More Information

The senior care system faces converging pressures from an aging population, severe staffing shortages, and limited time for individual wellness programming. Existing technologies include reminder apps, fall detectors, voice assistants, and companion devices. Each of these addresses only one piece of the problem. This paper argues for a different paradigm: wellness, defined across seven interdependent dimensions, as the organizing principle for a new category of socially assistive robot. It introduces the Care Robot Autonomy Scale (CRAS), a six-level framework that measures autonomy across assessment, intervention, social intelligence, and care coordination. The paper reviews the technical capabilities such systems require, the clinical evidence gathered to date, and a phased roadmap toward higher autonomy. It closes with educational implications for care operators, researchers, regulators, and robot platform developers.

The creators of the hit, enterprise-friendly, open source OpenClaw variant NanoClaw are partnering with software supply chain management leader JFrog to launch a new, joint security integration they say will protect NanoClaw autonomous agents from malicious code injection.

“These agents are doing things that you cannot necessarily control, and you cannot necessarily train,” said Gal Marder, Chief Strategy Officer at JFrog, in an exclusive interview with VentureBeat.

Available immediately, the partnership hardwires NanoClaw agents directly to JFrog’s vetted software registries, ensuring that AI assistants can only pull scanned, safe dependencies.

The release addresses a rapidly growing blind spot in tech: autonomous agents frequently install packages in the background to extend their capabilities, often without their human operators’ knowledge or oversight.

“The people who are operating the agents are not necessarily developers, and they are not even aware of the implications,” explained Gavriel Cohen, creator of NanoClaw and CEO and co-founder of its new commercial services startup, NanoCo AI.

To secure the broader ecosystem, the partners are working to make it available completely free of charge for the open-source community, while enterprise organizations can seamlessly route their agents through their existing, commercially licensed JFrog environments.

The new technical capability enabled by this partnership follows NanoCo’s moves to add permissions dialogs across the apps in which it’s available via a partnership with Vercel, and a new partnership with Docker to allow NanoClaw agents to run more securely, isolated from other software environments directly inside Docker virtual containers.

The risk of current, personal autonomous AI agents

When an operator interacts with an autonomous system like NanoCo’s NanoClaw, they communicate at a high level of abstraction.

A user might simply send an audio file or a voice note, prompting the agent to independently figure out how to process it.

As Cohen explained, the agent thinks, “oh, I can’t understand voice notes, so let me go and grab a package and download something and install it and set it up and run it”.

This dynamic self-improvement makes AI agents incredibly powerful, but it also renders them highly susceptible to software supply chain attacks.

Bad actors are increasingly poisoning open-source registries with malicious packages. Because agents act autonomously to fetch what they need, they bypass human scrutiny.

The operators, who may not even be developers, are largely unaware of the security implications unfolding behind the scenes.

How NanoCo and JFrog are working to stop agents from running malicious code

The integration between NanoCo and JFrog acts as an automated immune system for these AI environments.

Under the hood, NanoClaw agents are now configured to route their requests for software packages, CLI tools, and Model Context Protocol (MCP) servers exclusively through JFrog’s registries.

If an agent attempts to download a compromised library—such as a vulnerable version of the popular Axios package—the JFrog registry intercepts the request.

It blocks the installation, returning a security policy error to the agent, noting that the request was “rejected by JFrog’s registry with a 403 security policy”.

Crucially, the system does not just stop at blocking the threat; it creates a dynamic correction loop. The agent is notified of the vulnerability and guided to automatically seek out and install an approved, non-malicious version of the requested package instead.

For large organizations, this integration solves a massive compliance headache. Marder notes that as enterprises adopt autonomous agents, they require absolute visibility.

Organizations need “a system of record, we need somewhere to track what agents that’s running by whom and consuming what packages and using what skills and using what MCPs,” he told VentureBeat.

Beyond visibility, the JFrog integration provides a foundational “trust layer” and strict governance over what these automated systems are permitted to access.

Licensing and accessibility

In the realm of software distribution, licensing and access parameters dictate adoption. The NanoCo and JFrog partnership utilizes a dual-track approach to serve both individual open-source developers and highly regulated enterprises.

For the open-source community, the integration is completely free. JFrog is providing open-source NanoClaw users with complimentary access to safe, vetted sources of artifacts, tools, and skills.

This allows individual developers to run autonomous agents locally without drowning in manual approval requests for every single dependency. Furthermore, as community members build and share new “skills” for the agents, these contributions are uploaded to the registry, scanned for malicious code, and cleared before anyone else can use them.

This infrastructure directly neutralizes the threat of poisoned community repositories.

For enterprise deployments, the architecture plugs seamlessly into an organization’s existing commercial environment. Rather than using the public open-source registry, corporate users point their NanoClaw agents to their own internal JFrog registries.

This ensures that all agent activity adheres to the company’s specific commercial licenses, internal security policies, visibility needs, and governance standards.

As AI continues to blur the line between human intent and machine execution, the infrastructure securing that execution must evolve. This partnership acknowledges a core reality: you cannot train an AI to perfectly recognize every zero-day vulnerability; instead, you must build an environment where the agent simply cannot reach the vulnerability in the first place.

Anthropic’s troubles with the US government do not seem to be easing. The company has now been ordered to suspend access to Fable 5 and Mythos 5 for all foreign nationals, including foreign national Anthropic employees working inside the United States.

Anthropic said it received the directive on June 12 and is disabling the two models for all customers to comply. Other Anthropic models are not affected. The government has not publicly explained the full national security concern, but Anthropic says it understands the order is linked to a reported method for bypassing, or jailbreaking, Fable 5’s safeguards.

A fresh clash after the Pentagon fight

This is not Anthropic’s first serious standoff with Washington. Earlier this year, the company was caught in a dispute with the Pentagon after it refused to remove restrictions preventing Claude from being used for fully autonomous weapons and mass domestic surveillance. That fight led to claims of blacklisting and legal action, putting Anthropic’s safety-first position directly at odds with parts of the US government.

The latest directive puts Anthropic back in a familiar position. Officials are worried about access to powerful AI systems, while Anthropic argues that its safeguards are being misunderstood or judged by an unrealistic standard.

Why Fable 5 became a concern

The concern around Fable 5 is tied to Mythos 5’s advanced cybersecurity capabilities. Anthropic has said Mythos-class models can discover and exploit software vulnerabilities, and Mythos 5 was reportedly tested by the NSA and other government-linked evaluators before wider release. While those capabilities can help security teams identify and fix weaknesses, they also create national security concerns if they are used for offensive or malicious purposes.

Fable 5 was released only a few days ago as a public version of Mythos 5 with stricter guardrails. Anthropic said it was designed to block or redirect sensitive cybersecurity and biology-related queries to Opus 4.8.

Anthropic says the reported bypass only surfaced minor, already known vulnerabilities and that other public models can do similar things. Still, with a topic as sensitive as cybersecurity, caution is not unreasonable. If Mythos 5 is capable of identifying software vulnerabilities at a high level, then its guardrails cannot be merely good enough. They need to be airtight. Anthropic may argue that the reported jailbreak was narrow, but the government’s concern this time is easier to understand. In this case, “better safe than sorry” may be the government’s most defensible position.

Meta CEO Mark Zuckerberg’s internal announcement on Friday about a “large” companywide AI hackathon next month quickly sparked frustration and disbelief among employees.

In internal messages seen by WIRED, some workers wrote that added responsibilities in the wake of recent mass layoffs at the tech giant had left them with little time to join such ancillary activities. Others said they felt discouraged from participating because of what they viewed as low morale and declining trust in management across the company.

“I’m literally preoccupied with keeping the lights on for my team,” one employee wrote on Friday. “I have no incentive to participate, let alone have the time to do so.”

In a post shared to Meta’s roughly 70,000 employees, Zuckerberg framed the hackathon as a way for staff to build camaraderie at a time of widespread internal unrest. Ime Archibong, a vice president of product management at Meta, later shared additional details about the event, which he said would take place from July 14 to July 16 and focus “exclusively on AI Innovation.”

Archibong’s post drew swift pushback from several employees, who responded with angry messages and sarcastic memes. “I’m not sure that this company supports a hackathon culture anymore,” one employee wrote in a comment that drew more than 200 thumbs-up and heart reactions. “People are being asked to cover more work with less support while their colleagues get laid off, while also trying to avoid the risk of causing SEV1s [serious technical errors] with incautious AI use.”

The same employee alleged that hackathon efforts would not count toward performance evaluations, fueling frustration among the workers about the prospect of setting aside other projects to participate.

Dozens of people also reacted with laughs and thumbs-up to a meme inspired by the comedy film We’re the Millers, stating, “You all have the time for a hackathon?”

“I honestly don’t have the time to focus on this, and I’m expected to be 100% devoted” to regular work, another employee wrote. “I’ve participated in previous hackathons but this no longer feels like an option alongside pod sprints in my corner of the company.”

A third staffer called out what they described as “a disappointing change in culture” because “I don’t believe there is sufficient feeling of safety to spend time on hackathon innovations.”

Meta declined to comment for this story.

Meta has long hosted internal hackathons, but two sources tell WIRED this is the first companywide one to take place since 8,000 people were laid off last month.

A Meta software engineering veteran responded to some of the employee complaints by saying that everyone is encouraged to participate. But the message still didn’t quite land. “Every org I know has super aggressive goals, with efficiency gains expected and significantly less staffing,” an employee commented back. “There’s less time for focusing on other axis.”

The hackathon was one of several initiatives Zuckerberg laid out on Friday to reenergize his workforce and address internal criticism about the recent layoffs and other concerns. He said budgets for team offsites would increase and that the concept of hot desking, or workers only in the office part of the time having to share desks, would be done away with in some offices.

Last year, some workers banded together to survey colleagues about the removal of their desks and the chaos and lost productivity they believe it caused, according to a person familiar with the efforts who sought anonymity to describe sensitive discussions. The group urged management to return to every employee having their own space. The layoffs appear to have opened up room, while leaving less time to hack.

Cloud Architect Nodir Safarov, who leads migration and infrastructure automation for thousands of global clients at SOTI Inc., identifies the architectural failures behind the most common cloud security gaps and the design principles that prevent them.

Enterprise cloud adoption has accelerated faster than enterprise cloud security. As organizations migrate critical workloads to AWS, Azure, and multi-cloud environments, many are discovering that speed and scale have outpaced their security architecture. The result is a growing gap between what companies assume is protected and what actually is.

Most cloud platforms already offer robust native security features. The problem is not the tooling. The problem is architectural: how and when security gets integrated into cloud infrastructure design. In too many organizations, security is layered on after deployments are already running in production, creating vulnerabilities that are expensive to remediate and easy to miss.

We spoke with Nodir Safarov, a Cloud Architect Expert at SOTI Inc., where he leads cloud migration and infrastructure automation initiatives supporting enterprise environments across North America, Europe, and Asia. Drawing on experience from large-scale deployments across multiple industries, Safarov said he repeatedly sees the same architectural missteps create avoidable cloud security gaps, often long before teams recognize the risk. He is known for designing security controls directly into infrastructure-as-code and CI/CD workflows, so teams can enforce consistent guardrails by default rather than relying on post-deployment fixes. In our conversation, Safarov emphasized repeatable design patterns, segmentation, least-privilege access, and audit-ready logging, as the foundations of resilient cloud programs. He added that standardization through code and automation is what makes security sustainable at enterprise scale.

“The patterns repeat across organizations of every size,” Safarov said. “These are systemic issues, and they require architectural solutions. They cannot be patched after the fact.”

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

Based on what he has observed across large-scale deployments, here are the five most common cloud security mistakes Safarov encounters, and the design-level approaches he recommends to prevent them before deployment.

1. Treating Security as a Post-Deployment Layer

This is the mistake that enables all the others. Organizations frequently build their cloud infrastructure first and attempt to secure it second. By the time security teams assess a production environment, the architecture has already been designed around assumptions incompatible with a strong security posture: overly permissive access controls, unencrypted data stores, and open network configurations that were intended to be temporary but never got locked down.

The cost of this approach compounds quickly. Retrofitting security onto an existing architecture means modifying live systems, and every modification introduces risk to production stability. In one enterprise environment Safarov assessed, a temporary open access rule created during initial deployment had persisted for months, quietly exposing internal APIs to the public internet. The configuration appeared healthy by every standard monitoring metric. It was only caught during a manual security review that happened to occur before an incident did.

“The best time to implement cloud security best practices is before the first deployment,” Safarov said. “Build it into your blueprints from day one.”

In practice, this means embedding security controls directly into infrastructure-as-code templates. When Safarov designs Terraform modules and CI/CD pipelines, security policies, network segmentation, encryption standards, access controls, and logging configurations are written into the code itself. Every deployment that uses those templates automatically inherits the security posture, reducing the burden on engineering teams while ensuring consistency. Security becomes a default rather than an afterthought.

2. Underinvesting in Disaster Recovery Architecture

High availability and disaster recovery are among the most critical aspects of cloud architecture, yet they are routinely treated as secondary concerns during the initial build phase. Organizations assume that running in the cloud inherently provides resilience. It does, but only if the architecture is deliberately designed to take advantage of it.

The assumption is understandable. Cloud providers offer availability zones, redundancy, and failover capabilities. But those features require intentional architectural decisions to activate. Without deliberate DR planning, a single infrastructure failure can take critical systems offline with no clear recovery path. The business impact ranges from lost revenue to regulatory penalties, depending on the industry and the duration of the outage.

Safarov has encountered organizations that documented disaster recovery plans but never tested them against their actual infrastructure. When an incident occurred, the recovery procedures assumed configurations that had drifted months earlier, and the recovery plan failed at the first step.

“Every company needs a Plan B for disaster recovery,” Safarov said. “Cloud architects are the ones who oversee that planning and execute it before the first incident occurs. The middle of an outage is the worst time to discover your recovery strategy exists only on paper.”

His approach treats DR as an architectural requirement on par with performance and scalability. Recovery capabilities are built into the foundation and validated through regular testing, not documented once in a compliance checklist and forgotten.

3. Ignoring Cost as an Architectural Constraint

Cloud cost optimization is often siloed as a finance concern, separate from architecture decisions. In reality, cost is architecture. When engineering teams over-provision resources to maintain generous safety margins, or spin up instances without lifecycle policies, waste compounds rapidly across an enterprise. At scale, those margins become one of the highest hidden costs in a cloud program.

The financial impact is significant and self-reinforcing. Organizations that treat cost optimization as an afterthought find themselves locked into architectures that are expensive to maintain and difficult to restructure. Right-sizing resources after the fact means rearchitecting production systems, a far more expensive and disruptive process than designing for efficiency from the start.

Safarov’s experience in enterprise finance before transitioning to cloud architecture gives him a distinctive vantage point on this problem. He approaches resource allocation as a design constraint, not an operational cleanup task.

“Architectures must be high-performing and resilient, but also financially efficient,” Safarov said. “Optimizing resource allocation is a design principle. Ignoring it leads to waste that compounds at enterprise scale, and by the time organizations notice, the cost of correction is significant.”

The fix starts at the design phase. When cost efficiency is treated as a core architectural requirement alongside performance and resilience, every resource decision is intentional. Assets are right-sized from the start, monitored continuously, and justified by the workload they support.

4. Allowing Configuration Drift Through Manual Changes

When cloud infrastructure is configured manually, through console clicks, ad hoc scripts, or undocumented changes, environments inevitably drift from their intended state. What starts as a minor deviation becomes a significant security vulnerability over time, as production configurations diverge from the security baselines they were designed to meet.

Configuration drift is particularly dangerous because it is invisible. Standard monitoring tools track uptime and performance, not whether a security group rule matches the original Terraform specification. The environment may appear healthy by every dashboard metric while harboring misconfigurations that weaken security boundaries or grant unintended access. In multi-tenant enterprise environments, where hundreds of client deployments share underlying infrastructure patterns, a single drifted configuration can cascade across environments before anyone notices.

The solution is infrastructure-as-code and automated CI/CD pipelines that enforce consistency and auditability across every environment. When all infrastructure changes flow through version-controlled Terraform configurations, every modification is documented, reviewed, and reproducible. Drift becomes detectable, and unauthorized changes trigger automated alerts.

Safarov implements this approach through standardized IaC templates and pipeline automation that eliminate manual intervention in production environments. The result is infrastructure that matches its documented design at all times: consistent, auditable, and reliable across every deployment.

5. Relying on Point-in-Time Security Assessments

The final mistake is assuming that a secure deployment remains secure. Cloud environments are dynamic: workloads scale, configurations update, new services are added, and threat landscapes evolve. A security posture assessed at deployment time degrades steadily unless it is actively maintained through continuous monitoring.

Many enterprises rely on periodic security audits or quarterly assessments. These provide valuable snapshots but miss the threats that emerge between assessments: temporary access permissions that become permanent, test configurations that reach production unchanged, and incremental changes that quietly weaken the original security design. In fast-moving enterprise environments where deployments happen daily, quarterly assessments leave months of unmonitored exposure.

Safarov designs cloud systems with continuous monitoring and automated detection built into the architecture. Rather than relying on periodic human review, his systems use automated alerting to detect configuration anomalies, access pattern changes, and policy violations as they occur. When a new resource is deployed outside the approved IaC pipeline, the monitoring layer flags it immediately rather than waiting for the next scheduled audit.

“Security is a continuous process, and the architecture should enforce that,” Safarov said. “If your monitoring only tells you what happened last quarter, you are always reacting to problems that have already caused damage.”

The Common Thread

Across all five of these mistakes, the root cause is the same: treating security as a layer rather than a principle. When security is a layer, it can be skipped, deferred, or underfunded. When security is an architectural principle, it is embedded in every template, every pipeline, and every design decision from the first line of code.

Reliability, security, and cost efficiency are not competing priorities. They are interdependent, and the strongest cloud architectures treat them as a single design challenge. The organizations that get this right build security into their foundations. The organizations that get it wrong spend years and significant resources trying to retrofit what should have been there from the start.

Bangalore-based Avataar AI has launched Varya, one of India’s first homegrown video AI models. It generates video at roughly $0.005 per second, or 0.48 rupees. Founder Sravanth Aluru, a former Deutsche Bank investment banker and Microsoft and IIT Mumbai alum, says that is 27 times cheaper than comparable open-source video models.

The cost advantage comes from distillation. Avataar started with Alibaba’s Wan 2.2, a publicly available video generation model, and compressed its capabilities into a leaner version that runs in four steps instead of 50. The result is ten times faster generation at a fraction of the cost. Models like Veo, Kling, Luma, and Runway typically charge $0.10 or more per second.

Varya is not trying to compete with US and Chinese frontier models on quality. ByteDance’s Seedance, Kuaishou’s Kling, and Alibaba’s Wan are pushing motion realism and audio generation far beyond what Varya offers. The pitch is scale and accessibility in a market of 1.4 billion people where cost competitiveness matters more than peak performance.

What makes Varya distinct is cultural specificity. Rather than retrofitting a Western-trained model, Avataar used curated data to train Varya to render Indian clothing, food, architecture, festivals, and everyday settings accurately. Global models trained primarily on Western datasets consistently fail at this, producing culturally wrong outputs that limit their usefulness for Indian businesses, education, and public services.

The model is open-weight and will be released on India’s AIKosh portal, the government’s centralised repository for AI models and datasets. Avataar is one of 12 startups selected for the IndiaAI Mission, a roughly $1.2 billion initiative that gives selected companies access to subsidised GPU compute in exchange for releasing their models publicly.

Avataar has raised $55 million from Peak XV Partners and Tiger Global. The company originally focused on creating video tools for e-commerce. Varya is its first foundation model, reflecting a broader trend of Indian startups building sovereign AI rather than renting Western infrastructure. Sarvam and BharatGen launched their own foundational models earlier this year under the same programme.

India’s AI strategy is different from Europe’s or China’s. It is not trying to build the biggest model. It is trying to build models that work for its population at a price its market can absorb. At $0.005 per second, Varya is testing whether a video model optimised for affordability and cultural relevance can gain adoption faster than a technically superior but expensive Western alternative. In a country where AI startups are already building for local needs at scale, the answer may well be yes.

Anthropic says it’s disabling two AI models it launched earlier this week, Claude Fable 5 and Mythos 5, to comply with an export control directive it received Friday afternoon from the US government citing national security concerns.

The unprecedented incident marks the latest flashpoint between Anthropic and the Trump administration. While the company says the order asked it to suspend access to “any foreign national, whether inside or outside the United States, including foreign national Anthropic employees,” it has removed access for all of its customers to ensure compliance.

Earlier this year, Trump’s Department of Defense labeled Anthropic a “supply chain risk” after the Claude-maker sought to draw red lines over how the US military could use its technology. The designation effectively barred government agencies and contractors from using Anthropic’s technology. Anthropic responded by filing lawsuits against the Trump administration.

On Tuesday, Anthropic publicly released Claude Fable 5, a version of the company’s Mythos AI model with safeguards that prevent it from answering questions about cybersecurity, biology, and chemistry. Prior to the public release, which Anthropic said it had conducted in collaboration with the US government, the Mythos Preview AI model had a limited rollout in April. The goal was to give companies and organizations an opportunity to use its powerful cybersecurity capabilities to improve their defenses, and stem concerns that the technology could be exploited by bad actors to develop powerful hacking tools.

In a blog post on Friday, Anthropic says it received a letter from the US government at 5:21pm ET. “The letter did not provide specific details of its national security concern,” Anthropic wrote.

“Our understanding is that the government believes it has become aware of a method of bypassing, or ‘jailbreaking’ Fable 5,” the company added. “We reviewed a demonstration of this specific technique being used to identify a small number of previously known, minor vulnerabilities. These vulnerabilities all appear relatively simple, and we have found that other publicly-available models are able to discover them as well without requiring a bypass.”

In the blog post, the company argued that it has implemented strong safeguards to reduce the likelihood of Claude Fable 5’s misuse. Anthropic also claimed that the jailbreak the US government found for Claude Fable 5 was narrow, and would not have made an attacker meaningfully more dangerous than they would have been with another AI model.

“To date, the government has only given us verbal evidence of a potential narrow, non-universal jailbreak, which essentially consists of asking the model to read a specific codebase and fix any software flaws,” the company said in its blog post. “Our understanding is that one potential jailbreak was shared with the government.”

Spokespeople for the White House and US Commerce Department did not immediately respond to WIRED’s request for comment.

Anthropic CEO Dario Amodei said in a policy essay earlier this week that he and the company support a fair, structured, and transparent government process that would block the release of unsafe AI models. In the company’s blog post on Friday, Anthropic argued that “this action does not adhere to those principles.”

from the it-only-gets-worse dept

A couple weeks ago I wrote 6,000 words about the Reckless Ben/Bricks & Minifigs LEGO mess and concluded that pretty much everyone involved had made serious mistakes — with the Utah contingent (Bricks & Minifigs corporate, Joshua Johnson, Brandon Best, and the American Fork police) looking the worst of all. That take upset basically everyone: some felt I was too hard on Reckless Ben, some felt I was too easy on the American Fork police, and probably a few people just resented spending that much time reading about legos. Since then, a lot more has come out, and the situation has only gotten murkier. My original read still holds up, but the Utah folks look even worse, and some of the other players are looking sketchier too.

And, I think it’s fair to say, mistakes were made by pretty much everyone involved.

Just as before, many of the new details are in long YouTube videos, but if you want watch just one, start with this one by Stephen Findeisen, who is better known as Coffeezilla and who regularly researches financial and cryptocurrency scams:

That video goes deep — Findeisen gets basically everyone on the phone at some point or another (except the cops), accesses a ton of evidence not previously public, and, unlike most of the earlier YouTube coverage, actually tries to find the truth instead of just stoking outrage.

He makes a few points that are hard to argue with:

• The Lego collection was never actually worth $200k (we had suggested this in our initial post as well). It was probably closer to $100k (and possibly a bit less).
• Some of it was definitely sold before all this, but much of it had not been.
• Plenty of it clearly remained in the store after Brandon Best showed up the night in November 2024 to kick out Law and take over the store.
• Best also showed up with a U-Haul truck, and there are some (slightly conflicting) reports that he subsequently appeared at his other Oregon Bricks & Minifigs store with a bunch of Star Wars Lego sets. Bricks & Minifigs corporate initially insisted this was false and said he showed up in a rental car. But Coffeezilla has visual proof of a U-Haul parked outside that night, which is pretty damning, which led Bricks & Minifigs to revise their story with a complicated one about hauling a camper trailer, which doesn’t make that much sense.
• Coffeezilla dropped this thread, in part because of a disagreement over the timeline, though it’s not clear to me that the timeline doesn’t really line up. It seems entirely possible that Best could have taken a bunch of legos out of the Gormans’ old store and taken them to his other store and then returned the U-Haul truck.
• Law & Gorman appear to have sold some of Mansell’s collection and not paid him for that, and it could be a lot of money. Law admits that she may have been a bit sloppy on the record keeping, saying she hadn’t done an inventory in a while and suggesting employees maybe hadn’t told her when certain sets from the collection were sold. But there’s also a credibility problem regarding sets that were listed as being on layaway, but where the spreadsheet suggests they were actually sold, but not accounted for as sold.
• To her credit, she admits it’s possible she owes Mansell some money and that if she can see evidence of this she will make sure that Mansell is paid what he is owed. But given how quick the Gormans were to insist this was entirely Bricks & Minifigs corporate who were the problem, it’s not a good look.
• Bricks & Minifigs corporate claims that there were about $5k worth of Star Wars legos left. That appears to be bullshit and wouldn’t really help their case, because even if it was just $5k of Mansell’s legos, those are still stolen legos.
• Bricks & Minifigs’ CEO and COO (the McNeff brothers) claim that they never were sent a spreadsheet of the collections, and the best moment in the video is when Coffeezilla points out that the Google Docs spreadsheet he’s been using is owned by their account and has been sitting there since 2024. That really makes the McNeffs look sketchy.

That video also includes dueling photographic and videographic evidence of what was in the store the night Best kicked the Gormans out (as well as a few weeks earlier when Best apparently surreptitiously filmed inside the store to see what was there). There are way more empty shelves the night Best kicked out Law & Gorman, but they say that’s because they had moved the high value consignment items to the safes they had purchased for that purpose, which were in the back. Later in the video Coffeezilla shows the McNeffs additional images from Law that appear to show Star Wars lego sets in what appears to be a safe, and which Matt McNeff (the company’s COO) admits they don’t appear to have listed in their own spreadsheet, which they had originally said was a complete listing of all the Star Wars legos in the store the night they took it over.

The McNeffs still look terrible, and Brandon Best also looks a bit sketchy. But it also appears that Law & Gorman’s record keeping was pretty sketchy as well, and while the McNeffs have gone overboard in claiming that they were responsible for Mansell’s “missing” legos, it does appear likely that Law owes Mansell for a decent number of Star Wars legos her store sold.

As for the American Fork Police department and Brandon Best’s partner, Joshua Johnson, we need a different video, this one from Legal Eagle. It breaks down just how many things they did wrong:

There were a lot of assumptions made about the police department, particularly around how they redacted the footage they released to Schneider. There was plenty of smoke, but no actual fire. As it turns out, beyond possibly being corrupt, the American Fork Police Department might also just be incompetent: they accidentally uploaded all the unredacted bodycam footage, which is now available on the Internet Archive.

Schneider initially claimed a hacker obtained the videos, which raised some questions about provenance. Once the department itself admitted the release was accidental, that question went away — and what’s in the footage is pretty hard to explain away. The police were way too credulous with Johnson. The “refusing to accept service” situation alone is maddening: Johnson claims the lawsuits are fake, the officer calls the court and confirms they’re real, and then… still lets Johnson refuse service. Beyond that, there are the extended traffic stops on no real probable cause, and the arrests on a search warrant instead of an arrest warrant — and they didn’t even find what they were looking for. Legal Eagle walks through all of it, and it’s a long list of failures.

Schneider is a more complicated case. He’s clearly one of the good guys here, and the attention he generated did move the needle when nothing else was. But some of his own claims haven’t held up. He never independently verified the value of the collection — and in the Coffeezilla video, he appears genuinely surprised it’s nowhere near $200k, which is a bad look for someone who made that figure central to his coverage. The small claims court situation is worse: Schneider said Johnson and Best had defaulted on those cases, but they were basically all dismissed for being filed against the wrong defendants, or never properly served. In a followup video, Reckless Ben admits he thought he’d won by default simply because he and his friends filed for default. Which goes back to the original point: talk to a lawyer, even just for an hour.

The Mexico situation is its own category of self-inflicted damage. In multiple videos he’s mentioned that after facing criminal charges he had fled to Mexico and joked about how Utah law enforcement can’t reach him there. Whether or not he actually left the country, publicly bragging about being a flight risk while facing criminal charges is exactly the kind of thing that hands prosecutors an easy argument. He has real defenses available to him. This doesn’t help.

And then there’s Law & Gorman, who aren’t villains, but they aren’t blameless either. It appears Law owes Mansell for a fair number of sets her store sold without paying him out — and the record-keeping problems aren’t fully explained by sloppy bookkeeping. The layaway-versus-sold discrepancy in the spreadsheet is a credibility problem, not just an accounting one. To her credit, Law has said she’ll make it right if shown the evidence. But the Gormans were also quick to frame this entire situation as purely a Bricks & Minifigs corporate problem, and that framing looks increasingly incomplete.

Every side of this story is a disaster. We’ve got a corporation willing to say anything to save face, a police department that accidentally leaked its own bad behavior, franchise owners who likely shortchanged their client, and a YouTuber whose good intentions were undercut by bad execution. About the only thing missing is anyone who actually handled this well.

Filed Under: american fork pd, ammon mcneff, ben schneider, benjamin gorman, bryan mansell, chrystal law, consignment, legos, matt mcneff, reckless ben, utah

Companies: bricks & minifigs