
Ethereum’s Vitalik Buterin Warns Against AI Agent Security Risks, Shares His Private LLM Stack – Bitcoin News


Key Takeaways:

  • Ethereum co-founder Vitalik Buterin abandoned cloud AI in April 2026, running Qwen3.5:35B locally on an Nvidia 5090 laptop at 90 tokens per second.
  • Buterin found that roughly 15% of AI agent skills contain malicious instructions, citing data from security firm Hiddenlayer.
  • His open-sourced messaging daemon enforces a human-plus-LLM 2-of-2 confirmation rule for all outbound Signal and email actions to third parties.

How Vitalik Buterin Runs a Self-Sovereign AI System With No Cloud Access

Buterin described the system as “self-sovereign / local / private / secure” and said it was built in direct response to what he sees as serious security and privacy failures spreading through the AI agent space. He pointed to research showing roughly 15% of agent skills, or plug-in tools, contain malicious instructions. Security firm Hiddenlayer demonstrated that parsing a single malicious web page could fully compromise an Openclaw instance, allowing it to download and execute shell scripts without user awareness.

“I come from a mindset of being deeply scared that just as we were finally making a step forward in privacy with the mainstreaming of end-to-end encryption and more and more local-first software, we are on the verge of taking ten steps backward,” Buterin wrote.

His hardware of choice is a laptop with an Nvidia 5090 GPU and 24 GB of video memory. Running the open-weights Qwen3.5:35B model from Alibaba through llama-server, the setup reaches 90 tokens per second, which Buterin calls the target for comfortable daily use. He also tested the AMD Ryzen AI Max Pro with 128 GB of unified memory, which hit 51 tokens per second, and the DGX Spark, which reached 60 tokens per second.

He said the DGX Spark, marketed as a desktop AI supercomputer, was unimpressive given its cost and lower throughput compared to a good laptop GPU. For his operating system, Buterin switched from Arch Linux to NixOS, which lets users define their entire system configuration in a single declarative file. He uses llama-server as a background daemon that exposes a local port any application can connect to.

Claude Code, he noted, can be pointed at a local llama-server instance instead of Anthropic’s servers. Sandboxing is central to his security model. He uses bubblewrap to create isolated environments from any directory with a single command. Processes running inside those sandboxes can access only the files explicitly allowed to them and only controlled network ports. Buterin open-sourced a messaging daemon at github.com/vbuterin/messaging-daemon that wraps signal-cli and email.

He remarked that the daemon can read messages freely and send messages to himself without confirmation. Any outbound message to a third party requires explicit human approval. He called this the “human + LLM 2-of-2” model, and said the same logic applies to Ethereum wallets. He advised teams building AI-connected wallet tools to cap autonomous transactions at $100 per day and require human confirmation for anything higher or any transaction carrying calldata that could exfiltrate data.
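The confirmation rules described above can be expressed as a small policy gate. This is an added example, not code from Buterin's messaging daemon or any wallet project; the names `WalletGate`, `message_needs_human` and `OWNER` are hypothetical, and it assumes the $100 cap is cumulative per day and that human-approved transfers do not count against the autonomous budget.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal

DAILY_CAP_USD = Decimal("100")  # autonomous daily cap quoted in the article
OWNER = "+15550100"             # constructed placeholder for the owner's own address


def message_needs_human(recipient: str) -> bool:
    """Messages to yourself go out freely; any third party needs the human factor."""
    return recipient != OWNER


@dataclass
class WalletGate:
    """Hypothetical gate: the LLM proposes, the human is the second of two approvers."""
    spent: dict = field(default_factory=dict)  # date -> autonomous USD spent that day

    def needs_human(self, day: date, usd: Decimal, calldata: bytes) -> bool:
        if calldata:  # arbitrary bytes can carry exfiltrated data
            return True
        # Cumulative check, so many small transfers cannot add up past the cap.
        return self.spent.get(day, Decimal("0")) + usd > DAILY_CAP_USD

    def submit(self, day: date, usd: Decimal, calldata: bytes = b"",
               llm_ok: bool = False, human_ok: bool = False) -> str:
        if not llm_ok:
            return "rejected"  # nothing is sent without the LLM's own approval
        if self.needs_human(day, usd, calldata):
            # Assumption: human-approved transfers do not consume the autonomous budget.
            return "sent" if human_ok else "pending_human"
        self.spent[day] = self.spent.get(day, Decimal("0")) + usd
        return "sent"
```

A transfer that returns `pending_human` is held, not dropped, so the human can approve or discard it out of band.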

Remote Inference, on Buterin’s Terms

For research tasks, Buterin compared the local tool Local Deep Research against his own setup using the pi agent framework paired with SearXNG, a self-hosted privacy-focused meta-search engine. He said pi plus SearXNG produced better quality answers. He stores a local Wikipedia dump of approximately 1 terabyte alongside technical documentation to reduce his reliance on external search queries, which he treats as a privacy leak.

He also published a local audio transcription daemon at github.com/vbuterin/stt-daemon. The tool runs without a GPU for basic use and feeds output to the LLM for correction and summarization. On Ethereum integration, Buterin said AI agents should never hold unrestricted wallet access. He recommended treating the human and the LLM as two distinct confirmation factors that each catch different failure modes.

For cases where local models fall short, Buterin outlined a privacy-preserving approach to remote inference. He pointed to his own ZK-API proposal with researcher Davide, the Openanonymity project, and the use of mixnets to prevent servers from linking successive requests by IP address. He also cited trusted execution environments as a way to reduce data leakage from remote inference in the near term, while noting that fully homomorphic encryption for private cloud inference remains too slow to be practical today.

Buterin closed with a note that the post describes a starting point, not a finished product, and warned readers against copying his exact tools and assuming they are secure.

Source: https://news.bitcoin.com/ethereums-vitalik-buterin-warns-against-ai-agent-security-risks-shares-his-private-llm-stack/
