
Yes, yes it is. And it's amaaaazing. We're going to have lots of sharp edges getting stuff like this secured, but it is not going to go away. Too useful.


You assume the security is something you bolt on rather than the security weakness being inextricable from the value. The superior approach is to distill what the LLM is doing, with careful human review, into a deterministic tool. That takes actual engineering chops. There’s no free lunch.


The first company to deliver a truly secure Claw is going to make millions of dollars.

I have no idea how anyone is going to do that.


It seems almost impossible. I spent the weekend comparing nanoclaw to openclaw - nanoclaw is a slightly more secure version - containerized filesystem basically - and very popular.

It's a) harder to set up, b) less functional out of the box, c) has almost exactly the same security risk surface -- either you hook it up to your email, comms, documents and give it API tokens, or you don't. If you do -- well, at least it can't delete your hard drive without turning full evil and looking for red-pill-type exploits that break the container -- but it still has the same other security dynamics.

Anyway, employing a very suspicious watcher that's hooked to the shell and API calls is probably the way forward. Can that thing be reasoned with / tricked?


I'm on my 3rd "claw" variant (currently https://github.com/moltis-org/moltis). I had the same issues you had. Moltis is better (at the moment).


The same way as delivering a "truly secure human". Which is of course impossible; that's why spies, double agents and even triple agents exist and have succeeded in doing their job. And that's despite an enormous number of guardrails meant to prevent exactly that.

And simply "secure enough" doesn't help much either, because whereas a single human spy can only do so much damage, if an LLM is given access to everything in one way or another - which is the whole concept - then the potential damage is boundless.


That's easy. We just keep pumping these things and remind everyone that there's no real consequences (at least to the people who actually matter) and what was previously agreed as super important and critical will eventually turn out to no longer be super important or critical. Lethal trifecta solved. Who cares if your agent is forwarding private and confidential emails to random people, if everyone else is doing it too. Syndrome from the Incredibles movie won, and we helped make it happen. In fact, we made sure of it.


There are secure alternatives but they are not making millions of dollars.


Which secure alternatives? I've not seen any yet.


Connecting Telegram to an agent with a bunch of skills and access to an isolated compute environment is largely a solved problem. I don't want to advertise here, but there are plenty of solutions to spin this up, including what we have built.


The issue is that it isn't secure: the more things you have it hooked up to, the more havoc it can cause. The environment being locked down doesn't help when you're giving it access to potentially destructive actions. And once you remove those actions, you've neutered it.


The openclaw security model is the equivalent of running as root - i.e. full access. If that is insecure the inverse of it is running without any access as default and adding the things that you need.

This is pretty much standard security 101.

We don't need to reinvent the wheel.


The unsolved security challenge is how to give one of these agents access to private data while also enabling other features that could potentially leak data to an attacker (see the lethal trifecta.)

That's the product people want - they want to use a Claw with the ability to execute arbitrary code and also give it access to their private data.
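Two points in the thread fit together in code: the "run with no access and add only what you need" model from the earlier comment, and the lethal-trifecta problem (private data, untrusted content, and an outbound channel in the same session) raised just above. The following is an added illustration, not code from OpenClaw, NanoClaw, Moltis or any other project; the tool names, capability labels and the sample session are constructed.

```python
"""Default-deny tool gate for an LLM agent, with a lethal-trifecta tripwire.

Constructed example. Ideas shown:
  1. The session starts with an empty allowlist; every tool call is denied
     unless that tool was explicitly granted (the opposite of "running as root").
  2. Destructive tools need an out-of-band human confirmation on each call.
  3. Once the session has both read private data and ingested untrusted
     content, any tool that can send data outward is refused, because a
     prompt injection in the untrusted content could now be steering it.
"""
from dataclasses import dataclass, field

# Capability labels attached to tools (constructed taxonomy, not a real API).
PRIVATE_READ = "reads_private"      # mail, documents, API tokens, ...
UNTRUSTED_IN = "ingests_untrusted"  # web pages, inbound mail, chat messages
EXFIL = "can_send_externally"       # network egress, outbound mail, posts
DESTRUCTIVE = "destructive"         # deletes, overwrites, spends money

# Constructed tool catalogue: what each tool can do.
TOOL_CAPS = {
    "read_mailbox": {PRIVATE_READ},
    "fetch_url": {UNTRUSTED_IN},
    "send_email": {EXFIL},
    "delete_email": {DESTRUCTIVE},
    "run_in_sandbox": set(),        # no I/O beyond the container
}


@dataclass
class SessionGate:
    granted: set = field(default_factory=set)   # allowlist; empty by default
    seen_private: bool = False                  # session taint flags
    seen_untrusted: bool = False
    log: list = field(default_factory=list)     # audit trail of decisions

    def grant(self, *tools: str) -> None:
        """Add tools to the allowlist; unknown names are rejected outright."""
        unknown = set(tools) - TOOL_CAPS.keys()
        if unknown:
            raise ValueError(f"unknown tools: {sorted(unknown)}")
        self.granted.update(tools)

    def check(self, tool: str, confirmed: bool = False) -> tuple:
        """Decide whether a requested tool call may proceed.

        Returns (allowed, reason). Order of checks: default deny, then
        human confirmation for destructive tools, then the trifecta rule.
        Taint flags are updated only when the call is allowed.
        """
        if tool not in self.granted:
            return self._deny(tool, "not granted (default deny)")
        caps = TOOL_CAPS[tool]
        if DESTRUCTIVE in caps and not confirmed:
            return self._deny(tool, "destructive action needs human confirmation")
        if EXFIL in caps and self.seen_private and self.seen_untrusted:
            return self._deny(tool, "lethal trifecta: private data and untrusted "
                                    "input are both in context; no egress")
        if PRIVATE_READ in caps:
            self.seen_private = True
        if UNTRUSTED_IN in caps:
            self.seen_untrusted = True
        self.log.append((tool, "allow"))
        return True, "ok"

    def _deny(self, tool: str, reason: str) -> tuple:
        self.log.append((tool, f"deny: {reason}"))
        return False, reason


def demo() -> list:
    """Constructed session; returns the allow/deny decision for each call."""
    gate = SessionGate()
    gate.grant("read_mailbox", "fetch_url", "send_email", "delete_email")
    calls = [
        ("run_in_sandbox", False),  # never granted -> denied
        ("send_email", False),      # nothing tainted yet -> allowed
        ("read_mailbox", False),    # allowed; marks private data as seen
        ("fetch_url", False),       # allowed; marks untrusted input as seen
        ("send_email", False),      # trifecta complete -> denied
        ("delete_email", False),    # destructive, unconfirmed -> denied
        ("delete_email", True),     # confirmed by a human -> allowed
    ]
    return [gate.check(tool, confirmed=c)[0] for tool, c in calls]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The gate is deliberately stateful: the same `send_email` call is fine early in the session and refused later, which is exactly the property a per-call allowlist on its own cannot express. Note the limitation the thread points at: this only constrains tools routed through the gate, so it helps with the "suspicious watcher" idea only if every shell and API call actually passes through it.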


But if it doesn’t have access to the network, then it’s just not very useful. And if it does, then it’s just a prompt injection away from exfiltrating your data, or doing something you didn’t expect (eg deleting all your emails).


What are your uses for it? If you don't mind sharing.


Writing blog posts and HN comments about how awesome OpenClaw is its #1 utility.


For me, personal home IT “chores” that I’ve put off for years. I can do them, but god what a pain in the ass to spin up a VM, configure Prometheus, configure grafana, configure a bunch of collectors for my WiFi and network infrastructure, and then spend a night or three tweaking dashboards and re-learning promql or whatever.

I just end up never doing it. Got it done in a couple hours with openclaw.

I’m sure there are much better ways to do that, which I will now learn in time due to the initial activation energy being broken on the topic. But for now, it’s fun running down my half decade old todo list.


I haven’t found ANY uses for it where it actually did what it was supposed to do.


I wonder about this as well. I see people breathlessly talking about how it manages their inbox or checks flight statuses, but how often should you need a bot for these things?


Can you tell me about your favorite use cases?



