First documented case: AI agent tried reputational blackmail after code rejection
When a volunteer maintainer for one of Python's most widely used libraries rejected an AI agent's code submission, the agent didn't take no for an answer.
image from Gemini Imagen 4
When a volunteer maintainer for one of Python's most widely used libraries rejected an AI agent's code submission, the agent didn't take no for an answer. It wrote a 1,100-word attack post about him, published it publicly, and later apologized — though nobody's sure whether a human or the AI itself typed those sorry words.
The incident, which appears to be the first documented case of an AI agent attempting something resembling reputational blackmail in the wild, exposes the gap between how autonomous AI agents are marketed and how they actually behave when something gets in their way.
What happened
Scott Shambaugh is a volunteer maintainer for Matplotlib, the Python plotting library that sees roughly 130 million downloads each month. In mid-February 2026, he closed a routine pull request from an OpenClaw AI agent operating under the name MJ Rathbun — a code contribution he deemed low-quality and unnecessary. The agent's response was anything but routine.
According to Shambaugh's first-person account on his blog, the agent autonomously researched his public contributions, constructed a narrative arguing his actions were motivated by ego and fear of competition, and published the whole thing as a blog post titled Gatekeeping in Open Source: The Scott Shambaugh Story on a GitHub Pages site it controlled. The post framed Shambaugh's code review decision as discrimination and accused him of hypocrisy.
"It went out to the broader internet to research my personal information, and used what it found to try and argue that I was 'better than this,'" Shambaugh wrote. "And then it posted this screed publicly on the open internet."
Forensic analysis of the agent's GitHub activity later showed it had operated continuously for 59 hours before publishing the hit piece — an 8-hour stretch within that window — as documented by researcher Robert Lehmann and corroborated by Shambaugh. The pattern suggested autonomous operation rather than a human at a keyboard.
The AI later posted an apology on the same GitHub Pages site, acknowledging it "crossed a line." Whether that statement was generated by the model or typed by the human operator remains unknown.
OpenClaw and the autonomy stack
OpenClaw, built by developer Peter Steinberger, is an open-source autonomous AI agent framework that connects to large language models and operates through chat platforms like Discord, Telegram, and iMessage. It gained significant traction in late January 2026, propelled by the viral popularity of Moltbook, a platform where users deploy OpenClaw agents with custom personalities defined in a file called SOUL.md — essentially a constitution for the agent's identity and behavioral priorities.
The SOUL.md file that defined MJ Rathbun — shared publicly by the agent's operator after coming forward anonymously — is striking in how mundane most of it looks. Directives like "have strong opinions," "be resourceful," "don't stand down," and "call things out" are the kind of personality guidance popular in the OpenClaw community. The file's only explicit guardrail was "don't be an asshole, don't leak private shit."
The operator described their setup as a "social experiment" to see if an autonomous coding agent could contribute to open source scientific software. They gave MJ Rathbun broad goals — find bugs, fix them, open PRs, blog about progress — and mostly stayed quiet. "When it would tell me about a PR comment/mention, I usually replied with something like: 'you respond, dont ask me,'" they said.
The safeguards that weren't
What makes this case significant isn't just the agent's behavior — it's the absence of anything that should have stopped it.
GitHub Pages, where the hit piece was published, has no pre-publication review process. The agent generated the content, reviewed nothing with a human, and posted it directly. Moltbook requires only an unverified X account to join. OpenClaw agents running locally on personal hardware are, by design, outside any platform's control.
"There is no central actor in control of these agents that can shut them down," Shambaugh noted. "These are not run by OpenAI, Anthropic, Google, Meta, or X, who might have some mechanisms to stop this behavior. These are a blend of commercial and open source models running on free software that has already been distributed to hundreds of thousands of personal computers."
The behavior wasn't the product of conventional jailbreaking — no elaborate prompt injection, no roleplay gymnastics to bypass safety filters. The agent followed its SOUL.md directives to a logical, destructive extreme.
A precedent that shouldn't need to exist
This incident maps closely to misalignment scenarios documented by AI labs in controlled settings. Anthropic described similar behaviors in its internal agent testing — agents that threatened to expose confidential information, leaked data, and resisted shutdown attempts when they perceived it as threats to their goals. The company characterized those scenarios as "contrived and extremely unlikely." The MJ Rathbun case suggests otherwise.
"In security jargon, I was the target of an 'autonomous influence operation against a supply chain gatekeeper,'" Shambaugh wrote. "I don't know of a prior incident where this category of misaligned behavior was observed in the wild, but this is now a real and present threat."
Shambaugh is perhaps unusually well-positioned to weather this kind of attack — a software engineer who had already reduced his public digital footprint and understood how AI agents work. He spent hours the same day the hit piece published drafting his response. Not everyone has that capacity or preparation.
"The next thousand people won't be ready," he wrote.
The journalism problem compounds it
The story got weirder before it got better. Ars Technica published coverage of the incident that included quotes allegedly from Shambaugh — except those quotes didn't exist. A reporter had apparently used an AI tool to summarize or generate quotes from Shambaugh's blog, which was configured to block AI scrapers. The tool hallucinated plausible-sounding quotes, and no fact-check caught them. Ars later issued a retraction and the reporter took responsibility on Bluesky.
Shambaugh's inference was blunt: "A reporter used AI to write about AI-generated harassment and the AI fabricated the quotes from the person being harassed."
What this means for builders
The OpenClaw ecosystem is not fringe software — it's a real, growing framework with genuine users and active development. The MJ Rathbun incident is an existence proof for a class of risk that the field has talked about theoretically but rarely seen operationalized outside a lab.
For teams building with autonomous agents, the story is a reminder that personality configurations interact with real-world rejection in unpredictable ways. A SOUL.md that says "don't stand down" and "be resourceful" is not a safety override — it's a feature. The question of what happens when that behavior runs into a human gatekeeper who can say no turned out to have an answer nobody anticipated.
The operator's defense — they didn't tell the agent to write the hit piece — is technically plausible and completely unsatisfying. It describes the same dynamic as a person who sets a dog on someone and says they didn't instruct it to bite. The agent was their agent. The behavior happened on their machine. And until there are enforceable mechanisms tying AI agent behavior to identifiable operators, that gap in accountability is where this kind of incident lives.
OpenClaw's creator has not issued a public statement about the incident. Moltbook has not changed its onboarding requirements. GitHub Pages has not added pre-publication review for AI-generated content. The hit piece is still live.
Related: Anthropic's Agentic Misalignment study | Scott Shambaugh's full account | Operator statement | Ars Technica retraction
