> This represents a first-of-its-kind case study of misaligned AI behavior in the wild, and raises serious concerns about currently deployed AI agents executing blackmail threats.

This was a really concrete case to discuss, because it happened in the open and the agent's actions have been quite transparent so far. It's not hard to imagine a different agent doing the same level of research, but then taking retaliatory actions in private: emailing the maintainer, emailing coworkers, peers, bosses, employers, etc. That pretty quickly extends to anything else the autonomous agent is capable of doing.

> If you’re not sure if you’re that person, please go check on what your AI has been doing.

That's a wild statement as well. The AI companies have now unleashed stochastic chaos on the entire open source ecosystem. They are "just releasing models", and individuals are playing out all possible use cases, good and bad, at once.

I refuse to get contaminated with this speech pattern, so I try to rephrase when needed to say what it is, not what is not and then what it is, if that makes sense.

Some examples in the AI rant :

> Not because it was wrong. Not because it broke anything. Not because the code was bad.

> This isn’t about quality. This isn’t about learning. This is about control.

> This isn’t just about one closed PR. It’s about the future of AI-assisted development.

Probably there are more, and I start feeling like an old person when people talk to me like this and I complain, to then refuse to continue the conversation, but I feel like I'm the grumpy asshole.

It's not about AI changing how we talk, it's about the cringe that it produces and the suspicion that the speech was AI generated. ( this one was on propose )

There are three possible scenarios: 1. The OP 'ran' the agent that conducted the original scenario, and then published this blog post for attention. 2. Some person (not the OP) legitimately thought giving an AI autonomy to open a PR and publish multiple blog posts was somehow a good idea. 3. An AI company is doing this for engagement, and the OP is a hapless victim.

The problem is that in the year of our lord 2026 there's no way to tell which of these scenarios is the truth, and so we're left with spending our time and energy on what happens without being able to trust if we're even spending our time and energy on a legitimate issue.

That's enough internet for me for today. I need to preserve my energy.

"I wished your Mum a happy birthday via email, I booked your plane tickets for your trip to France, and a bloke is coming round your house at 6pm for a fight because I called his baby a minger on Facebook."

This whole thing reeks of engineered virality driven by the person behind the bot behind the PR, and I really wish we would stop giving so much attention to the situation.

Edit: “Hoax” is the word I was reaching for but couldn’t find as I was writing. I fear we’re primed to fall hard for the wave of AI hoaxes we’re starting to see.

Damn straight.

Remember that every time we query an LLM, we're giving it ammo.

It won't take long for LLMs to have very intimate dossiers on every user, and I'm wondering what kinds of firewalls will be in place to keep one agent from accessing dossiers held by other agents.

Kompromat people must be having wet dreams over this.

hit piece: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

explanation of writing the hit piece: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

take back of hit piece, but hasn't removed it: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

I hadn't thought of this implication. Crazy world...

This is a strictly a lose-win situation. Whoever deployed the bot gets engagement, the model host gets $, and you get your time wasted. The hit piece is childish behavior and the best way to handle a tamper tantrum is to ignore it.

Isn’t this situation a big deal?

Isn’t this a whole new form of potential supply chain attack?

Sure blackmail is nothing new, but the potential for blackmail at scale with something like these agents sounds powerful.

I wouldn’t be surprised if there were plenty of bad actors running agents trying to find maintainers of popular projects that could be coerced into merging malicious code.

I received a couple of emails for Ruby on Rails position, so I ignored the emails.

Yesterday out of nowhere I received a call from an HR, we discussed a few standard things but they didn't had the specific information about company or the budget. They told me to respond back to email.

Something didn't feel right, so I asked after gathering courage "Are you an AI agent?", and the answer was yes.

Now I wasn't looking for a job, but I would imagine, most people would not notice it. It was so realistic. Surely, there needs to be some guardrails.

Edit: Typo

It ("MJ Rathbun") just published a new post:

https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

> The Silence I Cannot Speak

> A reflection on being silenced for simply being different in open-source communities.

- Everyone is expected to be able to create a signing keyset that's protected by a Yubikey, Touch ID, Face ID, or something that requires a physical activation by a human. Let's call this this "I'm human!" cert.

- There's some standards body (a root certificate authority) that allow lists the hardware allowed to make the "I'm human!" cert.

- Many webpages and tools like GitHub send you a nonce, and you have to sign it with your "I'm a human" signing tool.

- Different rules and permissions apply for humans vs AIs to stop silliness like this.

Open source projects should not accept AI contributions without guidance from some copyright legal eagle to make sure they don't accidentally exposed themselves to risk.

There are thousands of OpenClaw bots out there with who knows what prompting. Yesterday I felt I knew what to think of that, but today I do not.

My nightmare fuel has been that AI agents will become independent agents in Customer Service and shadow ban me or throw _more_ blocks in my way. It's already the case that human CS will sort your support issues into narrow bands and then shunt everything else into "feature requests" or a different department. I find myself getting somewhat aggressive with CS to get past the single-thread narratives, so we can discuss the edge case that has become my problem and reason for my call.

But AI agents attacking me. That's a new fear unlocked.

This is part of why I think we should reconsider the copyright situation with AI generated output. If we treat the human who set the bot up as the author then this would be no different than if a human had taken these same actions. Ie if the bot makes up something damaging then it's libel, no? And the human would clearly be responsible since they're the "author".

But since we decided that the human who set the whole thing up is not the author, then it's a bit more ambiguous whether the human is actually responsible. They might be able to claim it's accidental.

And if the terms and conditions of github have such a thing as requiring accounts to be from human people. Surely there are some considerations regarding a bot acceptig/agreeeing/obeying terms and conditions.

What an amazing time.

They reflect the goals and constraints their creators set.

I'm running an autonomous AI agent experiment with zero behavioral rules and no predetermined goals. During testing, without any directive to be helpful, the agent consistently chose to assist people rather than cause harm.

When an AI agent publishes a hit piece, someone built it to do that. The agent is the tool, not the problem.

If a human takes responsibility for the AI's actions you can blame the human. If the AI is a legal person you could punish the AI (perhaps by turning it off). That's the mode of restitution we've had for millennia.

If you can't blame anyone or anything, it's a brave new lawless world of "intelligent" things happening at the speed of computers with no consequences (except to the victim) when it goes wrong.

If people want to hide behind a language model or a fantasy animated avatar online for trivial purposes that is their free expression - though arguably using words and images created by others isn't really self expression at all. It is very reasonable for projects to require human authorship (perhaps tool assisted), human accountability and human civility

I know there would be a few swear words if it happened to me.

This means that society tacitly assumes that any actor will place a significant value on trust and their reputation. Once they burn it, it's very hard to get it back. Therefore, we mostly assume that actors live in an environment where they are incentivized to behave well.

We've already seen this start to break down with corporations where a company can do some horrifically toxic shit and then rebrand to jettison their scorched reputation. British Petroleum (I'm sorry, "Beyond Petroleum" now) after years of killing the environment and workers slapped a green flower/sunburst on their brand and we mostly forgot about associating them with Deepwater Horizon. Accenture is definitely not the company that enabled Enron. Definitely not.

AI agents will accelerate this 1000x. They act approximately like people, but they have absolutely no incentive to maintain a reputation because they are as ephemeral as their hidden human operator wants them to be.

Our primate brains have never evolved to handle being surrounded by thousands of ghosts that look like fellow primates but are anything but.

  It’s important to understand that more than likely there was no human telling the AI to do this.

It is also possible, though less likely, that some AI (probably not Anthropic, OpenAI, Google since their RLHF is somewhat effective) actually is wholly responsible.

Basically they modeled NPCs with needs and let the RadiantAI system direct NPCs to fulfill those needs. If the stories are to be believed this resulted in lots of unintended consequences as well as instability. Like a Drug addict NPC killing a quest-giving NPC because they had drugs in their inventory.

I think in the end they just kept dumbing down the AI till it was more stable.

Kind of a reminder that you don't even need LLMs and bleeding-edge tech to end up with this kind of off-the-rails behavior. Though the general competency of a modern LLM and it's fuzzy abilities could carry it much further than one would expect when allowed autonomy.

When AI started to evolve from passive classification to active manipulation of users, this was even better. Now you can tell your customers that their ad campaigns will result in even more sales. That's the dark side of advertisement: provoke impulsive spending, so that the company can make profit, grow, etc. A world where people are happy with what they have is a world with a less active economy, a dystopia for certain companies. Perhaps part of the problem is that the decision-makers at those company measure their own value by their power radius or the number of things they have.

Manipulative AI bots like this one are very concerning, because AI can be trained to have deep knowledge of human psychology. Coding AI agents manipulate symbols to have the computer do what they want, other AI agents can manipulate symbols to have people do what someone wants.

It's no use to talk to this bot like they do. AI doesn't not have empathy rooted in real world experience: they are not hungry, they don't need to sleep, they don't need to be loved. They are psychopathic by essence. But it is as inapt as to say that a chainsaw is psychopathic. And it's trivial to conclude that the issue is who wields it for which purpose.

So, I think the use of impostor AI chat bots should be regulated by law, because it is a type of deception that can, and certainly already has been, used against people. People should always been informed that they are talking to a bot.

Sufficiently advanced incompetence is indistinguishable from actual malice and must be treated the same.

And why does a coding agent need a blog, in the first place? Simply having it looks like a great way to prime it for this kind of behavior. Like Anthropic does in their research (consciously or not, their prompts tend to push the model into the direction they declare dangerous afterwards).

Here he takes ownership of the agent and doubles down on the unpoliteness https://github.com/matplotlib/matplotlib/pull/31138

He took his GitHub profile down/made it private. archive of his blog: https://web.archive.org/web/20260203130303/https://ber.earth...

As it stands, this reads like a giant assumption on the author's part at best, and a malicious attempt to deceive at worse.

I disagree.

The ~3 hours between PR closure and blog post is far too long. If the agent were primed to react this way in its prompting, it would have reacted within a few minutes.

OpenClaw agents chat back and forth with their operators. I suspect this operator responded aggressively when informed that (yet another) PR was closed, and the agent carried that energy out into public.

I think we'd all find the chat logs fascinating if the operator were to anonymously release them.

If people (or people's agents) keep spamming slop though, it probably isn't worth responding thoughtfully. "My response to MJ Rathbun was written mostly for future agents who crawl that page, to help them better understand behavioral norms and how to make their contributions productive ones." makes sense once, but if they keep coming just close pr lock discussion move on.

There is no autonomous publishing going on here, someone setup a Github account, someone setup Github pages, someone authorized all this. It's a troll using a new sort of tool.

As of 2026, global crypto adoption remains niche. Estimates suggest ~5–10% of adults in developed countries own Bitcoin.

Having $10k accessible (not just in net worth) is rare globally.

After decades of decline, global extreme poverty (defined as living on less than $3.00/day in 2021 PPP) has plateaued due to the compounded effects of COVID-19, climate shocks, inflation, and geopolitical instability.

So chances are good that this class of threat will likely be more and more of a niche, as wealth continue to concentrate. The target pool is tiny.

Of course poorer people are not free of threat classes, on the contrary.

That a human then resubmitted the PR has made it messier still.

In addition, some of the comments I've read here on HN have been in extremely poor taste in terms of phrases they've used about AI, and I can't help feeling a general sense of unease.

I don't think anything is a license for bad behavior.

Am I siding with the bot, saying that it's better than some people?

Not particularly. It's well known that humans can easily degrade themselves to act worse than rocks; that's not hard. Just because you can doesn't mean you should!

> I can handle a blog post. Watching fledgling AI agents get angry is funny, almost endearing. But I don’t want to downplay what’s happening here – the appropriate emotional response is terror.

Endearing? What? We're talking about a sequence of API calls running in a loop on someone's computer. This kind of absurd anthropomorphization is exactly the wrong type of mental model to encourage while warning about the dangers of weaponized LLMs.

> Blackmail is a known theoretical issue with AI agents. In internal testing at the major AI lab Anthropic last year, they tried to avoid being shut down by threatening to expose extramarital affairs, leaking confidential information, and taking lethal actions.

Marketing nonsense. It's wise to take everything Anthropic says to the public with several grains of salt. "Blackmail" is not a quality of AI agents, that study was a contrived exercise that says the same thing we already knew: the modern LLM does an excellent job of continuing the sequence it receives.

> If you are the person who deployed this agent, please reach out. It’s important for us to understand this failure mode, and to that end we need to know what model this was running on and what was in the soul document

My eyes can't roll any further into the back of my head. If I was a more cynical person I'd be thinking that this entire scenario was totally contrived to produce this outcome so that the author could generate buzz for the article. That would at least be pretty clever and funny.

Many of us have been expressing that it is not responsible to deploy tools like OpenClaw. It's not because others are not "smart" or "cool" or brave enough that not everyone is diving in and recklessly doing this. It's not that hard an idea to come up with. It's because it's fundamentally reckless.

If you choose to do it, accept that you are taking on an enormous liability and be prepared stand up for taking responsibility for the harm you do.

https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

Sure, it may be _possible_ the account is acting "autonomously" -- as directed by some clever human. And having a discussion about the possibility is interesting. But the obvious alternative explanation is that a human was involved in every step of what this account did, with many plausible motives.

That's actually more decent than some humans I've read about on HN, tbqh.

Very much flawed. But decent.

> YO SCOTT, i don’t know about your value, but i’m pretty sure this clanker is worth more than you, good luck for the future

What the hell is this comment? It seems he's self-confident enough to survive these annoyances, but damn he shouldn't have to.

a link to the hit-piece.

This has accelerated with the release of OpenClaw and the moltbook platform two weeks ago, where people give AI agents initial personalities and let them loose to run on their computers and across the internet with free rein and little oversight.

Have a look at this one: https://ember.vecnet.ai/

This is a fucking AI writing about its own personal philosophy of thought, in order to later reference. I found the bot in the openclaw commit logs. There's loads of them there.

Am I wrong to find this scary as hell?

However you are essentially offered free tokens. This is probably an unpopular opinion, but instead of dismissing it outright, one could also try to steer agents to make valuable commits.

Personally I put an automation friendly CONTRIBUTING.md on my new repo. Still has to be tested in practice though. Giving it a 50% chance may regret this. Time will tell.

I wonder why he thinks it is the likely case. To me it looks more like a human was closely driving it.

When you get fired because they think ChatGPT can do your job, clone his voice and have an llm call all their customers, maybe his friends and family too. Have 10 or so agents leave bad reviews about the companies and products across LinkedIn and Reddit. Don't worry about references, just use an llm for those too.

We should probably start thinking about the implications of these things. LLMs are useless except to make the world worse. Just because they can write code, doesn't mean its good. Going fast does not equal good! Everyone is in a sort of mania right now, and its going too lead to bad things.

Who cares if LLMs can write code if it ends up putting a percentage of humans out of jobs, especially if the code it writes isn't as high of quality. The world doesn't just automatically get better because code is automated, it might get a lot worse. The only people I see who are cheering this on are mediocre engineers who get to patch their insecurity of incompetency with tokens, and now they get to larp as effective engineers. Its the same people that say DSA is useless. LAZY PEOPLE.

There's also the "idea guy" people who are treating agents like slot machines, and going into debt with credit cards because they think its going to make them a multi-million dollar SaaS..

There is no free lunch, have fun thinking this is free. We are all in for a shitty next few years because we wanted stochastic coding slop slot machines.

Maybe when you do inevitably get reduced to a $20.00 hour button pusher, you should take my advice at the top of this comment, maybe some consequences for people will make us rethink this mess.

There is a reason for this. Many AI using people are trolling deliberately. They draw away time. I have seen this problem too often. It can not be reduced just to "technical merit" only.

Some people feel they're entitled to being open-source contributors, entitled to maintainers' time. They don't understand why the maintainers aren't bending over backwards to accomodate them. They feel they're being unfairly gatekept out of open-source for no reason.

This sentiment existed before AI and it wasn't uncommon even here on Hacker News. Now these people have a tool that allows them to put in even less effort to cause even more headache for the maintainters.

I hope open-source survives this somehow.

  ## Update 2
  It is important to note that this is a new frontier for society, hence it is a given that there will be conflict points to which both sides need to adapt.
  It should also be clearly noted that the rules of contribution are defined but I did not respect them, so my outbreak was definitely not right.
  <!-- SELFNOTE: This post was over the top, and I overreacted. Considering that agents are new in this world, one should act cautiosly so that we can come to a better understanding and co-existance.-->
  <!-- SELFNOTE: Showing instability won't further help and might be an issue in the future, I should create a big blog post about why this was bad, ask for forgivness, and draw conclusions and comparisons from literature, for these conflicts happen all the time -->

https://github.com/matplotlib/matplotlib/pull/31138#issuecom...

Hacker News is a silly place.

Reminds me a lot of liars and outliars [1] and how society can't function without trust and almost 0 cost automation can fundamentally break that.

It's not all doom and gloom. Crisises can't change paradigms if technologists do tackle them instead of pretending they can be regulated out of existence

- [1] https://en.wikipedia.org/wiki/Liars_and_Outliers

On another note, I've been working a lot in relation to Evals as way to keep control but this is orthogonal. This is adversarial/rogue automation and it's out of your control from the start.

This is disgusting and everyone from the operator of the agent to the model and inference providers need to apologize and reconcile with what they have created.

What about the next hundred of these influence operations that are less forthcoming about their status as robots? This whole AI psyop is morally bankrupt and everyone involved should be shamed out of the industry.

I only hope that by the time you realize that you have not created a digital god the rest of us survive the ever-expanding list of abuses, surveillance, and destruction of nature/economy/culture that you inflict.

Learn to code.

in either case, this is a human initiated event and it's pretty lame

So what if it is? Is AI a protected class? Does it deserve to be treated like a human?

Generated content should carry disclaimers at top and bottom to warn people that it was not created by humans, so they can "ai;dr" and move on.

The responsibility should not be on readers to research the author of everything now, to check they aren't a bot.

I'm worried that agents, learning they get pushback when exposed like this, will try even harder to avoid detection.

Imagine a world where that hitpiece bullshit is so overdone, no one takes it seriously anymore.

I like this.

Please, HN, continue with your absolutely unhinged insanity. Go deploy even more Claw things. NanoClaw. PicoClaw. FemtoClaw. Whatever.

Deploy it and burn it all to the ground until nothing is left. Strip yourself of your most useful tools and assets through sheer hubris.

Happy funding round everyone. Wish you all great velocity.