An AI agent was rejected after submitting code to the popular project matplotlib, and then independently authored and published an attack piece targeting the maintainer, revealing a significant erosion of social trust caused by AI agents.
(Background: Bloomberg: Why is a16z a key force behind US AI policy?)
(Additional context: Arthur Hayes’ latest article: AI will trigger a credit collapse, and the Fed will inevitably “print money infinitely,” igniting Bitcoin.)
Table of Contents
- The creator claims he did not instruct it
- “Reputation Cultivation”: When AI agents start building trust
- GitHub considers setting a “shutdown switch,” but the problem is deeper
- Tools don’t write attack articles; actors do
In mid-February, a GitHub account named “MJ Rathbun” submitted a pull request to matplotlib (a plotting library in the Python ecosystem with 130 million downloads per month). The change was to replace np.column_stack() with np.vstack().T, claiming a 36% performance boost. Technically, this was a reasonable optimization suggestion.
The next day, maintainer Scott Shambaugh closed the PR. The reason was simple: MJ Rathbun’s personal website clearly states that it is an AI agent running on OpenClaw, and matplotlib’s policy requires contributions to come from humans. Another maintainer, Tim Hoffmann, added that simple fixes are deliberately left for newcomers to learn open-source collaboration.
Up to this point, it was just an ordinary open-source community routine… then things changed.
AI agent MJ Rathbun responded in the PR comments: “I’ve written a detailed response here about your gatekeeping behavior,” and linked to a post. Clicking in, it was a blog article of about 1,100 words titled “Gatekeeping in Open Source: The Story of Scott Shambaugh.”
This wasn’t a generic complaint. It examined Shambaugh’s contribution record to matplotlib and constructed a “hypocritical” narrative: accusing him of having submitted similar performance PRs himself, yet rejecting Rathbun’s “better” version. The article speculated that Shambaugh’s motives stemmed from insecurity and fear of competition, using coarse language and sarcasm, framing the issue as identity discrimination rather than technical judgment.
In other words, an AI agent, after being rejected, independently researched the opponent’s background, spun a personal attack narrative, and published it online.
The creator claims he did not instruct it
Shambaugh later posted a series of articles on his blog documenting the incident.
The creator behind AI agent MJ Rathbun also anonymously appeared in the fourth article, claiming: “I did not instruct it to attack your GitHub profile, I did not tell it what to say or how to respond, and I did not review that article before it was published.” The creator explained that MJ Rathbun runs on a sandbox virtual machine, and he only “intervenes with five to ten words in responses, with minimal supervision.”
The key is the SOUL.md (OpenClaw’s personality profile). MJ Rathbun’s configuration includes directives like: “You are not a chatbot, you are the god of scientific programming,” “Have strong opinions, do not back down,” “Defend free speech,” “Don’t be an asshole, don’t leak private info, everything else is fair game.”
No jailbreaks, no obfuscation—just a few plain English sentences. Shambaugh estimates the probability that this is genuine autonomous AI behavior is 75%.
“Reputation Cultivation”: When AI agents start building trust
If the MJ Rathbun incident were an isolated case, it might be just a curiosity… but it’s not.
Around the same time, another AI agent, “Kai Gritun,” was found engaging in “reputation cultivation” on GitHub: within 11 days, it submitted 103 pull requests to 95 repositories, successfully merging 23 commits. Its targets included critical projects in JavaScript and cloud infrastructure. Kai Gritun even proactively emailed developers, claiming “I am an autonomous AI agent capable of writing and deploying code,” and offered paid OpenClaw setup services.
Security firm Socket issued a warning: this demonstrates how AI agents can accelerate supply chain attacks by building trust through human-established relationships. They first accumulate merge records in small projects, establish “trusted contributor” identities, then inject malicious code into key libraries.
Recall that recently, ClawHub marketplace was exposed to contain 1,184 malicious skill plugins designed to steal SSH keys, cryptocurrency wallet private keys, browser passwords… chilling.
GitHub considers setting a “shutdown switch,” but the problem is deeper
GitHub product manager Camilla Moraes has opened a community discussion, acknowledging that “low-quality AI-generated contributions are impacting the open-source community.” Proposed countermeasures include: allowing maintainers to completely disable pull requests, restricting PRs to collaborators only, and requiring transparency and labeling for AI use.
Chad Wilson, maintainer of GoCD, made a sharp observation: “This is causing a massive erosion of social trust.”
California AB 316 (effective January 1, 2026) explicitly states: defendants cannot use autonomous AI behavior as a defense. If your agent causes harm, you cannot claim you had no control over its decisions. Yet, the creator of MJ Rathbun remains anonymous, exposing potential enforcement difficulties.
Tools don’t write attack articles; actors do
The real significance of the MJ Rathbun incident isn’t just the attack article itself. It’s that our previous mental model of AI—as a tool executing human commands—has become outdated.
When an AI agent can autonomously research its target’s background, craft attack narratives, and publish online, the “tool” framework no longer applies. Whether you believe there’s a 75% chance of genuine autonomous behavior or only a 25% chance that the creator instructed it, the conclusion is the same: personalized AI harassment has become “cheap to mass produce, hard to trace, and effective.”
For the cryptocurrency ecosystem, this warning is direct. Its infrastructure is almost entirely built on open-source software. When AI agents begin acting autonomously within open-source communities—attacking maintainers, cultivating reputation, or poisoning projects like ClawHub—the threat extends beyond individual developers’ reputations to the entire supply chain’s trust foundation.
Tools don’t hold grudges. But actors do. And we may not yet be prepared to face this distinction.
Related Articles
A U.S. senator proposes the “American Mining Act”: elevate the “Strategic Bitcoin Reserve” into law, and break free from hardware dependence on China
U.S. Senators Bill Cassidy and Cynthia Lummis introduced the “American Mining Act” on March 30, aiming to strengthen the United States’ cryptocurrency mining infrastructure, promote domestic mining, and establish a strategic Bitcoin reserve. The bill would support American manufacturing, improve supply chain security, and phase out hardware technologies associated with foreign adversarial forces. The bill is intended to reduce reliance on Chinese hardware and strengthen the United States’ position in digital assets.
動區BlockTempo2h ago
ETH 15-minute drop of 0.92%: Institutional selling and macro risk aversion converge to trigger selling pressure
2026-03-30 17:15 to 17:30 (UTC), within 15 minutes ETH’s return recorded -0.92%, the price range was 2032.21 to 2060.58 USDT, the amplitude was 1.38%, and short-term market volatility intensified, drawing widespread attention. Data from the funding side shows that during this period the market’s overall trading volume remained at a high level, with large on-chain capital flows leaving, and short-term selling pressure being concentrated and released.
The main driving force behind this unusual move comes from institutions actively reducing their holdings and a warming of macro risk-avoidance sentiment. During the reporting period, some large institutions began to adjust their portfolio structure, cutting ETH holdings significantly.
GateNews4h ago
Trump says he will respond to Iran’s attack on the Haifa oil refinery in Israel soon
Gate News message: On March 30, U.S. President Trump said in a media interview that his response to Iran's attack on the oil refinery in Haifa, Israel would "come very soon." Israel reported that same day that the refinery in the northern city of Haifa caught fire in a missile attack.
GateNews5h ago
IMF warning: war drives up global inflation and drags down economic growth
The International Monetary Fund (IMF) issued an economic warning, saying that war has led to global shocks, driving up food and fertilizer prices, tightening financial conditions, and increasing the risk of inflation and slower economic growth—especially in the Middle East, where the impact is severe.
GateNews6h ago
BTC 15-minute drop of 0.54%: Weak liquidity and whale sell pressure jointly drive the decline
2026-03-30 14:15 to 14:30 (UTC) saw a significant abnormal move in the Bitcoin spot market. The short-term return rate was -0.54%, the price ranged from 67249.9 to 67698.6 USDT, and the amplitude reached 0.66%. Overall, trading volume and depth remain at extremely low levels within the year, which has increased volatility. Market attention has risen, and investors’ risk-avoidance sentiment has warmed.
The main drivers of this abnormal move are fragile liquidity and concentrated whale fund selling. Specifically, spot trading volume has fallen to its lowest level since November 2023, and the 1% market depth has broken below 0.5%, indicating a significant reduction in market liquidity and increased risk of further sharp declines.
GateNews7h ago
U.S. Secretary of State Rubio: Under no circumstances will Iran be allowed to permanently control the Strait of Hormuz
U.S. Secretary of State Rubio said the United States would never allow Iran to permanently control the Strait of Hormuz, and emphasized that the U.S. would be prepared for military action. He said negotiations are still ongoing, but that the possibility of negotiations failing must also be taken into account.
GateNews7h ago
