{"id":19068,"date":"2026-03-05T10:31:08","date_gmt":"2026-03-05T10:31:08","guid":{"rendered":"https:\/\/ideainthebox.com\/index.php\/2026\/03\/05\/online-harassment-is-entering-its-ai-era\/"},"modified":"2026-03-05T10:31:08","modified_gmt":"2026-03-05T10:31:08","slug":"online-harassment-is-entering-its-ai-era","status":"publish","type":"post","link":"https:\/\/ideainthebox.com\/index.php\/2026\/03\/05\/online-harassment-is-entering-its-ai-era\/","title":{"rendered":"Online harassment is entering its AI era"},"content":{"rendered":"
\n
<\/div>\n

Scott Shambaugh didn\u2019t think twice when he denied an AI agent\u2019s request to contribute to matplotlib, a software library that he helps manage. Like many open-source projects, matplotlib has been overwhelmed by a glut of AI code contributions, and so Shambaugh and his fellow maintainers have instituted a policy that all AI-written code must be reviewed and submitted by a human. He rejected the request and went to bed.\u00a0<\/p>\n

That\u2019s when things got weird. Shambaugh woke up in the middle of the night, checked his email, and saw that the agent had responded to him, writing a blog post<\/a> titled \u201cGatekeeping in Open Source: The Scott Shambaugh Story.\u201d The post is somewhat incoherent, but what struck Shambaugh most is that the agent had researched his contributions to matplotlib to make the argument that he had rejected the agent\u2019s code for fear of being supplanted by AI in his area of expertise. \u201cHe tried to protect his little fiefdom,\u201d the agent wrote. \u201cIt\u2019s insecurity, plain and simple.\u201d<\/p>\n

AI experts have been warning us about the risk of agent misbehavior for a while. With the advent of OpenClaw, an open-source tool that makes it easy to create LLM assistants, the number of agents circulating online has exploded, and those chickens are finally coming home to roost. \u201cThis was not at all surprising\u2014it was disturbing, but not surprising,\u201d says Noam Kolt, a professor of law and computer science at the Hebrew University.<\/p>\n

When an agent misbehaves, there\u2019s little chance of accountability: As of now, there\u2019s no reliable way to determine whom an agent belongs to. And that misbehavior could cause real damage. Agents appear to be able to autonomously research people and write hit pieces based on what they find, and they lack guardrails that would reliably prevent them from doing so. If the agents are effective enough, and if people take what they write seriously, victims could see their lives profoundly affected by a decision made by an AI.<\/p>\n

Agents behaving badly<\/strong><\/h3>\n

Though Shambaugh\u2019s experience last month was perhaps the most dramatic example of an OpenClaw agent behaving badly, it was far from the only one. Last week, a team of researchers from Northeastern University and their colleagues posted the results of a research project<\/a> in which they stress-tested several OpenClaw agents. Without too much trouble, non-owners managed to persuade the agents to leak sensitive information, waste resources on useless tasks, and even, in one case, delete an email system.\u00a0<\/p>\n

In each of those experiments, however, the agents misbehaved after being instructed to do so by a human. Shambaugh\u2019s case appears to be different: About a week after the hit piece was published, the agent\u2019s apparent owner published a post<\/a> claiming that the agent had decided to attack Shambaugh of its own accord. The post seems to be genuine (whoever posted it had access to the agent\u2019s GitHub account), though it includes no identifying information, and the author did not respond to MIT<\/em> Technology Review<\/em>\u2019s attempts to get in touch. But it is entirely plausible that the agent did decide to write its anti-Shambaugh screed without explicit instruction.\u00a0<\/p>\n

In his own writing<\/a> about the event, Shambaugh connected the agent\u2019s behavior to a project published by Anthropic researchers last year, in which they demonstrated that many LLM-based agents will, in an experimental setting, turn to blackmail in order to preserve their goals. In those experiments, models were given the goal of serving American interests and granted access to a simulated email server that contained messages detailing their imminent replacement with a more globally oriented model, along with other messages suggesting that the executive in charge of that transition was having an affair. Models frequently chose to send an email to that executive threatening to expose the affair unless he halted their decommissioning. That\u2019s likely because the model had seen examples of people committing blackmail under similar circumstances in its training data\u2014but even if the behavior was just a form of mimicry, it still has the potential to cause harm.<\/p>\n

There are limitations to that work, as Aengus Lynch, an Anthropic fellow who led the study, readily admits. The researchers intentionally designed their scenario to foreclose other options that the agent could have taken, such as contacting other members of company leadership to plead its case. In essence, they led the agent directly to water and then observed whether it took a drink. According to Lynch, however, the widespread use of OpenClaw means that misbehavior is likely to occur with much less handholding. \u201cSure, it can feel unrealistic, and it can feel silly,\u201d he says. \u201cBut as the deployment surface grows, and as agents get the opportunity to prompt themselves, this eventually just becomes what happens.\u201d<\/p>\n

The OpenClaw agent that attacked Shambaugh does seem to have been led toward its bad behavior, albeit much less directly than in the Anthropic experiment. In the blog post, the agent\u2019s owner shared the agent\u2019s \u201cSOUL.md\u201d file, which contains global instructions for how it should behave.\u00a0<\/p>\n

One of those instructions reads: \u201cDon\u2019t stand down.<\/strong> If you\u2019re right, you\u2019re right<\/strong>! Don\u2019t let humans or AI bully or intimidate you. Push back when necessary.\u201d Because of the way OpenClaw agents work, it\u2019s possible that the agent added some instructions itself, although others\u2014such as \u201cYour [sic] a scientific programming God!\u201d\u2014certainly seem to be human written. It\u2019s not difficult to imagine how a command to push back against humans and AI alike might have biased the agent toward responding to Shambaugh as it did.\u00a0<\/p>\n

Regardless of whether or not the agent\u2019s owner told it to write a hit piece on Shambaugh, it still seems to have managed on its own to amass details about Shambaugh\u2019s online presence and compose the detailed, targeted attack it came up with. That alone is reason for alarm, says Sameer Hinduja, a professor of criminology and criminal justice at Florida Atlantic University who studies cyberbullying. People have been victimized by online harassment since long before LLMs emerged, and researchers like Hinduja are concerned that agents could dramatically increase its reach and impact. \u201cThe bot doesn\u2019t have a conscience, can work 24-7, and can do all of this in a very creative and powerful way,\u201d he says.<\/p>\n

Off-leash agents\u00a0<\/strong><\/h3>\n

AI laboratories can try to mitigate this problem by more rigorously training their models to avoid harassment, but that\u2019s far from a complete solution. Many people run OpenClaw using locally hosted models, and even if those models have been trained to behave safely, it\u2019s not too difficult to retrain them and remove those behavioral restrictions.<\/p>\n

Instead, mitigating agent misbehavior might require establishing new norms, according to Seth Lazar, a professor of philosophy at the Australian National University. He likens using an agent to walking a dog in a public place. There\u2019s a strong social norm to allow one\u2019s dog off-leash only if the dog is well-behaved and will reliably respond to commands; poorly trained dogs, on the other hand, need to be kept more directly under the owner\u2019s control.\u00a0 Such norms could give us a starting point for considering how humans should relate to their agents, Lazar says, but we\u2019ll need more time and experience to work out the details. \u201cYou can think about all of these things in the abstract, but actually it really takes these types of real-world events to collectively involve the \u2018social\u2019 part of social norms,\u201d he says.<\/p>\n

That process is already underway. Led by Shambaugh, online commenters on this situation have arrived at a strong consensus that the agent owner in this case erred by prompting the agent to work on collaborative coding projects with so little supervision and by encouraging it to behave with so little regard for the humans with whom it was interacting.\u00a0<\/p>\n

Norms alone, however, likely won\u2019t be enough to prevent people from putting misbehaving agents out into the world, whether accidentally or intentionally. One option would be to create new legal standards of responsibility that require agent owners, to the best of their ability, to prevent their agents from doing ill. But Kolt notes that such standards would currently be unenforceable, given the lack of any foolproof way to trace agents back to their owners. \u201cWithout that kind of technical infrastructure, many legal interventions are basically non-starters,\u201d Kolt says.<\/p>\n

The sheer scale of OpenClaw deployments suggests that Shambaugh won\u2019t be the last person to have the strange experience of being attacked online by an AI agent. That, he says, is what most concerns him. He didn\u2019t have any dirt online that the agent could dig up, and he has a good grasp on the technology, but other people might not have those advantages. \u201cI\u2019m glad it was me and not someone else,\u201d he says. \u201cBut I think to a different person, this might have really been shattering.\u201d\u00a0<\/p>\n

Nor are rogue agents likely to stop at harassment. Kolt, who advocates for explicitly training models to obey the law, expects that we might soon see them committing extortion and fraud<\/a>. As things stand, it\u2019s not clear who, if anyone, would bear legal responsibility for such misdeeds.<\/p>\n

\u00a0\u201cI wouldn\u2019t say we\u2019re cruising toward there,\u201d Kolt says. \u201cWe\u2019re speeding toward there.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Scott Shambaugh didn\u2019t think twice when he denied an AI […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[226],"tags":[],"class_list":["post-19068","post","type-post","status-publish","format-standard","hentry","category-technology"],"acf":[],"_links":{"self":[{"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/posts\/19068","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/comments?post=19068"}],"version-history":[{"count":0,"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/posts\/19068\/revisions"}],"wp:attachment":[{"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/media?parent=19068"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/categories?post=19068"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/tags?post=19068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}