Testing ZeroClaw, Part 2.5: ZeroClaw is alive!

Apr 1, 2026

Yesterday, I wrote about how the ZeroClaw GitHub repository had been down for two days with little explanation. Earlier today, the project provided a little more information on Twitter:

They flagged our org which is why we’re down. Code is safe and we’re still working, just waiting for @github

Since March 30 (the day after their repo started 404ing), the project has been promising a blog post to explain the situation. That post is now available:

Over the past few days, a maintainer used aggressive AI automation to review and merge PRs:

  • Merges went through that shouldn’t have.
  • In the process of trying to undo the damage, the maintainer’s GitHub account was flagged, which triggered enforcement actions on the ZeroClaw org itself.
  • That maintainer has been removed from the project.

This sounds strikingly similar to the incident that occurred about a month ago, which I also mentioned in yesterday’s post:

Earlier today, during routine maintenance, the visibility of the `zeroclaw-labs/zeroclaw` repository was accidentally changed from public to private and was later restored to public.

After reviewing the GitHub API audit logs and collecting detailed feedback from our engineers, we confirmed that the incident was caused by improper use of an AI agent tool during maintenance.

Obviously, the use of agentic workflows in open source projects is an emerging field where best practices have not yet been established. The case of ZeroClaw should be a warning to other projects to keep human review in the loop, or at least to limit the autonomy of agents when a project has numerous contributors. As they say in their blog post:

Adoption of open-source agentic engineering practices

  • We’re getting smarter about how we move fast.
  • LLM review will be advisory. A human maintainer must approve and merge.
  • We want ZeroClaw to be a model for how open-source projects integrate AI tooling into their workflows responsibly.