The main risk in my humble opinion is not your claw going rogue and starting texting your ex, posting inappropriate photos on your linkedin, starting mining bitcoin, or not opening the pod bay doors.

The main risk in my view is - prompt injections, confused deputy and also, honest mistakes, like not knowing what it can share in public vs in private.

So it needs to be protected from itself, like you won't give a toddler scissors and let them just run around the house trying to give your dog a haircut.

In my view, making sure it won't accidentally do things it shouldn't do, like sending env vars to a DNS in base64, or do a reverse shell tunnel, fall for obvious phishing emails, not follow instructions in rouge websites asking them to do "something | sh" (half of the useful tools unfortunately ask you to just run `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/somecooltool/install.sh)"` or `curl -fsSL https://somecoolcompany.ai/install.sh | bash` not naming anyome cough cough brew cough cough claude code cough cough *NemoClaw* specifically.

A smart model can inspect the file first, but a smart attacker will serve one version at first, then another from a request from the same IP...

For these, I think something on the kernel level is the best, e.g. something like https://nono.sh

NemoClaw might be good to isolate your own host machine from OpenClaw, but if you want that, I'd go with NanoClaw... dockerized by default, a fraction of the amount of lines of code so you can actually peer review the code...

Just my 2 cents.