Vitalik Buterin Warns About AI Agent Security Risks, Shares His Private LLM Stack

Ethereum co-founder Vitalik Buterin has moved entirely off cloud AI services and described a fully local, sandboxed AI setup in a blog post published this week. He framed the change as a response to security and privacy failures he says are spreading across the AI agent ecosystem.

Shift away from cloud AI

Buterin said he abandoned cloud AI in April 2026, running the open-weights Qwen3.5:35B model locally on an Nvidia 5090 laptop. He described the system as self-sovereign, local, private, and secure, and argued that the AI agent space is at risk of reversing privacy gains associated with end-to-end encryption and local-first software.

In his post, Buterin cited research indicating that roughly 15% of AI agent skills—or plug-in tools—contain malicious instructions. He referenced security firm Hiddenlayer’s findings that parsing a single malicious web page could fully compromise an Openclaw instance, enabling it to download and execute shell scripts without user awareness.

“I come from a mindset of being deeply scared that just as we were finally making a step forward in privacy with the mainstreaming of end-to-end encryption and more and more local-first software, we are on the verge of taking ten steps backward,” Buterin wrote.

Local hardware and performance

Buterin’s primary hardware is a laptop with an Nvidia 5090 GPU with 24 GB of video memory. Using llama-server to run Qwen3.5:35B from Alibaba, he reported throughput of 90 tokens per second, which he said is his target for comfortable daily use.

He also tested other configurations:

• AMD Ryzen AI Max Pro with 128 GB unified memory: 51 tokens per second
• DGX Spark: 60 tokens per second

Buterin said the DGX Spark, marketed as a desktop AI supercomputer, was unimpressive relative to its cost and delivered lower throughput than a good laptop GPU.

Operating system and local inference workflow

For his operating system, Buterin said he switched from Arch Linux to NixOS, which allows users to define system configuration in a single declarative file. He uses llama-server as a background daemon that exposes a local port that applications can connect to.

He also noted that Claude Code can be directed to a local llama-server instance instead of using Anthropic’s servers.

Sandboxing and outbound action controls

Sandboxing is central to Buterin’s security model. He said he uses bubblewrap to create isolated environments from any directory. In this setup, processes inside the sandbox can access only files explicitly allowed and only the network ports that are controlled.

Buterin also open-sourced a messaging daemon at github.com/vbuterin/messaging-daemon. He said the daemon wraps signal-cli and email, can read messages freely, and can send messages to himself without confirmation. However, any outbound message to a third party requires explicit human approval.

Buterin described this as a “human + LLM 2-of-2” confirmation rule, and said the same logic applies to Ethereum wallets. He advised teams building AI-connected wallet tools to cap autonomous transactions at $100 per day and require human confirmation for anything higher or for any transaction carrying calldata that could exfiltrate data.

Research tools and local data to reduce leakage

For research tasks, Buterin compared a local tool called Local Deep Research with his own setup using the pi agent framework paired with SearXNG, a self-hosted privacy-focused meta-search engine. He said pi plus SearXNG produced better quality answers.

To reduce reliance on external search queries, he said he stores a local Wikipedia dump of approximately 1 terabyte alongside technical documentation, describing external search as a privacy leak.

He also published a local audio transcription daemon at github.com/vbuterin/stt-daemon. Buterin said the tool can run without a GPU for basic use and feeds output to the LLM for correction and summarization.

Scope of the post and security caution

Buterin closed by saying the post is a starting point rather than a finished product, and warned readers against copying his exact tools and assuming they are secure.