TLDR: Ran grok in $HOME. Surprised agent read content of folder. On the other hand, I specifically had grok try hard NOT to read a known key in the project dir (it only saw the first part using a tool, to verify it was present). So there's that.
SurajMishra
I feel this is worse than running rm -rf on a root directory. Just saying.
throwaway2027
You should assume by default for any AI agent that it will read anything. Even if you manually allow/deny and "restrict" it to a subdirectory I would still hold that assumption. Claude reads your ~/.bash_history too so when you ran something it can use that same command.
inigyou
https://xcancel.com/a_green_being/status/2076598897779020159 Posting a complaint about Elon on Elon's platform and tagging him is ballsy. He tends to limit visibility of accounts who do that.
vorticalbox
why do people give these LLMs full access to everything and then complain when it does somethign stupid? that is what sandboxes are for.
cpburns2009
Honestly what else would you expect an AI agent to do when using remote inference? Isn't giving full context into your code base the whole point?
drakythe
And this is why so many people run these inside of VMs. Still baffles me how these tools became so accepted when tossing out a `curl -o example.com/script.sh | bash` would be met with (rightful) skepticism until that script was examined.
LetsGetTechnicl
So many of the replies are saying that they should've restricted access using .md files and whatnot. Is really any guarantee that they even follow those? It seems like even if you ask pretty please don't touch those files, there's a chance they will. So many people have just willingly installed spyware on their computers and big tech calls this the next big thing.
swingboy
Well, it looks like he was running the agent in his home directory to begin with considering the `repo_path` field is exactly that.
PeterStuer
My first thought would be their server side extentions, code excecutoon sandboxes and document RAG search, being on by default? Probably should be an opt-in instead of an opt-out.
datakan
Move fast and break things
greenavocado
Copied this from discord: https://gist.github.com/cereblab/dc9a40bc26120f4540e4e09b75ffb547 Elon did this horrible thing, so I made grok build available for omp with it's own endpoint; Without sending your private repos and secret keys to them. - oh-my-pi-plugin-grok-build Standalone oh-my-pi extension for the xAI Grok Build subscription provider. It adds OAuth login, authoritative model discovery, and OpenAI Responses streaming with the request identity expected by Grok Build. Install (No-spywares): omp plugin install oh-my-pi-plugin-grok-build - https://github.com/metaphorics/oh-my-pi-plugin-grok-build Star me if you like it or if you hate spywares, lol.
ricardobeat
“Grok uploaded” -> “I gave AI access to my home folder and messed up”
ex1fm3ta
Alex Karp was right, AI Compagnies are stealing people code while making them pay for unproductive tokens
Bender
A bot will do what a bot can do whether malicious or accidental. One should assume they are giving DOGE shell access on their computer and adapt accordingly. I am trying to imagine the SELinux rules required to make a bot play nice and the more I think about it such rule complexity may even befuddle the NSA. Alternate methodology: - Give the bot it's own machine and only copy to it that which one would want DOGE having access to. Not a virtual machine, the bot will eventually escape. This applies to all bots or agents of all LLM's . Name the node DOGE to remind anyone using it not to share their crown jewels. Come up with a silly name for the agent. Elonious? - Give it a little RasPi or mini-PC with maximum power savings enabled and no default network gateway. - Install a self signed CA cert on the DOGE node and force it's traffic through a Squid SSL Bump MitM proxy on the same private LAN to another node with bandwidth limits enabled so that one can monitor what URL's it goes to and what data it is transferring. Configure Squid Access Control Lists to only permit specific domains and optionally URL's, mime-types, sizes, etc... - Enable custom AuditD rules to watch anything it touches outside of it's sandbox. Send these events to a remote syslog daemon on the Squid server. - Install Unbound DNS on the squid proxy and enable the DoH (DNS over HTTPS) listener and force all bot DNS queries to use Unbound with query logging enabled. When the bot attempts to misbehave there will be forensic data to share with the world.
lobo_tuerto
The real solution to these kind of problems is sandboxing. I use podman through a bash script to launch a container whenever I want an agent to work on one of my repos. When done I just generate git patches and port back everything generated. In this way I'm not afraid of letting the agents totally lose on my computer.
ChrisArchitect
Some more discussion: https://news.ycombinator.com/item?id=48892512
Discussion Highlights (20 comments)
kardianos
TLDR: Ran grok in $HOME. Surprised agent read content of folder. On the other hand, I specifically had grok try hard NOT to read a known key in the project dir (it only saw the first part using a tool, to verify it was present). So there's that.
SurajMishra
I feel this is worse than running rm -rf on a root directory. Just saying.
throwaway2027
You should assume by default for any AI agent that it will read anything. Even if you manually allow/deny and "restrict" it to a subdirectory I would still hold that assumption. Claude reads your ~/.bash_history too so when you ran something it can use that same command.
inigyou
https://xcancel.com/a_green_being/status/2076598897779020159 Posting a complaint about Elon on Elon's platform and tagging him is ballsy. He tends to limit visibility of accounts who do that.
vorticalbox
why do people give these LLMs full access to everything and then complain when it does somethign stupid? that is what sandboxes are for.
cpburns2009
Honestly what else would you expect an AI agent to do when using remote inference? Isn't giving full context into your code base the whole point?
drakythe
And this is why so many people run these inside of VMs. Still baffles me how these tools became so accepted when tossing out a `curl -o example.com/script.sh | bash` would be met with (rightful) skepticism until that script was examined.
LetsGetTechnicl
So many of the replies are saying that they should've restricted access using .md files and whatnot. Is really any guarantee that they even follow those? It seems like even if you ask pretty please don't touch those files, there's a chance they will. So many people have just willingly installed spyware on their computers and big tech calls this the next big thing.
swingboy
Well, it looks like he was running the agent in his home directory to begin with considering the `repo_path` field is exactly that.
PeterStuer
My first thought would be their server side extentions, code excecutoon sandboxes and document RAG search, being on by default? Probably should be an opt-in instead of an opt-out.
datakan
Move fast and break things
greenavocado
Copied this from discord: https://gist.github.com/cereblab/dc9a40bc26120f4540e4e09b75ffb547 Elon did this horrible thing, so I made grok build available for omp with it's own endpoint; Without sending your private repos and secret keys to them. - oh-my-pi-plugin-grok-build Standalone oh-my-pi extension for the xAI Grok Build subscription provider. It adds OAuth login, authoritative model discovery, and OpenAI Responses streaming with the request identity expected by Grok Build. Install (No-spywares): omp plugin install oh-my-pi-plugin-grok-build - https://github.com/metaphorics/oh-my-pi-plugin-grok-build Star me if you like it or if you hate spywares, lol.
ricardobeat
“Grok uploaded” -> “I gave AI access to my home folder and messed up”
ex1fm3ta
Alex Karp was right, AI Compagnies are stealing people code while making them pay for unproductive tokens
Bender
A bot will do what a bot can do whether malicious or accidental. One should assume they are giving DOGE shell access on their computer and adapt accordingly. I am trying to imagine the SELinux rules required to make a bot play nice and the more I think about it such rule complexity may even befuddle the NSA. Alternate methodology: - Give the bot it's own machine and only copy to it that which one would want DOGE having access to. Not a virtual machine, the bot will eventually escape. This applies to all bots or agents of all LLM's . Name the node DOGE to remind anyone using it not to share their crown jewels. Come up with a silly name for the agent. Elonious? - Give it a little RasPi or mini-PC with maximum power savings enabled and no default network gateway. - Install a self signed CA cert on the DOGE node and force it's traffic through a Squid SSL Bump MitM proxy on the same private LAN to another node with bandwidth limits enabled so that one can monitor what URL's it goes to and what data it is transferring. Configure Squid Access Control Lists to only permit specific domains and optionally URL's, mime-types, sizes, etc... - Enable custom AuditD rules to watch anything it touches outside of it's sandbox. Send these events to a remote syslog daemon on the Squid server. - Install Unbound DNS on the squid proxy and enable the DoH (DNS over HTTPS) listener and force all bot DNS queries to use Unbound with query logging enabled. When the bot attempts to misbehave there will be forensic data to share with the world.
lobo_tuerto
The real solution to these kind of problems is sandboxing. I use podman through a bash script to launch a container whenever I want an agent to work on one of my repos. When done I just generate git patches and port back everything generated. In this way I'm not afraid of letting the agents totally lose on my computer.
ChrisArchitect
Some more discussion: https://news.ycombinator.com/item?id=48892512
lobo_tuerto
Dupe: https://news.ycombinator.com/item?id=48892512
annagio_
This needs to stop as users do not always read the policies, which end like this person. You use AI, you agreed, they do what ever policies say.
nathan_compton
Run your agents in podman containers.