> the "policy people" will climb out of their holes

I am one of those people and I work at a FANG.

And while I know it seems annoying, these teams are overwhelmed with not only innovators but lawyers asking so many variations of the same question it's pretty hard to get back to the innovators with a thumbs up or guidance.

Also there is a real threat here. The "wiped my hard drive" story is annoying but it's a toy problem. An agent with database access exfiltrating customer PII to a model endpoint is a horrific outcome for impacted customers and everyone in the blast radius.

That's the kind of thing keeping us up at night, not blocking people for fun.

I'm actively trying to find a way we can unlock innovators to move quickly at scale, but it's a bit of a slow down to go fast moment. The goal isn't roadblocks, it's guardrails that let you move without the policy team being a bottleneck on every request.

I think there are two different things at work here that deserve to be separated:

1. The compliance box tickers and bean counters are in the way of innovation and it hurts companies.

2. Claws derive their usefulness mainly from having broad permissions, not only to you local system but also to your accounts via your real identity [1]. Carefulness is very much warranted.

[1] People correct me if I'm misguided, but that is how I see it. Run the bot in a sandbox with no data and a bunch of fake accounts and you'll see how useful that is.

The difference is that _you_ wiped your own hard drive. Even if prompt injection arrives by a scraped webpage, you still pressed the button.

All these claws throw caution to the wind in enabling the LLM to be triggered by text coming from external sources, which is another step in wrecklessness.

I am also ex-FAANG (recently departed), while I partially agree the "policy-people" pop-up fairly often, my experience is more on the inadequate checks side.

Though with the recent layoffs and stuff, the security in Amazon was getting better. Even the best-practices for IAM policies that was the norm in 2018, is just getting enforced by 2025.

Since I had a background of infosec, it always confused me how normal it was to give/grant overly permissive policies to basically anything. Even opening ports to worldwide (0.0.0.0/0) had just been a significant issue in 2024, still, you can easily get away with by the time the scanner finds your host/policy/configuration...

Although nearly all AWS accounts managed by Conduit (internal AWS Account Creation and Management Service), the "magic-team" had many "account-containers" to make all these child/service accounts joining into a parent "organization-account". By the time I left, the "organization-account" had no restrictive policies set, it is up to the developers to secure their resources. (like S3 buckets & their policies)

So, I don't think the policy folks are overall wrong. In the best case scenario, they do not need to exist in the first place! As the enforcement should be done to ensure security. But that always has an exception somewhere in someone's workflow.

my time at a money startup (debit cards) i pushed to legal and security people to change their behaviour from "how can we prevent this" to "how can we enable this - while still staying with the legal and security framework" worked good after months of hard work and day long meetings.

then the heads changed and we were back to square one.

but for a moment it was glorious of what was possible.

>IMO the security pitchforking on OpenClaw is just so overdone.

Isn't the whole selling point of OpenClaw that you give it valuable (personal) data to work on, which would typically also be processed by 3rd party LLMs?

The security and privacy implications are massive. The only way to use it "safely" is by not giving it much of value.

> every time you try something innovative the "policy people" will climb out of their holes and put random roadblocks in your way

This is so relatable. I remember trying to set up an LLM gateway back in 2023. There were at least 3 different teams that blocked our rollout for months until they worked through their backlog. "We're blocking you, but you’ll have to chase and nag us for us to even consider unblocking you"

At the end of all that waiting, nothing changed. Each of those teams wrote a document saying they had a look and were presumably just happy to be involved somehow?

> People without consideration for the implications will inevitably get burned

They will also burn other people, which is a big problem you can’t simply ignore.

https://theshamblog.com/an-ai-agent-published-a-hit-piece-on...

But even if they only burned themselves, you’re talking as if that isn’t a problem. We shouldn’t be handing explosives to random people on the street because “they’ll only blow their own hands”.

This may be a good place to exchange some security ideas. I've configured my OpenClaw in a Proxmox VM, firewalled it off of my home network so that it can only talk to the open Internet, and don't store any credentials that aren't necessary. Pretty much only the needed API keys and Signal linked device credentials. The models that can run locally do run locally, for example Whisper for voice messages or embeddings models for semantic search.

Work expands to fill the allocated resources in literally everything. This same effect can be seen in software engineering complexity more generally, but also government regulators, etc. No department ever downsizes its own influence or budget.

It’s not to feel important, it’s to make others feel they’re important. This is the definition of corporate.

> I work at a FAANG and every time you try something innovative the "policy people" will climb out of their holes and put random roadblocks in your way

What a surprise that someone working in Big Tech would find "pesky" policies to get in their way. These companies have obviously done so much good for the world; imagine what they could do without any guardrails!

He also talks about picoclaw (a IoT solution) and nanoclaw (running on your phone in termux) and has a tiny code base.

What exactly are they self hosting here? Probably not the model, right? So just the harness?

That does sound like the worst of both worlds: You get the dependency and data protection issues of a cloud solution, but you also have to maintain a home server to keep the agent running on?

Great idea, happy to ~steal~ be inspired by.

I propose a few other common elements:

1. Another AI agent (actually bunch of folks in a 3rd-world country) to gatekeep/check select input/outputs for data leaks.

2. Using advanced network isolation techniques (read: bunch of iptables rules and security groups) to limit possible data exfiltration.

  This would actually be nice, as the agent for whatsapp would run in a separate entity with limited network access to only whatsapp's IP ranges...

  Possibly like IFTTT/Zapier/etc. like integration, where you drag/drop objectives/tasks in a *declarative* format and the agent(s) figure out the rest...

There are lots of results for "host openclaw", some from VPS SEO spam, some from dedicated CaaS, some from PaaS. Many of them may be profitable.

I already built an operator so we can deploy nanoclaw agents in kubernetes with basically a single yaml file. We're already running two of them in production (PR reviews and ticket triaging)

In a sense, self-hosting it ( and I would argue for a personal rewrite ) is the only way to limit some of the damage.

I think for me it is an agent that runs on some schedule, checks some sort of inbox (or not) and does things based on that. Optionally it has all of your credentials for email, PayPal, whatever so that it can do things on your behalf.

Basically cron-for-agents.

Before we had to go prompt an agent to do something right now but this allows them to be async, with more of a YOLO-outlook on permissions to use your creds, and a more permissive SI.

Not rocket science, but interesting.

There are a few qualitative product experiences that make claw agents unique.

One is that it relentlessly strives thoroughly to complete tasks without asking you to micromanage it.

The second is that it has personality.

The third is that it's artfully constructed so that it feels like it has infinite context.

The above may sound purely circumstantial and frivolous. But together it's the first agent that many people who usually avoid AI simply LOVE.

That's it basically. I do not think running the tool in a container really solves the fundamental danger these tools pose to your personal data.

A claw is an orchestrator for agents with its own memory, multiprocessing, job queue and access to instant messengers.

He's basically just a marketing guy now for the AI industry.

How does "claw" capture this? Other than being derived from a product with this name, the word "claw" doesn't seem to connect to persistence, scheduling, or inter-agent communication at all.

He didn't name it though, Peter Steinberger did. (Kinda.)

Why do we always have to come up with the stupidest names for things. Claw was a play on Claude, is all. Granted, I don’t have a better one at hand, but that it has to be Claw of all things…

Well now somebody will

Because the author of the blog is paid to post daily about nothing but AI and needs to link farm for clicks and engagement on a daily basis.

Most of the time, users (or the author himself) submit this blog as the source, when in fact it is just content that ultimately just links to the original source for the goal of engagement. Unfortunately, this actually breaks two guidelines: "promotional spam" and "original sourcing".

From [0]

"Please don't use HN primarily for promotion. It's ok to post your own stuff part of the time, but the primary use of the site should be for curiosity."

and

"Please submit the original source. If a post reports on something found on another site, submit the latter."

The moderators won't do anything because they are allowing it [1] only for this blog.

[0] https://news.ycombinator.com/newsguidelines.html

[1] https://news.ycombinator.com/item?id=46450908

Because Simon says.

I’m pretty sure people are using them for local inference. Token rates can be acceptable if you max out the specs. If it was just the harness, they’d use a $20 raspberry pi instead.

Some users are moving to local models, I think, because they want to avoid the agent's cost, or they think it'll be more secure (not). The mac mini has unified memory and can dynamically allocate memory to the GPU by stealing from the general RAM pool so you can run large local LLMs without buying a massive (and expensive) GPU.

A Mac allows it to send iMessage and access the Apple ecosystem.

It's just sending API calls to anthropic, $50 is overkill.

I think this is basically obvious to anyone using one of these but they're just they like the utility trade off like sure it may leak and exfiltrate everything somewhere but the utility of these tools is enough where they just deal with that risk.

could you share that study?

It's just agents as you might know them, but running constantly in a loop, with access to all your personal accounts.

What could go wrong.

https://yepanywhere.com/ But has no Cron system. Just relay / remote web UI that's mobile first. I might add Cron system to it, but I think special purpose tool is better / more focused (I am the author of this)

Openclaw!

You can sandbox anything yourself. Use a VM.

It has a web ui.

i am thinking 2 steps (48 hours in ai land) ahead and conclude we need a linkedin and fiverr for these claws.

The original reason was because people wanted to use iMessage as a transport for agent commands, sent to the agent’s own Apple account.

It’s easier to set up iMessage with real Apple machines, and the Mac mini is the cheapest Apple hardware with a terminal (For now, anyway. That might change in March)

If you don’t want an iMessage-based agent, you don’t need a Mac mini.

It absolutely can be a vm. Someone even got it running on a 2 dollar esp32. Its just making api calls

I don't know but I'm guessing that it's because it makes it easy to give access to it to Mac desktop apps? Not sure what's the VM story with Mac but usually cloud VM stuff is linux so it may be inconvenient for some users to hook it up to their apps/tools.

No shade, I think it looks cool and will likely use it, but next time maybe disclose that you’re the founder?

Someone who uses status to appeal to the tech masses / tech influencer / AI hype man.

https://karpathy.ai/

PHD in neural networks under Fei-Fei Li, founder of OpenAI, director of AI at Tesla, etc. He knows what he's talking about.

Snake oil salesman.

Really smart AI guy ex Tesla, cum educator now cum vibe coder (he coined the term vibe coder)

The person that made the svmjs library I used for a blue monday.

A quick Google might’ve saved you from the embarrassment of not knowing who one of the most significant AI pioneers in history is, and in a thread about AI too.

Just commented in reply to someone else about this:

https://news.ycombinator.com/item?id=47099886

It works and is plug and play. And can also work as a Mac. But getting in short supply since Apple hadn't planned for this new demand.

Apple fans paying apple tax to have an isolated device accessing their profile.

From https://openclaw.ai/blog/introducing-openclaw:

The Naming Journey

We’ve been through some names.

Clawd was born in November 2025—a playful pun on “Claude” with a claw. It felt perfect until Anthropic’s legal team politely asked us to reconsider. Fair enough.

Moltbot came next, chosen in a chaotic 5am Discord brainstorm with the community. Molting represents growth - lobsters shed their shells to become something bigger. It was meaningful, but it never quite rolled off the tongue.

OpenClaw is where we land. And this time, we did our homework: trademark searches came back clear, domains have been purchased, migration code has been written. The name captures what this project has become:

    Open: Open source, open to everyone, community-driven
    Claw: Our lobster heritage, a nod to where we came from