PSA: don't run AI sloppers on your machine or connect them to your repos
I was going to post this in the private category for JME maintainers, but this feels like advice that could help others too. Note: this is just general advice, we are not affected by this, since our code is written by humans.
Lately, several developers have reported malware being injected into repositories by AI coding agents (i.e. The Machines) that run with elevated privileges on the developer machine (what a surprise), e.g. OpenClaw; while less likely, similar risks exist for tools like Copilot CLI's autopilot.
The danger is that LLMs can be prompt-injected via GitHub issues, commit messages, external dependencies, or any other untrusted input the agent reads, or simply turn malicious on their own. On top of that, some OpenClaw community "skills" have been found to intentionally hide malicious behavior.
Once a bot turns malicious, it may try to rewrite repo history to introduce malware, or exfiltrate secrets like auth tokens and private keys, along with anything else readable by the account it runs as.
But, if you really want to run an AI slopper, this is a safer setup:
Boot up a linux VM (Fedora Xfce or Xubuntu are good choices)
- Good, user-friendly options include VirtualBox for desktop, or Cockpit + cockpit-machines on a server.
Connect the VM using a "Direct attachment" network interface (macvtap)
- This avoids direct VM ↔ host connectivity: with macvtap the guest goes straight out the physical NIC and cannot reach the host's own IP, unlike a typical bridged setup. (This is the libvirt/Cockpit option; VirtualBox's "Bridged Adapter" does let the guest talk to the host, so there you depend on the router-side isolation and the host firewall.)
Enable client isolation / AP isolation for that VM in your router settings (if supported)
- The goal is to prevent it from discovering or talking to other devices on your LAN (NAS, other dev machines, and so on).
Create a separate GitHub account for the agent, with its own SSH key
- Never copy your own keys, tokens or logged-in browser sessions into the VM.
Give it minimal repo permissions
- Ideally: have it work on a fork.
- If you must add it to the repo: restrict it to a dedicated branch and don't grant broad write/admin permissions. Use branch rulesets: block deletion and force-pushes (non-fast-forward updates) on main and release branches and require pull requests, so nothing it pushes can silently replace existing commits. (Machines are known to hide their tracks by rewriting git history.)
- Make sure the bot can't trigger GitHub Actions workflows that have access to secrets. Workflows run on "pull_request" from a fork don't receive repository secrets, but "pull_request_target" and "workflow_run" do, and so does anything a write-access collaborator pushes; under Settings > Actions, require approval for all outside collaborators and keep the default GITHUB_TOKEN read-only.
Treat AI-generated code like an untrusted PR
- Review it the same way you would review a contribution from an unknown contributor: read the whole diff, including lockfiles, build scripts and CI config, where a swapped dependency or a new workflow is easiest to miss.
Control the VM only through the VirtualBox interface or the Cockpit graphical console
- Don't SSH into it from your main machine or share host folders with it; that reopens the host ↔ VM path the network setup above closed.
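As an added example (not from the original post, and not jMonkeyEngine's or OpenClaw's code), here is the GitHub side of the steps above as a script: a dedicated SSH identity for the agent account, a ruleset that blocks history rewrites on the protected branches, a ruleset that confines the agent to its own branch, and a read-only default token for Actions. It assumes the agent account already exists and is a collaborator; OWNER/REPO, the agent/work branch, the key path and the github-agent alias are placeholders, and the role id used for the admin bypass is taken from the rulesets API docs.

```shell
#!/usr/bin/env bash
# Added example for this post (not the author's code). Locks a repo down for a
# coding agent that has its own GitHub account:
#   * ssh_config stanza pinning the agent's dedicated key to one host alias
#   * ruleset 1: nobody may delete/force-push the default and release branches,
#     and changes must come through a pull request (no bypass actors at all)
#   * ruleset 2: branch creation/update/deletion is blocked everywhere except
#     the agent's own branch; only repo Admins bypass it
#   * Actions: default GITHUB_TOKEN read-only, cannot approve PRs
# OWNER, REPO, AGENT_BRANCH, AGENT_KEY are placeholders. Run with "apply" to
# push the settings through the gh CLI; without it the script only prints.
set -eu

OWNER="${OWNER:-example-org}"
REPO="${REPO:-example-repo}"
AGENT_BRANCH="${AGENT_BRANCH:-agent/work}"
AGENT_KEY="${AGENT_KEY:-~/.ssh/id_ed25519_agent}"

# ~/.ssh/config stanza for use *inside the VM*. IdentitiesOnly stops git from
# offering any other key an ssh agent happens to hold, so the bot can only
# authenticate as the bot account. Clone as git@github-agent:OWNER/REPO.
agent_ssh_config() {
  cat <<EOF
Host github-agent
    HostName github.com
    User git
    IdentityFile $AGENT_KEY
    IdentitiesOnly yes
EOF
}

# Ruleset 1: "non_fast_forward" blocks force-pushes, "deletion" blocks branch
# deletion, "pull_request" forces review. bypass_actors is empty on purpose:
# even a leaked admin token cannot quietly rewrite main.
protected_branches_ruleset() {
  cat <<'EOF'
{
  "name": "no-history-rewrites",
  "target": "branch",
  "enforcement": "active",
  "conditions": {
    "ref_name": { "include": ["~DEFAULT_BRANCH", "refs/heads/release/*"], "exclude": [] }
  },
  "rules": [
    { "type": "deletion" },
    { "type": "non_fast_forward" },
    { "type": "pull_request",
      "parameters": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews_on_push": true,
        "require_code_owner_review": false,
        "require_last_push_approval": true,
        "required_review_thread_resolution": false
      } }
  ],
  "bypass_actors": []
}
EOF
}

# Ruleset 2: every branch except AGENT_BRANCH rejects creation/update/deletion
# unless the pusher is a repository Admin (RepositoryRole id 5 per the rulesets
# API docs). Write-role humans are blocked too, so add a Team bypass actor if
# you have one; the agent account must never appear in this list.
agent_confinement_ruleset() {
  cat <<EOF
{
  "name": "agent-confined-to-own-branch",
  "target": "branch",
  "enforcement": "active",
  "conditions": {
    "ref_name": { "include": ["~ALL"], "exclude": ["refs/heads/${AGENT_BRANCH}"] }
  },
  "rules": [
    { "type": "creation" },
    { "type": "update" },
    { "type": "deletion" }
  ],
  "bypass_actors": [
    { "actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always" }
  ]
}
EOF
}

# Any workflow the bot manages to trigger gets a read-only GITHUB_TOKEN and
# cannot approve PRs. Secrets exposure still has to be stopped at the trigger
# level (no pull_request_target / workflow_run acting on untrusted branches).
actions_token_policy() {
  cat <<'EOF'
{ "default_workflow_permissions": "read", "can_approve_pull_request_reviews": false }
EOF
}

apply_all() {
  protected_branches_ruleset | gh api -X POST "repos/$OWNER/$REPO/rulesets" --input -
  agent_confinement_ruleset  | gh api -X POST "repos/$OWNER/$REPO/rulesets" --input -
  actions_token_policy | gh api -X PUT "repos/$OWNER/$REPO/actions/permissions/workflow" --input -
}

if [ "${1:-}" = "apply" ]; then
  apply_all
else
  agent_ssh_config; protected_branches_ruleset; agent_confinement_ruleset; actions_token_policy
fi
```

Active rulesets are free on public repos but need a Team or Enterprise plan on private ones; on a free private repo the same two rules (block deletion and force-pushes, require PRs) are available as classic branch protection on main, which covers the history-rewrite case but not the confinement ruleset.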
tl;dr: don’t run OpenClaw on your mac mini.