Hacker News

OpenClaw: When AI Agents Get Full System Access. Security nightmare?

59 points by i-blis, last Sunday at 11:06 AM | 29 comments

Comments

chrisjj, last Sunday at 1:31 PM

> LLM is Immune to Prompt Injection

> Despite all advances:

> * No large language model can reliably detect prompt injections

Interesting isn't it, that we'd never say "No database manager can reliably detect SQL injections". And that the fact it is true is no problem at all.

The difference is not because SQL is secure by design. It is because chatbot agents are insecure by design.

I can't see chatbots getting parameterised querying soon. :)

sathish316, today at 2:27 AM

OpenClaw does present security risks, and the recommendations outlined in this article are apt.

That said, OpenClaw is more powerful than Claude Code due to its self-evolving agent architecture and its unfettered access to terminal and tools.

A secure way to provide access to additional non-sensitive API keys and secrets is by introducing a secure vault and ensuring OpenClaw’s skills retrieve credentials from it using time-scoped access (TTL of 15-60 mins). More details are available in this article: https://x.com/sathish316/status/2019496552419717390 . This reduces the attack surface to 15+ mins and the security can be further improved with Tailscale and sandboxing.

nayroclade, today at 1:49 AM

Telling people to only run OpenClaw in a fully isolated sandbox kind of misses the point. It's a bit like saying, "gambling is fine so long as you only use Monopoly money". The thing that makes OpenClaw useful to people is precisely that it's _not_ sandboxed, and has access to your email, calendar, messages, etc. The moment you remove that access, it becomes safe, but also useless.

gz5, today at 1:35 AM

> networks: openclaw-restricted

agree - when code is increasingly difficult to control, take control of the network.

but how to do the "openclaw-restricted" network itself in practice?
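One concrete way to answer that question, as an added example that is not from the article, the OpenClaw project, or the commenter: a Docker Compose fragment in which the agent container sits on an `internal` network (no default route to the outside) and can reach the internet only through a forward proxy that enforces a host allowlist. The service names, image names and the `squid.conf` allowlist file are assumptions for illustration.

```yaml
# Added example (not the project's own compose file): an egress-restricted
# network for an agent container. Names are placeholders.
services:
  openclaw:
    image: openclaw:latest            # placeholder image name
    networks:
      - openclaw-restricted           # the agent is on this network only
    environment:
      # Outbound HTTP(S) from the agent must go through the proxy
      HTTP_PROXY: http://egress-proxy:3128
      HTTPS_PROXY: http://egress-proxy:3128
      NO_PROXY: localhost,127.0.0.1
    read_only: true                   # immutable root filesystem
    cap_drop: [ALL]                   # no Linux capabilities
    security_opt:
      - no-new-privileges:true

  egress-proxy:
    image: ubuntu/squid:latest        # any forward proxy with an allowlist works
    networks:
      - openclaw-restricted           # reachable by the agent
      - egress                        # the only service that touches the outside
    volumes:
      # Assumed: a squid.conf that allows only the hosts the agent needs
      - ./squid.conf:/etc/squid/squid.conf:ro

networks:
  openclaw-restricted:
    internal: true                    # no gateway; no direct path to the internet
  egress: {}                          # ordinary bridge network with outbound access
```

With `internal: true`, Docker does not attach a gateway to the network, so even a compromised agent process cannot open a direct connection out; every outbound request has to pass the proxy, which is where the allowlist and the request logs live. The proxy container is the control point to monitor, and the allowlist should be as short as the agent's real needs permit.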

niobe, yesterday at 9:46 PM

I would hope anyone with the knowledge and interest to run OpenClaw would already be mostly aware of the risks and potential solutions canvassed in this article, but I'd probably be shocked and disappointed.

OpenedClaw, today at 1:44 AM

> 4. No shared folders to host system!

Why? No one will execute files shared by the agent.

ls612, yesterday at 11:29 PM

What conceptually makes it hard to make an AI system with a concept of a "control plane"?
