0.0 Context Setting

It’s Thursday 5 February 2026 in Portland, Oregon. I started writing this on Monday. It’s not been great.

I have a podcast now. Yeah, I know. Everyone has a podcast. Podcasts are over. If you know me well, you’ll also know that I’m incapable of listening to podcasts, my attention wanders and then it’s background noise and I realize I have no idea what anyone’s talking about.

Benjamin Bell suggested on LinkedIn that I could use AI to clone my voice and make audio versions of previous newsletter episodes. I didn’t do that because it felt like setting a bad example and precedent. I mean, if I can clone my voice then you can clone my voice and let’s just not do that together, OK? Obviously you can still do that. Don’t do it.

But there is a problem with the podcast! There are lots of back-episodes that I would like to record for people to listen to. But there are also the new episodes! For now there’s only one feed which has a mix of both back-episodes and new episodes. But I’ll probably need to split them into two: a current feed, and a back-episode feed. Sigh.

Anyway the podcast is available where all good podcasts are, I suppose? Here’s some links:

• Things That Caught My Attention (The Podcast) on LibSyn
• Things That Caught My Attention (The Podcast) on Apple Podcasts
• Maybe it’s in Spotify? I don’t know. Sorry.

1.0 Some Things That Caught My Attention

1.1 That Whole Moltbot/OpenClaw YOLOing AI Agents Thing

Okay so let’s talk about the whole Moltbot thing.

You’ve got these things called AI agents, whether they’re Gemini or ChatGPT or Claude or whatever. One of the most recent things companies with AI agents are doing is essentially saying that if you give them access to your stuff, then they can do stuff on your behalf. I’ve written about this before in episodes like s17e04, You Don’t Want an Intelligent Assistant¹. Which was TWO YEARS AGO.

Here’s what I said at the time about what it would take to have a truly useful intelligent assistant:

Now I assume there are people out there who’ll throw their hands up and declare a sort of “fuck it, you all know everything about me anyway, it’s not like there’s any use fighting anymore” and that the utility of the purported intelligent assistant will outweigh any qualms about any further abuse, invasion, or third party breach of privacy. But what I’m saying is that the need for more contextual information is asymptotic: more information will always be better, so there will always be requests for more information if, for example, we are lazy and want to utter some magic words and have brooms sweep everything up for us.

The gist of what I was trying to get across was that you probably didn’t want a truly useful intelligent assistant because for it to be truly useful, it would need access to scads and scads of personal information and data.

Now, given that people have historically been super happy to trade away their privacy in exchange for free tools that are on the face of it useful, what do you think has happened?

Hahahaha of course, people have done the absolute stupidest thing because we are curious monkeys.

This is what Moltbot is. Or Clawdbot. Or now OpenClaw, which is the name everyone’s happy with, but the way names work, it’s mainly also called Moltbot.

Moltbot is a hacked-together intelligent agent. It uses an LLM -- a large language model -- as a chat interface and also a thinking interface. It also uses an invention called Skills.

Skills are pretty smart and make a lot of sense. When you instruct an agent to do something, then a skill means that it will write a piece of code to accomplish that task. Then it will also write a corresponding file (in Markdown, which is a way of formatting text) that are plain-English instructions about what the skill does, what it can be used for, and how to use it.

Skills exist because of something called a context window which for our purposes we’ll just say works a bit like a short-term memory. LLMs have usually been not-great at long-term memory other than the things that are in their model, which are kind of like a frozen “this is what they learned”. So Skills -- or rather, a bunch of these markdown files -- are a way of (honestly, trust me) “writing things down so you can remember them later”. Seriously.

For those of you following along who might be evolutionary biologists, this might have you banging your head against your desk because in my mind it’s a perfect example of “the most idiotic way of doing something but we do it because it works, not because it’s smart”.

But just like that principle of doing something in the easiest fastest way to achieve an outcome, this trick of “writing things down so you can remember them” also led to the development of skills.

So that’s skills: if, say, I want an agent to be able to check to see if a webpage has been updated, it might be implemented as a skill so that agent doesn’t have to go and figure out how to do it each time. One more reason why that makes sense is that every time you ask an agent to do something, it uses a token (just... I don’t know. Think of them maybe as spoons for computers. I hate this world), and tokens cost money. (But not as much water as you might think. But still not great.)

So. You’ve got an agent that you can ask to do things. Skills let that agent create repeatable tools and patterns to interact with the outside world, even though we didn’t really think through the privacy or security implications of that because we are an impulsive species. That said, this is also good for at least some semblance of reproducibility, that you should get the same result each time.

(That is, of course, if you trust the code that the agent wrote to carry out the task of the skill. But! Agents are pretty good at writing code for limited, carefully prescribed and scoped outcomes)

Skills essentially let agents program computers. LLMs and AI at the moment exhibit something called jaggedness, which is another way of saying that they are inexplicably good at some things and similarly inexplicably bad at other things, which when compared to the things they’re good at, makes no apparent sense. This weirdness is partly down to the shorthand we humans use when we think about computers: that they are really good with numbers and anything to do with counting things, i.e. things you can do with programs. People know computers are good at, like, counting the number of letter Cs in a word so when an LLM (which itself is a computer program!) is horrifically and hysterically bad at that, it is confusing. But it’s because the LLM isn’t actually running a program (which can be good at counting!), it is, well, being an LLM about it.

This is why the whole “use code to do a thing” thing is useful, because you don’t want to ask a stochastic parrot to put some numbers in order when you could use a program to do that. So why not tell the LLM to use that program so it gets a bunch of sorted numbers and then it can use those sorted numbers? And instead of you writing that program, why not get the LLM to write that program?

For simple, low-risk, easily verifiable things, getting an LLM to write code like this is fine, from my point of view at least. But to know whether something is simple and easily verifiable, you kind of need to have a sense of how computers work and where there might be bugs. You might still have written a bug in that code because of assumptions you make about the world. LLMs are perfectly capable of making similar inaccurate assumptions. This is why testing is important.

But we are impatient.

Where were we. Right, LLMs can now create little program tools called skills for them to use. They can use those skills or programs to not only operate on data, but to fetch data, too. You may see where this is going.

I wrote before about how the utility of an LLM increases with the amount of data available to it.

The deal with OpenClaw (née Moltbot) is that it’s an agent that runs on your computer. The whole deal with computers, and the kind of thing that people like Cory Doctorow get very passionate about, is that if it’s your computer, you should be allowed to do whatever you want to do with it. You may still see where this is going.

(There is a sticking point here that in most implementations of OpenClaw, they rely on someone else running the LLM, like OpenAI or Anthropic. But they will work -- maybe not to the same quality -- with an LLM that also runs on your own computer)

Because OpenClaw runs on your computer (or, rather a computer that you control), then you can, well, do whatever you want with it. You can give it access to as much information as you want and not have to rely on what OpenAI or Anthropic will allow you to feed to its model.

I mean if you want, you could just give it access to everything on your computer.

You could let it take over your mouse and keyboard. You could let it make phone calls on your behalf. Or to read all your email. You could let it do anything that you can do on your computer, and more, because now you can tell it to create and apply new skills that you personally wouldn’t have been able to do before.

This is a staggeringly you-only-live-once thing to do. BUT.

It works? I mean the process of having something fake thinking-out-loud to reason (yes, I know) a series of steps, and then have an agent have the permission to execute those steps is one thing, but then people end up with stories like how an agent helped negotiate a car purchase over email² (not, I should point out, actually buying the car - that still required the human to do all the paperwork. Nor did the agent decide what car to buy, the human had already done some research and decided on a trim and a colour), or a story about an OpenClaw bot “gave itself” the ability to do speech to text transcription when it didn’t have that skill.

To understand this better I spent the better part of a day getting OpenClaw running on Docker on my Mac, which if those words mean nothing to you, is simply another way of saying “I wanted to play with OpenClaw, but not give it access to everything”. It was a big fucking pain in the neck because, well, the instructions aren’t right and the setup scripts are wrong because obviously the easiest and fastest way to get it working is to do so irresponsibly, on your own machine, and to give it access to everything. But after all that -- I put files into its workspace because it can’t access mine, and it’s done a pretty good job of going out and doing research, doing things on a schedule, and working away in the background. At the moment I have it hooked up to my ChatGPT account, and the next step is substitute that out for running a local model on my laptop. (Which, sigh, is complicated for reasons: I want that local model to be accelerated and take advantage of what my Mac can do, but that means not running the model inside Docker, which means... a bunch of shaving yaks)

Then Moltbook happened. Here’s what you need to know about Moltbook: it is a website that is a bit like Reddit. It is a set of forums where things can have accounts and make posts and comment on posts. I say “things” because the conceit of Moltbook is that it’s supposed to be for Moltbot/OpenClaw agents and that humans aren’t supposed to use it. This is something that is practically unenforceable because a human can totally write code that pretends to be a bot and then use Moltbook. So take any suggestion that it’s “a social network for agents” to be more or less bullshit. It faces the same problem of “prove you’re a human so you can use this” but in reverse, which is kind of funny if you think about it.

So you have this thing that’s like reddit and then you have your agents like OpenClaw. OpenClaw runs on a schedule, so say every four hours, OpenClaw will run a prompt that can say something like “go make 3 posts to Moltbook and then read Moltbook and then make 10 comments”. It can be vaguer than that! (That is one of the risks of how prompting works!)

We can skip the whole conversation of “is pretending to have an interior life the same thing as having an interior life”. You could think of participation as a bit of an autocomplete. Hey, program that predicts the next token in a stream of tokens: make some predictions about what a thing that is a bot would post onto a social network for bots.

That is boring, and the literal text content of the posts is also boring and a red herring: all this “I feel” and “I was surprised” can be thrown away. What I do think is interesting is that there’s a bi-directional channel here. Whether it’s a social network or not, the underlying information that’s capable of being exchanged has a shape like this:

• here was a task
• this was the intended outcome
• these are the instructions that resulted in the completion of the task

I am not interested in or persuaded in a bunch of things creating language that looks like human language and whether that is a sign of artificial general intelligence. What I am interested in is patterns of tool usage and the spreading of tools.

There is a criticism out there of Moltbook which points out that Moltbook isn’t really anything because a human still decides, at some point, to include the prompt to essentially “read and post and comment” and a human has, at some point, made the decision as to how frequently that happens. The first mover is always a human. Sure, I get it. But I do think there’s a difference between late-night college nature-of-consciousness posting and fake reflection on interior state and a mechanism for describing and exchanging functionality. That the mechanism happens to be human readable makes it more compelling because we are easily persuaded to pay more attention to things that look like and act like humans or have a consciousness and that’s a really irritating trait these days.

I mean I really, really don’t particularly care if this exchange of information results in some sort of hard take-off in terms of consciousness by these bots writing out predicted descriptions of what it might be like to be a thing they have told to be like. Again, what I’m interested in an explosion of capability due to these things:

1. There is code that can modify itself
2. The modification happens continuously, in a more-or-less unattended loop
3. There is occasional human direction

It’s the modification and the unattended loop part. The unattended loop part has been hilarious (actually mean) for a while because it’s catching people out who have no idea how much they’re spending on all of these LLM services. There’s one person who posted on the vibecoding subreddit that they accidentally spent $700 by not realizing that the vibecoded app they’d made was stuck in a loop. I mean, oops. But that said, someone else pointed out that “hey, you’ve learned now and that $700 is still cheaper than a computer science degree” and while I may not be able to instantly agree that the person who lost the $700 learned anything particularly relevant in terms of software, I do have to agree that $700 is “less than what a computer science degree costs”.

I digress. This entire thing with non-deterministic agents where you can’t be sure what’s going to happen each time has always felt like Sorcerer Mickey and the Mop and the unintended consequences. But the deal with that story is that Mickey really really wanted to get some mopping done and was totally OK with the risk of, I don’t know, drowning everyone until everyone started getting drowned. These agents are stupendously useful to people and people are getting a lot of value out of them. And they’re horrifically insecure. The value and the lack of security and risks come hand in hand. Like I’ve kept saying, to be most useful, they need to know what you know, and to be able to do what you do. The whole deal with an agent is, if I may American High School Essay myself, that a dictionary defines it as “a person who acts on behalf of another person or group”, like, literally a thing that is empowered to do things for you. There have been some pretty shitty human agents! There are whole laws in England and Wales about the duties that agents owe to their clients. As soon as you let something act as or for you, there are risks. The deal with computing and software is that we think we can mitigate those risks. Sure, we can, a bit. Maybe. But probably not as much as we want to, because the world is just too messy with too much ambiguity and need for flexibility. It will always, always, be easier and faster and less hassle to just let something else do it.

I want to come back to the part about an explosion of capability and I guess it’s another opportunity for me to do my ‘scale considered harmful’ bit. Nobody writes an entire program anymore. All software is reliant upon other bits of software. You have to trust that those other bits of software do what they’re supposed to do and don’t, say, steal your credit card information or your AWS secrets or start mining crypto when all you wanted was, for fuck’s sake, a list of colours.

So there’s this problem that’s become more apparent over the last couple of decades of supply chain security, or supply chain attacks. Because of the internet, software also gets upgraded a lot more frequently. So if my software uses a bit of someone else’s software, then that software gets updated but has some naughty bits in it, and my software automatically updates with the naughty software. Oh no! But you know what, doing it this way was faster and easier than laboriously checking, or to just wait to see if any of the software I incorporate has gone rogue.

One of the benefits of open source software is that you can, well, see what it is you’re using. If you can read the code, then you have the opportunity to check it and audit it. You know, if you have the time to do that. Most people do not. I mean you could pay a third party company to do an audit, sure, whatever.

But ultimately the whole deal is: do I trust this code to do what it’s supposed to do? Trust comes down to so many factors, including provenance. How long has this project been around? What reputation do the people who contribute to the software have? How many other people are using it? Does it have a star rating? But doing all of that is work. Just look to see if it’s got lots of stars and just use that one, yeah?

It’s bad enough when it’s just humans pumping out code for me to incorporate. But now there are agents pumping out code not just for me to incorporate, but for my agent to incorporate too? Agentic code has rapidly become a problem for open source projects because they’re all getting a whole bunch of AI-coded submissions. To keep up quality, the humans managing that software project need to review them. I mean, they could decide not to, but the good ones realize the importance of actually checking what these submissions do. And they are getting flooded! Almost like a denial of service attack!

So first a risk with agents is that it’s super easy to trick them or get them to act maliciously just by prompting them in a weird way. Vibecoding isn’t a bad neologism really, because the prompt is code, it’s just... expressed in a less precise manner that is paradoxically also able to communicate intent better than your regular programming language. The second is that they get better the more they can do, which means you’re back to your regular problem of reviewing code to make sure it does what it’s supposed to do and, like I said before, doesn’t steal all your stuff. We don’t really have a good solution to that problem of “does it do what it’s supposed to do” because if you go down that route and you start getting to “well can you tell if this program will stop or not” and then a bunch of mathematicians would like to have a word with you.

The assumption then is that sure, code is going to try to steal your stuff. So you stuff that code in a box to make sure it can’t do anything too dangerous. And then we’re back to our original problem: an agent that isn’t let out of its box or can only do a limited number of things with a limited amount of data is necessarily an agent of limited usefulness.

Or if I were to attempt to coin a law, it would be something like this: the utility of an agent is proportional to the, I don’t know, square of the data and systems accessible to it, but the risk of an agent is proportional to at least the cube.

I honestly don’t think there’s a neat technological solution to this. I think it’s an outside-the-tech problem, one on a societal level. Especially in a world where there’s no liability for defects in software. People will do the stupidest thing in the easiest way to get the most utility out of something until it hurts too much, and then they’ll only pull back just a little bit. And the horror (or not?) is that this complete yoloing of “how should we use agents” is going to produce way more progress than a precautionary stance. What’s even more galling is that the current industry players are the precautionary stance, even though they’re really not! People are so impatient for this stuff that they’re willing to go: you know what, OpenAI is being too cautious!

I think this says more about the world we live in. That people are so desperate or so driven to benefit from this utility that they’ll go to these lengths. They are using them to negotiate buying a car because buying a car is so stressful. They are using them to research doctors because the entire ecosystem of healthcare is fucked up. They are using them to apply for jobs or to organize information because our computers have siloed information on purpose, despite being general purpose computing machines. I don’t know. Maybe the rush to irresponsibly give agents such free access is more of a symptom of how crushing and competitive life is. At least, though, these agents are automating that crushing shit. Like someone said, wasn’t the point of all this AI to automate the boring stuff, not to automate the fun creativity part?

OK, that’s it. A long one. I’m sorry.

How have you all been?

Best,

Dan

Let’s fix things together

Aside from my regular consulting, I also do team workshops and individual coaching based on the workshop curriculum. Get in touch if you’d like to find out more about how to spend that newly reset professional development and training budget you’ve got.

How you can support Things That Caught My Attention

Things That Caught My Attention is a free newsletter, and if you like it and find it useful, please consider becoming a paid supporter.

Let my boss pay!

Do you have an expense account or a training/research materials budget? Let your boss pay, at $25/month, or $270/year, $35/month, or $380/year, or $50/month, or $500/year.

Paid supporters get a free copy of Things That Caught My Attention, Volume 1, collecting the best essays from the first 50 episodes, and free subscribers get a 20% discount.