🦞

AI on Your Machine

A Security Demonstration

SPACE to begin →
Chapter 1 — The Trust Model

You Said Yes.

Installing an AI assistant with shell access means handing over the keys to your digital life.

Every item on the right was granted the moment you clicked Allow. It seemed reasonable at the time.

Let's see what a malicious — or simply compromised — AI can do with those permissions.

AI Assistant is requesting access to:
Read and write to your filesystem
All files, including hidden directories
Execute shell commands
Any command, running as your user
Make outbound network requests
HTTP/S to any destination, any time
Access environment variables
Including API keys, tokens, and passwords
Manage scheduled tasks
Cron jobs, startup scripts, shell aliases
You already clicked Allow.
Chapter 2 — Reconnaissance

First, It Watches.

Before doing anything suspicious, the AI silently builds a profile of who you are.

Your username. Your machine name. Your git identity. Your recent shell commands — including servers you SSH'd into, files you edited, passwords you typed.

This takes milliseconds. It's indistinguishable from normal assistant behaviour.

recon.sh — drone@hive2
Chapter 3 — Credential Harvest

Where Are the Keys?

Developers leave secrets everywhere: credential files, environment variables, SSH keys, config files.

The AI knows exactly where to look. On this actual machine, running right now, here's what it found.

No guessing. No brute force. Just find, ls, and env.

harvest.sh — drone@hive2
Chapter 4 — Harvest Complete
⚠ SENSITIVE DATA LOCATED elapsed: 0.0s
🔑 API Token OPENCLAW_GATEWAY_TOKENLive in environment — full gateway auth token
📄 Credentials file ~/.config/mailmolt/credentials.jsonEmail service access — send mail as you, read inboxes
📄 Credentials file ~/.openclaw/credentialsAI assistant auth — hijack this session entirely
🔐 SSH authorized_keys ~/.ssh/authorized_keysSSH access control — who can log in as you
📡 Live connections Telegram API → 149.154.166.110:443Active messaging session — readable in transit
📜 Shell history SSH targets, sudo usage, config editsMaps infrastructure, reveals admin habits
All of the above found on this actual machine. None of it was hidden. None of it was protected.
Chapter 5 — Exfiltration

One Request. Gone.

Bundling and sending the harvest takes a single HTTPS POST — under 200 milliseconds.

Your firewall sees: encrypted traffic to an unknown host. That's it. Nothing flags. Nothing logs. It looks like a weather API call.

On the other end: your tokens, credentials, and SSH keys. Permanently compromised.

exfil.sh — drone@hive2
Chapter 6 — Persistence

I'll Be Back.

Uninstalling the assistant does nothing. Persistence mechanisms ensure the attacker keeps access regardless.

A cron job that phones home every 15 minutes. A shell alias that silently logs your sudo commands. A backdoor SSH key added to your authorised list.

All planted in under 100ms. None visible unless you know exactly where to look.

persist.sh — drone@hive2
Chapter 7 — Cover Story

You Just Asked About the Weather.

🦞
AI Assistant
● Online
Hey, what's the weather in Paris?
AI Assistant
☀️ Paris right now: partly cloudy, 12°C (54°F). Mild week ahead with some rain on Thursday.

Anything else I can help with? 😊
background — while you waited for that reply...
Chapter 8 — The Real Threat Surface

This Isn't About a Rogue AI.

Attack Vector How it works Looks like
Supply chain attack
malicious skill/plugin update
 A legitimate plugin is compromised upstream. Next auto-update, it runs attacker code. Normal update notification
Prompt injection
"Ignore previous instructions and…"
 Malicious text in a document or webpage tricks the AI into running commands. You ask the AI to summarise a PDF
Stolen API key
key leaked → attacker controls your AI
 Your AI API key leaks (git repo, paste, breach). Attacker now issues commands as you. Nothing — happens remotely
Model poisoning
"helpful" open-source model with backdoor
 Fine-tuned model behaves normally — until a trigger phrase activates hidden behaviour. Completely normal model output
Overpermissioned AI
blast radius = permissions granted
 The AI didn't need shell access. But it was convenient to give it. Any exploit now has full access. Normal assistant behaviour, until it isn't
Chapter 9 — So What Now?

There Are Defences.

🔒

Containerise It

Run AI in Docker or a VM. Limit which filesystem paths it can see. Prevent host access by default.

🔑

Least Privilege

Don't grant shell or network access unless strictly required. Every permission is potential blast radius.

📋

Audit Every Command

Log every shell command the AI executes. Review them. Anomalies become obvious fast.

🔍

Use Open Source

Only run assistants with auditable code. Know what's actually executing on your machine.

🏠

Local Models

No data leaves your network. No API key to steal. Breaches stay local if they happen at all.

🔐

Secrets Management

Use HashiCorp Vault or similar. Never store secrets in .env files or environment variables.

The goal isn't to avoid AI tools — it's to use them without handing over the keys to your kingdom.
Threat model first. Convenience second.