Hacker News

simonw, today at 8:36 PM (2 replies)

This project terrifies me.

On the one hand it really is very cool, and a lot of people are reporting great results using it. It helped someone negotiate with car dealers to buy a car! https://aaronstuyvenberg.com/posts/clawd-bought-a-car

But it's an absolute perfect storm for prompt injection and lethal trifecta attacks: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

People are hooking this thing up to Telegram and their private notes and their Gmail and letting it loose. I cannot see any way that doesn't end badly.

I'm seeing a bunch of people buy a separate Mac Mini to run this on, under the idea that this will at least stop it from destroying their main machine. That's fine... but then they hook that new Mac Mini up to their Gmail and iMessage accounts, at which point they've opened up a bunch of critical data.

This is classic Normalization of Deviance: https://embracethered.com/blog/posts/2025/the-normalization-... - every time someone gets away with running this kind of unsafe system without having their data stolen they'll become more confident that it's OK to keep on using it like this.

Here's Sam Altman in yesterday's OpenAI Town Hall admitting that he runs Codex in YOLO mode: https://www.youtube.com/watch?v=Wpxv-8nG8ec&t=2330s

And that will work out fine... until it doesn't.

(I should note that I've been predicting a headline-grabbing prompt injection attack in the next six months every six months for over two years now and it still hasn't happened.)

Update: here's a report of someone uploading a "skill" to the https://clawdhub.com/ shared skills marketplace that demonstrates (but thankfully does not abuse) remote code execution on anyone who installed it: https://twitter.com/theonejvo/status/2015892980851474595 / https://xcancel.com/theonejvo/status/2015892980851474595
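The "lethal trifecta" the post refers to is the combination of (1) access to private data, (2) exposure to content an attacker can author, and (3) a channel that can send data out. The block below is an added illustration, not code from the original post or from the project under discussion: it audits a tool set for that combination and sketches one runtime mitigation, a one-way taint rule that refuses any outbound tool once both private data and untrusted content have entered the session. Tool names, their capability labels and the policy itself are assumptions made for the example.

```python
"""Capability audit for an LLM agent's tool set, in the spirit of the
"lethal trifecta" framing: private data + untrusted content + an outbound
channel. Added example; tool names and labels are constructed."""
from dataclasses import dataclass, field
from enum import Flag, auto


class Cap(Flag):
    NONE = 0
    PRIVATE_DATA = auto()     # reads data the owner would not want leaked
    UNTRUSTED_INPUT = auto()  # ingests content an attacker can author
    EXFIL = auto()            # can move data outside the owner's control


@dataclass(frozen=True)
class Tool:
    name: str
    caps: Cap


# Constructed examples of a "hook it up to everything" setup (assumed labels).
GMAIL_READ = Tool("gmail.read_inbox", Cap.PRIVATE_DATA | Cap.UNTRUSTED_INPUT)
GMAIL_SEND = Tool("gmail.send", Cap.EXFIL)
NOTES_READ = Tool("notes.read", Cap.PRIVATE_DATA)
# A plain URL fetcher is both an injection source and an exfil channel:
# the model can encode secrets into the query string of the URL it fetches.
WEB_FETCH = Tool("web.fetch", Cap.UNTRUSTED_INPUT | Cap.EXFIL)
TELEGRAM_RECV = Tool("telegram.receive", Cap.UNTRUSTED_INPUT)
TELEGRAM_OWNER = Tool("telegram.send_to_owner", Cap.NONE)  # owner's own chat only

TRIFECTA = Cap.PRIVATE_DATA | Cap.UNTRUSTED_INPUT | Cap.EXFIL


def combined_caps(tools) -> Cap:
    """Union of every capability the agent has been granted."""
    caps = Cap.NONE
    for t in tools:
        caps |= t.caps
    return caps


def has_lethal_trifecta(tools) -> bool:
    """True if the tool set as a whole grants all three capabilities."""
    return (combined_caps(tools) & TRIFECTA) == TRIFECTA


@dataclass
class Session:
    """Runtime guard (assumed policy): once private data and untrusted
    content are both in the context, refuse any tool that can exfiltrate.
    Taint is one-way; nothing the model says can clear it."""
    tainted: bool = False       # untrusted content has been read
    has_private: bool = False   # private data has been read
    log: list = field(default_factory=list)

    def call(self, tool: Tool) -> bool:
        """Return True if the call is allowed under the taint policy."""
        if Cap.EXFIL in tool.caps and self.tainted and self.has_private:
            self.log.append(f"BLOCKED {tool.name}: private data and "
                            "untrusted content both in context")
            return False
        if Cap.UNTRUSTED_INPUT in tool.caps:
            self.tainted = True
        if Cap.PRIVATE_DATA in tool.caps:
            self.has_private = True
        self.log.append(f"ALLOWED {tool.name}")
        return True


if __name__ == "__main__":
    print("gmail only:", has_lethal_trifecta([GMAIL_READ, GMAIL_SEND]))
    print("notes + fetch:", has_lethal_trifecta([NOTES_READ, WEB_FETCH]))
    s = Session()
    for t in (NOTES_READ, TELEGRAM_RECV, GMAIL_SEND):
        s.call(t)
    print("\n".join(s.log))
```

Two things the audit makes visible that a tool list does not: a single inbox reader already supplies two of the three legs, and "notes plus a web fetcher" is the full trifecta even though neither tool looks like an email sender. The taint guard is deliberately coarse; it blocks legitimate sends after any untrusted read in the same session, which is the price of not having the model itself decide what is safe to send.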


Replies

newyankee, today at 9:03 PM

I already feel the same when using Claude Cowork, and I wonder how far the normalcy quotient can be moved with all these projects.

cowpig, today at 9:02 PM

I find it completely crazy. If I wanted to launch a cyberattack on the western economy, I guess I would just need to:

* open-source a vulnerable vibe-coded assistant

* launch a viral marketing campaign with the help of some sophisticated crypto investors

* watch as hundreds of thousands of people in the western world voluntarily hand over their information infrastructure to me