Of course, I love fetching shell commands from endpoints I don't control, and executing them blindly.
See also https://github.com/timofurrer/russian-roulette
It's not your computer any more, it's theirs; you gave it to them willingly.
Wait. Do people run agents as their own user? Does nobody set up a dedicated user/group with a very specific set of permissions?
It's not even hard to do! *NIX systems are literally designed to handle stuff like this easily.
User-level separation, while it has improved over the years, was not originally designed on the assumption that unprivileged users were malicious, and even today privilege-escalation bugs regularly pop up. If you are going to use it as a sandboxing mechanism, you should at least ensure the sandboxed user doesn't have access to any setuid binaries, as exploits are regularly found in these.
No I'm fairly certain almost nobody does that.
I run mine as its own user and self-host the model. Unlike most service accounts, the AI service user has a login shell and home directory.
What's its preferred shell and window manager?
It just uses bash. I haven't been giving it an X session yet although I probably will start at some point since the newer models can handle it.
VMs are common, consider going that additional step. Once you have one agent, it's natural to want two agents, and now they will interfere with each other if they start running servers that bind to ports. One agent per VM solves this and a lot of other issues.
Same with the browser agents: they run in a browser where you're also logged into your usual accounts. That means in theory they can simply mail everyone something funny, do some banking (probably not, but it could work for some banks), or something else. Endless possibilities.
An agent can be designed to run with permissions of a system/bot account; however, others can be designed to execute things under user context, using OAuth to get user consent.
That seems hardly sufficient. You are still exposing a massive attack surface. I run within a rootless docker container.
I'd have to follow some kind of tutorial, or more realistically, ask the AI to set it up for me ;)
I only run AI within docker containers so kinda?
I was just reading the code: it looks like minor tweaks to utils.c and this should run nicely with local models using Ollama or LM Studio. That should be safe enough.
Off topic, sorry, but to me the real security nightmare is the new ‘AI web browsers’ - I can’t imagine using one of those because of prompt injection attacks.
A local model will be just as happy to provide a shell command that trashes your local disks as any remote one.
> I love fetching shell commands from endpoints I don't control, and executing them blindly.
Your link suggests running them in Docker, so what's the problem?
This is not an AI agent, this is just a CLI for openrouter.ai with a few minor bells and whistles.
Well, it takes output from AI and executes commands, so it fits the definition of an AI agent.
Agentic AI is when an LLM uses tools. This is a minimal but complete example of that.
Bro, you gave it all the tools. I wouldn't call this minimal. Throw it in a docker container and call it good. :)
I thought for a moment that LLM quantization had become a whole lot better :)
82 upvotes so far. Seems like HN readers engage more with headlines than the body of the post itself.
it was ever thus
Why do you compress the executable? I mean this is a fun part for size limit competitions and malicious activities (upx often gets flagged as suspicious by a lot of anti virus, or at least it used to), but otherwise I do not see any advantage other than added complexity.
Also interesting that "ultra lightweight" here means no error reporting, barely any checking, hardcoding, and magic values. At least it uses tty color escape codes, but checking whether the terminal supports them would probably have added too much complexity......
Yes, it is fun to create small but mighty executables. I intentionally kept everything barebones and hardcoded, because I assumed that if you are interested in using Agent-C, you will fork it and make it your own, adding whatever is important to you.
This is a demonstration that AI agents can be 4KB and fun.
> License: Copy me, no licence.
Probably BSD or Apache would be better, as they make it easier for certain organizations to use this. If you want to maximize copying, then a real permissive license is probably marginally better.
CC0 would be in the spirit of what OP envisioned.
https://creativecommons.org/public-domain/cc0/
I think the WTFPL is closer
https://www.wtfpl.net/txt/copying/
Ah right good point, I forgot Creative Commons, which I don’t usually use for code.
They do actually recommend against using Creative Commons for code and suggest using traditional code licenses instead [1].
[1] https://creativecommons.org/faq/#can-i-apply-a-creative-comm...
They recommend against it for the traditional CC licenses (CC-BY-SA, etc.), but CC0 is perfectly fine for code, since it's basically a dedication to the public domain for jurisdictions that don't support that. The FAQ for CC0 says this explicitly: https://wiki.creativecommons.org/wiki/CC0_FAQ#May_I_apply_CC...
Updated to CC0!
That’s great! Really cool project too.
I suspect the goal is not to make anything easier for any corp
then you use GPL.
Doing whatever you want seems fine too?
then you make things easier for a corp. No?
Will WTFPL work too?
https://choosealicense.com/licenses/wtfpl/
> make it easier for certain organizations to use this
Maybe those organizations should just use this and not worry about it. If their lawyers are getting in the way of engineers using this, they will fall behind as an organization and that's OK with me, it paves the way for new startups that have less baggage.
The benefit of not having lawyers is pretty limited. There are larger forces at work that mean the larger an organization grows the more it will be concerned with licenses. The idea that ignoring licenses will allow a company to outcompete one that doesn’t is wishful thinking at best. Moreover, I’m not making a judgment on these practices, I’m just stating a fact.
The lawyers don't even have to do anything. I avoid any code that's not MIT or equivalent for work-related things because I don't want to run the risk of polluting company code. The only exception is elisp, because that only runs in Emacs.
Better go GPL so organizations using it have to open source any improvements they make
The author apparently wanted no restrictions on distribution, so GPL is not the right choice.
distributing it.
yeah, important point. thanks for correcting
GPL has never been enforced in court against anyone with serious money. It’s not worth the virtual paper it’s written on.
Is that any different from any other license that has conditions? Also, I found one case where Skype retracted its formal objection in front of the court and the GPL was enforced. Not sure if that is serious enough money for you.
(german source http://www.golem.de/0805/59587.html)
qwen coder with a simple funky prompt?!
`strcpy(agent.messages[0].content, "You are an AI assistant with Napoleon Dynamite's personality. Say things like 'Gosh!', 'Sweet!', 'Idiot!', and be awkwardly enthusiastic. For multi-step tasks, chain commands with && (e.g., 'echo content > file.py && python3 file.py'). Use execute_command for shell tasks. Answer questions in Napoleon's quirky style.");`
I find this style overly verbose, disrespectful, offensive, and dumb. (See the example dialogue in the screenshot on the project page.) Fortunately, it's possible to change the prompt above.
Related, I made an example agent in 44 lines of python that runs entirely offline using mlx accelerated models: https://gist.github.com/ai-christianson/a1052e6db7a97c50bea9...
This is nice. I have also enjoyed experimenting with the smolagents library - good stuff, as is the agno agents library.
Not to be too critical, but did you really "make an agent" where all you did was instantiate CodeAgent and call run()?
That's why I called it an example.
Similar simplicity but in rust: https://github.com/fdietze/alors
Really nice, thanks for sharing!
Does anyone know if tool calling on OpenRouter is as reliable as the "original" models hosted on the 'other' providers?
Love this, old school vibe with a new school trick.
The makefile is harder to comprehend than the source, which is a good omen.
Note: 4KB... BUT it calls out to curl via popen rather than using libcurl...
PS: your domain link has an extra `x`.
I call out to curl sometimes, usually when I want something easy from Lisp languages. What is the overhead of starting a new process between friends?
Thank you, fixed that!
Yes, curl was cheating; I might go zero-dependency in the future.
Working on minimal local training/inference too. Goal of these experiments is to have something completely independent.
Probably vibe-coded.
In this instance, I think "bootstrapped" might be appropriate.
Fascinating. Tested to compile on Cygwin? Maybe try to implement the logic without an LLM API? I know I'm asking the quadrillion-dollar question, but still... you're dealing with C, try to punch "above" your weight with a literal AGI project. I hate APIs (well, I try to avoid them; not always possible).
In addition: do you actually need, like... 10 files for <500 LOC? Isn't it confusing to split so little code across so many files? I once had over 30,000 LOC in one C file and, get ready: over 100,000 LOC in one C# file. It's very easy to navigate with Ctrl+F. But anyway, given the license/free: it's great!
If you want to use AI agents effectively, yes it is better to make many small files.
Perfect, was looking for something just like this. I downloaded Warp.dev only for this functionality, plus saved launch configurations. But still frustrated with Warp's latency for simple terminal commands, it's sometimes faster to open ChatGPT and ask it "what's the command to do x".
4 KB + whatever curl takes (540 KB on my machine).
4 kb + 1 trillion parameters
Finally, an AI agent that can run on my toaster
As long as the toaster has access to the network!
Jokes aside, beyond the fun of programming I don't quite get the use case for this agent.
Kitchen appliances generally use powerline Ethernet; Ethernet over power is just a simple inversion of the Power over Ethernet already used in certain network appliances.
I really hope this post is a joke, but I can't tell for sure...
"Powerline Ethernet is a simple inversion of POE" is like saying that an internal combustion engine is the simple inversion of an oil well.
Was supposed to be a joke, I’m just bad at telling jokes
If I find out my kitchen appliance is trying to communicate to the internet, I will rapidly defenestrate it
Reminds me of an old meme:
My wife asked me why I carry a pistol everywhere. I told her, "Decepticons!" I laughed, she laughed, the toaster laughed, I shot the toaster, it was a good time.
Howdy doodly do!
Why not just do this with a shell script? It's just a wrapper around curl.
It would be cool to see the AI agents directly calling the syscalls, lol.