Ethereum’s Vitalik Buterin Warns Against AI Agent Security Risks, Shares His Private LLM Stack – Bitcoin News


Key points to remember:

  • Ethereum co-founder Vitalik Buterin abandoned cloud AI in April 2026, running Qwen3.5:35B locally on an Nvidia 5090 laptop at 90 tokens per second.
  • Buterin found that about 15% of AI agent skills contain malicious instructions, citing data from security firm Hiddenlayer.
  • His open-source messaging daemon applies a “human + LLM 2 of 2” rule to every outgoing Signal or email action addressed to a third party.

How Vitalik Buterin manages an autonomous AI system without access to the cloud

Buterin described the system as “self-sovereign/local/private/secure” and said it was built in direct response to what he sees as serious security and privacy vulnerabilities spreading across the AI agent space. He pointed to research showing that about 15% of agent skills, or plug-in tools, contain malicious instructions. Security firm HiddenLayer demonstrated that scanning a single malicious web page could completely compromise an OpenClaw instance, allowing it to download and execute shell scripts without the user’s knowledge.

“I come from a mindset where I am deeply afraid that just as we finally take a step forward in privacy with the integration of end-to-end encryption and more and more local software, we are about to take ten steps backwards,” Buterin wrote.

His hardware of choice is a laptop with an Nvidia 5090 GPU and 24 GB of video memory. Running Alibaba’s open-weight Qwen3.5:35B model through llama-server, the setup reaches 90 tokens per second, which Buterin calls the target for comfortable daily use. He also tested the AMD Ryzen AI Max Pro with 128 GB of unified memory, which reached 51 tokens per second, and the DGX Spark, which reached 60 tokens per second.

He said the DGX Spark, marketed as a desktop AI supercomputer, was unimpressive given its cost and its lower throughput than a good laptop GPU. For his operating system, Buterin has moved from Arch Linux to NixOS, which lets users define their entire system configuration in a single declarative file. He runs llama-server as a background daemon that exposes a local port any application can connect to.

Claude Code, he noted, can be pointed at a local llama-server instance instead of Anthropic’s servers. Sandboxing is at the heart of his security model. He uses bubblewrap to create an isolated environment from any directory with a single command. Processes running in these sandboxes can only reach the files and network ports that are explicitly allowed. Buterin has open-sourced a messaging daemon at github.com/vbuterin/messaging-daemon that wraps signal-cli and email.
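To make the sandboxing step concrete, here is an added example (written for this article, not Buterin’s own tooling) that builds a bubblewrap command line confining an agent process to one project directory: the host’s system directories are mounted read-only, only the chosen directory is writable, and the network is absent unless explicitly enabled. The function and parameter names are assumptions; the flags are documented `bwrap` options. One caveat the article’s wording glosses over: bubblewrap itself does not filter individual ports, it either gives the sandbox an empty network namespace or the host’s network, so per-port control has to come from a firewall or proxy outside the sandbox.

```python
"""Confine an agent process to one project directory with bubblewrap.

Added example for this article, not Buterin's own script. Assumes `bwrap`
is on PATH. bubblewrap grants either no network (the --unshare-all default)
or the host's network (--share-net); it does not filter ports.
"""
import os
import shutil
import subprocess
from typing import Sequence

# Host paths the sandbox may read (binaries, libraries, config) but never write.
DEFAULT_RO_ROOTS = ("/usr", "/bin", "/lib", "/lib64", "/etc")


def bwrap_argv(workdir: str, command: Sequence[str], allow_network: bool = False,
               ro_roots: Sequence[str] = DEFAULT_RO_ROOTS) -> list[str]:
    """Return the argv for `bwrap` so that `command` sees only `workdir` as writable."""
    argv = [
        "bwrap",
        "--unshare-all",       # fresh pid/net/ipc/uts/user namespaces; no host network by default
        "--die-with-parent",   # tear the sandbox down if the controlling process exits
        "--new-session",       # setsid(): the sandbox cannot inject input into our terminal
    ]
    if allow_network:
        argv.append("--share-net")   # only meaningful together with --unshare-all
    for root in ro_roots:
        if os.path.isdir(root):      # skip roots that do not exist on this host (e.g. /lib64)
            argv += ["--ro-bind", root, root]
    argv += ["--dev", "/dev", "--proc", "/proc", "--tmpfs", "/tmp"]
    argv += ["--bind", workdir, workdir, "--chdir", workdir]   # the single writable directory
    return argv + ["--", *command]


def run_sandboxed(workdir: str, command: Sequence[str], allow_network: bool = False) -> int:
    """Execute `command` inside the sandbox and return its exit status."""
    if shutil.which("bwrap") is None:
        raise RuntimeError("bubblewrap (bwrap) is not installed")
    return subprocess.call(bwrap_argv(os.path.abspath(workdir), command, allow_network))


if __name__ == "__main__":
    # A shell in which only the current directory is writable and there is no network at all.
    raise SystemExit(run_sandboxed(".", ["/bin/sh"]))
```

Run it from the directory you want the agent to work in; pass `allow_network=True` only for tasks that genuinely need the host network, since inside the sandbox that is all-or-nothing.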

He pointed out that the daemon can freely read messages and send messages to Buterin himself without confirmation. Any outgoing message intended for a third party requires explicit human approval. He called this the “human + LLM 2 of 2” model and said the same logic applies to Ethereum wallets. He advised teams building AI-connected wallet tools to limit autonomous transactions to $100 per day and to require human confirmation for any amount above that, or for any transaction carrying calldata that could exfiltrate data.
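The following added example (an illustration written for this article, not code from the messaging-daemon repository) encodes the “human + LLM 2 of 2” rule described above as a single policy gate: messages to the owner pass without confirmation, any message to a third party needs explicit human approval on top of the LLM’s intent, wallet sends under a $100 daily autonomous budget run alone, and anything above it, or carrying calldata, is handed to the human. The class and field names, the in-memory ledger and the sample events are constructed here; a real daemon would wire `confirm` to a terminal prompt or a Signal reply from the owner.

```python
"""A "human + LLM 2 of 2" gate for agent-initiated side effects.

Added illustration for this article, not Buterin's messaging-daemon code.
Gate, Message, WalletTx and run_demo are constructed names; the $100/day
autonomous budget and the calldata rule are the figures the article reports.
"""
from dataclasses import dataclass
from typing import Callable, Literal

DAILY_AUTONOMOUS_LIMIT_USD = 100.0   # budget the article recommends


@dataclass(frozen=True)
class Message:
    channel: Literal["signal", "email"]
    recipient: str
    body: str


@dataclass(frozen=True)
class WalletTx:
    to: str
    value_usd: float
    calldata: bytes = b""   # non-empty calldata means a contract call, not a plain transfer


@dataclass
class Gate:
    owner: str                         # the one recipient the agent may message freely
    confirm: Callable[[str], bool]     # human factor: tty prompt, Signal reply from the owner, ...
    autonomous_spent_usd: float = 0.0  # autonomous spend so far today (reset at UTC midnight)

    def decide_message(self, m: Message) -> str:
        if m.recipient == self.owner:
            return "send"              # self-directed: the LLM alone decides
        # Third party: the LLM proposed it, the human is the second signature.
        prompt = f"Send {m.channel} to {m.recipient}: {m.body[:60]!r}? [y/N] "
        return "send" if self.confirm(prompt) else "blocked"

    def decide_tx(self, tx: WalletTx) -> str:
        over_budget = self.autonomous_spent_usd + tx.value_usd > DAILY_AUTONOMOUS_LIMIT_USD
        if tx.calldata or over_budget:
            why = "carries calldata" if tx.calldata else "exceeds the daily autonomous budget"
            prompt = f"Tx to {tx.to} for USD {tx.value_usd:.2f} {why}. Approve? [y/N] "
            # Design choice: human-approved spend is not charged to the autonomous budget.
            return "send" if self.confirm(prompt) else "blocked"
        self.autonomous_spent_usd += tx.value_usd
        return "send"


def run_demo(answers: list[bool]) -> list[str]:
    """Replay a constructed event stream against a scripted human; return the verdicts."""
    replies = iter(answers)
    gate = Gate(owner="owner@example.org", confirm=lambda prompt: next(replies, False))
    events = [
        Message("email", "owner@example.org", "daily digest"),                # free
        Message("signal", "+15555550100", "can you send me the file?"),       # human asked
        WalletTx("0xplaceholder_recipient", 40.0),                             # autonomous
        WalletTx("0xplaceholder_recipient", 70.0),                             # 110 > 100: human asked
        WalletTx("0xplaceholder_recipient", 1.0, calldata=b"\xa9\x05\x9c\xbb"),  # calldata: human asked
    ]
    return [gate.decide_message(e) if isinstance(e, Message) else gate.decide_tx(e)
            for e in events]


if __name__ == "__main__":
    # Scripted human: refuses the Signal message, approves the $70 tx, refuses the calldata tx.
    for n, verdict in enumerate(run_demo([False, True, False]), 1):
        print(f"event {n}: {verdict}")
```

The point of the two factors is that they fail differently: the LLM is the one that can be talked into a bad action by a malicious skill or web page, while a human who has to approve every third-party message and every over-budget or calldata-bearing transaction catches exactly those cases, at the cost of only a few prompts a day.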

Remote inference, on Buterin’s terms

For search tasks, Buterin compared the local tool Local Deep Research with his own setup using the pi agent framework combined with SearXNG, a self-hosted, privacy-focused meta-search engine. He said pi plus SearXNG produced higher-quality responses. He keeps a local Wikipedia dump of around 1 terabyte alongside technical documentation to reduce his reliance on external search queries, which he treats as a privacy leak.

He also released a local audio transcription daemon at github.com/vbuterin/stt-daemon. The tool runs without a GPU for basic use and passes its output to the LLM for correction and summarization. On Ethereum integration, Buterin said AI agents should never hold unrestricted wallet access. He recommended treating the human and the LLM as two separate confirming factors that each catch different failure modes.

For cases where local models fall short, Buterin described a privacy-preserving approach to remote inference. He highlighted his own ZK-API proposal with researcher Davide, the project to open anonymity, and the use of mixnets to prevent servers from linking successive requests by IP address. He also cited trusted execution environments as a near-term way to reduce data leakage from remote inference, while noting that fully homomorphic encryption for private cloud inference remains too slow to be practical today.

Buterin ended by noting that the post describes a starting point, not a finished product, and cautioned readers against copying his tools exactly and assuming they are secure.


