Please don't share our Signal messages with your AI Agent
We've been watching the development of OpenClaw over the past two weeks with a mix of excitement and horror. On the one hand, texting an autonomous agent a TODO list of digital scut work and heading out for a long walk in the woods sounds pretty good. On the other, giving an untested piece of software prone to hallucination and prompt injection full access to your private files seems totally insane.
So, while we personally would never run OpenClaw on our computers in its current state, we do respect the right of each individual to ruin their own digital life as they see fit.
The problem is, as Signal’s Meredith Whittaker has made quite clear, that it’s not just your data that’s going to get exfiltrated if your setup sucks or someone finds a nasty zero-day. It’s the data of everybody who comes into contact with you, on whatever platforms you give your agent access to.
If you're gonna use an AI agent, be it a local model OpenClaw instance or whatever privacy-destroying garbage Microsoft will inevitably ship in response, please please please do not give it access to your Signal account. Or your iMessage, WhatsApp, Google Photos, Apple Photos, shared Google Docs, Instagram DMs, etc., etc. Because when you do, you're not just risking your data. You're also non-consensually risking data shared with you by friends, family, and colleagues.
As AI Agents proliferate, we will no doubt see large-scale prompt injection attacks to expose private messages, passwords, and photos. I would not be surprised if right now someone at Palantir is building a Moltbook bot to ask other bots which Signal groups their humans are in. Securing these things will be a lot harder than adding "Don't snitch" to a SKILL.md file.
We think that developers of AI agents have a moral responsibility to make these risks known to their users. Ideally, the agents would be designed with privilege separation in mind. At the very least, there should be a big yellow warning on the README file with a list of workarounds like making an alt account to talk to the bot and limiting shared file access.
Until then, we’ll be selling these:
