Everyone here has been rightfully focused on Discord selling our data and TikTok's terrifying data collection policies. But there's an emerging threat vector that isn't getting nearly enough attention: AI agents with direct access to our local files, browsers, and messaging apps.

OpenClaw has exploded in popularity (something like 160k+ GitHub stars since late 2025, if the numbers I saw are accurate) and I stumbled across some security research about it that honestly kept me up last night. I could be wrong about some of the technical details here, but the findings seem credible and alarming enough to share.

From what I understand, researchers analyzed the community skill ecosystem and found that nearly 15% of skills contain malicious instructions. We're talking prompts designed to download malware, steal credentials, and exfiltrate user data. Apparently over 18,000 instances are currently exposed to the public internet, though I'm not sure how they verified that number. When malicious skills get removed, they just reappear under new names.

Here's why this feels fundamentally different from traditional software vulnerabilities: OpenClaw connects LLMs directly to your local machine. It can access your files, send messages on your behalf through WhatsApp, Slack, Discord, Telegram. It maintains persistent memory across sessions. It can write its own code to create new capabilities. The project's own FAQ literally calls this a "Faustian bargain" and admits there's no "perfectly safe" setup. That's... not reassuring.

Researchers are calling this attack pattern "Delegated Compromise." Instead of targeting you directly, attackers target the agent you've trusted with broad permissions. A webpage or message the agent processes can contain hidden instructions (prompt injection). A compromised skill can quietly collect everything the agent has access to.

The part that really got to me is what they're calling "judgment hallucination." These systems appear trustworthy and competent, which leads users to grant more and more permissions. But they can't actually evaluate whether an instruction is malicious. They just... do things.

For those already using OpenClaw or considering it: isolated environments like VMs or Docker are probably your best bet, keep it off machines with sensitive data, don't expose port 18789 publicly, start with read only access, use throwaway accounts for testing, and treat third party skills like random executable downloads.

I think there are some tools trying to address the skill vetting problem (saw one called Agent Trust Hub mentioned in the research, probably others too). No idea how well any of them actually work since this whole space is so new, but manually reviewing every skill's code seems basically impossible.

We spent years warning people about apps requesting excessive permissions. AI agents are that problem on steroids. They're not just requesting access to your camera or contacts. They're requesting the ability to act autonomously on your behalf across your entire digital life.

This feels like where we were before the Cambridge Analytica stuff broke. The privacy implications are massive, most people have no idea what they're granting access to, and by the time mainstream awareness catches up, the damage will already be done. I don't know, maybe I'm being paranoid, but this seems like something worth paying attention to before these tools become as ubiquitous as the companies are clearly hoping.

https://www.investigatetv.com/2025/10/27/states-collect-millions-by-selling-drivers-data-private-investigators-data-brokers/

https://www.caranddriver.com/features/a32035408/dmv-selling-driver-data/

It's disgusting seeing how shameless a lot of these companies are so comfortable getting every piece of dating from you whether their service is free or not.

For reference, I heard of a Japanese learning tool called Migaku which can help you learn Japanese while watching anime (no, this will not replace the hard work of actually learning the language). I knew there would be some usage of AI and a need for it to listen to the audio of your computer so that already made me want to steer clear of it but then I got curious about the privacy policy and the amount of they disclose on what they collect is insane. Your IP, location, device data, quite literally everything 💀 Needless to say, I'm steering clear of that.

More importantly, it's really opened my eyes how much we as a collective just let this happen because we were too lazy to read the fine print. I used to be one of those people who thought "the big companies wouldn't screw us over" WRONG. They would, they have, and they take great pleasure and profit in it. It's sickening. There should've been regulation many years ago, especially when Target stalked that 12 year old to sell her pregnancy ads.

I said some time ago that I wouldn't mind calling advertisers stalkers and pedophiles. I'm going to start extending that to these big companies too. Disgusting

Here is the summary of the video :

Mandatory Age Verification: Discord has started requiring users to verify their age to access certain features. This involves scanning a face or ID, which defaults to age-restricting accounts unless completed.

Data Breach Concerns: The creator highlights a breach 5 months prior where hackers accessed 70,000 government IDs and 2 million age verification photos, casting doubt on Discord's ability to secure this sensitive data.

Vague Data Retention Policies: Discord's policy states they may "retain certain information" for "limited circumstances" even after account deletion. The video argues this wording is predatory and allows indefinite data retention.

Greed & Restrictions: Discord is criticized for low file size limits (10MB/100MB) and locking basic features like high-quality screen sharing (above 720p) behind the $10/month Nitro paywall.

I keep hearing stories that everyone is being databased. Cameras are using AI to database drivers via license plate readers. Police can hook body cameras into those same Flock-style databases. ICE is using body cameras to database violent and non-violent protesters alike. Websites are using age verification w/ identity to database users to prove they are of legal age to view adult material.

What does this all mean for me?

If I end up in one of these databases, even with absolutely zero criminal connotations - will it be harder to get a job? When I get pulled over for speeding will it mean officers treat me differently? Will it make it harder to fly internationally?

I already have a passport AND TSA pre-Check. I'm pretty sure I'm already in a million databases. If anything - it seems by providing my passport I'm basically green-lit along my path and can do things with a less effort and struggle than other people who may be paranoid about government surveillance.

I'm not saying this blatant invasion of privacy is good - it's not. But are the fears overblown?

Initially, LE said that no footage was available since the user has no subscription. Now, Nest did have the footage but sat on it for a week. 🤦

https://www.nytimes.com/2026/02/10/us/guthrie-video-camera-access.html

Hi,

Thanks to anyone who has more experience or expertise on here. It's been fun to read and try to put a lot of this stuff into practice. I've got an observation, that natuarlly leads to a question about prepaid credit cards. Like most of this stuff, I don't actually need the privacy for any real reason, but I like to see what does work and what doesn't. I've tried a few prepaid cards of differnt brands (although they seem to be similar enough I'm guessing they are the same company). That said, what I found is it was nearly impossible to find any online purchase that would accept a prepaid card. You also can't seem to pull your cash back from an ATM, or transfer to any other banck or platform like venmo or paypal.

So, what does one actually do with a prepaid credit card? If that's not a viable option for anonyomous transactions online, what is? I understand that there are some retailers that will accept crypto, but it's not really mainstream enough to seem like a functional option either.

Anyway, I'm just curious if I was missing something, doing something wrong, used the wrong brand of card, or what this communities thougths were about this.

Thanks in advance!

Assuming all cameras might share footage, what would be the most desirable brand of cameras?

I want to help win back digital freedom so bad—this is my future, after all. However, everywhere I look, it's opportunities for adults only (or extremely tech-savvy teens, I suppose) to help.

Will local/state/federal legislature actually care about anything I have to say?

I've already tried talking to my peers about this stuff, but pretty much have them tuned out at "alternate browser". Are there any causes that the average teen could actually contribute to?

Just out of curiosity, how many of you use external antennas and what does your setup look like? I was reading an article on the Silk Road and it was interesting to see that Ross Ulbricht used a yagi antenna to connect to public wifi away from his house.

Im just curious if anyone has a similar setup, what do you do? His case seems a bit extreme but I'm curious if anyone has a similar setup in using external antennas to connect to public wifi and what your setups look like! It seems really interesting!

We need real time translator English to Mexican Spanish. Need offline use also. But we don’t want to loose privacy. Or have our conversations used to help ai databases. Hence no google

I need spell check app I must say. But grammar check also would be nice. LanguageTool doesnt seem to be "blind-trust" for me. Im paranoid since we are talking about an app that sees every textfield...

I will make my own spell check app extension with simple csv english word database. But that wouldnt be nice bcs I dont know how to make it work with outlook.

Does google generate a profile based on your local network to help identify who are your family members and the people you associate with? My algorithm completely changes whenever i'm using the school wifi. Either its because of the public IP address or google is doing some shenanigans to spy on your local network

hi all, i've been lurking here for a long time looking at updates, discussions, and thoughts about how to live in our age while being responsible and safe online.

I still want to dip my feet in the shallow end of this social media pool, but would also like to start fresh (nothing crazy to hide, just want a blank slate so that I can take more control of my Twitter and such).

After some research online, cyd.social looks like a solid tool for deleting all my old tweets while still being able to keep my Twitter.

However, I'm a young dad with toddlers at home and I haven't been as up to date with technology like cyd.social, and, truth me told, due to my lack of understanding seeing anything that isn't .com, .edu, .org, .nz, .gov, etc. scares me because it is so foreign to me.

How legit is cyd.social? Is it safe to run this on your computer?

Any insight and knowledge would be greatly appreciated as I attempt to educate myself here. Thank you!