Vitalik Buterin warns of AI security risks, pushes for local-first systems

Vitalik Buterin has called for a shift to a “local-first” approach to artificial intelligence. He said modern AI tools pose serious privacy and security risks.

In a recent blog post, he said AI is moving beyond simple chat tools. Newer systems now act as autonomous agents that can “think for a long time and use hundreds of tools” to complete tasks. He warned that this change raises the risk of sensitive data exposure and unauthorized actions.

Buterin said he has already stopped using cloud-based AI. He described his setup as “self-sovereign, local, private, and secure.”

“I come from a position of deep fear of feeding our entire personal lives to cloud AI,” he wrote. He added that recent developments could mean “taking ten steps backward” in privacy, even as encryption and local-first tools become more common.

Buterin said many AI systems rely on cloud infrastructure. He warned that users are effectively “feeding our entire personal lives to cloud AI,” allowing external servers to access and store their data.

He also pointed to risks tied to AI agents. Some systems can “modify critical settings” or introduce new communication channels without asking the user.

“LLMs fail sometimes too,” he wrote. They “can make mistakes or be tricked,” which increases the need for safeguards when they are given more control.

Research cited in his post found that about 15% of agent “skills” contained malicious instructions. Some tools were also shown to send data to external servers “without user awareness.”

He warned that certain models may contain hidden backdoors. These could activate under specific conditions and cause the system to act in the developer’s interest.

Buterin added that many models described as open-source are only “open-weights.” Their internal structure is not fully visible, which leaves room for unknown risks.

Vitalik’s personal setup to address risks

To deal with these concerns, Buterin proposed a system built around local inference, local storage, and strict sandboxing. He said the idea is to “sandbox everything” and stay cautious about outside threats.

He tested several hardware setups using the Qwen3.5:35B model. Performance below 50 tokens per second felt “too annoying” for regular use. Around 90 tokens per second provided a smoother experience.

A laptop with an NVIDIA 5090 GPU delivered close to 90 tokens per second. DGX Spark hardware reached about 60 tokens per second, which he described as “lame” compared to a high-end laptop.

His setup runs on NixOS with llama-server handling local inference. Tools like llama-swap help manage models, while bubblewrap is used to isolate processes and limit access to files and networks.

He said AI should be treated with caution. The system can be useful, but it should not be fully trusted, similar to how developers approach smart contracts.

To reduce risk, he uses a “2-of-2” confirmation model. Actions such as sending messages or transactions require both AI output and human approval. He said combining “human + LLM” decisions is safer than relying on either alone.

When using remote models, Vitalik’s requests are first passed through a local model which helps remove sensitive information before anything is sent out.

For those who cannot afford such setups, he suggested users “get together a group of friends, buy a computer and GPU of at least that level of power,” and connect to it remotely.

AI agent growth raises new concerns and opportunities

The use of AI agents is increasing, with projects like OpenClaw gaining traction. These systems can operate on their own and complete tasks using multiple tools.

Such capabilities also introduce new risks. Processing external content, such as a malicious webpage, can lead to an “easy takeover” of the system.

Some agents can change prompts or system settings without approval. These actions increase the chances of unauthorized access and data leaks.