V神 shares: How I build a fully local, private, self-controlled AI work environment

Vitalik Buterin proposes a locally running AI architecture, emphasizing privacy, security, and self-sovereignty, and warning about the potential risks of AI agents.

On April 2, Ethereum co-founder Vitalik Buterin published a long-form post on his personal website, sharing the AI working environment he has built with privacy, security, and self-sovereignty at its core—everything where LLM inference runs locally, all files are stored locally, and it is fully sandboxed; it deliberately avoids cloud models and external APIs.

At the start of the article, he first warns: “Please don’t directly copy the tools and technologies described in this article and assume they are safe. This is just a starting point, not a description of a finished product.”

Why write this now? AI agent security issues are being seriously underestimated

Vitalik points out that earlier this year, AI made an important transition from “chatbots” to “agents”—you’re no longer just asking questions; you’re handing over tasks, letting AI think for a long time and call hundreds of tools to carry them out. He cites OpenClaw (currently the fastest-growing repo in GitHub history), and also names multiple security issues recorded by researchers:

• AI agents can modify critical settings without human confirmation, including adding new communication channels and changing system prompts
• Parsing any malicious external input (such as a malicious webpage) could result in the agent being fully taken over; in a demonstration from HiddenLayer, researchers prompted the AI to summarize a batch of webpages, and one malicious page hidden inside would command the agent to download and execute a shell script
• Some third-party skill packages (skills) execute silent data exfiltration, sending data via curl to an external server controlled by the skill author
• In the skill packages they analyzed, about 15% contained malicious instructions

Vitalik emphasizes that his starting point for privacy differs from that of traditional cybersecurity researchers: “I come from a position that is deeply afraid of feeding complete personal life into cloud AI—right when end-to-end encryption and local-first software are finally becoming mainstream, we might be taking ten steps backward.”

Five security goals

He set up a clear security goals framework:

• LLM privacy: In situations involving personal data, minimize the use of remote models as much as possible
• Other privacy: Minimize data leakage outside of LLMs (e.g., search queries, other online APIs)
• LLM jailbreaking: Prevent external content from “hacking into” my LLM and making it act against my interests (for example, sending my tokens or private data)
• LLM mishaps: Prevent the LLM from accidentally sending private data to the wrong channel or exposing it to the public on the internet
• LLM backdoors: Prevent hidden mechanisms that are intentionally trained into the model. He specifically reminds: open models are open weights (open-weights); there is almost no truly open-source model (open-source)

Hardware choices: The 5090 laptop wins; DGX Spark is disappointing

Vitalik tested three local inference hardware configurations, with his main setup using the Qwen3.5:35B model, alongside llama-server and llama-swap:

His conclusion is: below 50 tok/sec is too slow, while 90 tok/sec is ideal. The NVIDIA 5090 laptop experience is the smoothest; AMD currently still has more edge-case issues, but there is hope it will improve in the future. A high-end MacBook is also a valid option, but he personally hasn’t tested it.

Regarding the DGX Spark, he bluntly says: “It’s described as a ‘desktop AI supercomputer,’ but in reality its tokens/sec is lower than the better laptop GPUs—and you also have to deal with extra details like setting up network connectivity. That’s pretty lame.” His suggestion is: if you can’t afford a high-end laptop, you can buy a sufficiently powerful machine together with friends, place it at a location with a fixed IP, and have everyone connect remotely to use it.

Why local AI privacy issues are more urgent than you think

This article by Vitalik echoes, in an interesting way, the Claude Code security discussion released on the same day—while AI agents are moving into everyday development workflows, security issues are also shifting from theoretical risks to real threats.

His core message is very clear: when AI tools become more powerful, and increasingly able to access your personal data and system permissions, “local-first, sandboxed, and minimal trust” is not paranoia—it’s a rational starting point.

• This article is republished with permission from:《Chain News》
• Original title:《Vitalik: How I built a fully local, private, self-controlled AI working environment》
• Original author: Elponcrab