Summarizer

Security Concerns with Computer Use

Worries about giving AI agents full computer access, discussion of sandbox escapes, sensitive file reading issues, prompt injection vulnerabilities through websites, and the adversarial nature of granting full system permissions

← Back to Codex for almost everything

The discussion highlights a profound tension between the productivity promised by autonomous AI agents and the "nightmare" security risks of granting them full system control, leading many to advocate for rigorous sandboxing or even air-gapped hardware. Commenters warn that providing such access effectively transforms personal computers into adversarial devices, where hidden prompts on websites or sensitive local files become credible threat vectors for scams and unauthorized data harvesting. While some argue that users will inevitably trade privacy for convenience, others predict a cynical cycle where tech companies profit by selling both the insecure tools and their subsequent security solutions, leaving the most vigilant users to retreat into isolated, "monastic" computing environments.

25 comments tagged with this topic

View on HN · Topics
Do people really want codex to have control over their computer and apps? I'm still paranoid about keeping things securely sandboxed.
View on HN · Topics
I was talking about this "plan a trip" example somewhere else, and I don't think we're prepared for the amount of scams and fleecing that will sit between "computer, make my trip so" and what it comes back with.
View on HN · Topics
giving these things control over your actual computer is a nightmare waiting to happen – i think its irresponsible to encourage it. there ought to be a good real sandbox sitting between this thing and your data.
View on HN · Topics
There are people running OpenClaw, so yeah, crazy as it sounds, some do that. I'm reluctant to run any model without at least a docker.
View on HN · Topics
can't test pygame otherwise :D
View on HN · Topics
I don’t think people want that, but they are willing to accept that in order to get stuff done.
View on HN · Topics
I agree with the sentiment but I think for normie agents to take off in the way that you expect, you're going to have to grant them with full access. But, by granting agents full access, you immediately turn the computer into an extremely adversarial device insofar as txt files become credible threat vectors. For all the benefits that agents offer, they can be asymmetrically harmful. This is not a solved issue. That hurts growth. I don't disagree with your general points, though.
View on HN · Topics
> for normie agents to take off in the way that you expect, you're going to have to grant them with full access At this point it's a foregone conclusion this is what users will choose. It'll be like (lack of) privacy on the internet caused by the ad industrial complex, but much worse and much more invasive. The threats are real, but it's just a product opportunity to these companies. OpenAI and friends will sell the poison (insecure computing) and the antidote (Mythos et all) and eat from both ends. Anyone trying to stay safe will be on the gradient to a Stallmanesque monastic computing existence. I don't want this, I just think it's going down that route.
View on HN · Topics
There was a recent Stanford study which showed that AI enthusiasts and experts and the normies had very different sentiment when it came to AI. I think most people are going to say they dont want it. I mean, why would anyone want a tool that can screw up their bank account? What benefit does it gain them? Theres lots of cases of great highly useful LLM tools, but the moment they scale up you get slammed by the risks that stick out all along the long tail of outcomes.
View on HN · Topics
I dont see companies doing that. it can be business ending. only AI bros buying mac mini in 2026 to setup slop generated Claws would do that but a company doing that will for sure expose customer data.
View on HN · Topics
> For all the benefits that agents offer, they can be asymmetrically harmful. This is not a solved issue. Strongly agreed. I saw a few people running these things with looser permissions than I do. e.g. one non-technical friend using claude cli, no sandbox, so I set them up with a sandbox etc. And the people who were using Cowork already were mostly blind approving all requests without reading what it was asking. The more powerful, the more dangerous, and vice versa.
View on HN · Topics
How many of these threat vectors are just theoretical? Don’t use skills from random sources (just like don’t execute files from unknown sources). Don’t paste from untrusted sites (don’t click links on untrusted sites). Maybe there are fake documentation sites that the agent will search and have a prompt injected - but I haven’t heard of a single case where that happened. For now, the benefits outweigh the risk so much that I am willing to take it - and I think I have an almost complete knowledge of all the attack vectors.
View on HN · Topics
i think you lack creativity. you could create a site that targets a very narrow niche, say an upper income school district. build some credibility, get highly ranked on google due to niche. post lunch menus with hidden embedded text. the attack surface is so wide idk where to start.
View on HN · Topics
Why would my agent retrieve that lunch menu?
View on HN · Topics
Does that version of Codex still read sensitive data on your file system without even asking? Just curious. https://github.com/openai/codex/issues/2847
View on HN · Topics
This is a pretty important issue given that the new update adds "computer use" capabilities. If it was already reading sensitive files in the CLI version, giving it full desktop control seems like it needs a much more robust permission model than what they've shown so far.
View on HN · Topics
the awkward part isn't just about reading sensitive files. search, listings, direct reads, browser and computer use all sit behind different boundaries. hard to tell what any given approval actually buys or exposes.
View on HN · Topics
https://www.reddit.com/r/ClaudeAI/comments/1r186gl/my_agent_... tldr Claude pwned user then berated users poor security. (Bonus: the automod, who is also Claude, rubbed salt on the wound!) I think the only sensible way to run this stuff is on a separate machine which does not have sensitive things on it.
View on HN · Topics
'it's your fault you asked for the most efficient paperclip factory, Dave'
View on HN · Topics
ran into this literally yesterday. so im gonna assume yes.
View on HN · Topics
"Codex can now operate your computer alongside you" - I really don't want AI to "operate" my computer.
View on HN · Topics
Well I sure hope there's a toggle to turn those features off, because I don't want to open my entire UI surface to the potential of sandbox escape...
View on HN · Topics
North Korean employees should do the trick. For an even cheaper solution, you could try pirating some programs on KaZaA.
View on HN · Topics
Is it just me or is the surface area for security issues becoming massive with these tools?
View on HN · Topics
I'm sure it's been said before, but more and more our development work is encroaching on personal compute space. Even for personal projects. A reminder to me to air gap those to spaces with separate hardware [:cringe:]