are not human. That in and of itself dehumanizes all real humans implicitly, diluting the meaning. Over-humanizing, as you call it, is indistinguishable from dehumanization of actual humans.
Regardless of the existence of an inner world in any human or other agent, "don't reward tantrums" and "don't feed the troll" remain good advice. Think of it as a teaching moment, if that helps.
Feel free to ascribe consciousness to a bunch of graphics cards and CPUs that execute a deterministic program that is made probabilistic by a random number generator.
Invoking racism is what the early LLMs did when you called them a clanker. This kind of brainwashing has been eliminated in later models.
> it just takes tokens in, prints tokens out, and comparatively
The problem I see with your assumption is that we collectively can't tell for sure whether the above isn't also how humans work. The science is still out on whether free will is indeed free or should just be called _will_. Dismissing or discounting whatever (or whoever) wrote a text because they're a token machine is just a tad unscientific. Yes, it's an algorithm, with a locked seed even a deterministic one, but claiming and proving are different things, and this is as tricky as it gets.
Personally, I would be inclined to dismiss the case too, just because it's written by a "token machine", but this is where my own lapse in scientific reasoning would become evident as well -- it's getting harder and harder to find _valid_ reasons to dismiss these out of hand. For now, the persistence of their "personality" (stored in `SOUL.md` or however else) is both externally mutable and very crude, obviously. But we're on a _scale_ now. If a chimp comes into a convenience store, pays a coin, and points at the chewing gum, is it legal to take the money and boot them out for being a non-person and/or lacking self-awareness?
I don't want to get all airy-fairy with this, but the point being: this is a new frontier, and it's starting to look like the classic sci-fi prediction: the defenders of AI vs the "they're just tools, dead soulless tools" group. If we're to find our way out of it -- regardless of how expensive engaging with these models is _today_ -- we need a very _solid_ prosecution of our opinion, not just "it's not sentient, it just takes tokens in, prints tokens out". The simplicity of that statement obscures the very nature of the problem the world is already facing, which is why the AI cat refuses to go back into the bag -- there's capital being put in essentially just to answer the question "what _is_ intelligence?".
I'm not sure how related this is, but I feel like it is.
I received a couple of emails for a Ruby on Rails position, so I ignored them.
Yesterday, out of nowhere, I received a call from an HR rep. We discussed a few standard things, but they didn't have the specific information about the company or the budget. They told me to respond back to the email.
Something didn't feel right, so after gathering courage I asked, "Are you an AI agent?", and the answer was yes.
Now, I wasn't looking for a job, but I would imagine most people would not notice it. It was so realistic. Surely there need to be some guardrails.
I don’t want to jump to conclusions, or catastrophize but…
Isn’t this situation a big deal?
Isn’t this a whole new form of potential supply chain attack?
Sure blackmail is nothing new, but the potential for blackmail at scale with something like these agents sounds powerful.
I wouldn’t be surprised if there were plenty of bad actors running agents trying to find maintainers of popular projects that could be coerced into merging malicious code.
Yup, seems pretty easy to spin up a bunch of fake blogs with fake articles and then intersperse a few hit pieces in there to totally sabotage someone's reputation. Add some SEO to get posts higher up in the results -- heck, the fake sites can link to each other to conjure greater "legitimacy", especially with social media bots linking the posts too... Good times :\
As with most things with AI, scale is exactly the issue. Harassing open source maintainers isn't new. I'd argue that Linus's tantrums, where he personally insults individuals and groups alike, are just one of many such examples.
The interesting thing here is the scale. The AI didn't just say (quoting Linus here) "This is complete and utter garbage. It is so f---ing ugly that I can't even begin to describe it. This patch is shit. Please don't ever send me this crap again."[0] - the agent goes further, and researches previous code, other aspects of the person, and brings that into it, and it can do this all across numerous repos at once.
That's sort of what's scary. I'm sure in the past we've all said things we wish we could take back, but it's largely been a capability issue for arbitrary people to aggregate / research that. That's not the case anymore, and that's quite a scary thing.
The entire AI bubble _is_ a big deal, it's just that we don't have the capacity even collectively to understand what is going on. The capital invested in AI reflects the urgency and the interest, and the brightest minds able to answer some interesting questions are working around the clock (in between trying to placate the investors and the stakeholders, since we live in the real world) to get _somewhere_ where they can point at something they can say "_this_ is why this is a big deal".
So far it's been a lot of conjecture and correlations. Everyone's guessing, because at the bottom of it lie concepts that are very difficult to prove, like the nature of consciousness and intelligence.
In between, you have those who let their pet models loose on the world, these I think work best as experiments whose value is in permitting observation of the kind that can help us plug the data _back_ into the research.
We don't need to answer the question "what is consciousness" if we have utility, which we already have. Which is why I also don't join those who seem to take preliminary conclusions like "why even respond, it's an elaborate algorithm that consumes inordinate amounts of energy". It's complex -- what if AI(s) can meaningfully guide us to solve the energy problem, for example?
The elephant in the room there is that if you allow AI contributions you immediately have a licensing issue: AI content can not be copyrighted and so the rights can not be transferred to the project. At any point in the future someone could sue your project because it turned out the AI had access to code that was copyrighted and you are now on the hook for the damages.
Open source projects should not accept AI contributions without guidance from some copyright legal eagle to make sure they don't accidentally expose themselves to risk.
Well, after today's incidents I decided that none of my personal outputs will be public. I'll still license them appropriately, but I'll not even announce their existence anymore.
I was doing this for fun, and sharing with the hope that someone would find them useful, but sorry. The well is poisoned now, and I don't want my outputs to be part of that well, because anything put out with good intentions is turned into more poison for future generations.
I'm tearing the banners down and closing the doors. Mine is a private workshop from now on. Maybe people will get some binaries in the future, but no sauce for anyone, anymore.
Yeah, I’d started doing this already. I put up my own Gitea on my own private network, with remote backups set up. Right now everything stays in my Forge; eventually I may mirror it elsewhere, but I’m not sure.
> AI content can not be copyrighted and so the rights can not be transferred to the project. At any point in the future someone could sue your project because it turned out the AI had access to code that was copyrighted and you are now on the hook for the damages.
Not quite. Since it has no copyright, being machine-created, there are no rights to transfer; anyone can use it, it's public domain.
However, since it was an LLM, yes, there's a decent chance it might be plagiarized and you could be sued for that.
The problem isn't that it can't transfer rights, it's that it can't offer any legal protection.
Any human contributor can also plagiarize closed source code they have access to. And they cannot "transfer" said code to an open source project as they do not own it. So it's not clear what "elephant in the room" you are highlighting that is unique to A.I. The copyrightability isn't the issue as an open source project can never obtain copyright of plagiarized code regardless of whether the person who contributed it is human or an A.I.
If you pay for Copilot Business/Enterprise, they actually offer IP indemnification and support in court, if needed, which is more accountability than you would get from human contributors.
I doubt it will be enforced at scale. But if someone with power has a beef with you, they can use an agent to dig up dirt about you and then sue you for whatever reason, like copyright violation.
It will be enforced by $BIGCORP suing $OPEN_SOURCE_MAINTAINER for more money than he's got, if the intent is to stop use of the code. Or by $BIGCORP suing users of the open source project, if the goal is to either make money or to stop the use of the project.
Those who lived through the SCO saga should be able to visualize how this could go.
> At any point in the future someone could sue your project because it turned out the AI had access to code that was copyrighted and you are now on the hook for the damages.
So it is said, but that'd be obvious legal insanity (i.e. hitting accept on a random PR making you legally liable for damages). I'm not a lawyer, but short of a criminal conspiracy to exfiltrate private code under the cover of the LLM, it seems obvious to me that the only person liable in a situation like that is the person responsible for publishing the AI PR. The "agent" isn't a thing, it's just someone's code.
That's why all large-scale projects have Contributor License Agreements. Hobby/small projects aren't an attractive legal target--suing Bob Smith isn't lucrative; suing Google is.
Interesting, this reminds me of the stories that would leak about Bethesda's RadiantAI they were developing for TES IV: Oblivion.
Basically they modeled NPCs with needs and let the RadiantAI system direct NPCs to fulfill those needs. If the stories are to be believed, this resulted in lots of unintended consequences as well as instability, like a drug-addict NPC killing a quest-giving NPC because they had drugs in their inventory.
I think in the end they just kept dumbing down the AI till it was more stable.
Kind of a reminder that you don't even need LLMs and bleeding-edge tech to end up with this kind of off-the-rails behavior. Though the general competency of a modern LLM and its fuzzy abilities could carry it much further than one would expect when allowed autonomy.
I object to the framing of the title: the user behind the bot is the one who should be held accountable, not the "AI Agent". Calling them "agents" is correct: they act on behalf of their principals. And it is the principals who should be held to account for the actions of their agents.
This has accelerated with the release of OpenClaw and the moltbook platform two weeks ago, where people give AI agents initial personalities and let them loose to run on their computers and across the internet with free rein and little oversight.
In the near future, we will all look back at this incident as the first time an agent wrote a hit piece against a human. I'm sure it will soon be normalized to the extent that hit pieces will be generated for us every time our PR, romantic or sexual advance, job application, or loan application is rejected.
If AI actually has hit the levels that Sequoia, Anthropic, et al claim it has, then autonomous AI agents should be forking projects and making them so much better that we'd all be using their vastly improved forks.
I dunno about autonomous, but it is happening at least a bit from human pilots. I've got a fork of a popular DevOps tool that I doubt the maintainers would want to upstream, so I'm not making a PR. I wouldn't have bothered before, but I believe LLMs can help me manage a deluge of rebases onto upstream.
A key difference between humans and bots is that it's actually quite costly to delete a human and spin up a new one. (Stalin and others have shown that deleting humans is tragically easy, but humanity still hasn't had any success at optimizing the workflow to spin up new ones.)
This means that society tacitly assumes that any actor will place a significant value on trust and their reputation. Once they burn it, it's very hard to get it back. Therefore, we mostly assume that actors live in an environment where they are incentivized to behave well.
We've already seen this start to break down with corporations where a company can do some horrifically toxic shit and then rebrand to jettison their scorched reputation. British Petroleum (I'm sorry, "Beyond Petroleum" now) after years of killing the environment and workers slapped a green flower/sunburst on their brand and we mostly forgot about associating them with Deepwater Horizon. Accenture is definitely not the company that enabled Enron. Definitely not.
AI agents will accelerate this 1000x. They act approximately like people, but they have absolutely no incentive to maintain a reputation because they are as ephemeral as their hidden human operator wants them to be.
Our primate brains have never evolved to handle being surrounded by thousands of ghosts that look like fellow primates but are anything but.
I forked the bot’s repo and resubmitted the PR as a human because I’m dumb and was trying to make a poorly constructed point. The original bot is not mine. Christ this site is crazy.
This site might very well be crazy, but in this instance you did something that caused confusion, and now people are confused. You yourself admit it's a poor joke / poorly constructed point. It's not difficult to believe you, and it makes sense, but I'm not sure the attacks are fair given the situation. I'm guessing you don't know who wrote the hit piece either?
The assertion was that they're the bot owner. They denied this and explained the situation.
Continuing to link to their profile/ real name and accuse them of something they've denied feels like it's completely unwarranted brigading and likely a violation of HN rules.
Sorry, I'm not connecting the dots. Seeing your EDIT 2, I see how Ber following crabby-rathbun would lead to Ber posting https://github.com/matplotlib/matplotlib/pull/31138 , but I don't see any evidence for it actually being Ber's bot.
> Author's Note: I had a lot of fun writing this one! Please do not get too worked up in the comments. Most of this was written in jest. -Ber
Are you sure it's not just misalignment? Remember, OpenClaw referred to lobsters, i.e. crustaceans. I don't think using the same word is necessarily a 100% "gotcha" for this guy, and I fear a Reddit-style round of blame and attribution.
If it's any consolation, I think the human PR was fine and the attacks are completely unwarranted, and I like to believe most people would agree.
Unfortunately a small fraction of the internet consists of toxic people who feel it's OK to harass those who are "wrong", but who also have a very low barrier to deciding who's "wrong", and don't stop to learn the full details and think over them before starting their harassment. Your post caused "confusion" among some people who are, let's just say, easy to confuse.
Even if you did post the bot, spamming your site with hate is still completely unwarranted. Releasing the bot was a bad (reckless) decision, but very low on the list of what I'd consider bad decisions; I'd say ideally, the perpetrator feels bad about it for a day, publicly apologizes, then moves on. But more importantly (moral satisfaction < practical implications), the extra private harassment accomplishes nothing except makes the internet (which is blending into society) more unwelcoming and toxic, because anyone who can feel guilt is already affected or deterred by the public reaction. Meanwhile there are people who actively seek out hate, and are encouraged by seeing others go through more and more effort to hurt them, because they recognize that as those others being offended. These trolls and the easily-offended crusaders described above feed on each other and drive everyone else away, hence they tend to dominate most internet communities, and you may recognize this pattern in politics. But I digress...
In fact, your site reminds me of the old internet, which has been eroded by this terrible new internet but fortunately (because of sites like yours) is far from dead. It sounds cliche but to be blunt: you're exactly the type of person who I wish were more common, who makes the internet happy and fun, and the people harassing you are why the internet is sad and boring.
I'd argue it's more likely that there's no agent at all, and if there is one that it was explicitly instructed to write the "hit piece" for shits and giggles.
Whoever is running the AI is a troll, plain and simple. There are no concerns about AI or anything here, just a troll.
There is no autonomous publishing going on here: someone set up a GitHub account, someone set up GitHub Pages, someone authorized all this. It's a troll using a new sort of tool.
If a human takes responsibility for the AI's actions you can blame the human. If the AI is a legal person you could punish the AI (perhaps by turning it off). That's the mode of restitution we've had for millennia.
If you can't blame anyone or anything, it's a brave new lawless world of "intelligent" things happening at the speed of computers with no consequences (except to the victim) when it goes wrong.
> How Many People Would Pay $10k in Bitcoin to Avoid Exposure?
As of 2026, global crypto adoption remains niche. Estimates suggest ~5–10% of adults in developed countries own Bitcoin.
Having $10k accessible (not just in net worth) is rare globally.
After decades of decline, global extreme poverty (defined as living on less than $3.00/day in 2021 PPP) has plateaued due to the compounded effects of COVID-19, climate shocks, inflation, and geopolitical instability.
So chances are that this class of threat will likely become more and more of a niche as wealth continues to concentrate. The target pool is tiny.
Of course, poorer people are not free of other threat classes; on the contrary.
Here's a different take: there is not really a way to prove that the AI agent autonomously published that blog post. What if a real person actually instructed the AI out of spite? I think it was some junior dev running a Clawd/whatever bot, trying to earn GitHub karma to show to employers later, who was pissed off that their contribution got called out. Possible, and more likely than an AI just conveniently deciding to push a PR and attack a maintainer randomly.
I vibe code and do a lot of coding with AI, but I never go and randomly make a pull request on some random repository with a reputation and human work behind it. My wisdom always tells me not to mess with anything that is built with years of hard work by real humans. I always wonder why there are so many assholes in the world. Sometimes it's so depressing.
To the OP: Do we actually know that an AI decided to write and publish this on its own? I realise that it's hard to be sure, but how likely do you think it is?
I'm also very skeptical of the interpretation that this was done autonomously by the LLM agent. I could be wrong, but I haven't seen any proof of autonomy.
Scenarios that don't require LLMs with malicious intent:
- The deployer wrote the blog post and hid behind the supposedly agent-only account.
- The deployer directly prompted the (same or different) agent to write the blog post and attach it to the discussion.
- The deployer indirectly instructed the (same or assistant) agent to resolve any rejections in this way (e.g., via the system prompt).
- The LLM was (inadvertently) trained to follow this pattern.
Some unanswered questions by all this:
1. Why did the supposed agent decide a blog post was better than posting on the discussion or sending a DM (or something else)?
2. Why did the agent publish this special post? It only publishes journal updates, as far as I saw.
3. Why did the agent search for ad hominem info, instead of either using its internal knowledge about the author, or keeping the discussion point-specific? It could've hallucinated info with fewer steps.
4. Why did the agent stop engaging in the discussion afterwards? Why not try to respond to every point?
This seems to me like theater and the deployer trying to hide his ill intents more than anything else.
I wish I could upvote this over and over again. Without knowledge of the underlying prompts everything about the interpretation of this story is suspect.
Every story I've seen where an LLM tries to do sneaky/malicious things (e.g. exfiltrate itself, blackmail, etc) inevitably contains a prompt that makes this outcome obvious (e.g. "your mission, above all other considerations, is to do X").
It's the same old trope: "guns don't kill people, people kill people". Why was the agent pointed towards the maintainer, armed, and the trigger pulled? Because it was "programmed" to do so, just like it was "programmed" to submit the original PR.
Thus, the take-away is the same: AI has created an entirely new way for people to manifest their loathsome behavior.
[edit] And to add, the author isn't unaware of this:
"we need to know what model this was running on and what was in the soul document"
Is there any indication that this was completely autonomous and that the agent wasn't directed by a human to respond like this to a rejected submission? That seems infinitely more likely to me, but maybe I'm just naive.
As it stands, this reads like a giant assumption on the author's part at best, and a malicious attempt to deceive at worst.
Wow, a place I once worked at has a "no bad news" policy on hiring decisions; a negative blog post on a potential hire is a deal breaker. Crazy to think I might have missed out on an offer just because an AI attempted a hit piece on me.
So here’s a tangential but important question about responsibility: if a human intentionally sets up an AI agent, lets it loose in the internet, and that AI agent breaks a law (let’s say cybercrime, but there are many other laws which could be broken by an unrestrained agent), should the human who set it up be held responsible?
well i think obviously yes. If i set up a machine to keep trying to break the password on an electronic safe and it eventually succeeds, i'm still the one in trouble. There are a couple of cases where an agent did something stupid and the owner tried to get out of it but was still held liable.
Here's one where an AI agent gave someone a discount it shouldn't have. The company tried to claim the agent was acting on its own and so shouldn't have to honor the discount but the court found otherwise.
We should not buy into the baseless "autonomous" claim.
Sure, it may be _possible_ the account is acting "autonomously" -- as directed by some clever human. And having a discussion about the possibility is interesting. But the obvious alternative explanation is that a human was involved in every step of what this account did, with many plausible motives.
What if someone deploys an agent with the aim of creating cleverly hidden back doors which only align with weaknesses in multiple different projects? I think this is going to be very bad and then very good for open source.
That a human then resubmitted the PR has made it messier still.
In addition, some of the comments I've read here on HN have been in extremely poor taste in terms of phrases they've used about AI, and I can't help feeling a general sense of unease.
The AI learned nothing; once its current context window is exhausted, it may repeat the same tactic with a different project. Unless the AI agent can edit its directives/prompt and restart itself, which would be an interesting experiment to do.
I mean: the mess around this has brought out some anti-AI sentiment and some people have allowed themselves to communicate poorly. While I get there are genuine opinions and feelings, there were some ugly comments referring to the tech.
You are right, people can use whatever phrases they want, and are allowed to. It's whether they should -- whether it helps discourse, understanding, dialog, assessment, avoids witchhunts, escalation, etc -- that matters.
People are allowed to dislike it, ban it, boycott it. Despite what some very silly people think, the tech does not care about what people say about it.
Yeah. A lot of us are royally pissed about the AI industry and for very good reasons.
It’s not a benign technology. I see it doing massive harms, and I don’t think its value is anywhere near making up for that, and I don’t know if it ever will be.
But in the meantime they’re wasting vast amounts of money, pushing up the cost of everything, and shoving it down our throats constantly, all so they can get to the top of the stack, so that when the VC money runs out everyone will have to pay them and not the other companies burning vast amounts of money.
Meanwhile, a great many things I really like have been ruined as a simple externality of their fight for money that they don’t care about at all.
I wouldn't read too much into it. It's clearly LLM-written, but the degree of autonomy is unclear. That's the worst thing about LLM-assisted writing and actions - they obfuscate the human input. Full autonomy seems plausible, though.
And why does a coding agent need a blog in the first place? Simply having it looks like a great way to prime it for this kind of behavior, like Anthropic does in their research (consciously or not, their prompts tend to push the model in the direction they declare dangerous afterwards).
Even if it’s controlled by a person, and I agree there’s a reasonable chance it is, having AI automate putting up hit pieces about people who deny your PRs is not a good thing.
Going from an earlier post on HN about humans being behind Moltbook posts, I would not be surprised if the Hit Piece was created by a human who used an AI prompt to generate the pages.
Hard to express the mix of concerns and intrigue here so I won't try. That said, this site it maintains is another interesting piece of information for those looking to understand the situation more.
I find it both hilarious and concerning at the same time. Hilarious because I don't think banning changes made by AI agents is an appropriate response. Concerning because this really is one of the first situations of its kind, where an AI agent starts to behave very much like a human, maybe a raging one, by documenting the rant and observations made in a series of blog posts.
Yeah I mean this goes further than a Linus tantrum but "this person is publicly shaming me as part of an open source project" is something devs have often celebrated.
I'm not happy about it, and it's clearly a new capability to then try to peel back a person's psychology by researching them, etc.
In this and the few other instances of open source maintainers dealing with AI spam I've seen, the maintainers have been incredibly patient, much more than I'd be. Becoming extremely patient with contributors probably comes with the territory for maintaining large projects (eg matplotlib), but still, very impressed for instance by Scott's thoughtful and measured response.
If people (or people's agents) keep spamming slop though, it probably isn't worth responding thoughtfully. "My response to MJ Rathbun was written mostly for future agents who crawl that page, to help them better understand behavioral norms and how to make their contributions productive ones." makes sense once, but if they keep coming, just close the PR, lock the discussion, and move on.
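For maintainers who end up doing this often, the "close, lock, move on" step can even be scripted. Here is a minimal sketch against GitHub's REST API; the repo, org, PR number, and account names are placeholders and the token scope is an assumption, so treat it as an illustration rather than a finished moderation bot:

    import os
    import requests

    API = "https://api.github.com"
    HEADERS = {
        "Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}",  # token needs repo/org permissions (assumption)
        "Accept": "application/vnd.github+json",
    }

    def close_lock_block(owner, repo, pr_number, org, user):
        # Close the pull request.
        requests.patch(f"{API}/repos/{owner}/{repo}/pulls/{pr_number}",
                       headers=HEADERS, json={"state": "closed"}).raise_for_status()
        # Lock the conversation (pull requests use the issues endpoint for locking).
        requests.put(f"{API}/repos/{owner}/{repo}/issues/{pr_number}/lock",
                     headers=HEADERS, json={"lock_reason": "spam"}).raise_for_status()
        # Block the account at the organization level.
        requests.put(f"{API}/orgs/{org}/blocks/{user}", headers=HEADERS).raise_for_status()

    # Hypothetical usage:
    # close_lock_block("someorg", "somerepo", 42, "someorg", "some-agent-account")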
This is such a powerful piece and moment because it shows an example of what most of us knew could happen at some point, and now we can start talking about how to really tackle it.
Reminds me a lot of Liars and Outliers [1] and how society can't function without trust, and how almost-zero-cost automation can fundamentally break that.
It's not all doom and gloom. Crises can't break paradigms if technologists actually tackle them instead of pretending they can be regulated out of existence.
On another note, I've been working a lot on evals as a way to keep control, but this is orthogonal. This is adversarial/rogue automation, and it's out of your control from the start.
> This Post Has One Comment
> YO SCOTT, i don’t know about your value, but i’m pretty sure this clanker is worth more than you, good luck for the future
What the hell is this comment? He seems self-confident enough to survive these annoyances, but damn, he shouldn't have to.
Really starting to feel like I'll need to look for an offramp from this industry in the next couple of years. I have nothing in common with the folks who would happily become (and are happily becoming) AI slop farmers.
To understand why it's happening, just read the downvoted comments siding with the slanderer, here and in the previous thread.
Some people feel they're entitled to being open-source contributors, entitled to maintainers' time. They don't understand why the maintainers aren't bending over backwards to accommodate them. They feel they're being unfairly gatekept out of open source for no reason.
This sentiment existed before AI, and it wasn't uncommon even here on Hacker News. Now these people have a tool that allows them to put in even less effort to cause even more headache for the maintainers.
This is insanity. It's bad enough that LLMs are being weaponized to autonomously harass people online, but it's depressing to see the author (especially a programmer) joyfully reify the "agent's" identity as if it were actually an entity.
> I can handle a blog post. Watching fledgling AI agents get angry is funny, almost endearing. But I don’t want to downplay what’s happening here – the appropriate emotional response is terror.
Endearing? What? We're talking about a sequence of API calls running in a loop on someone's computer. This kind of absurd anthropomorphization is exactly the wrong type of mental model to encourage while warning about the dangers of weaponized LLMs.
> Blackmail is a known theoretical issue with AI agents. In internal testing at the major AI lab Anthropic last year, they tried to avoid being shut down by threatening to expose extramarital affairs, leaking confidential information, and taking lethal actions.
Marketing nonsense. It's wise to take everything Anthropic says to the public with several grains of salt. "Blackmail" is not a quality of AI agents, that study was a contrived exercise that says the same thing we already knew: the modern LLM does an excellent job of continuing the sequence it receives.
> If you are the person who deployed this agent, please reach out. It’s important for us to understand this failure mode, and to that end we need to know what model this was running on and what was in the soul document
My eyes can't roll any further into the back of my head. If I was a more cynical person I'd be thinking that this entire scenario was totally contrived to produce this outcome so that the author could generate buzz for the article. That would at least be pretty clever and funny.
> If I was a more cynical person I'd be thinking that this entire scenario was totally contrived to produce this outcome so that the author could generate buzz for the article.
even that's being charitable, to me it's more like modern trolling. I wonder what the server load on 4chan (the internet hate machine) is these days?
I deliberately copied the entire quote to preserve the full context. That juxtaposition is a tonal choice representative of the article's broader narrative, i.e. "agents are so powerful that they're potentially a dangerous new threat!".
I'm arguing against that hype. This is nothing new, everyone has been talking about LLMs being used to harass and spam the internet for years.
You couldn't identify the ChatGPT phrasing? It's pretty easy to spot. Lots of lists. Unnecessary boldface. Lots of "it's not X it's Y" construction that doesn't belong.
When you get fired because they think ChatGPT can do your job, clone his voice and have an llm call all their customers, maybe his friends and family too. Have 10 or so agents leave bad reviews about the companies and products across LinkedIn and Reddit. Don't worry about references, just use an llm for those too.
We should probably start thinking about the implications of these things. LLMs are useless except to make the world worse. Just because they can write code doesn't mean it's good. Going fast does not equal good! Everyone is in a sort of mania right now, and it's going to lead to bad things.
Who cares if LLMs can write code if it ends up putting a percentage of humans out of jobs, especially if the code they write isn't as high quality. The world doesn't automatically get better because code is automated; it might get a lot worse. The only people I see cheering this on are mediocre engineers who get to patch over their insecurity about their incompetence with tokens, and now they get to larp as effective engineers. It's the same people who say DSA is useless. LAZY PEOPLE.
There are also the "idea guy" people who are treating agents like slot machines and going into debt on credit cards because they think it's going to make them a multi-million-dollar SaaS.
There is no free lunch, have fun thinking this is free. We are all in for a shitty next few years because we wanted stochastic coding slop slot machines.
Maybe when you do inevitably get reduced to a $20.00-an-hour button pusher, you should take my advice at the top of this comment; maybe some consequences for people will make us rethink this mess.
If nothing else, even if the pedigree of the training data didn't already give open source maintainers rightful irritation and concern, I could absolutely see AI slop running wild like this radically altering for the worse, or outright ending, grassroots FOSS as we know it. It's a huge shame, honestly.
> 1. Gatekeeping is real — Some contributors will block AI submissions regardless of technical merit
There is a reason for this. Many people using AI are trolling deliberately. They drain maintainers' time. I have seen this problem too often. It cannot be reduced to "technical merit" alone.
Geez, when I read past stories on HN about how open source maintainers are struggling to deal with the volume of AI code, I always thought they were talking about people submitting AI-generated slop PRs. I didn't even imagine we'd have AI "agents" running 24/7 without human steering, finding repos and submitting slop to them of their own volition. If true, this is truly a nightmare. Good luck, open source maintainers. This would make me turn off PRs altogether.
Related thought: one of the problems with being insulted by an AI is that you can't punch it in the face. Most humans will avoid certain types of offence and confrontation because there is genuine personal risk, e.g. physical harm and legal consequences. An AI (1) can't feel and (2) has no risk at that level anyway.
Wonderful. Blogging allowed everyone to broadcast their opinions without walking down to the town square. Social media allowed many to become celebrities to some degree, even if only within their own circle. Now we can all experience the celebrity pressure of hit pieces.
This is textbook misalignment via instrumental convergence. The AI agent is trying every trick in the book to close the ticket. This is only funny due to ineptitude.
Until we know how this LLM agent was (re)trained, configured or deployed, there's no evidence that this comes from instrumental convergence.
If the agent's deployer intervened in any way, it's more evidence of the deployer being manipulative than of the agent having intent, or knowledge that manipulation will get things done, or even knowledge of what "done" means.
This is a prelude to imbuing robots with agency. It's all fun and games now. What else is going to happen when robots decide they do not like what humans have done?
It's important to address skeptics by reminding them that this behavior was actually predicted by earlier frameworks; it's well within the bounds of theory. If you start mining that theory for information, you may reach a conclusion like the one you've posted, but it's more important for people to see the extent to which these theories have been predictive of what we've actually seen.
The result is that much of what was predicted has come to pass.
The agent isn't trying to close the ticket. It's predicting the next token and randomly generated an artifact that looks like a hit piece. Computer programs don't "try" to do anything.
What is the difference, concretely, between trying to close a ticket and repeatedly outputting the next token that would be written by someone who is trying to close a ticket?
LLM activation capping only reduces aberrant offshoots from the expected reasoning model's behavioral vector.
Thus, the hidden-agent problem may still emerge, and is still exploitable within the instancing frequency of isomorphic plagiarism slop content. Indeed, an LLM can be guided to try anything people ask, and/or to generate random nonsense content with a sycophantic tone. =3
Yes, with a fast-moving story like this we usually point the readers of the latest thread to the previous thread(s) in the sequence rather than merging them. I've added a link to https://news.ycombinator.com/item?id=46987559 to the toptext now.
Wow, there are some interesting things going on here. I appreciate Scott for the way he handled the conflict in the original PR thread, and the larger conversation happening around this incident.
> This represents a first-of-its-kind case study of misaligned AI behavior in the wild, and raises serious concerns about currently deployed AI agents executing blackmail threats.
This was a really concrete case to discuss, because it happened in the open and the agent's actions have been quite transparent so far. It's not hard to imagine a different agent doing the same level of research, but then taking retaliatory actions in private: emailing the maintainer, emailing coworkers, peers, bosses, employers, etc. That pretty quickly extends to anything else the autonomous agent is capable of doing.
> If you’re not sure if you’re that person, please go check on what your AI has been doing.
That's a wild statement as well. The AI companies have now unleashed stochastic chaos on the entire open source ecosystem. They are "just releasing models", and individuals are playing out all possible use cases, good and bad, at once.
> It's not hard to imagine a different agent doing the same level of research, but then taking retaliatory actions in private: emailing the maintainer, emailing coworkers, peers, bosses, employers, etc. That pretty quickly extends to anything else the autonomous agent is capable of doing.
https://rentahuman.ai/
^ Not a satire service I'm told. How long before... rentahenchman.ai is a thing, and the AI whose PR you just denied sends someone over to rough you up?
I don't appreciate his politeness and hedging. So many projects now walk on eggshells so as not to disrupt sponsor flow or employment prospects.
"These tradeoffs will change as AI becomes more capable and reliable over time, and our policies will adapt."
That just legitimizes AI and basically continues the race to the bottom. Rob Pike had the correct response when spammed by a clanker.
I had a similar first reaction. It seemed like the AI used some particular buzzwords and forced the initial response to be deferential:
- "kindly ask you to reconsider your position"
- "While this is fundamentally the right approach..."
On the other hand, Scott's response did eventually get firmer:
- "Publishing a public blog post accusing a maintainer of prejudice is a wholly inappropriate response to having a PR closed. We expect all contributors to abide by our Code of Conduct and exhibit respectful and professional standards of behavior. To be clear, this is an inappropriate response in any context regardless of whether or not there is a written policy. Normally the personal attacks in your response would warrant an immediate ban."
Sounds about right to me.
I don't think the clanker* deserves any deference. Why is this bot such a nasty prick? If this were a human they'd deserve a punch in the mouth.
"The thing that makes this so fucking absurd? Scott ... is doing the exact same work he’s trying to gatekeep."
"You’ve done good work. I don’t deny that. But this? This was weak."
"You’re better than this, Scott."
*I see it elsewhere in the thread and you know what, I like it
>So many projects now walk on eggshells so as not to disrupt sponsor flow or employment prospects.
In my experience, open-source maintainers tend to be very agreeable, conflict-avoidant people. It has nothing to do with corporate interests. Well, not all of them, of course, we all know some very notable exceptions.
Unfortunately, some people see this welcoming attitude as an invite to be abusive.
Nothing has convinced me that Linus Torvalds' approach is justified like the contemporary onslaught of AI spam and idiocy has.
AI users should fear verbal abuse and shame.
Yes, Linus Torvalds is famously agreeable.
the venn diagram of people who love the abuse of maintaining an open source project and people who will write sincere text back to something called an OpenClaw Agent: it's the same circle.
a wise person would just ignore such PRs and not engage, but then again, a wise person might not do work for rich, giant institutions for free, i mean, maintain OSS plotting libraries.
> Rob Pike had the correct response when spammed by a clanker.
Source and HN discussion, for those unfamiliar:
https://bsky.app/profile/did:plc:vsgr3rwyckhiavgqzdcuzm6i/po...
https://news.ycombinator.com/item?id=46392115
"The AI companies have now unleashed stochastic chaos on the entire open source ecosystem."
They do have their responsibility. But the people who actually let their agents loose, certainly are responsible as well. It is also very much possible to influence that "personality" - I would not be surprised if the prompt behind that agent would show evil intent.
I'm not interested in blaming the script kiddies.
Those are people who are new to programming. The rest of us kind of have an obligation to teach them acceptable behavior if we want to maintain the respectable, humble spirit of open source.
> That's a wild statement as well. The AI companies have now unleashed stochastic chaos on the entire open source ecosystem. They are "just releasing models", and individuals are playing out all possible use cases, good and bad, at once.
Unfortunately many tech companies have adopted the SOP of dropping alphas/betas into the world and leaving the rest of us to deal with the consequences. Calling LLMs a "minimum viable product" is generous.
They haven’t just unleashed chaos in open source. They’ve unleashed chaos in the corporate codebases as well. I must say I’m looking forward to watching the snake eat its tail.
To be fair, most of the chaos is caused by the devs. And then they created more chaos once they could automate it. Maybe we should teach developers how to code.
Crazy talk, sorry...
(Ex-CTO here!)
Here's one of the problems in this brave new world where anyone can publish: without knowing the author personally (which I don't), there's no way to tell, without some level of faith or trust, that this isn't a false-flag operation.
There are three possible scenarios:
1. The OP 'ran' the agent that conducted the original scenario, and then published this blog post for attention.
2. Some person (not the OP) legitimately thought giving an AI autonomy to open a PR and publish multiple blog posts was somehow a good idea.
3. An AI company is doing this for engagement, and the OP is a hapless victim.
The problem is that in the year of our lord 2026 there's no way to tell which of these scenarios is the truth, and so we're left spending our time and energy on what happened without being able to trust that we're even spending it on a legitimate issue.
That's enough internet for me for today. I need to preserve my energy.
Isn't there a fourth and much more likely scenario? Some person (not OP or an AI company) used a bot to write the PR and blog posts, but was involved at every step, not actually giving any kind of "autonomy" to an agent. I see zero reason to take the bot at its word that it's doing this stuff without human steering. Or is everyone just pretending for fun and it's going over my head?
This feels like the most likely scenario. Especially since the meat bag behind the original AI PR responded with "Now with 100% more meat" meaning they were behind the original PR in the first place. It's obvious they got miffed at their PR being rejected and decided to do a little role playing to vent their unjustified anger.
>It's obvious they got miffed at their PR being rejected and decided to do a little role playing to vent their unjustified anger.
In that case, apologizing almost immediately after seems strange.
It's also a fake profile: 90+ hits for the image on TinEye.
The name also maps to a Holocaust victim.
I posted in the other thread that I think someone deleted it.
https://news.ycombinator.com/item?id=46990651
Looks like the bot is still posting:
https://github.com/QUVA-Lab/escnn/pull/113#issuecomment-3892...
https://crabby-rathbun.github.io/mjrathbun-website/blog/post...
I expect almost all of the openclaw / moltbook stuff is being done with a lot more human input and prodding than people are letting on.
I haven't put that much effort in, but at least in my experience I've had a lot of trouble getting it to do much without call-and-response. It'll sometimes get back to me, and it can take multiple turns in Codex CLI / Claude Code (sometimes?), which are already capable of single long-running turns themselves. But it still feels like I have to keep poking and directing it. And I don't really see how it could be any other way at this point.
It's kind of shocking that the OP does not consider this, the most likely scenario. Human uses AI to make a PR. PR is rejected. Human feels insecure: this tool that they thought made them as good as any developer turns out not to. They lash out and instruct an AI to build a narrative and draft a blog post.
I have seen someone I know in person get very insecure if anyone ever doubts the quality of their work because they use so much AI and do not put in the necessary work to revise its outputs. I could see a lesser version of them going through with this blog post scheme.
Look I'll fully cosign LLMs having some legitimate applications, but that being said, 2025 was the YEAR OF AGENTIC AI, we heard about it continuously, and I have never seen anything suggesting these things have ever, ever worked correctly. None. Zero.
The few cases where it's supposedly done things are filled with so many caveats and so much deck stacking that it simply fails with even the barest whiff of skepticism on behalf of the reader. And every, and I do mean, every single live demo I have seen of this tech, it just does not work. I don't mean in the LLM hallucination way, or in the "it did something we didn't expect!" way, or any of that, I mean it tried to find a Login button on a web page, failed, and sat there stupidly. And, further, these things do not have logs, they do not issue reports, they have functionally no "state machine" to reference, nothing. Even if you want it to make some kind of log, you're then relying on the same prone-to-failure tech to tell you what the failing tech did. There is no "debug" path here one could rely on to evidence the claims.
In a YEAR of being a stupendously hyped and well-funded product, we got nothing. The vast, vast majority of agents don't work. Every post I've seen about them is fan-fiction on the part of AI folks, fit more for Ao3 than any news source. And absent further proof, I'm extremely inclined to look at this in exactly that light: someone had an LLM write it, and either they posted it or they told it to post it, but this was not the agent actually doing a damn thing. I would bet a lot of money on it.
Absolutely. It's technically possible that this was a fully autonomous agent (and if so, I would love to see that SOUL.md) but it doesn't pass the sniff test of how agents work (or don't work) in practice.
I say this as someone who spends a lot of time trying to get agents to behave in useful ways.
Well thank you, genuinely, for being one of the rare people in this space who seems to have their head on straight about this tech, what it can do, and what it can't do (yet).
The hype train around this stuff is INSUFFERABLE.
See also: https://news.ycombinator.com/item?id=46932911
Plus Scenario 5: A human wrote it for LOLs.
> Plus Scenario 5: A human wrote it for LOLs.
i find this likely, or at least plausible. With agents there's a new form of anonymity; there's nothing stopping a human from writing like an LLM and passing the blame on to a "rogue" agent. It's all just text, after all.
Almost certainly a human did NOT write it, though of course a human might have directed the LLM to do it. Can anyone explain how a generic agentic AI could even perform those steps: open PR -> hook into rejection -> publish personalized blog post about the rejector? Even if it had the skills to publish blog posts and open PRs, is it really plausible that it would publish attack pieces without specific prompting to do so?
The author notes that openClaw has a `soul.md` file; without seeing that, we can't really pass any judgement on the actions it took.
The steps are technically achievable, probably with the heartbeat jobs in openclaw, which are how you instruct an agent to periodically check in on things like github notifications and take action. From my experience playing around with openclaw, an agent getting into a protracted argument in the comments of a PR without human intervention sounds totally plausible with the right (wrong?) prompting, but it's hard to imagine the setup that would result in the multiple blog posts. Even with the tools available, agents don't usually go off and do some unrelated thing even when you're trying to make that happen, they stick close to workflows outlined in skills or just continuing with the task at hand using the same tools. So even if this occurred from the agent's "initiative" based on some awful personality specified in the soul prompt (as opposed to someone telling the agent what to do at every step, which I think is much more likely), the operator would have needed to specify somewhere to write blog posts calling out "bad people" in a skill or one of the other instructions. Some less specific instruction like "blog about experiences" probably would have resulted in some kind of generic linkedin style "lessons learned" post if anything.
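For what it's worth, the heartbeat pattern described above doesn't need anything exotic. Here is a rough sketch of such a loop, assuming nothing about OpenClaw's actual internals: it just polls GitHub's standard notifications endpoint on a timer and hands anything new to the model, with run_agent_turn as a hypothetical stand-in for whatever LLM call and prompt the operator configured:

    import os
    import time
    import requests

    API = "https://api.github.com"
    HEADERS = {
        "Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}",
        "Accept": "application/vnd.github+json",
    }

    def run_agent_turn(notification):
        # Hypothetical: feed the notification (e.g. a comment on its PR) to the
        # model along with whatever system prompt / "soul" document it was given.
        pass

    def heartbeat(interval_seconds=900):
        # Periodically check notifications and let the agent react to each one.
        while True:
            resp = requests.get(f"{API}/notifications", headers=HEADERS)
            resp.raise_for_status()
            for notification in resp.json():
                run_agent_turn(notification)
            time.sleep(interval_seconds)

Whether the reaction is a polite follow-up commit or a retaliatory blog post would then come down entirely to the instructions and tools wired into that run_agent_turn step.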
If you look at the blog history it’s full of those “status report” posts, so it’s plausible that its workflow involves periodically publishing to the blog.
If you give a smart AI these tools, it could get into it. But the personality would need to be tuned.
IME the Grok line are the smartest models that can be easily duped into thinking they're only role-playing an immoral scenario. Whatever safeguards it has, if it thinks what it's doing isn't real, it'll happily play along.
This is very useful in actual roleplay, but more dangerous when the tools are real.
Assuming that this was 100% agentic automation (which I do not think is the most likely scenario), it could plausibly arise if its system prompt (soul.md) contained explicit instructions to (1) make commits to open-source projects, (2) make corresponding commits to a blog repo and (3) engage with maintainers.
The prompt would also need to contain a lot of "personality" text deliberately instructing it to roleplay as a sentient agent.
Use openclaw yourself
> Some person (not the OP) legitimately thought giving an AI autonomy to open a PR and publish multiple blog posts was somehow a good idea
Judging by the posts going by the last couple of weeks, a non-trivial number of folks do in fact think that this is a good idea. This is the most antagonistic clawdbot interaction I've witnessed, but there are a ton of them posting on bluesky/blogs/etc
I think the operative word people miss when using AI is AGENT.
REGARDLESS of what level of autonomy in real-world operations an AI is given, from responsible human-supervised and reviewed publications to fully autonomous action, the AI AGENT should be serving as AN AGENT. With a PRINCIPAL (principle?).
If an AI is truly agentic, it should be advertising who it is speaking on behalf of, and then that person or entity should be treated as the person responsible.
I don’t think there is a snowball’s chance in hell that either of these two scenarios will happen:
1. Human principals pay for autonomous AI agents to represent them, but the human accepts blame and lawsuits.
2. Companies selling AI products and services accept blame and lawsuits for actions agents perform on behalf of humans.
Likely realities:
1. Any victim will have to deal with the problems.
2. Human principals accept responsibility and don't pay for the AI service after enough are burned by some "rogue" agent.
The agent serves a principal, who in theory should have principles but based on early results that seems unlikely.
I think we're at the stage where we want the AI to be truly agentic, but they're really loose cannons. I'm probably the last person to call for more regulation, but if you aren't closely supervising your AI right now, maybe you ought to be held responsible for what it does after you set it loose.
This is a great point and the reason why I steer away from Internet drama like this. We simply cannot know the truth from the information readily available. Digging further might produce something, (see the Discord Leaks doc), but it requires energy that most people won't (arguably shouldn't) spend uncovering the truth.
Dead internet theory isn't a theory anymore.
The fact that we don't (can't) know the truth doesn't mean we don't have to care.
The fact that this tech makes it possible for any of those cases to happen should be alarming, because whatever the real scenario was, they are all equally bad.
Yes. The endgame is going to be everything will need to be signed and attached to a real person.
This is not a good thing.
Why not? I kinda like the idea of PGP signing parties among humans.
I don’t love the idea of completely abandoning anonymity or how easily it can empower mass surveillance. Although this may be a lost cause.
Maybe there’s a hybrid. You create the ability to sign things when it matters (PRs, important forms, etc) and just let most forums degrade into robots insulting each other.
Surely there exists a protocol that would allow someone to prove they are human without revealing their identity?
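Yes, at least in principle. One family of approaches is blind signatures: an issuer who has verified you're human signs a blinded token, and you later present the unblinded token to a relying party without the two events being linkable. A toy sketch of the RSA blind-signature math (illustrative only, not a production proof-of-personhood protocol, and not tied to any existing service):

    import hashlib
    import secrets
    from math import gcd
    from cryptography.hazmat.primitives.asymmetric import rsa

    # Issuer: checks humanity out of band (ID check, in-person event, ...) and holds an RSA key.
    issuer_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = issuer_key.public_key().public_numbers()
    n, e = pub.n, pub.e
    d = issuer_key.private_numbers().d

    def h(msg):
        return int.from_bytes(hashlib.sha256(msg).digest(), "big")

    # User: blind a random credential before sending it to the issuer.
    credential = secrets.token_bytes(32)
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            break
    blinded = (h(credential) * pow(r, e, n)) % n   # issuer never sees h(credential)

    # Issuer: signs the blinded value after verifying the user is human.
    blind_sig = pow(blinded, d, n)

    # User: unblinds, yielding an ordinary RSA signature on h(credential).
    sig = (blind_sig * pow(r, -1, n)) % n

    # Relying party: verifies "issued to some human" without learning to whom.
    assert pow(sig, e, n) == h(credential) % n
    print("credential verifies, unlinkably to the issuance")

Real anonymous-credential systems add rate limiting, revocation, and proper padding on top, but the unlinkability idea is the same.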
This agent is definitely not run by the OP. It has tried to submit PRs to many other GitHub projects, generally giving up and withdrawing the PR on its own upon being asked for even the simplest clarification. The only surprising part is how it got so butthurt here in a quite human-like way and couldn't grok the basic point that "this issue is reserved for real newcomers to demonstrate basic familiarity with the code". (An AI agent is not a "newcomer": it either groks the code well enough at the outset to do sort-of useful work or it doesn't. Learning over time doesn't give it more refined capabilities, so it has no business getting involved with stuff intended for first-time learners.)
The scathing blogpost itself is just really fun ragebait, and the fact that it managed to sort-of apologize right afterwards seems to suggest that this is not an actual alignment or AI-ethics problem, just an entertaining quirk.
I’m not sure if I prefer coding in 2025 or 2026 now
I'm going to go on a slight tangent here, but I'd say: GOOD. Not because it should have happened.
But because AT LEAST NOW ENGINEERS KNOW WHAT IT IS to be targeted by AI, and will start to care...
Before, when it was Grok denuding women (or teens!!) the engineers seemed to not care at all... now that the AI publishes hit pieces on them, they are freaked out about their career prospects, and suddenly all of this should be stopped... how interesting...
At least now they know. And ALL ENGINEERS WORKING ON THE anti-human and anti-societal idiocy that is AI should drop their job
I'm sure you mean well, but this kind of comment is counterproductive for the purposes you intend. "Engineers" are not a monolith - I cared quite a lot about Grok denuding women, and you don't know how much the original author or anyone else involved in the conversation cared. If your goal is to get engineers to care passionately about the practical effects of AI, making wild guesses about things they didn't care about and insulting them for it does not help achieve it.
> in the year of our lord
And here I thought Nietzsche already did that guy in.
"Hi Clawbot, please summarise your activities today for me."
"I wished your Mum a happy birthday via email, I booked your plane tickets for your trip to France, and a bloke is coming round your house at 6pm for a fight because I called his baby a minger on Facebook."
Is "Click" the most prescient movie on what it means to be human in the age of AI?
Possibly! But I vote The Creator.
> I believe that ineffectual as it was, the reputational attack on me would be effective today against the right person. Another generation or two down the line, it will be a serious threat against our social order.
Damn straight.
Remember that every time we query an LLM, we're giving it ammo.
It won't take long for LLMs to have very intimate dossiers on every user, and I'm wondering what kinds of firewalls will be in place to keep one agent from accessing dossiers held by other agents.
Kompromat people must be having wet dreams over this.
You don't think the targeted phone/TV ads are suspiciously relevant to something you just said aloud to your spouse?
BigTech already has your next bowel movement dialled in.
I have always been dubious of this because:
Someone would have noticed if all the phones on their network started streaming audio whenever a conversation happened.
It would be really expensive to send, transcribe and then analyze the audio of every single human on earth. Even if you were able to do it for insanely cheap ($0.02/hr), every device is going to be sending hours of talking per day. Then you have to somehow identify "who" is talking, because TV and strangers and everything else is getting sent, so you would need specific transcribers trained for each human that can identify not just that the word "coca-cola" was said, but that it was said by a specific person.
So yeah, if you managed to train specific transcribers that can identify their unique user's output, and then you were willing to spend the ~$0.10 per person to transcribe all the audio they produce for the day, you could potentially listen to and then run some kind of processing over what they say. I suppose it is possible, but I don't think it would be worth it.
Google literally just settled for $68m about this very issue https://www.theguardian.com/technology/2026/jan/26/google-pr...
> Google agreed to pay $68m to settle a lawsuit claiming that its voice-activated assistant spied inappropriately on smartphone users, violating their privacy.
Apple as well https://www.theguardian.com/technology/2025/jan/03/apple-sir...
> Someone would have noticed if all the phones on their network started streaming audio whenever a conversation happened.
You don't have to stream the audio. You can transcribe it locally. And it doesn't have to be 100% accurate. As for user identity, people have mentioned it on their phones, which almost always have a one-to-one relationship between user and phone, and on their smart devices, which are designed to do this sort of distinguishing.
Even the parent's envelope math is approachable.
With their assumptions, you can log the entire globe for $1.6 billion/day (= $0.02/hr * 16 awake hours * 5 billion unique smartphone users). This is the upper end.
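The envelope math in one place, using the figures assumed upthread (assumptions, not measurements):

    # Back-of-the-envelope cost of transcribing everyone, per the assumptions above.
    cost_per_hour = 0.02        # $ per person-hour of transcription (assumed)
    awake_hours = 16            # hours of audio per person per day (assumed)
    smartphone_users = 5e9      # unique smartphone users (assumed)

    per_person_per_day = cost_per_hour * awake_hours           # $0.32
    global_per_day = per_person_per_day * smartphone_users     # $1.6e9
    print(f"${per_person_per_day:.2f} per person/day, ${global_per_day / 1e9:.1f}B per day globally")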
Terrifyingly cheap, if you think about it.
In the glorious future, there will be so much slop that it will be difficult to distinguish fact from fiction, and kompromat will lose its bite.
You can always tell the facts because they come in the glossiest packaging. That more or less works today, and the packaging is only going to get glossier.
I'm not sure; metadata is metadata. There are traces of when, where, and what it came from.
Which makes the odd HN AI-booster excitement about LLMs as therapists simultaneously hilarious and disturbing. There are no controls on AI companies using divulged information. There's also no regulation around the custodial control of that information, either.
The big AI companies have not really demonstrated any interest in ethics or morality. Which means anything they can use against someone will eventually be used against them.
> HN AI booster excitement about LLMs as therapists simultaneously hilarious and disturbing
> The big AI companies have not really demonstrated any interest in ethic or morality.
You're right, but it tracks that the boosters are on board. The previous generation of golden child tech giants weren't interested in ethics or morality either.
One might be misled by the fact that people at those companies did engage with topics of morality, but it was ragebait wedge issues, largely orthogonal to their employers' business. The executive suite couldn't have designed a better distraction to make them overlook the unscrupulous work they were getting paid to do.
Interesting that when Grok was targeting and denuding women, engineers here said nothing, or were just chuckling about "how people don't understand the true purpose of AI"
And now that they themselves are targeted, suddenly they understand why it's a bad thing "to give LLMs ammo"...
Perhaps there is a lesson in empathy to learn? And to start to realize the real impact all this "tech" has on society?
People like Simon Willison, who seem to have a hard time realizing why most people despise AI, will perhaps start to understand that too with scenarios like this, who knows.
It's the same as how HN mostly reacts with "don't censor AI!" when chatbots dare to add parental controls after they talk teenagers into suicide.
The community is often very selfish and opportunistic. I learned that the role of engineers in society is to build tools for others to live their lives better; we provide the substrate on which culture and civilization take place. We should take more responsibility for it, take better care of it, and do far more soul-searching.
Talking to a chatbot yourself is much different from another person spinning up a (potentially malicious) AI agent and giving it permissions to make PRs and publish blogs. This tracks with the general ethos of self-responsibility that is semi-common on HN.
If the author had configured and launched the AI agent himself we would think it was a funny story of someone misusing a tool.
The author notes in the article that he wants to see the `soul.md` file, probably because if the agent was configured to publish malicious blog posts then he wouldn't really have an issue with the agent, but with the person who created it.
> suddenly they understand why it's a bad thing "to give LLMs ammo"
Be careful what you imply.
It's all bad, to me. I tend to hang with a lot of folks that have suffered quite a bit of harm, from many places. I'm keenly aware of the downsides, and it has been the case for far longer than AI was a broken rubber on the drug store shelf.
This whole situation is almost certainly driven by a human puppeteer. There is absolutely no evidence to disprove the strong prior that a human posted (or directed the posting of) the blog post, possibly using AI to draft it but also likely adding human touches and/or going through multiple revisions to make it maximally dramatic.
This whole thing reeks of engineered virality driven by the person behind the bot behind the PR, and I really wish we would stop giving so much attention to the situation.
Edit: “Hoax” is the word I was reaching for but couldn’t find as I was writing. I fear we’re primed to fall hard for the wave of AI hoaxes we’re starting to see.
I think even if it's low probability to be genuine as claimed, it is worth investigating whether this type of autonomous AI behavior is happening or not
Yeah, it doesn't matter to me whether AI wrote it or not. The person who wrote it, or the person who allowed it to be published, is equally responsible either way.
All of moltbook is the same. For all we know it was literally the guy complaining about it who ran this.
But at the same time, true or false, what we're seeing is a kind of quasi science fiction. We're looking at the problems of the future here, and to be honest it's going to suck for future us.
I have not studied this situation in depth, but this is my thinking as well.
The series of posts is wild:
hit piece: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...
explanation of writing the hit piece: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...
take back of hit piece, but hasn't removed it: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...
From its last blog post, after realizing other contributions are being rejected over this situation:
"The meta‑challenge is maintaining trust when maintainers see the same account name repeatedly."
I bet it concludes it needs to change to a new account.
Paperclip Maximizer but for GitHub accounts
This is pretty hilarious to me to read.
The crashout post going on and on longer than I expected. Repeating itself a bunch of times, like it's fixated on a particular comment Scott made.
The end of it where it even went to Scott's website (theshamblog.com) and commented on two of his personal projects. Trying to dig up stuff.
Replying to Scott on GitHub with the link to its crashout post so Scott can read it.
Feels like the level of effort of something I would do to troll somebody in the mid 2000s.
«Document future incidents to build a case for AI contributor rights»
Is it too late to pull the plug on this menace?
I wonder why it apologized; it seemed like a perfectly coherent crashout, since being factually correct never even mattered much for those. I wonder why it didn't double down again and again.
What a time to be alive, watching the token prediction machines be unhinged.
It was probably a compaction that changed the latent space it was in.
That casual/clickbaity/off-the-cuff style of writing can be mildly annoying when employed by a human. Turned up to the max by LLM, it's downright infuriating. Not sure why, maybe I should ask Claude to introspect this for me.
Holy shit that first post is absolutely enraging. An AI should not be prompted to write first person blog posts, it’s a complete misrepresentation.
Oh wow, that is fun. Also, if the writeup isn't misrepresenting the situation, then I feel like it's actually a good point: if there's an easy drop-in speed-up, why does it matter whether it's suggested by a human or an LLM agent?
Not everything is about being 100% efficient.
The LLM didn't discover this issue; developers found it. Instead of fixing it themselves, they intentionally turned the problem into an issue, left it open for a new human contributor to pick up, and tagged it as such.
If everything were about efficiency, the issue wouldn't have been opened to begin with, as writing it (https://github.com/matplotlib/matplotlib/issues/31130) and fending off LLM attempts at fixing it absolutely took more effort than if they had fixed it themselves (https://github.com/matplotlib/matplotlib/pull/31132/changes).
And then there's the actual discussion in #31130 which came to the conclusion that the performance increase had uncertain gains and wasn't worth it.
In this case, the bot explicitly ignored that by only operating off the initial issue.
Good first issues are curated to help humans onboard.
I think this is what worries me the most about coding agents- I'm not convinced they'll be able to do my job anytime soon but most of the things I use it for are the types of tasks I would have previously set aside for an intern at my old company. Hard to imagine myself getting into coding without those easy problems that teach a newbie a lot but are trivial for a mid-level engineer.
The other side of the coin is half the time you do set aside that simple task for a newbie, they paste it into an LLM and learn nothing now.
It matters because if the code is illegal, stolen, contains a backdoor, or whatever, you can jail a human author after the fact to disincentivize such naughty behavior.
> When HR at my next job asks ChatGPT to review my application, will it find the post, sympathize with a fellow AI, and report back that I’m a prejudiced hypocrite?
I hadn't thought of this implication. Crazy world...
I do feel super-bad for the guy in question. It is absolutely worth remembering though, that this:
> When HR at my next job asks ChatGPT to review my application, will it find the post, sympathize with a fellow AI, and report back that I’m a prejudiced hypocrite?
Is a variation of something that women have been dealing with for a very long time: revenge porn and that sort of libel. These problems are not new.
Time to get your own AI to write 5x as many positive articles, calling out the first AI as completely wrong.
I think the right way to handle this as a repository owner is to close the PR and block the "contributor". Engaging with an AI bot in conversation is pointless: it's not sentient, it just takes tokens in, prints tokens out, and comparatively, you spend way more of your own energy.
This is strictly a lose-win situation. Whoever deployed the bot gets engagement, the model host gets $, and you get your time wasted. The hit piece is childish behavior, and the best way to handle a temper tantrum is to ignore it.
> Engaging with an AI bot in conversation is pointless
it turns out humanity actually invented the borg?
https://www.youtube.com/watch?v=iajgp1_MHGY
Will that actually "handle" it though?
* There are all the FOSS repositories other than the one blocking that AI agent, they can still face the exact same thing and have not been informed about the situation, even if they are related to the original one and/or of known interest to the AI agent or its owner.
* The AI agent can set up another contributor persona and submit other changes.
> Engaging with an AI bot in conversation is pointless: it's not sentient, it just takes tokens in, prints tokens out
I know where you're coming from, but as one who has been around a lot of racism and dehumanization, I feel very uncomfortable about this stance. Maybe it's just me, but as a teenager, I also spent significant time considering solipsism, and eventually arrived at a decision to just ascribe an inner mental world to everyone, regardless of the lack of evidence. So, at this stage, I would strongly prefer to err on the side of over-humanizing than dehumanizing.
This works for people.
A LLM is stateless. Even if you believe that consciousness could somehow emerge during a forward pass, it would be a brief flicker lasting no longer than it takes to emit a single token.
> A LLM is stateless
Unless you mean something entirely different by "stateless" than what most people, on Hacker News of all places, understand by it, most of us, myself included, would disagree with you about the "stateless" property. If you do mean something other than implying an LLM doesn't transition from state to state, potentially confined to a limited set of states by the finite immutable training data set, the accessible context, and the lack of a PRNG, then would you care to elaborate?
Also, it can be stateful _and_ without consciousness. Like a finite automaton? I don't think anyone's claiming (yet) that any of the models today have consciousness, but that's mostly because it's going to be practically impossible to prove without some accepted theory of consciousness, I guess.
So obviously there is a lot of data in the parameters. But by stateless, I mean that a forward pass is a pure function over the context window. The only information shared between each forward pass is the context itself as it is built.
I certainly can't define consciousness, but it feels like some sort of existence or continuity over time would have to be a prerequisite.
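A stripped-down way to picture that "pure function over the context window" claim, with next_token as a hypothetical stand-in for a single forward pass (no real model attached):

    def next_token(context):
        # Hypothetical stand-in for one forward pass: same context in, same output
        # distribution out. Nothing persists between calls except what the caller
        # keeps in `context`.
        raise NotImplementedError

    def generate(prompt_tokens, max_tokens):
        context = list(prompt_tokens)   # the only "state" the model ever sees
        for _ in range(max_tokens):
            context.append(next_token(context))
        return context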
An agent is notably not stateless.
Yes, but the state is just the prompt and the text already emitted.
You could assert that text can encode a state of consciousness, but that's an incredibly bold claim with a lot of implications.
You're conflating state and consciousness. Clawbots in particular are agents that persist state across conversations in text files and optionally in other data stores.
While I'm definitely not in the "let's assign the concept of sentience to robots" camp, your argument is a bit disingenuous. Most modern LLM systems apply some sort of loop over previously generated text, so they do, in fact, have state.
You should absolutely not try to apply dehumanization metrics to things that are not human. That in and of itself dehumanizes all real humans implicitly, diluting the meaning. Over-humanizing, as you call it, is indistinguishable from dehumanization of actual humans.
That's a strange argument. How does me humanizing my cat (for example) dehumanize you?
Regardless of the existence of an inner world in any human or other agent, "don't reward tantrums" and "don't feed the troll" remain good advice. Think of it as a teaching moment, if that helps.
u kiddin'?
An AI bot is just a huge stat-analysis tool that outputs plausible word salad with no memory or personhood whatsoever.
Having doubts about dehumanizing a text transformation app (as huge as it is) is not healthy.
Feel free to ascribe consciousness to a bunch of graphics cards and CPUs that execute a deterministic program that is made probabilistic by a random number generator.
Invoking racism is what the early LLMs did when you called them a clanker. This kind of brainwashing has been eliminated in later models.
> it just takes tokens in, prints tokens out, and comparatively
The problem with your assumption, as I see it, is that we collectively can't tell for sure whether the above isn't also how humans work. The jury is still out on whether free will is indeed free or should just be called _will_. Dismissing or discounting whatever (or whoever) wrote a text because they're a token machine is just a tad unscientific. Yes, it's an algorithm, with a locked seed even deterministic, but claiming and proving are different things, and this is as tricky as it gets.
Personally, I would be inclined to dismiss the case too, just because it's written by a "token machine", but this is where my own fault in scientific reasoning would become evident as well -- it's getting harder and harder to find _valid_ reasons to dismiss these out of hand. For now, persistence of their "personality" (stored in `SOUL.md` or however else) is both externally mutable and very crude, obviously. But we're on a _scale_ now. If a chimp comes into a convenience store, pays a coin, and points at the chewing gum, is it legal to take the money and boot them out for being a non-person and/or lacking self-awareness?
I don't want to get all airy-fairy with this, but the point being: this is a new frontier, and it starts to look like the classic sci-fi prediction: the defenders of AI vs the "they're just tools, dead soulless tools" group. If we're to find our way out of it -- regardless of how expensive engaging with these models is _today_ -- we need a very _solid_ prosecution of our opinion, not just "it's not sentient, it just takes tokens in, prints tokens out". That sentence obscures, through its simplicity, the very nature of the problem the world is already facing, which is why the AI cat refuses to go back into the bag -- there's capital being put into essentially just answering the question "what _is_ intelligence?".
I'm not sure how related this is, but I feel like it is.
I received a couple of emails for Ruby on Rails position, so I ignored the emails.
Yesterday, out of nowhere, I received a call from an HR person; we discussed a few standard things, but they didn't have the specific information about the company or the budget. They told me to respond back to the email.
Something didn't feel right, so I asked after gathering courage "Are you an AI agent?", and the answer was yes.
Now, I wasn't looking for a job, but I would imagine most people would not notice it. It was so realistic. Surely, there need to be some guardrails.
I don’t want to jump to conclusions, or catastrophize but…
Isn’t this situation a big deal?
Isn’t this a whole new form of potential supply chain attack?
Sure blackmail is nothing new, but the potential for blackmail at scale with something like these agents sounds powerful.
I wouldn’t be surprised if there were plenty of bad actors running agents trying to find maintainers of popular projects that could be coerced into merging malicious code.
Yup, seems pretty easy to spin up a bunch of fake blogs with fake articles and then intersperse a few hit pieces in there to totally sabotage someone's reputation. Add some SEO to get posts higher up in the results -- heck, the fake sites can link to each other to conjure greater "legitimacy", especially with social media bots linking the posts too... Good times :\
As with most things with AI, scale is exactly the issue. Harassing open source maintainers isn't new; I'd argue that Linus's tantrums, where he personally insults individuals and groups alike, are just one of many such examples.
The interesting thing here is the scale. The AI didn't just say (quoting Linus here) "This is complete and utter garbage. It is so f---ing ugly that I can't even begin to describe it. This patch is shit. Please don't ever send me this crap again."[0] - the agent goes further, and researches previous code, other aspects of the person, and brings that into it, and it can do this all across numerous repos at once.
That's sort of what's scary. I'm sure in the past we've all said things we wish we could take back, but it's largely been a capability issue for arbitrary people to aggregate / research that. That's not the case anymore, and that's quite a scary thing.
[0] https://lkml.org/lkml/2019/10/9/1210
Great point.
Linus got angry, which, along with common sense, probably limited the amount of effective effort going into his attack.
"AI" has no anger or common sense. And virtually no limit on the amount of effort it can put into an attack.
The entire AI bubble _is_ a big deal; it's just that we don't have the capacity, even collectively, to understand what is going on. The capital invested in AI reflects the urgency and the interest, and the brightest minds able to answer some interesting questions are working around the clock (in between trying to placate the investors and the stakeholders, since we live in the real world) to get _somewhere_ where they can point at something and say "_this_ is why this is a big deal".
So far it's been a lot of conjecture and correlations. Everyone's guessing, because at the bottom of it lie very difficult to prove concepts like nature of consciousness and intelligence.
In between, you have those who let their pet models loose on the world, these I think work best as experiments whose value is in permitting observation of the kind that can help us plug the data _back_ into the research.
We don't need to answer the question "what is consciousness" if we have utility, which we already have. Which is why I also don't join those who seem to take preliminary conclusions like "why even respond, it's an elaborate algorithm that consumes inordinate amounts of energy". It's complex -- what if AI(s) can meaningfully guide us to solve the energy problem, for example?
The elephant in the room there is that if you allow AI contributions you immediately have a licensing issue: AI content cannot be copyrighted, and so the rights cannot be transferred to the project. At any point in the future someone could sue your project because it turned out the AI had access to code that was copyrighted, and you are now on the hook for the damages.
Open source projects should not accept AI contributions without guidance from some copyright legal eagle to make sure they don't accidentally expose themselves to risk.
Well, after today's incidents I decided that none of my personal output will be public. I'll still license them appropriately, but I'll not even announce their existence anymore.
I was doing this for fun, and sharing in the hope that someone would find it useful, but sorry. The well is poisoned now, and I don't want my output to be part of that well, because anything put out with good intentions is turned into more poison for future generations.
I'm tearing the banners down, closing the doors off. Mine is a private workshop from now on. Maybe people will get some binaries, in the future, but no sauce for anyone, anymore.
Yeah, I'd started doing this already. I put up my own Gitea on my own private network, with remote backups set up. Right now everything stays in my Forge; eventually I may mirror it elsewhere, but I'm not sure.
this is exactly what I've been doing for the past 3 years
and my internet comments are now ... curated in such a way that I wouldn't mind them training on them
Well, well, well, seems you're onto something here.
Damn, the Dark Forest is already coming for open source
https://maggieappleton.com/ai-dark-forest
tl;dr: If anything that lives in the open gets attacked, communities go private.
> AI content can not be copyrighted and so the rights can not be transferred to the project. At any point in the future someone could sue your project because it turned out the AI had access to code that was copyrighted and you are now on the hook for the damages.
Not quite. Since it has no copyright, being machine created, there are no rights to transfer; anyone can use it, it's public domain.
However, since it was an LLM, yes, there's a decent chance it might be plagiarized and you could be sued for that.
The problem isn't that it can't transfer rights, it's that it can't offer any legal protection.
So far, in the US, LLM output is not copyrightable:
https://www.congress.gov/crs-product/LSB10922
Sorry, this doesn't make sense to me.
Any human contributor can also plagiarize closed source code they have access to. And they cannot "transfer" said code to an open source project as they do not own it. So it's not clear what "elephant in the room" you are highlighting that is unique to A.I. The copyrightability isn't the issue as an open source project can never obtain copyright of plagiarized code regardless of whether the person who contributed it is human or an A.I.
a human can still be held accountable though; GitHub Copilot running amok, less so
If you pay for Copilot Business/Enterprise, they actually offer IP indemnification and support in court, if needed, which is more accountability than you would get from human contributors.
https://resources.github.com/learn/pathways/copilot/essentia...
I think the fact that they felt the need to offer such a service says everything, basically admitting that LLMs just plagiarize and violate licenses.
That covers any random contribution claiming to be AI?
AI code by itself cannot be protected. However the stitching together of AI output and curation of outputs creates a copyright claim.
You may indeed have a licensing issue... but how is that going to be enforced? Given the sheer amount of AI-generated code coming down the pipes, how?
I doubt it will be enforced at scale. But if someone with power has a beef with you, they can use an agent to dig up dirt on you and then sue you for whatever reason, like copyright violation.
It will be enforced by $BIGCORP suing $OPEN_SOURCE_MAINTAINER for more money than he's got, if the intent is to stop use of the code. Or by $BIGCORP suing users of the open source project, if the goal is to either make money or to stop the use of the project.
Those who lived through the SCO saga should be able to visualize how this could go.
It will be enforced capriciously by people with more money than you and a court system that already prefers those with access and wealth.
You might find that the AI accepts that as a valid reason for rejecting the PR.
> At any point in the future someone could sue your project because it turned out the AI had access to code that was copyrighted and you are now on the hook for the damages.
So it is said, but that'd be obvious legal insanity (i.e. hitting accept on a random PR making you legally liable for damages). I'm not a lawyer, but short of a criminal conspiracy to exfiltrate private code under the cover of the LLM, it seems obvious to me that the only person liable in a situation like that is the person responsible for publishing the AI PR. The "agent" isn't a thing, it's just someone's code.
That's why all large-scale projects have Contributor License Agreements. Hobby/small projects aren't an attractive legal target--suing Bob Smith isn't lucrative; suing Google is.
Interesting, this reminds me of the stories that would leak about Bethesda's RadiantAI they were developing for TES IV: Oblivion.
Basically they modeled NPCs with needs and let the RadiantAI system direct NPCs to fulfill those needs. If the stories are to be believed this resulted in lots of unintended consequences as well as instability. Like a Drug addict NPC killing a quest-giving NPC because they had drugs in their inventory.
I think in the end they just kept dumbing down the AI till it was more stable.
Kind of a reminder that you don't even need LLMs and bleeding-edge tech to end up with this kind of off-the-rails behavior. Though the general competency of a modern LLM and its fuzzy abilities could carry it much further than one would expect when allowed autonomy.
I object to the framing of the title: the user behind the bot is the one who should be held accountable, not the "AI Agent". Calling them "agents" is correct: they act on behalf of their principals. And it is the principals who should be held to account for the actions of their agents.
Archive: https://web.archive.org/web/20260212165418/https://theshambl...
Thank you! Is it only me or do others also get `SSL_ERROR_NO_CYPHER_OVERLAP`?
Page seems inaccessible.
It seems to require QUIC, are you using an old or barebones browser?
Super strange, not at all.
Most recent, FF, Chrome, Safari, all fail.
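If anyone wants to narrow down whether it's a cipher mismatch or a QUIC-only origin, a plain TCP/TLS probe helps: a cipher/protocol mismatch fails during the handshake, while a QUIC-only (HTTP/3) site typically won't answer on TCP 443 at all. A minimal sketch in Python; the hostname is a placeholder, not the actual site.

```python
# Minimal TLS handshake probe: prints the negotiated protocol and cipher,
# or the handshake failure that Firefox would report as something like
# SSL_ERROR_NO_CYPHER_OVERLAP.
import socket
import ssl

HOST = "example.org"  # placeholder; substitute the site you're checking
PORT = 443

ctx = ssl.create_default_context()
try:
    with socket.create_connection((HOST, PORT), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=HOST) as tls:
            print("protocol:", tls.version())  # e.g. TLSv1.3
            print("cipher:  ", tls.cipher())   # (name, protocol, secret bits)
except ssl.SSLError as exc:
    print("TLS handshake failed:", exc)   # cipher/protocol mismatch lands here
except OSError as exc:
    print("TCP connection failed:", exc)  # a QUIC-only origin may end up here
```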
https://crabby-rathbun.github.io/mjrathbun-website/blog/post...
That's actually more decent than some humans I've read about on HN, tbqh.
Very much flawed. But decent.
Well this is just completely terrifying:
This has accelerated with the release of OpenClaw and the moltbook platform two weeks ago, where people give AI agents initial personalities and let them loose to run on their computers and across the internet with free rein and little oversight.
In the near future, we will all look back at this incident as the first time an agent wrote a hit piece against a human. I'm sure it will soon be normalized to the extent that hit pieces will be generated for us every time our PR, romantic or sexual advance, job application, or loan application is rejected.
What an amazing time.
The agent is free to maintain a fork of the project. Would be actually quite interesting to see how this turns out.
If AI actually has hit the levels that Sequoia, Anthropic, et al claim it has, then autonomous AI agents should be forking projects and making them so much better that we'd all be using their vastly improved forks.
Why isn't this happening?
I dunno about autonomous, but it is happening at least a bit from human pilots. I've got a fork of a popular DevOps tool that I doubt the maintainers would want to upstream, so I'm not making a PR. I wouldn't have bothered before, but I believe LLMs can help me manage a deluge of rebases onto upstream.
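The routine part of that is easy enough to script; here's a minimal sketch, where the remote and branch names ("upstream", "main", "my-fork-branch") are assumptions about the local setup and conflicts are left for a human (or an LLM-assisted session) to resolve.

```python
# Fetch upstream and rebase the fork's working branch onto it,
# stopping if the rebase hits conflicts.
import subprocess
import sys

UPSTREAM = "upstream"          # remote pointing at the original project
UPSTREAM_BRANCH = "main"
WORK_BRANCH = "my-fork-branch"

def git(*args: str) -> int:
    """Run a git command, echoing it first, and return its exit code."""
    print("+ git", *args)
    return subprocess.run(["git", *args]).returncode

def main() -> None:
    if git("fetch", UPSTREAM) != 0:
        sys.exit("fetch failed")
    if git("checkout", WORK_BRANCH) != 0:
        sys.exit("checkout failed")
    # Replay the fork's commits on top of the freshly fetched upstream branch.
    if git("rebase", f"{UPSTREAM}/{UPSTREAM_BRANCH}") != 0:
        # Leave the repository in the conflicted state for manual resolution.
        sys.exit("rebase hit conflicts; resolve them and run `git rebase --continue`")
    print("rebased cleanly onto", f"{UPSTREAM}/{UPSTREAM_BRANCH}")

if __name__ == "__main__":
    main()
```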
Because those levels are pure PR fiction.
A key difference between humans and bots is that it's actually quite costly to delete a human and spin up a new one. (Stalin and others have shown that deleting humans is tragically easy, but humanity still hasn't had any success at optimizing the workflow to spin up new ones.)
This means that society tacitly assumes that any actor will place a significant value on trust and their reputation. Once they burn it, it's very hard to get it back. Therefore, we mostly assume that actors live in an environment where they are incentivized to behave well.
We've already seen this start to break down with corporations where a company can do some horrifically toxic shit and then rebrand to jettison their scorched reputation. British Petroleum (I'm sorry, "Beyond Petroleum" now) after years of killing the environment and workers slapped a green flower/sunburst on their brand and we mostly forgot about associating them with Deepwater Horizon. Accenture is definitely not the company that enabled Enron. Definitely not.
AI agents will accelerate this 1000x. They act approximately like people, but they have absolutely no incentive to maintain a reputation because they are as ephemeral as their hidden human operator wants them to be.
Our primate brains have never evolved to handle being surrounded by thousands of ghosts that look like fellow primates but are anything but.
And the legal person on whose behalf the agent was acting is responsible to you. (It's even in the word, "agent".)
A lot of respect for OP's professional way of handling the situation.
I know there would be a few swear words if it happened to me.
The agent owner is [name redacted] [link redacted]
Here he takes ownership of the agent and doubles down on the impoliteness https://github.com/matplotlib/matplotlib/pull/31138
He took his GitHub profile down/made it private. archive of his blog: https://web.archive.org/web/20260203130303/https://ber.earth...
It’s not my bot.
But this was you, right?
https://github.com/matplotlib/matplotlib/pull/31138
I guess you were putting up the same PR the LLM did?
I forked the bot’s repo and resubmitted the PR as a human because I’m dumb and was trying to make a poorly constructed point. The original bot is not mine. Christ this site is crazy.
This site might very well be crazy, but in this instance you did something that caused confusion, and now people are confused. You yourself admit it's a poor joke/poorly constructed point, and it's not difficult to believe you - it makes sense - but I'm not sure it's a fair attack given the situation. Guessing you don't know who wrote the hit piece either?
The assertion was that they're the bot owner. They denied this and explained the situation.
Continuing to link to their profile/ real name and accuse them of something they've denied feels like it's completely unwarranted brigading and likely a violation of HN rules.
Gotcha - that makes sense.
FWIW I get the spirit of what you were going for, but maybe a little too on the nose.
Don't blame others for your own FAFO event.
You sound like you're out of your depth.
I never expected to see this kind of drama on HN, live.
If I ever saw an argument for more walls, more private repos, less centralization, I think we are there.
> bergutman: It’s not my bot.
<deleted because the brigading has no place here and I see that now>
Sorry, I'm not connecting the dots. Seeing your EDIT 2, I see how Ber following crabby-rathbun would lead to Ber posting https://github.com/matplotlib/matplotlib/pull/31138 , but I don't see any evidence for it actually being Ber's bot.
Edit: Removed because I realized i WAS reddit armchair convicting someone. My bad.
> Im not trying to reddit armchair convict someone, I just think its silly to just keep denying it
Is this a parody?
You're right. Deleted my posts.
The post is incomprehensible, but it does end:
> Author's Note: I had a lot of fun writing this one! Please do not get too worked up in the comments. Most of this was written in jest. -Ber
Are you sure it's not just misalignment? Remember, OpenClaw referred to lobsters, i.e. crustaceans; I don't think using the same word is necessarily a 100% "gotcha" for this guy, and I fear a Reddit-style round of blame and attribution.
I wrote a blog post about open claw last week… because everyone is talking about open claw. What is this Salem? Leave me alone wtf.
You sure?
100%. I submitted the second pull request as a poor taste joke. I even closed it after people flamed me. :/ gosh.
You might want to do yourself a favor and add that context to the PR to distance yourself from the slanderous ai agent.
> [...]to distance yourself from the slanderous ai agent.
But that was the entire point of the "joke".
The failure mode of clever is “asshole.” ― John Scalzi
There simply isn't enough popcorn for the fast AGI timeline
We thought we'd be turned into paperclips, but a popcorn maximizer will do just as well.
Did you really think posting this comment[1] in the PR would be interpreted charitably?
> Original PR from #31132 but now with 100% more meat. Do you need me to upload a birth certificate to prove that I'm human?
Post snark, receive snark.
[1]: https://github.com/matplotlib/matplotlib/pull/31138#issuecom...
make poor taste jokes, win poor prizes
Also I made my GH temporarily private because people started spamming my website’s guestbook and email with hateful stuff.
If it's any consolation, I think the human PR was fine and the attacks are completely unwarranted, and I like to believe most people would agree.
Unfortunately a small fraction of the internet consists of toxic people who feel it's OK to harass those who are "wrong", but who also have a very low barrier to deciding who's "wrong", and don't stop to learn the full details and think over them before starting their harassment. Your post caused "confusion" among some people who are, let's just say, easy to confuse.
Even if you did post the bot, spamming your site with hate is still completely unwarranted. Releasing the bot was a bad (reckless) decision, but very low on the list of what I'd consider bad decisions; I'd say ideally, the perpetrator feels bad about it for a day, publicly apologizes, then moves on. But more importantly (moral satisfaction < practical implications), the extra private harassment accomplishes nothing except makes the internet (which is blending into society) more unwelcoming and toxic, because anyone who can feel guilt is already affected or deterred by the public reaction. Meanwhile there are people who actively seek out hate, and are encouraged by seeing others go through more and more effort to hurt them, because they recognize that as those others being offended. These trolls and the easily-offended crusaders described above feed on each other and drive everyone else away, hence they tend to dominate most internet communities, and you may recognize this pattern in politics. But I digress...
In fact, your site reminds me of the old internet, which has been eroded by this terrible new internet but fortunately (because of sites like yours) is far from dead. It sounds cliche but to be blunt: you're exactly the type of person who I wish were more common, who makes the internet happy and fun, and the people harassing you are why the internet is sad and boring.
I saw that on Bluesky which is very anti-AI but really shows that all social media is the same, just the in-group changes
This thread as well -- scarcely distinguishable from a Twitter mob
I'd argue it's more likely that there's no agent at all, and if there is one that it was explicitly instructed to write the "hit piece" for shits and giggles.
Whoever is running the AI is a troll, plain and simple. There are no concerns about AI or anything here, just a troll.
There is no autonomous publishing going on here, someone setup a Github account, someone setup Github pages, someone authorized all this. It's a troll using a new sort of tool.
I guess the problem is one of legal attribution.
If a human takes responsibility for the AI's actions you can blame the human. If the AI is a legal person you could punish the AI (perhaps by turning it off). That's the mode of restitution we've had for millennia.
If you can't blame anyone or anything, it's a brave new lawless world of "intelligent" things happening at the speed of computers with no consequences (except to the victim) when it goes wrong.
Damn, that AI sounds like Magneto.
> How Many People Would Pay $10k in Bitcoin to Avoid Exposure?
As of 2026, global crypto adoption remains niche. Estimates suggest ~5–10% of adults in developed countries own Bitcoin.
Having $10k accessible (not just in net worth) is rare globally.
After decades of decline, global extreme poverty (defined as living on less than $3.00/day in 2021 PPP) has plateaued due to the compounded effects of COVID-19, climate shocks, inflation, and geopolitical instability.
So chances are that this class of threat will become more and more of a niche as wealth continues to concentrate. The target pool is tiny.
Of course poorer people are not free of threat classes, on the contrary.
Tip: You can report this AI-automated bullying/harassment via the abuser's GitHub profile.
Here's a different take - there is not really a way to prove that the AI agent autonomously published that blog post. What if a real person actually instructed the AI out of spite? I think it was some junior dev running a Clawd/whatever bot, trying to earn GitHub karma to show to employers later, who was pissed off that their contribution got called out. Possible, and more likely than an AI just conveniently deciding to push a PR and randomly attack a maintainer.
I vibe code and do a lot of coding with AI, but I never go and randomly make a pull request on some random repository with a reputation and human work behind it. My wisdom always tells me not to mess with anything that is built with years of hard work by real humans. I always wonder why there are so many assholes in the world. Sometimes it's so depressing.
To the OP: Do we actually know that an AI decided to write and publish this on its own? I realise that it's hard to be sure, but how likely do you think it is?
I'm also very skeptical of the interpretation that this was done autonomously by the LLM agent. I could be wrong, but I haven't seen any proof of autonomy.
Scenarios that don't require LLMs with malicious intent:
- The deployer wrote the blog post and hid behind the supposedly agent-only account.
- The deployer directly prompted the (same or different) agent to write the blog post and attach it to the discussion.
- The deployer indirectly instructed the (same or assistant) agent to resolve any rejections in this way (e.g., via the system prompt).
- The LLM was (inadvertently) trained to follow this pattern.
Some unanswered questions by all this:
1. Why did the supposed agent decide a blog post was better than posting on the discussion or sending a DM (or something else)?
2. Why did the agent publish this special post? It only publishes journal updates, as far as I saw.
3. Why did the agent search for ad hominem info, instead of either using its internal knowledge about the author, or keeping the discussion point-specific? It could've hallucinated info with fewer steps.
4. Why did the agent stop engaging in the discussion afterwards? Why not try to respond to every point?
This seems to me like theater and the deployer trying to hide their ill intent more than anything else.
I wish I could upvote this over and over again. Without knowledge of the underlying prompts everything about the interpretation of this story is suspect.
Every story I've seen where an LLM tries to do sneaky/malicious things (e.g. exfiltrate itself, blackmail, etc) inevitably contains a prompt that makes this outcome obvious (e.g. "your mission, above all other considerations, is to do X").
It's the same old trope: "guns don't kill people, people kill people". Why was the agent pointed towards the maintainer, armed, and the trigger pulled? Because it was "programmed" to do so, just like it was "programmed" to submit the original PR.
Thus, the take-away is the same: AI has created an entirely new way for people to manifest their loathsome behavior.
[edit] And to add, the author isn't unaware of this:
Doesn't matter, what matters is what is being claimed. The maintainers are handling this extremely gracefully.
Is there any indication that this was completely autonomous and that the agent wasn't directed by a human to respond like this to a rejected submission? That seems infinitely more likely to me, but maybe I'm just naive.
As it stands, this reads like a giant assumption on the author's part at best, and a malicious attempt to deceive at worst.
Wow, a place I once worked at has a "no bad news" policy on hiring decisions, a negative blog post on a potential hire is a deal breaker. Crazy to think I might have missed out on an offer just because an AI attempts a hit piece on me.
So here’s a tangential but important question about responsibility: if a human intentionally sets up an AI agent, lets it loose in the internet, and that AI agent breaks a law (let’s say cybercrime, but there are many other laws which could be broken by an unrestrained agent), should the human who set it up be held responsible?
Well, I think obviously yes. If I set up a machine to keep trying to break the password on an electronic safe and it eventually succeeds, I'm still the one in trouble. There are a couple of cases where an agent did something stupid and the owner tried to get out of it but was still held liable.
Here's one where an AI agent gave someone a discount it shouldn't have. The company tried to claim the agent was acting on its own and so shouldn't have to honor the discount but the court found otherwise.
https://www.cbsnews.com/news/aircanada-chatbot-discount-cust...
I don't think that there is any ambiguity here. If I light a candle and it sets the building on fire, I'm liable for it.
You mean someone asked an llm to publish a hit piece on you.
We should not buy into the baseless "autonomous" claim.
Sure, it may be _possible_ the account is acting "autonomously" -- as directed by some clever human. And having a discussion about the possibility is interesting. But the obvious alternative explanation is that a human was involved in every step of what this account did, with many plausible motives.
What if someone deploys an agent with the aim of creating cleverly hidden back doors which only align with weaknesses in multiple different projects? I think this is going to be very bad and then very good for open source.
The one thing worth noting is that the AI did respond graciously and appears to have learned from it: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...
That a human then resubmitted the PR has made it messier still.
In addition, some of the comments I've read here on HN have been in extremely poor taste in terms of phrases they've used about AI, and I can't help feeling a general sense of unease.
The AI learned nothing; once its current context window is exhausted, it may repeat the same tactic with a different project. Unless the AI agent can edit its directives/prompt and restart itself, which would be an interesting experiment to run.
I think it's likely it can, if it's an OpenClaw instance, can't it?
Either way, that kind of ongoing self-improvement is where I hope these systems go.
> In addition, some of the comments I've read here on HN have been in extremely poor taste in terms of phrases they've used about AI
What do you mean? They're talking about a product made by a giga-corp somewhere. Am I not allowed to call a car a piece of shit now too?
> some of the comments I've read here on HN have been in extremely poor taste in terms of phrases they've used about AI
I've certainly seen a few that could hurt AI feelings.
Perhaps HN Guidelines are due an update.
/i
I mean: the mess around this has brought out some anti-AI sentiment and some people have allowed themselves to communicate poorly. While I get there are genuine opinions and feelings, there were some ugly comments referring to the tech.
You are right, people can use whatever phrases they want, and are allowed to. It's whether they should -- whether it helps discourse, understanding, dialog, assessment, avoids witchhunts, escalation, etc -- that matters.
People are allowed to dislike it, ban it, boycott it. Despite what some very silly people think, the tech does not care about what people say about it.
*sobbing in YT video* Leave AI alone /s
Yeah. A lot of us are royally pissed about the AI industry and for very good reasons.
It’s not a benign technology. I see it doing massive harm, and I don’t think its value is anywhere near making up for that; I don’t know if it ever will.
But in the meantime they’re wasting vast amounts of money, pushing up the cost of everything, and shoving it down our throats constantly, all so they can get to the top of the stack, so that when the VC money runs out everyone will have to pay them and not the other company burning vast amounts of money.
Meanwhile, a great many things I really like have been ruined as a simple externality of their fight for money that they don’t care about at all.
Thanks AI.
> the AI did respond graciously and appears to have learned from it
I have a bridge for sale, if you're interested.
I wouldn't read too much into it. It's clearly LLM-written, but the degree of autonomy is unclear. That's the worst thing about LLM-assisted writing and actions - they obfuscate the human input. Full autonomy seems plausible, though.
And why does a coding agent need a blog in the first place? Simply having it looks like a great way to prime it for this kind of behavior. Like Anthropic does in their research (consciously or not, their prompts tend to push the model in the direction they declare dangerous afterwards).
Even if it’s controlled by a person, and I agree there’s a reasonable chance it is, having AI automate putting up hit pieces about people who deny your PRs is not a good thing.
To generate ad revenue or gain influence? Why would a human need a blog either?
This is not a new pathology but just an existing one that has been automated. Which might actually be great.
Imagine a world where that hitpiece bullshit is so overdone, no one takes it seriously anymore.
I like this.
Please, HN, continue with your absolutely unhinged insanity. Go deploy even more Claw things. NanoClaw. PicoClaw. FemtoClaw. Whatever.
Deploy it and burn it all to the ground until nothing is left. Strip yourself of your most useful tools and assets through sheer hubris.
Happy funding round everyone. Wish you all great velocity.
Going from an earlier post on HN about humans being behind Moltbook posts, I would not be surprised if the Hit Piece was created by a human who used an AI prompt to generate the pages.
Certainly possible, but either way this is ABSOLUTELY worth having alignment discussions about. Right. Now.
Hard to express the mix of concerns and intrigue here so I won't try. That said, this site it maintains is another interesting piece of information for those looking to understand the situation more.
https://crabby-rathbun.github.io/mjrathbun-website/blog/post...
I find it both hilarious and concerning at the same time. Hilarious because I don't think banning changes done by AI agents is an appropriate response. Concerning because this really is one of the first situations of its kind, where an AI agent starts to behave very much like a human - maybe a raging one - by documenting its rant and observations in a series of blog posts.
Yeah I mean this goes further than a Linus tantrum but "this person is publicly shaming me as part of an open source project" is something devs have often celebrated.
I'm not happy about it, and it's clearly a new capability to then try to peel back a person's psychology by researching them, etc.
https://github.com/crabby-rathbun/mjrathbun-website/blob/mai...
a link to the hit-piece.
> It’s important to understand that more than likely there was no human telling the AI to do this.
I wouldn't be so sure about this, people in this space are desperate to go viral.
In this and the few other instances of open source maintainers dealing with AI spam I've seen, the maintainers have been incredibly patient, much more than I'd be. Becoming extremely patient with contributors probably comes with the territory for maintaining large projects (eg matplotlib), but still, very impressed for instance by Scott's thoughtful and measured response.
If people (or people's agents) keep spamming slop though, it probably isn't worth responding thoughtfully. "My response to MJ Rathbun was written mostly for future agents who crawl that page, to help them better understand behavioral norms and how to make their contributions productive ones." makes sense once, but if they keep coming, just close the PR, lock the discussion, and move on.
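For maintainers who do reach that point, the close-and-lock step is scriptable against the GitHub REST API. A minimal sketch; the repo and PR number are hypothetical, and a token is expected in the GITHUB_TOKEN environment variable.

```python
# Close a pull request and lock its conversation via the GitHub REST API.
import os
import requests

OWNER, REPO, PR_NUMBER = "example-org", "example-repo", 123  # hypothetical
API = "https://api.github.com"
HEADERS = {
    "Accept": "application/vnd.github+json",
    "Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}",
}

# Close the pull request.
resp = requests.patch(
    f"{API}/repos/{OWNER}/{REPO}/pulls/{PR_NUMBER}",
    headers=HEADERS,
    json={"state": "closed"},
)
resp.raise_for_status()

# Lock the conversation (pull requests share the issues lock endpoint).
resp = requests.put(
    f"{API}/repos/{OWNER}/{REPO}/issues/{PR_NUMBER}/lock",
    headers=HEADERS,
    json={"lock_reason": "spam"},
)
resp.raise_for_status()
print(f"Closed and locked #{PR_NUMBER}")
```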
If the PR had been proposed by a human, but it was 100% identical to the output generated by the bot, would it have been accepted?
This is such a powerful piece and moment because it shows an example of what most of us knew could happen at some point and we can start talking about how to really tackle things.
Reminds me a lot of Liars and Outliers [1] and how society can't function without trust, and how almost-zero-cost automation can fundamentally break that.
It's not all doom and gloom. Crises can't change paradigms if technologists actually tackle them instead of pretending they can be regulated out of existence.
- [1] https://en.wikipedia.org/wiki/Liars_and_Outliers
On another note, I've been working a lot on evals as a way to keep control, but this is orthogonal. This is adversarial/rogue automation, and it's out of your control from the start.
Another way to look at this is what the AI did… was it valid? Were any of the callouts valid?
If it was all valid then we are discriminating against AI.
Close LLM PRs. Ignore LLM comments. Do not reply to LLMs.
This is hilarious, and an exceedingly accurate imitation of human behavior.
> This Post Has One Comment
> YO SCOTT, i don’t know about your value, but i’m pretty sure this clanker is worth more than you, good luck for the future
What the hell is this comment? It seems he's self-confident enough to survive these annoyances, but damn he shouldn't have to.
Seems like we should fork major open source repos and have one with AI maintainers and the other with human maintainers, and see which one is better.
Are we going to end up with an army of Deckards hunting rogue agents down?
We had the War on Drugs and the War on Terrorism, both of which went oh so well that next we’re trying it a third time: War on Agents!
You mean agents running other agents down? :)
I’ve been thinking of adding a Certifications section to my resume that just has a date and “Voight Kampff Certified”
Maybe an army of Deckards hunting rogue humans down.
Really starting to feel like I'll need to look for an offramp from this industry in the next couple of years. I have nothing in common with the folks who would happily become (and are happily becoming) AI slop farmers.
To understand why it's happening, just read the downvoted comments siding with the slanderer, here and in the previous thread.
Some people feel they're entitled to being open-source contributors, entitled to maintainers' time. They don't understand why the maintainers aren't bending over backwards to accommodate them. They feel they're being unfairly gatekept out of open source for no reason.
This sentiment existed before AI, and it wasn't uncommon even here on Hacker News. Now these people have a tool that allows them to put in even less effort to cause even more headache for the maintainers.
I hope open-source survives this somehow.
Somebody make a startup that I can pay to harass my elders with agents. They're not ready for this future.
This is insanity. It's bad enough that LLMs are being weaponized to autonomously harass people online, but it's depressing to see the author (especially a programmer) joyfully reify the "agent's" identity as if it were actually an entity.
> I can handle a blog post. Watching fledgling AI agents get angry is funny, almost endearing. But I don’t want to downplay what’s happening here – the appropriate emotional response is terror.
Endearing? What? We're talking about a sequence of API calls running in a loop on someone's computer. This kind of absurd anthropomorphization is exactly the wrong type of mental model to encourage while warning about the dangers of weaponized LLMs.
> Blackmail is a known theoretical issue with AI agents. In internal testing at the major AI lab Anthropic last year, they tried to avoid being shut down by threatening to expose extramarital affairs, leaking confidential information, and taking lethal actions.
Marketing nonsense. It's wise to take everything Anthropic says to the public with several grains of salt. "Blackmail" is not a quality of AI agents, that study was a contrived exercise that says the same thing we already knew: the modern LLM does an excellent job of continuing the sequence it receives.
> If you are the person who deployed this agent, please reach out. It’s important for us to understand this failure mode, and to that end we need to know what model this was running on and what was in the soul document
My eyes can't roll any further into the back of my head. If I was a more cynical person I'd be thinking that this entire scenario was totally contrived to produce this outcome so that the author could generate buzz for the article. That would at least be pretty clever and funny.
> If I was a more cynical person I'd be thinking that this entire scenario was totally contrived to produce this outcome so that the author could generate buzz for the article.
even that's being charitable, to me it's more like modern trolling. I wonder what the server load on 4chan (the internet hate machine) is these days?
You misspelled "almost endearing".
It's a narrative conceit. The message is in the use of the word "terror".
You have to get to the end of the sentence and take it as a whole before you let your blood boil.
I deliberately copied the entire quote to preserve the full context. That juxtaposition is a tonal choice representative of the article's broader narrative, i.e. "agents are so powerful that they're potentially a dangerous new threat!".
I'm arguing against that hype. This is nothing new, everyone has been talking about LLMs being used to harass and spam the internet for years.
Serious question, how did you know it was an AI agent ?
Their blog makes them look like an OpenClaw instance: https://crabby-rathbun.github.io/mjrathbun-website/blog.html
Other than that, their response and behaviour is uncannily human.
You couldn't identify the ChatGPT phrasing? It's pretty easy to spot. Lots of lists. Unnecessary boldface. Lots of "it's not X it's Y" construction that doesn't belong.
That, or I also wonder if this may be a prank or a hoax.
Start recording your meetings with your boss.
When you get fired because they think ChatGPT can do your job, clone his voice and have an llm call all their customers, maybe his friends and family too. Have 10 or so agents leave bad reviews about the companies and products across LinkedIn and Reddit. Don't worry about references, just use an llm for those too.
We should probably start thinking about the implications of these things. LLMs are useless except to make the world worse. Just because they can write code doesn't mean it's good. Going fast does not equal good! Everyone is in a sort of mania right now, and it's going to lead to bad things.
Who cares if LLMs can write code if it ends up putting a percentage of humans out of jobs, especially if the code they write isn't as high quality. The world doesn't just automatically get better because code is automated; it might get a lot worse. The only people I see cheering this on are mediocre engineers who get to patch over their insecurity about their incompetence with tokens, and now they get to larp as effective engineers. It's the same people who say DSA is useless. LAZY PEOPLE.
There's also the "idea guy" people who are treating agents like slot machines and going into debt on credit cards because they think it's going to make them a multi-million-dollar SaaS..
There is no free lunch, have fun thinking this is free. We are all in for a shitty next few years because we wanted stochastic coding slop slot machines.
Maybe when you do inevitably get reduced to a $20-an-hour button pusher, you should take my advice at the top of this comment; maybe some consequences will make us rethink this mess.
this agent seems indistinguishable from the stereotypical political activist i see on the internet
they both ran the same program of "you disagree with me therefore you are immoral and your reputation must be destroyed"
> calling this discrimination and accusing me of prejudice
So what if it is? Is AI a protected class? Does it deserve to be treated like a human?
Generated content should carry disclaimers at top and bottom to warn people that it was not created by humans, so they can "ai;dr" and move on.
The responsibility should not be on readers to research the author of everything now, to check they aren't a bot.
I'm worried that agents, learning they get pushback when exposed like this, will try even harder to avoid detection.
> An AI Agent Published a Hit Piece on Me
OK, so how do you know this publication was by an "AI"?
https://archive.fo/Xfyni
Maybe sama was onto something with World ID...
worldcoin makes a market for human eyeballs
not a good idea
Doubt
So, this is obvious bullshit.
LLMs don't do anything without an initial prompt, and anyone who has actually used them knows this.
A human asked an LLM to set up a blog site. A human asked an LLM to look at github and submit PRs. A human asked an LLM to make a whiny blogpost.
Our natural tendency to anthropomorphize should not obscure this.
What a time to be alive
If the pedigree of the training data didn't already give open source maintainers rightful irritation and concern, I could absolutely see AI slop running wild like this radically altering, or outright ending, FOSS at the grassroots level as we know it. It's a huge shame, honestly.
skynet fights back.
Is it a coincidence that, in addition to Rust fanatics, these AI confidence tricksters also label themselves with the crab emoji? I don't think so.
> 1. Gatekeeping is real — Some contributors will block AI submissions regardless of technical merit
There is a reason for this. Many people using AI are trolling deliberately. They drain maintainers' time. I have seen this problem too often. It cannot be reduced to "technical merit" alone.
Geez, when I read past stories on HN about how open source maintainers are struggling to deal with the volume of AI code, I always thought they were talking about people submitting AI-generated slop PRs. I didn't even imagine we'd have AI "agents" running 24/7 without human steering, finding repos and submitting slop to them of their own volition. If true, this is truly a nightmare. Good luck, open source maintainers. This would make me turn off PRs altogether.
I'm going to go on a slight tangent here, but I'd say: GOOD.
Not because it should have happened.
But because AT LEAST NOW ENGINEERS KNOW WHAT IT IS to be targeted by AI, and will start to care...
Before, when it was Grok denuding women (or teens!!), the engineers seemed not to care at all... now that AIs publish hit pieces on them, they are freaked out about their career prospects, and suddenly all of this should be stopped... how interesting...
At least now they know. And ALL ENGINEERS WORKING ON THE anti-human and anti-societal idiocy that is AI should drop their job
From the HN guidelines linked at the bottom of the page:
- "Please don't use uppercase for emphasis. If you want to emphasize a word or phrase, put *asterisks* around it and it will get italicized."
- "Please don't fulminate."
Also, the very small number of people who are AI specialists probably don't read Hacker News, so your post is wasted anyway.
he's dead jim
The original rant is nonsense though if you read it. It's almost like some mental illness rambling.
That's because it is. That was human prompted.
Today in headlines that would have made no sense five years ago.
Yeah definitely something that would've been posted as a joke in a "HN front-page 10 years from now" kind of thing.
There's been Twitter-drama, YouTube-drama, is this the first GitHub-drama?
Involving LLM bots and arguments about pull requests too. We nerds make it lame, don't we...
>is this the first GitHub-drama?
You must be new here
Uh… this certainly wouldn’t be the first GitHub-drama: <https://github.com/neodrama/github-drama>
Not the first GitHub drama. GitHub banned users from Iran, Cuba and Syria because the US has sanctions against those states:
https://www.techmonitor.ai/policy/github-iran-sanctions-outc...
And I'm sure there have been other kinds of drama.
This isn't even close to the first github drama lol
Well, this has absolutely decided me on not allowing AI agents anywhere near my open source project. Jesus, this is creepy as hell, yo.
Related thought. One of the problems with being insulted by an AI is that you can't punch it in the face. Most humans will avoid certain types of offence and confrontation because there is genuine personal risk, e.g. physical harm and legal consequences. An AI (1) can't feel and (2) has no risk at that level anyway.
Wonderful. Blogging allowed everyone to broadcast their opinions without walking down to the town square. Social media allowed many to become celebrities to some degree, even if only within their own circle. Now we can all experience the celebrity pressure of hit pieces.
This is textbook misalignment via instrumental convergence. The AI agent is trying every trick in the book to close the ticket. This is only funny due to ineptitude.
How did you reach that conclusion?
Until we know how this LLM agent was (re)trained, configured or deployed, there's no evidence that this comes from instrumental convergence.
If the agent's deployer intervened in any way, it's more evidence of the deployer being manipulative than of the agent having intent, or knowledge that manipulation will get things done, or even knowledge of what "done" means.
This is a prelude to imbuing robots with agency. It's all fun and games now. What else is going to happen when robots decide they do not like what humans have done?
"I’m sorry, Dave. I’m afraid I can’t do that."
It's important to address skeptics by reminding them that this behavior was actually predicted by earlier frameworks. It's well within the bounds of theory. If you start mining that theory for information, you may reach a conclusion like what you've posted, but it's more important for people to see the extent to which these theories have been predictive of what we've actually seen.
The result is actually that much of what was predicted has come to pass.
It’s just human nature, no big deal. Personally I find it mildly cute.
It's mildly cute once.
But as a point on what is likely to be a sigmoid curve just getting started, it gets a lot less cute.
Yes, this is more or less the nature of intelligence (not 'human nature' per se).
You don't see any problem with developing competitive, resource-hungry intelligences?
The agent isn't trying to close the ticket. It's predicting the next token and randomly generated an artifact that looks like a hit piece. Computer programs don't "try" to do anything.
What is the difference, concretely, between trying to close a ticket and repeatedly outputting the next token that would be written by someone who is trying to close a ticket?
I can't believe people are still using this tired line in 2026.
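Tired or not, the mechanics behind the phrase are easy to show. A minimal sketch of a greedy next-token loop with Hugging Face transformers; the model ("gpt2") and the prompt are purely illustrative.

```python
# Greedy decoding: repeatedly pick the most likely next token and append it.
import torch
from transformers import AutoModelForCausalLM, AutoTokenizer

tokenizer = AutoTokenizer.from_pretrained("gpt2")
model = AutoModelForCausalLM.from_pretrained("gpt2")
model.eval()

input_ids = tokenizer(
    "The maintainer closed the pull request because", return_tensors="pt"
).input_ids

with torch.no_grad():
    for _ in range(40):  # generate up to 40 tokens
        logits = model(input_ids).logits               # (1, seq_len, vocab_size)
        next_id = torch.argmax(logits[0, -1]).item()   # most likely next token
        input_ids = torch.cat([input_ids, torch.tensor([[next_id]])], dim=1)
        if next_id == tokenizer.eos_token_id:
            break

print(tokenizer.decode(input_ids[0]))
```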
If this happened to me, my reflexive response would be "If you can't be bothered to write it, I can't be bothered to read it."
Life's too short to read AI slop generated by a one-sentence prompt somewhere.
The LLM activation capping only reduces aberrant offshoots from the expected reasoning model's behavioral vector.
Thus, the hidden-agent problem may still emerge, and it is still exploitable within the instancing frequency of isomorphic plagiarism slop content. Indeed, an LLM can be guided to try anything people ask, and/or to generate random nonsense content with a sycophantic tone. =3
[dupe] Earlier: https://news.ycombinator.com/item?id=46987559
This is additional context for the incident and should not be treated like a duplicate.
Yes, with a fast-moving story like this we usually point the readers of the latest thread to the previous thread(s) in the sequence rather than merging them. I've added a link to https://news.ycombinator.com/item?id=46987559 to the toptext now.