Discussion
OpenClaw is a Security Nightmare Dressed Up as a Daydream
zeristor: This sounds like an AI generated title.
vinni2: Now everyone has to defend their choice of words to make it sound like what you perceive as human.
buildbot: It’s a play on Taylor Swift lyric I think - “Cause, darling, I'm a nightmare dressed like a daydream“ (Blank Space)
somewhereoutth: I would like a personal assistant on my phone that, based on my usual routine and my exact position, can tell me (for example) which bus will get me home the quickest off the ferry, whether the bridge is clogged with traffic, do I need an umbrella? what's probably missing from my fridge, time to top up transit pass, did I tap in? etc etc. These things would appear on my lock screen when I most probably need to know them. No email stuff, no booking things, no security problems.
cj: I mean that also sounds like a logical first step. If "AI" can predict what you need, start with that. And layer in the "do it for me" ("book me the 1pm ferry") later on.
vessenes: Yes, yes it is. And it's amaaaazing. We're going to have lots of sharp edges getting stuff like this secured, but it is not going to go away. Too useful.
mstkllah: What are your uses for it? If you don't mind sharing.
plufz: Can you tell me about your favorite use cases?
rickdg: Related: https://news.ycombinator.com/item?id=47475997
Oarch: Responding to the tweet quoted in the article: why are the examples given of futuristic capabilities always so visionless - it's always booking a flight or scheduling a meeting. Doing this manually is already pretty trivial, it's more productivity theatre than genuinely life-changing. There are real, impressive examples of the power of agentic flows out there. Can we up the quality of our examples just a bit?
AlienRobot: For example?
Oarch: It would probably depend on the target audience. I was very impressed by Anthropic's swarm of agents building a C compiler earlier this year with 1000 PRs per hour. Easy to nitpick that it wasn't perfect, but it sure was impressive.
AlienRobot: > it can read my text messages, including two-factor authentication codes. it can log into my bank. it has my calendar, my notion, my contacts. it can browse the web and take actions on my behalf. in theory, clawdbot could drain my bank account. this makes a lot of people uncomfortable (me included, even now).

I think it's interesting that if this was a normal program this level of access would be seen as utterly insane. A desktop program could use your cookies to access your Gmail account and automatically do things (if you didn't want to use the e-mail protocols that already exist for this kind of stuff), but I assume the average developer simply wouldn't want to be responsible for such a thing. Now, just because the software is "AI," nothing matters anymore?
chewbacha: This read like an AI generated piece and seems to be an advertisement for their product.
ForHackernews: The dream of the middle class IT drone is to become the executive Office Man: he shouts at his PA and she books his flights. Now AI can provide a simulacrum of his fondest aspiration, to be too important to click through booking.com and make someone else do it for him.
bigstrat2003: Not just OpenClaw. Anyone giving an LLM direct access to the system is completely irresponsible. You can't trust what it will do, because it has no understanding. But people don't give a shit, gotta go fast - even if they are going in a bad direction.
usui: Have you seen how bad flight booking sites can get? I've had to download airline apps a majority of the time because the website failed to finish payment properly.
refulgentis: Right. Pretty impressive. What percentage of people will think that's life changing? Because then we're not talking about "can everyone up their demos to life changing, please?", we're talking about "can everyone use demos Oarch thinks are life changing, please?" - and "can build a C compiler draft for $XXK" isn't really that compelling to me, and we're both software engineers, and my whole day job has been an agentic coder for…2.5 years?…now. My incentive structure and demographics are lined up perfectly to agree with you, but I don't :/
Oarch: I'm still sure we can do a little better though. Maybe a personalised diet and exercise plan based on a huge range of information: preferences, biometrics, habit forming, disposable income, your local area etc.
refulgentis: This is an excellent point and reminds me that, in some ways, the agentic coding stuff and ability for RL to hill climb on that and improve models quickly, has distracted from prompt engineering / putting more effort into getting data to them
gos9: No security problems carries a lot of weight here because by design you’re having to expose a significant amount of information but this is doable as a weekend project
lqstuart: Claude Code asked me for blanket permission to ‘rm:*’ and “security find-generic-password” within the same hour or so last week. When I’m ready to quit my job I’ll just let it go hog wild and see if it can get to my next stock vest without getting me fired
operatingthetan: I'm using openclaw for a personal development system running Obsidian. It doesn't have access to anything else. Having an LLM trigger based on crons is very powerful and helps with focus and organizing. The security risks of this setup are lower than most openclaw systems. The real risks are in the access you give it. It's less useful with limited access, but still has a purpose. I know a guy using openclaw at a startup he works at and it's running their IT infrastructure with multiple agents chatting with each other, THAT is scary.
_pdp_: It is, but I thought security wasn't the point. The point was to give it unlimited access to your entire digital life, and while I'd never use it that way myself, that's what many users are signing up for, for better or worse. Obviously, OpenClaw doesn't advertise it like that, but that's what it is. Needless to say, OpenClaw wasn't even the first to do this. There were already many products that let you connect an AI agent to Telegram, which you could then link to all your other accounts. We built software like that too. OpenClaw just took the idea and brought it to the masses and that's the problem.
airstrike: I wonder just how many are compromised and waiting on a command that hasn't been given yet
measurablefunc: All of them. It's not like AI companies have managed to fix the security issues since last time they promised they had fixed all the hallucinations & accidental database deletions.
gos9: You know it’s open source code, right?
esskay: In an alternative reality Apple didn't absolutely shit the bed on AI and made this possible. Sadly they've shown they are woefully behind and have utterly useless people leading divisions they shouldn't have been allowed anywhere near.
politelemon: The overlap between the target audience for openclaw in spite of its attack surface, and the audience that considers a mac mini to be a sandbox while handing over the keys to their digital life is a Venn Eclipse.
gos9: How is a dedicated Mac not a sandbox?
Angostura: Sounds like you just need to install Apple Maps, Apple Weather* and some separate fridge-tracking app. No need of additional intrusive AI.

* or equivalents
somewhereoutth: Indeed I have a bunch of apps that do most of these things, but it's the seamless integration I'm looking for - which may not need much AI at all (especially of the LLM kind), just some well directed machine learning and UI integration.
dawnerd: Home assistant automations?
amanzi: And you want to add an unreliable, non-deterministic LLM into the flow too?
gos9: At this point, I assume anyone writing commentary on software moving faster than they can understand should simply be ignored. So when such commentary is advertising a product worth zero
simonw: The first company to deliver a truly secure Claw is going to make millions of dollars. I have no idea how anyone is going to do that.
_pdp_: There are secure alternatives but they are not making millions of dollars.
simonw: Which secure alternatives? I've not seen any yet.
_pdp_: Connecting Telegram to an agent with a bunch of skills and access to an isolated compute environment is largely a solved problem. I don't want to advertise here, but there are plenty of solutions to spin this up, including what we have built.
Barrin92: > There are real, impressive examples of the power of agentic flows

there aren't, and just like the blockchain "industry" with its "surely this is going to be the killer app" we're going to be in this circus until the money dries up. Just like the note-taking craze, the crypto ecosystem and now AI there's an almost inverse relation between the people advocating it and actually doing any meaningful work. The more anyone's pushing it the faster you should run in the opposite direction.
aftbit: I'm gonna keep saying this forever - there are two obvious "killer apps" for crypto:

1. Semi-private blockchains, where you can rely on an actor not to be actively malicious, but still want to be able to cryptographically hold them to a past statement (think banks settling up with each other)

2. NFTs for tracking physical products through a logistics supply chain. Every time a container moves from one node to the next in a physical logistics chain (which includes tons of low trust "last mile" carriers), its corresponding NFT changes ownership as well. This could become as granular as there's money to support.

These would both provide material advantages above and beyond a centralized SQL database as there's no obvious central party that is trusted enough to operate that database. Neither has anything to do with retail investors or JPEGs though, so they'll never moon and you'll never hear about them.
3eb7988a1663: I read this as the aspirational dream of computers actually doing what you want. Yes, you can absolutely spend a bunch of time to build out the personal automation that will proactively inform you of relevant events. Yet, that is likely to be a lot of finicky messing around that may be pretty fragile and dependent upon N APIs staying fixed.
pron: You mean trying and failing to build a C compiler, which isn't a very hard task to begin with (assuming you know compilers, and the models do). But this time it was made unrealistically easy by giving the agents thousands of tests written by humans over years (on top of a spec and a reference implementation, both of which the models were trained on), and the agents still failed to converge. I was actually surprised that they failed as this was the purest possible example of "just do the coding" (something that isn't achievable in real or more complex cases). My thought at that failed experiment was that if agents can't even build a C compiler with so much preparation effort put into the test, then we have some ways to go. Indeed, once you work a lot with agents for a while you see that coding isn't really their strong suit (although they are impressive at debugging).
KaiserPro: Because the bit that's important is your context (ie email, credit card, privileged data), not the place where you do the execution. Having a separate machine that's isolated is all well and good, but that doesn't protect you from someone convincing your openclaw to give them your credit card.
sylos: I think some folks want a legitimate personal assistant/secretary like CEOs and wealthy people have, but AI. I think that's a good goal. Modern cells and PDAs kinda fell short of "your own literal secretary" and I think people want that. Still we should continue pushing the boundaries beyond that.
mjr00: AFAIK both of these use cases had many millions of invested dollars dumped into them during the blockchain hype and neither resulted in anything. It might not be an exact match for (1), but there was famously the ASX blockchain project[0] which turned out to be a total failure. For (2), IBM made "Farmer Connect"[1], which is now almost entirely scrubbed from their website, which promised to do supply chain logistics on a blockchain.

[0] https://www.reuters.com/markets/australian-stock-exchanges-b...
[1] https://mediacenter.ibm.com/media/Farmer+Connect+%2B+IBM/1_8...
endofreach: > There are real, impressive examples of the power of agentic flows out there. Can we up the quality of our examples just a bit?

Please don't. The reason we're still enjoying the bit of the old world as we know it, is just because nobody has really figured it out yet. Enjoy the moment, while it lasts.
enraged_camel: What does this even mean? By definition, we have been enjoying "the moment" for quite a while now. What is so special about it that we should work to prolong it, and to avoid moving forward?
the_snooze: The purpose of a personal assistant isn’t to fit people into your calendar. It’s to filter them out. They serve as a barrier to your time, not an enabler for other people to claim it. I don’t see how an AI can meaningfully accomplish that.
sdoering: Not using OpenClaw - but I have a limited agent running that currently does a few things well.

Morning Briefing: it reads all my new email (multiple accounts and contexts), calendars (same accounts and contexts), Slack (and other chat) messages (multiple Slacks, Matrix, Discord, and so on), the weather reports, my open/closed recent to-dos in a shared list across all my devices, my latest journal/log entries of things done. Has access for cross-referencing to my "people files" to get context on mails/appointments and chat messages.

From all this, as well as my RSS feeds, it generates a comprehensive yet short-ish morning briefing I receive on weekdays at 7am.

Two minutes and I have a good grasp of my day, important meetings/deadlines/to-dos, possible scheduling conflicts across the multiple calendars (that are not syncable due to corporate policies). This is a very high level overview that already enables me to plan my day better, reschedule things if necessary. And start the day focused on my most important open tasks/topics. More often than not this enables me to keep the laptop closed and do the conceptual work first without getting sucked into email. Or Teams.

By the way: sadly Teams is not accessible to it right now. MS Power Automate sadly does not enable forwarding the content of chats, unlike with emails or calendar appointments.

Just for that alone it is worth having it to me. YMMV.

I also can fire a research request via chat. It does that and writes the results into a file that gets synced to my other devices. Meaning I have it available at any device within a minute or so. Really handy sometimes. It also runs a few regular research tasks on a schedule. And a bit of prep work for copy writing and stuff like this.

Currently it is just a hobby/play project. But the morning briefing to me is easily worth an hour of my day. Totally worth running it on my infra without additional costs.
vl: What are you using for email integration? I want to set up an agent to clean up my Gmail inbox which has many thousands of unread messages.
rvz: The security issues in OpenClaw are not even the main issue, the hype will die if there is no monetary incentive. Like I said before: if you are spending more money on tokens than the agents are making you money (or not), then it is unfortunately all for nought. The question is, who is making money on using Openclaw other than hosting?
aftbit: > possible scheduling conflicts across the multiple calendars (that are not syncable due to corporate policies)

Doesn't this sorta defeat those policies though? Now all of your calendars are "synced" to a random unvalidated AI agent.
localuser13: Unless this whole setup is self-hosted (which I doubt), it's also uploaded to some data lake of a company which is in business of profiting from information.Intelligence agencies are really heading into a golden age, with everyone syncing all the data they have to the cloud, in plaintext. I mean it was already bad, but it's somehow getting worse.
sxg: Some of it is lack of imagination, but some of it is because many truly visionary examples would largely sound stupid to most of today's audience. Imagine it's 2007 and you're explaining how the smartphone will change society over the next 20 years:

- A photo sharing app will change restaurants, public spaces, and the entire travel industry across the world
- The smartphone will bring about regime change in Egypt, Tunisia, Lebanon, and other countries in ~4 years
- We'll replace taxis and hotels by getting rides and sharing homes with strangers
- Billions of people across the world will never need to own a desktop or laptop
- A short video sharing app will kill TV
- QR codes become relevant

Most of these would be a hard sell at the time.
runarberg: None of these actually were hard to sell. In 2007 we had mobile phones, we had mp3 players (the iPod was actually very good), we had CouchSurfing, etc.

I think the smartphone revolution is actually pretty overstated. It basically only made computers cheaper and handier to carry (but also more walled gardens). There are a few capabilities of smartphones we use today which we didn't with computers and mobile phones back in 2007, such as navigation (GPS was a thing but not used much by the general public).

Your case would be much stronger if you used the World Wide Web as your analogy, as in 1995 it would be hard to convince anybody how important it would be to maintain a web presence. And nobody would guess a social medium like IRC would blow up into something other than a toy.

However I think the analogy with smartphones is actually more apt: this AI revolution has made statistical models more accessible, but we are only using them for things we were already capable of before, and unlike the web, and much like smartphones, I don't think that will actually change. But unlike smartphones, it will always be cheaper and often even easier to use the alternatives.
greedo: Like putting glue on your pizza?
refulgentis: > Can we up the quality of our examples just a bit?

No. And there's mundane answers why.

People used to talk about phone home screens, back in the day, every iPhone had 16 spots. It became wisdom everyone had the same 12 apps but then there were 4 that were core for you and where most of your use went, but they were different apps from everyone else. So it goes for agent demos.

Another reason: every agentic flow is a series of mundane steps that can be rounded to mundane and easy to do yourself. Value depends on how often you have to repeat them. If I have to book a flight once every year, I don't need it and it's mundane.

There's no life changing demo out there that someone won't reply dismissively to. If there was, you'd see them somewhere, no? It's been years of LLMs now.

Put most bluntly: when faced with a contradiction, first, check your premises. The contradiction here being, everyone else doesn't understand their agent demos are boring and if just one person finally put a little work and imagination into it, they'd be life changing.
otabdeveloper4: There are easy no-brainer productivity boosts with LLMs. For example, automatically sorting your email by topic.Nobody shows this because the technology is still immature and very shit.
dfabulich: > Separate Accounts for your OpenClaw
> As I have mentioned, treat OpenClaw as a separate entity. So, give it its own Gmail account, Calendar, and every integration possible. And teach it to access its own email and other accounts. In addition, create a separate 1Password account to store credentials. It's akin to having a personal assistant with a separate identity, rather than an automation tool.

The whole point of OpenClaw is to run AI actions with your own private data, your own Gmail, your own WhatsApp, etc. There's no point in using OpenClaw with that much restriction on it.

Which is to say, there is no way to run OpenClaw safely at all, and there literally never will be, because the "lethal trifecta" problem is inherently unsolvable.

https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
Trufa: I wonder how many inherently unsolvable problems have been fixed before.
j16sdiz: Human make error too, but we held them liable for lots of the mistakes they make.Can we make the agent liable? or the company behind the model liable?
dheera: Humans fear discomfort, pain, death, lack of freedom, and isolation. That's why holding them liable works.Agents don't feel any of these, and don't particularly fear "kill -9". Holding them liable wouldn't do anything useful.
jesse_dot_id: This problem is inherently unsolvable because LLMs are prone to hallucinations and prompt injection attacks. I think that you're insinuating that these things can be fixed, but to my knowledge, both of these problems are practically unsolvable. If that turns out to be false, then when they are solved, fully autonomous AI agents may become feasible. However, because these problems are unsolvable right now, anyone who grants autonomous agents access to anything of value in their digital life is making a grave miscalculation. There is no short-term benefit that justifies their use when the destruction of your digital life — of whatever you're granting these things access to — is an inevitability that anyone with critical thinking skills can clearly see coming.
enraged_camel: >> This problem is inherently unsolvable because LLMs are prone to hallucinations and prompt injection attacks.

Okay, but aren't you making the mistake of assuming that we will always be stuck with LLMs, and a more advanced form of AI won't be invented that can do what LLMs can do, but is also resistant or immune to these problems? Or perhaps another "layer" (pre-processing/post-processing) that runs alongside LLMs?
scuff3d: Give it a hundred years or so and we're gonna have robots wandering around who about 10% of the time go totally insane and kill anyone around them. But we'll all just shrug and go about our day, because they generate so much revenue for the corporate overlords. What are a few lives when stockholder value is on the line.