Hacker News

snowhale today at 3:16 AM

The core issue with OpenClaw on personal machines isn't just the attack surface — it's the trust boundary collapse. Personal machines have mixed-trust contexts: work credentials alongside personal accounts, cached auth tokens from dozens of services. An agent with broad access operates in an environment where the cost of a compromise is asymmetric.

Enterprise deployments of AI agents solve this differently: scoped credentials, audit logs, explicit action authorization per-user. The 'install on your laptop' paradigm trades all of that for convenience.

The interesting design question is whether you can get personal-machine convenience without trust boundary collapse. Probably not, without fundamental changes to how OS-level permissions interact with agent action APIs.


Replies

mh2266 today at 3:40 AM

> isn't just the attack surface — it's the trust boundary collapse

sigh
