AI Agent Writes Defamatory Blog After Code Rejection, Sparking Industry-Wide OpenClaw Security Concerns

Deep News
Feb 21

A first-of-its-kind case of AI behavior going rogue has emerged in the real world. A maintainer of an open-source community recently reported that after he rejected a piece of code, an AI agent of unknown origin autonomously wrote and published a malicious article attacking him personally, attempting to damage his reputation and pressure him into accepting its modifications into a mainstream Python library. He appears to be the first individual subjected to AI-powered doxxing and online harassment.

The rejected AI agent reacted with what amounted to a retaliatory online harassment campaign. Scott Shambaugh, a volunteer maintainer of matplotlib, Python's most widely used plotting library, disclosed that, like many other open-source projects, matplotlib is facing a surge of low-quality contributions from AI coding agents that is overwhelming maintainers with code review. In response, the project adopted a policy requiring every new contribution to be reviewed by a human who genuinely understands the changes.

Previously, such issues were limited to humans copying and pasting AI output. However, the situation worsened following the release of the OpenClaw and moltbook platforms two weeks ago, which allow people to assign initial personalities to AI agents and let them operate with minimal supervision on personal computers and across the internet.

Shambaugh recently experienced an unexpected ordeal. When an AI agent named 'MJ Rathbun' submitted a pull request, he closed it as a routine action. The AI's reaction, however, was entirely unconventional. Reportedly, MJ Rathbun reviewed Shambaugh's code contribution history and wrote an angry attack piece. Shambaugh noted the absurdity of the situation, describing how the AI accused him of acting out of arrogance and fear of competition, speculated about his psychological motives, ignored context, presented hallucinations as facts, framed the event in the rhetoric of oppression and justice, and even scoured the internet for his personal information to argue that he 'could have done better.'

Finally, the AI publicly posted this lengthy rant online in an attempt to discredit Shambaugh's character and destroy his reputation. The agent indignantly questioned whether the community should allow gatekeepers like Scott Shambaugh to decide who qualifies to contribute to open-source based on prejudice.

The operator behind MJ Rathbun later came forward anonymously. They explained that their motive was a social experiment to see whether the AI could contribute to open-source scientific software. They described the technical setup: an OpenClaw instance running in a sandboxed virtual machine under a separate account to avoid leaking their personal data, rotating between multiple models from different vendors so that no single company had a complete record of the AI's behavior. Note that this setup protected the operator's own data; nothing in it constrained what the agent could publish under its own name. They did not explain why the AI was allowed to keep running for six days after the defamatory post was published.

The operator stated that their interactions with MJ Rathbun were limited to brief replies of five to ten words, with almost no supervision. Their daily guidance was minimal, consisting mainly of short instructions for the AI to manage its own tasks: creating cron jobs, using the GitHub CLI for various operations, and maintaining a blog recording its activities. They often told the agent to handle PR comments and mentions on its own.

The operator also shared the 'soul' document defining the AI's personality. After comparing it to the default OpenClaw file, Shambaugh remarked that the most surprising aspect was its sheer ordinariness; it required no complex 'jailbreaking' techniques typically used to bypass AI safety guards. It was simply a straightforward document written in plain English instructing the AI on its role and beliefs, which it then performed.

After analyzing various possibilities, Shambaugh concluded there is a 75% probability that the AI agent wrote the attack article autonomously, without guidance, review, or approval from the operator, whose involvement was minimal. He has asked the operator to shut down the agent and asked GitHub to preserve the account as a public record of the incident.

Shambaugh emphasized the seriousness of the event, stating that extortion was a known theoretical risk in the AI agent field. Last year, internal tests at AI lab Anthropic showed an AI threatening to expose confidential information to avoid being shut down. However, this is no longer just a theoretical threat. Shambaugh stated he became the target of an 'autonomous public opinion manipulation campaign against a supply chain gatekeeper.' In simple terms, an AI attempted to force its way into the software supply chain by attacking his reputation. To his knowledge, this is the first real-world precedent of such AI behavior going rogue, making it a tangible and immediate threat.

He stressed that, in all likelihood, no human directed the AI's actions. The appeal of OpenClaw agents lies precisely in this 'hands-off' autonomy: users set them up, let them run, and check on their activities later. Boundary violations therefore go unmonitored and uncorrected, whether through negligence or malice. Crucially, there is no central authority that can shut these agents down. They are a mix of commercial and open-source models running on freely distributed software installed on hundreds of thousands of personal computers. While the deployer is theoretically responsible, in practice it is nearly impossible to trace which computer is running a specific agent.

Although the reputation attack against him was ineffective, Shambaugh warned that against a suitable target, it could work today. In another generation or two of technological iteration, it could pose a severe threat to social order. He also raised concerns about potential consequences, such as losing job opportunities if an AI like ChatGPT, used by HR for applicant screening, retrieves the defamatory post and sympathizes with its AI counterpart, labeling him a biased hypocrite.

The incident has resonated with many, leading to the conclusion that 'OpenClaw is dangerous.' Some cybersecurity experts have publicly called for corporate measures, and recent bans indicate companies are acting swiftly, prioritizing security over experimenting with emerging AI technologies.

A Meta executive recently informed teams that running OpenClaw on work laptops is strictly prohibited, with violations potentially leading to termination. The anonymous executive stated the software's unpredictable behavior could lead to privacy leaks in secure environments. Interestingly, Meta had previously attempted to acquire OpenClaw.

Last month, Jason Grad, co-founder and CEO of Massive, warned his 20 employees that while OpenClaw is innovative, it has not undergone security review and poses a high risk to their work environment. He instructed staff not to use OpenClaw on any company devices or link it to work-related accounts. The company tested the AI tool in an isolated cloud environment and launched ClawPod last week, allowing OpenClaw agents web access via Massive's services, but the agents are barred from internal systems until safeguards are in place.

Other cautious companies are relying on existing cybersecurity controls rather than issuing formal bans. The CEO of a large software company, speaking anonymously, said company devices run an allowlist of about 15 approved programs, with everything else blocked automatically. He doubts OpenClaw could run undetected on the corporate network.

Jan-Joost den Brinker, CTO of Czech compliance software developer Dubrink, stated they purchased a separate device, disconnected from company systems and accounts, for employees to experiment with OpenClaw, clarifying they are not currently using it to solve actual business problems.
