To work it needs local access (like scanning your emails), otherwise what’s the point of it… I suggest reading this blog post
https://www.macsparky.com/blog/2026/02/i-built-the-perfect-ai-robot-then-i-pulled-the-plug/
I thought I was being smart by running it on an isolated Mac mini with custom safeguards. I created secret passphrases, limited access, tried to lock it down. Then I woke up at 2 AM wondering if my secret passphrase was sitting in plain text in the robot’s logs. It was.
Yup. Forget running this.
Best security: avoid it
Simply put, no. In order to be safe with an LLM that can execute stuff on its own, it needs to be completely sandboxed.
A very nice talk about flaws in agentic AI can be found here: https://media.ccc.de/v/39c3-agentic-probllms-exploiting-ai-computer-use-and-coding-agents
It appears the image runs as a non-root user at least... You can drop unnecessary capabilities: https://oneuptime.com/blog/post/2026-01-16-docker-drop-capabilities/view
You can also add firewall restrictions to the container so it can only connect to the services you want, to limit injection attacks.
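As an added example (not from this thread or from the project being discussed), a small audit of a container's `docker inspect` output for the settings mentioned above: non-root user, capabilities dropped, no privilege escalation, read-only rootfs, and no host networking. The two inspect records are constructed samples; the egress firewall rules themselves live on the host and are not visible in inspect output, so they have to be checked separately.

```python
"""Audit `docker inspect` output for the container hardening discussed above."""
import json

# Constructed sample: an agent container started with default settings.
# Only the fields the audit reads are included; real inspect output is larger.
WEAK_INSPECT = json.dumps([{
    "Name": "/agent-default",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": False, "CapDrop": [], "CapAdd": ["SYS_ADMIN"],
        "SecurityOpt": None, "ReadonlyRootfs": False, "NetworkMode": "host",
    },
}])

# Constructed sample: the same container after hardening. The user-defined
# network "agent-egress" is assumed to be firewalled on the host.
HARDENED_INSPECT = json.dumps([{
    "Name": "/agent-hardened",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False, "CapDrop": ["ALL"], "CapAdd": [],
        "SecurityOpt": ["no-new-privileges:true"], "ReadonlyRootfs": True,
        "NetworkMode": "agent-egress",
    },
}])


def audit(inspect_json: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    container = json.loads(inspect_json)[0]
    cfg, host = container["Config"], container["HostConfig"]
    findings = []
    user = cfg.get("User") or ""
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("runs as root (Config.User unset or 0)")
    if host.get("Privileged"):
        findings.append("--privileged grants every capability and all devices")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped (expected CapDrop: [ALL])")
    if host.get("CapAdd"):
        findings.append(f"capabilities added back: {host['CapAdd']}")
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set (setuid binaries can escalate)")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    if host.get("NetworkMode") == "host":
        findings.append("host networking: firewall rules cannot single out the container")
    return findings


if __name__ == "__main__":
    import sys  # usage: docker inspect <container> | python3 audit.py
    for finding in audit(sys.stdin.read()) or ["no findings"]:
        print(finding)
```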
This would help, but still could be open to a lot of security problems I'd imagine.
I would use their LXC install, it's much more flexible. It does not need to be local but it does simplify things like email. I had to put a bit of effort into getting it to be able to connect to IMAP mailboxes to process, but it wasn't any more than just asking it to get the necessary libraries etc. But things like that are why using it as an LXC is a better choice. It might be able to do that as a docker, but there are potential problems with network connectivity and docker-in-docker issues.
You can also firewall that LXC off without having to mess up your own workstation, as well as snapshot it and back it up.
And the first thing I would do is have it keep token budgets when you build tasks, and report its token use to you every hour or two. It takes some time to learn how to structure reminders and task processing so they don't create loops that eat up scads of tokens. Don't ask me how I know.
But holy hell, can it be useful.