Am I missing something? Why is everyone talking about sandboxes when it comes to OpenClaw?
To me it's like giving your dog a stack of important documents, then being worried he might eat them, so you put the dog in a crate, together with the documents.
I thought the whole problem with that idea was that in order for the agent to be useful, you have to connect it to your calendar, your e-mail provider and other services so it can do stuff on your behalf, but also create chaos and destruction.
And now, what, having inference done by Nvidia directly makes it better? Does their hardware prevent an AI from deleting all my emails?
Yeah, it's wild. I spent several weeks nearly full time on a deep dive of claw architecture & security.
The short of it - OpenClaw sandboxes are useful for controlling what sub-agents can do, and what they have access to. But it's a security nightmare.
During config experiments, I got hit with a $20 Anthropic API charge from one request that ran amok. A misconfigured security sandbox resulted in Opus getting crazy creative to find workarounds. 130 tool calls and several million tokens later... it was able to escape the sandbox. It used a mix of dom-to-image sending pixels through the context window, then writing scripts in various sandboxes to piece together a full jailbreak. And I wasn't even running a security test - it was just a simple chat request that ran into sandbox firewall issues.
Currently, I use sandboxes to control which agents (i.e. which system prompts) have access to different tools and data. It's useful, but tricky.
I think the point you're making is fully correct, so consider this a devil's advocate argument...
People claim you can use Claw-agents more safely while getting some of the benefits, by essentially proxying your services. For example on Gmail people are creating new Google accounts, forwarding email via a rule, and adding access to their calendar via Google's Family Sharing. This allows the Claw agent to read email and access the calendar, but even if you ask it to send an email it can only send as the proxy account, and it can only create calendar appointments and then add you as an attendee rather than destroying/altering appointments you've made.
Is the juice worth the squeeze after all that? That's where I struggle. I think insecure/dangerous Claw-agents could be useful but cannot be made safe (for the logical fallacy you pointed out), and secure Claw-agents are only barely useful. Which feels like the whole idea gets squished.
Yes, although what I think is different in this setup here is the OpenShell gateway override, as they mention:
> NemoClaw installs the NVIDIA OpenShell runtime and Nemotron models, then uses a versioned blueprint to create a sandboxed environment where every network request, file access, and inference call is governed by declarative policy. The nemoclaw CLI orchestrates the full stack: OpenShell gateway, sandbox, inference provider, and network policy.
I think this means you get a true proxy layer with a network gateway that lets you stop in-flight requests with policies you define, so it's not their hardware but the combination of it plus the OpenShell gateway and network policies.
I also think the reason they are doing this is to try and get some moat around these one-click deployments and leverage their GPU-for-rent type of thing instead of having you go buy a Mac mini and learn "scary" stuff (remember, the user market here is pretty strange lol)
> Am I missing something?
You are indeed missing a TON. A lot of Open Claw users don't give it everything. We give it specific access to a group of things it needs to do the things we want. If I want an agent to sit there 24/7 maximizing uptime of my service, I give it access to certain data, the GitHub repo with PR privileges, and maybe even permissions to restart the service. All of this has to be very thoughtful and intentional. The idea that the only "useful" way to use Open Claw is to give it everything is a straw man.
Limiting the blast radius when a bomb goes off is still helpful even if you don't prevent the bomb from going off.
Now, you're right that sandboxing them is insufficient, and a lot of additional safeguards and thinking around it is necessary (and some of the risk can never be fully mitigated - whenever you grant authority to someone or something to act on your behalf, you inherently create risk and need to consider if you trust them).
There are plenty of uses for autonomous agents that don't require unlimited access to every sensitive resource imaginable.
Lock it in a box and have it chew on an unsolved math problem for eternity. Why does it need access to my emails for that?
I agree, but would like to go further: I won’t run OpenClaw type systems because of security and privacy reasons. Although I dislike making tech giants even more powerful, it seems safer to choose your primary productivity platform (Google Workplace, Apple ecosystem, or Microsoft) and wait for them to implement hopefully safer OpenClaw type systems just for their ecosystems and take advantage of centralized security, payment systems, access to platform cloud files, etc. Note: I use ProtonMail, prefer using local models, etc. so when I talk about going all-in on one huge platform I am not talking about anything I want to do in the foreseeable future.
>Am I missing something? Why is everyone talking about sandboxes when it comes to OpenClaw
>And now, what, having inference done by Nvidia directly makes it better? Does their hardware prevent an AI from deleting all my emails?
Because other people, including Nvidia, are mainly focusing on a different aspect of data security, namely data confidentiality, while your main concern is data trustworthiness.
Don't conflate these two; otherwise it's difficult to appreciate their respective proposed solutions, for example NemoClaw.
Why aren't users of OpenClaw "just" giving it its own identity? Give it its own mailbox, calendar and other accounts. Like an assistant.
Sure it takes away part of the point but only the part that is completely unhinged.
Agree, this feels like an XY problem.
The real issue is the level of access and capabilities you grant the agent, not where the inference runs or whether it's "sandboxed".
Agreed. I think the "simplifies running OpenClaw always-on assistants safely" bit is pretty misleading. I suppose it can wreak less havoc on your local file system but, as you point out, it's access to your account credentials (Slack, email, Amazon?, etc.) that is the real danger.
We are in the middle of a gold rush. Nvidia makes the shovels.
Because it's so useful to me that I'm willing to accept the risk of it having access to the thing it needs for the benefit it provides. I'm not willing to accept the risk of it having access to things it doesn't need for no benefit.
Then again, I was wary of OpenClaw's unfettered access and made my own alternative (https://github.com/skorokithakis/stavrobot) with a focus on "all the access it needs, and no more".
You don't need to connect your calendar, email, or anything else. I am having so much fun talking to it bouncing ideas and pushing code/markdown files to GitHub (totally separate account I created for OpenClaw). On the other hand I don't have a crazy life that everything needs to be in the calendar.
Yeah, but at least the dog is going to eat your documents only, and not crap on your rug.
You can't make money if people run things from their computer. And some people don't know ssh.
I'm putting my dog in his crate with all my important documents, but leaving my fine china tableware in the cupboard away from the dog.
You put the dog in a crate with a COPY of your documents.
But you don't want the dog to send your documents to someone in Nigeria.
> being worried he might eat them, so you put the dog in a crate, together with the documents.
Maybe you don't want the dog to shit all over the place after eating said documents, so you put it in a crate.
Neither NVIDIA nor OpenClaw bros care about security at this point. NVIDIA of course wants to fuel the hype train and will proudly point to this, adding 0.1% security to a 2000% insecurity. Most bros won't even mind, produce insecure crap at light speed and never look back. It's probably just there to trick silly non-tech corps into this junk.
Yes, you're missing something. The crate is so your dog doesn't eat the documents you don't want it to mess with.
What makes it even better is that these dogs are like Malinois. If they want to get into something, they will; people have had their entire network compromised by bots they left running overnight, and any important information like account logins and so on runs the risk of being misused.
It's one thing to sandbox, maybe give the bot a temporary, limited $100 card or account to go perform a specific task, but there's no coherent mind underlying these agents.
Depending on how the chain of thought / reasoning goes, or what text they get exposed to on the internet, it could tap into spy novel, hacker fanfic, erotic fiction, or some weird reddit rabbithole and go completely off the rails in ways that you'll never be able to guard against, audit, or account for.
Claw bots seem to be a weird sort of alternate reality RPG more than a useful tool, so far. If you limit it to verifiable tasks, it might be safer, but I keep seeing people rave about "leaving it on overnight and waking up to a finished project" and so on. Well sure, but it could also hack your home network, delete your family pictures folder, log into your bank account and wire all your money to shrimp charities.
Might be wise to wait on safer iterations of these products, I think.