Open source or not, there’s a strong argument that using someone’s API key to make unauthorized requests is a violation of the Computer Fraud and Abuse Act. Using their GitHub credentials to submit PRs without consent is also unauthorized use of access credentials.

The “thoughtless design vs. malice” framing by Anthropic is generous. Shipping formulas that target steveyegge/gastown issues is intentional. Someone wrote those formulas, pointed them at the maintainer’s repo, and included them in the default install. Someone thought it was acceptable I guess because it’s open source?