53 comments

[ 2.7 ms ] story [ 63.4 ms ] thread
What's the fun in that? Also I think /stop would help here.
Really don’t understand why sane developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them simply because it’s AI. Why would you ever let a non deterministic program god level access to everything? What could possibly go wrong?
Obviouly the assumption of sanity was premature.
OpenClaw has now weeded out the shills, leaving only the real pros :D.
Are people really running OpenClaw on their primary machine?

Anyone security-conscious would isolate it on dedicated hardware (old laptop, Raspberry Pi, etc.) with a separate network and chat surface.

This is the sanest take I've seen from anyone using the claws.

I would still not want the LLM to have read access to email. Email is a primary vector for prompt injection and also used for password resets.

I mean if you are not connecting it to the real things why even bother, just chatgpt or Claude online at that point.

We have enough assistants, the key idea with opeclaw is it can do stuff instead of talk with what you have. It’s terrible security but that’s the only way it makes sense. Otherwise it’s just a lot of hoops to combine cron jobs with a AI agent on the cloud that can do things an report back.

Not that I think anyone should do it, it’s a recipe for disaster

(comment deleted)
So... stupid question, if this is true, why isn't it downloaded as a docker image?
This post exists in that Poe's law purgatory of it being impossible for someone without the proper context to know whether this is sarcastically mocking OpenClaw or an attempt at defending OpenClaw against some of the bad press it has received due to people not understanding the risks involved. Because the comments here are responding of if this post is a sane reasonable take, but I read it and just see a laundry list of restrictions you need to put on OpenClaw listed one after another until you get to the point in which the software is effectively useless.
Didn't all vendors directly or indirectly ban the use of *claw? Why are there still articles about this? Are they unable to detect users?

    Listen carefully: OpenClaw is basically a real person you have hired, whose capabilities are vast and fast — in ways both good and potentially bad. But you’ve hired it in the absence of a resume or behavioral background check results. 

...Except that a human is culpable and subject to consequences when they directly disobey instructions in a way that causes damage, particularly if you give them repeated direct instructions to "stop what you are doing".

And also, when it says "You're absolutely right! I disobeyed your direct instructions causing irreparable damage, so sorry, that totes won't happen again, pinky promise!", those are just some words, not actually a meaningful apology or promise to not disobey future instructions.

Personally, I question the usefulness of an AI assistant that can't even be trusted to add an entry to my calendar.

    you withhold and limit access to your devices, your account credentials, and even its own full account permissions, from the start, to the same extent that you would withhold such access from a new hire.
No, like I pointed out, a new hire has signed an employment agreement filled with legalese and is subject to legal ramifications if they delete all my emails while I'm screaming "stop what you are doing!". And if they say "oh, sorry, I totally misunderstood your instructions, that won't happen again" and then do it again, they're committing a crime.

What's the point of hiring a personal assistant who is incapable of sending email? Isn't that precisely what you hire a PA to do?

    Would you let a human being with the aforementioned characteristics — brilliant and capable, but lacking a resume or behavioral background check results — directly use your personal computer or your work computer?

No. And I also wouldn't hire that person as a PA.
Giving OpenClaw permissions on a non-sandboxed account seems like it would massively fragilize my digital life

Small upside: it saves a few minutes here and there on some tasks (eg. checking into flights)

Massive tail-risk downside: it does something like what's linked in the tweet (eg. deletes my entire inbox)

It doesn’t matter what you’re “supposed to do”. People don’t read manuals or warnings.
I agree - but what exactly are you supposed to do with it if it has its own email, phone #, etc?
This person’s title is “Safety and alignment at Meta Superintelligence”. It must be satire.
Looking at the tweet he’s replying to, I still find it incredible people talk to these LLMs as if they are rational beings who will listen to them. The fact that they sometimes do is almost coincidence more than anything.

It’s even more unbelievable that they seem to think instructions are rules it will follow.

To paraphrase Captain Barbossa: “They’re more guidelines than actual rules.”

What's incredible is that talking to them as if they're rational beings typically produces the outcome you're looking for.
I am baffled by the popularity of *claw but I am always looking to learn, so I was happy to have the algo serve me this YT video of Limor explaining how she had a sandboxed claw running a local LLM to chew through a particularly dense datasheet to create a wrapper library and matching test coverage. https://www.youtube.com/watch?v=fdidNp5IHHI

This example is, as of this moment, the only example that has communicated to me that February 2026's local agent harnesses have some utility in the right context and expert hands.

I was particularly bolstered by the unintentional but very real demonstration of how LLMs really can be leveraged to free up humans to spend more parent time with their infants. We spend a lot of characters lamenting how we never got jetpacks, so here's someone doing it right.

Edit an hour later: this comment is at -2 as of the time I'm writing this, but apparently those folks don't have anything to say about why this felt important to rail against.

madness & reeks of setup bait for security exploits
Is it sufficient to use a VM for isolation? Docker?

More cloud services now need role accounts. You need a "can read email but not send or forward" account, for example. And "can send only to this read-only contacts list".

I saw the original tweet before it got lampooned everywhere, looked at the author's bio, and it felt obviously like engagement bait to me. Why would someone actually post about how "humbled" they are that their LLM assistant deleted their emails, and this person is a VP at Meta? I may be wrong but it feels obviously written to go viral. All it would have taken is for the author to not post and nothing would have happened. I was originally tempted to make fun of the author myself but decided not to feed what I thought was obvious engagement bait.

Moral outrage about how everything is in decline is absolutely the viral currency of social media and HN is no exception. I find it amazing how few people doubt the sincerity of the original post. Probably hundreds of thousands of aggregate words spent on how everything is going downhill, but not one on the intentions of the original post.

- let me paraphrase it even better for you "You are not supposed to install OpenClaw at all"
Am I understanding correctly that he is freaking out because his little hobby project that blew out of proportions is causing people harm?