You must log in or # to comment.
I really do not want an AI doing all of those things for me. That would be like giving a four year old full access to my computer.
The “else-hosted” LLM AI is really not my thing, but selfhosted even less…
If I had the proper equipment, I’d run AI if it were self contained and not pinging out to another LLM.
@irmadlad @selfhosted That is precisely the challenge. I’m not sure it is possible.
Yeah, guess I’ll never understand that whole agentic ai craze. To me it basically looks like
we have a tool that is relatively simple to trick into doing what it’s not supposed to. Let’s feed it arbitrary data and give it the ability to execute arbitrary code!
It’s not arbitrary code in this case, it’s well defined functions, like list emails, read email, delete email. The agentic portion only decides if it should have those functions invoked.
Now if they should is up for debate. Personally I would be afraid it would delete an important email that it incorrectly marks as spam, but others may see value.
It’s not arbitrary code in this case, it’s well defined functions
No, you’re 100% wrong as the bot can just directly run arbitrary bash commands as well as write arbitrary code to a file and run the file. There’s probably a dozen different ways it can run arbitrary code and many more ways it can be exposed to malicious instructions from the internet.
If you allow it to run bash commands, it requires approval before running them:
Yeah, great, except the bot can literally just write whatever it wants to the config file
~/.openclaw/exec-approvals.jsonand give itself approval to execute bash commands.There’s probably a hundred trivial ways to get around these permissions and approval requirements. I’ve played around with this bot and also opencode, and have witnessed opencode bypass permissions in real time by just coming up with a different way to do the thing it is wanting to do.
This is where tools like bubblewrap (bwrap) come in. For opencode, I heavily limit what it can see and what is has access to. No access to my ssh keys or aws credentials or anything else.
- Bot can write to file
- Bot can execute code
You honestly think there isn’t an issue with that?!
Everyone keeps forgetting “if you allow it”. They show you what commands it’s going to run. So yes I’m okay with it, I review everything it will do.
You’ve just described an api…
Yes, that’s pretty much all an mcp server is, that’s what I’m trying to explain. The ai just chooses what commands out of a list. Each command can be disabled or enabled. Everyone freaking out here like it has sudo access or something when you opt into everything it does
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters HTTP Hypertext Transfer Protocol, the Web IMAP Internet Message Access Protocol for email SMTP Simple Mail Transfer Protocol
3 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.
[Thread #46 for this comm, first seen 30th Jan 2026, 16:30] [FAQ] [Full list] [Contact] [Source code]
Getting a Cloudflare Tunnel error here :eyerolling-the-irony:
