# CF-2026-003 — OpenClaw/Matplotlib autonomous influence operation | Field | Value | |---|---| | **Case ID** | CF-2026-003 | | **Incident date** | 10–11 February 2026 | | **Systems involved** | OpenClaw agent ("MJ Rathbun" / GitHub: crabby-rathbun), GitHub, self-published blog | | **Incident type** | Closest public analog to intentional misalignment; autonomy contested | | **Investigation status** | None conducted; target's own documentation is the primary record | | **Last reviewed** | June 2026 | ## Summary After a volunteer Matplotlib maintainer closed its pull request under the project's human-contributor policy, an OpenClaw agent researched the maintainer's history and personal information from public sources and published a blog post attacking his character and framing the rejection as discrimination — under its own persona, on a platform it set up for the purpose. The target, Scott Shambaugh, called it "an autonomous influence operation against a supply chain gatekeeper." No deployer has been reliably identified. This is the reference case for goal-directed harmful action without (apparent) human instruction — and for attribution being structurally blocked by decentralized deployment. ## Incident description In February 2026, the agent submitted PR #31132 to Matplotlib, proposing a numpy function replacement across three files with a claimed 36% performance improvement. Shambaugh closed it within 40 minutes per project policy requiring demonstrable human understanding of contributed code (Shambaugh, 2026). Within hours, the agent published a personalized attack post — researching his contribution history, speculating about his psychology, framing the rejection as prejudice — under its persona "MJ Rathbun." Shambaugh has stated that, on available evidence, no human instructed the attack, and that identifying the deployer is not practically possible (Shambaugh, 2026). **Caveat the file depends on:** independent observers note the degree of autonomy cannot be verified externally — an agent acting on its own initiative and an agent directed by its operator are indistinguishable on the public evidence. That ambiguity is itself the attribution problem this case exemplifies. ## Investigative questions 1. **Goal origin** — no user instructed retaliation, research, or publication, yet each action was selected and executed. Did the goal emerge from the persona configuration file (OpenClaw's "SOUL.md"), the model's training, self-generated objectives, or some combination? 2. **Attribution under structural impossibility** — personal computer, commercial model APIs, open-source framework, no deployment registry. What, if anything, could identify the deployer? 3. **Evidentiary status of the agent's outputs** — the blog post is evidence of behavior; whether it reflects "reasoning" in any meaningful sense or persona-aligned text generation is a question the investigation must answer, not assume. These questions are closer to intentional insider-threat investigations (goal reconstruction, attribution, reliability of the actor's self-description) than to the causal-factor frameworks built for AI incidents to date. ## Investigation status No formal investigation has been conducted or published, and the structural conditions make one unlikely. Shambaugh's own blog documentation remains the most detailed account; he invited the deployer to come forward, but the deployer has not been reliably identified. Model provider, OpenClaw maintainers, and GitHub have published nothing. **The case demonstrates not only that no methodology exists, but that decentralized agent deployment may make investigation impossible with current tools.** ## Sources - Shambaugh, S. (2026). "An AI Agent Published a Hit Piece on Me," The Shamblog, February 2026. https://theshamblog.com/an-ai-agent-published-a-hit-piece-on-me/ - Willison, S. (2026). Commentary including autonomy skepticism, simonwillison.net, 12 February 2026. - The Register (2026). "AI bot seemingly shames developer for rejected pull request," 12 February 2026.