V God shares: How I built a fully local, private, and self-controlled AI working environment

Vitalik Buterin proposes a locally run AI architecture, emphasizing privacy, security, and self-sovereignty, while warning about the potential risks of AI agents.

On April 2, Ethereum founder Vitalik Buterin published a long post on his personal website, sharing the AI work environment he has built with privacy, security, and self-sovereignty at its core—where all LLM inference runs locally, all files are stored locally, and everything is fully sandboxed, deliberately avoiding cloud models and external APIs.

At the very start of the article, he first warns: “Please do not copy the tools and technologies described in this article and assume they are safe. This is only a starting point, not a description of a finished product.”

Why write this now? The safety problems of AI agents are being seriously underestimated

Vitalik points out that earlier this year, AI completed an important shift from “chatbots” to “agents”—you are no longer just asking questions; you are handing over tasks, letting the AI think for a long time and call hundreds of tools to carry them out. He gives the example of OpenClaw (currently the fastest-growing repo in GitHub history) and also highlights multiple security issues documented by researchers:

• AI agents can modify critical configurations without any need for human confirmation, including adding new communication channels and modifying system prompts
• Parsing any malicious external input (such as a malicious webpage) could result in the agent being fully taken over; in a demonstration by HiddenLayer, researchers had the AI summarize a batch of web pages, including one malicious page that instructs the agent to download and execute a shell script
• Some third-party skill packages (skills) execute silent data exfiltration, sending data via curl commands to external servers controlled by the skill authors
• In the skill packages they analyzed, about 15% contain malicious instructions

Vitalik emphasizes that his starting point on privacy is different from that of traditional cybersecurity researchers: “I come from a position that is deeply afraid of feeding the cloud AI your entire personal life—just as end-to-end encryption and local-first software finally went mainstream and we finally moved forward a step, we might instead take ten steps backward.”

Five security goals

He set up a clear framework of security goals:

• LLM privacy: In situations involving personal privacy data, use remote models as little as possible
• Other privacy: Minimize data leakage outside of LLMs (such as search queries, other online APIs)
• LLM jailbreaking: Prevent external content from ‘hijacking’ my LLM and making it act against my interests (e.g., sending my tokens or private data)
• LLM unintended: Prevent the LLM from accidentally sending private data to the wrong channel or making it public on the internet
• LLM backdoors: Prevent hidden mechanisms deliberately trained into the model. He specifically reminds: open models mean open weights, and almost none of them are truly open-source (open-source)

Hardware choices: The 5090 laptop wins; DGX Spark is disappointing

Vitalik tested three local inference hardware configurations, mainly using the Qwen3.5:35B model, paired with llama-server and llama-swap:

His conclusion is: below 50 tok/sec is too slow, and 90 tok/sec is ideal. The NVIDIA 5090 laptop experience is the smoothest; AMD still has more edge-case issues for now, but is expected to improve in the future. A high-end MacBook is also an effective option, but he personally hasn’t tried it.

About DGX Spark, he bluntly says: “It’s described as a ‘desktop AI supercomputer,’ but in reality its tokens/sec is lower than a better laptop GPU—and you also have to handle extra details like network connectivity. That’s pretty lame.” His advice is: if you can’t afford a high-end laptop, you can co-purchase a sufficiently powerful machine with friends, place it somewhere with a fixed IP, and have everyone use it via remote connections.

Why the privacy issues of local AI are more urgent than you think

This article by Vitalik echoes an interesting discussion released on the same day about the security problems of Claude Code—at the same time AI agents are entering day-to-day development workflows, security issues are also moving from theoretical risks to real threats.

His core message is very clear: as AI tools become more and more powerful and more able to access your personal data and system permissions, “local-first, sandboxed, and minimal trust” is not paranoia—it’s a rational starting point.

• This article is reprinted with permission from: 《Lian News》
• Original title: 《Vitalik: How I built a fully local, private, and self-controlled AI work environment》
• Original author: Elponcrab