Where OpenClaw Security Is Heading

Where OpenClaw Security Is Heading(openclaw.ai)

24 points by paulofeliciano 8 hours ago | 14 comments

Arcuru 7 hours ago |

I run a home-grown 'Agent' by just making a local user on my linux box. I treat it like an untrusted local user, I only give it scoped API keys, and manage permissions just like any other thing. I have a NixOS machine and I have the Agent setup to just use home-manager to manage itself and its timers and deps and stuff inside its own config.

It would be insane to run a full fledged Agent from your own accounts, with the same access as yourself. At the same time running it fully scoped inside a container/VM seemed a little bit too heavy handed to me and the Agent-as-user seems like a better fit for me right now. (I did run my coding agents inside a microVM for a while but ran into a few too many annoyances)

nullc 3 hours ago | |

Better to run a simple full virtual machine. It's easy to spin one up on any modern linux distro (okay, not as easy it is in Qubes-- only three mouse clicks, but still pretty easy).

There are many advantages of running it in a VM: really clean and strong sandboxing and it's easy to put that VM behind its own VPN / firewall external to the VM to reduce the escape risk.). It's also handy if you run a different distro than the agent ecosystem, since you can just run whatever OS works best for the agent.

cyanydeez 4 hours ago | |

arent the recent RCE vulnerabilities the agent as user equally vulnerable to, just way more obscured. id be curious if someone has tried a prompt injection form of attack.

its kinda amusing to think if something like mythos actually is a competent malware expert, then users of it could easily be vupnerable to prompt injection attacks.

cedws 3 hours ago |

Agents are fundamentally insecure, there’s no getting around it. You can put OpenClaw in a box but for it to do anything useful it still needs some access to the outside world, and any untrusted tokens that go into its context are a threat.

Claude’s auto mode classifier is probably the best ‘firewall’ out there right now, but it’s a non deterministic layer with a failure rate of 17%.

shiandow 7 hours ago |

I know it's probably against the guidelines to comment on it, but any chance you could ask whatever agent is responsible to remove the scroll highjacking? It makes it incredibly tedious to read this article.

echoangle 6 hours ago |

What is happening in the first screenshot under "Command approvals and prompt fatigue"?

Why is "Allow Once" completely red, "Always allow" is black and "Deny" is muted red? Isn't the order of safety (descending) "Deny", "Allow Once" and "Always Allow"?

weikju 5 hours ago | |

I think it's something to do with macos dark mode and accent colors.. So allow once is highlighted because it's the default option if you press enter. The next button is dark because it's themed and people (errr LLMs) who wrote the code didn't consider that a button should be distinct from the background theme of the window. And finally the other one's text is red because it's a dangerous action.

moron4hire 7 hours ago |

Isn't a lot of this what containerization was supposed to solve? Why are they reimplementing file system isolation from scratch when jails and chroots exist? Why do they have to reason about arbitrary HTTP requests when firewalls and content filtering exist?

$ grep ^CapBnd /proc/$$/status CapBnd: 000001ffffffffff $ capsh --decode=000001ffffffffff 0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore