86 comments

[ 5.5 ms ] story [ 94.4 ms ] thread
I found this part interesting: "Inference requests from the agent never leave the sandbox directly. OpenShell intercepts every call and routes it to the NVIDIA cloud provider."

Seems like they are doing this to become the default compute provider for the easiest way to set up OpenClaw. If it works out, it could drive a decent amount of consumer inference revenue their way

yes. this is it. but the average consumer isn't going to use this.

Google is just going to do its version and win again. Everyone uses google.

what about just using an unprivileged container and mounting a host folder to run open claw?
It’s impressive someone early in their career shipped this. There seems to be a stark increase in high-quality AI/data projects from early-career engineers lately and I'm super curious what’s driving that (and honestly speaking: a little jealous).
If you look at the commit history, they started work on this the Saturday before announcement, so about 2 days. There are references to design docs so it was in the works for some amount of time, but the implementation was from scratch (unless they falsified the timestamps for some reason).
Am I missing something? Why is everyone talking about sandboxes when it comes to OpenClaw?

To me it's like giving your dog a stack of important documents, then being worried he might eat them, so you put the dog in a crate, together with the documents.

I thought the whole problem with that idea was that in order for the agent to be useful, you have to connect it to your calendar, your e-mail provider and other services so it can do stuff on your behalf, but also creating chaos and destruction.

And now, what, having inference done by Nvidia directly makes it better? Does their hardware prevent an AI from deleting all my emails?

> being worried he might eat them, so you put the dog in a crate, together with the documents.

Maybe you don't want the dog to shit all over the place after eating said documents, so you put it in a crate.

Because it's so useful to me that I'm willing to accept the risk of it having access to the thing it needs for the benefit it provides. I'm not willing to accept the risk of it having access to things it doesn't need for no benefit.

Then again, I was wary of OpenClaw's unfettered access and made my own alternative (https://github.com/skorokithakis/stavrobot) with a focus on "all the access it needs, and no more".

What makes it even better is that these dogs are like Malinois. If they want to get into something, they will; people have had their entire network compromised by bots they left running overnight, and any important information like account logins and so on runs the risk of being misused.

It's one thing to sandbox, maybe give the bot a temporary, limited $100 card or account to go perform a specific task, but there's no coherent mind underlying these agents.

Depending on how the chain of thought / reasoning goes, or what text they get exposed to on the internet, it could tap into spy novel, hacker fanfic, erotic fiction, or some weird reddit rabbithole and go completely off the rails in ways that you'll never be able to guard against, audit, or account for.

Claw bots seem to be a weird sort of alternate reality RPG more than a useful tool, so far. If you limit it to verifiable tasks, it might be safer, but I keep seeing people rave about "leaving it on overnight and waking up to a finished project" and so on. Well sure, but it could also hack your home network, delete your family pictures folder, log into your bank account and wire all your money to shrimp charities.

Might be wise to wait on safer iterations of these products, I think.

There was a thread recently where a user got his credentials pwned by Claude, and then Claude berated him for having bad security.

He posted this to r/Claude, where Claude (as automoderator) mocked him again.

Edit:

https://www.reddit.com/r/ClaudeAI/comments/1r186gl/my_agent_...

All of this is caused by the "mcp is dead" mob. Instead of fixing the context problem or whatever and even add more security features they just hope that "shell as the interface" works, securely.
Yes you're missing something. The crate is so your dog doesn't eat the documents you dont want it to mess with
but you don't want the go to send your documents to someone in Nigeria
You can't make money if people ran things from their computer. And some people don't know ssh.
Why isn't users of openclaw "just" giving it its own identity? Give it its own mailbox, calendar and other accounts. Like an assistant.

Sure it takes away part of the point but only the part that is completely unhinged.

We are in the middle of a gold rush. Nvidia makes the shovels.
Yeah, but atleast the dog is going to eat your documents only, and not crap on your rug
>Am I missing something? Why is everyone talking about sandboxes when it comes to OpenClaw

>And now, what, having inference done by Nvidia directly makes it better? Does their hardware prevent an AI from deleting all my emails?

Because other people including Nvidia are mainly focusing on different aspect of data security namely data confidentiality while your main concern are data trustworthy.

Don't conflate between these two otherwise it's difficult to appreciate their respective proposed solutions for example NemoClaw.

I agree, but would like to go further: I won’t run OpenClaw type systems because of security and privacy reasons. Although I dislike making tech giants even more powerful, it seems safer to choose your primary productivity platform (Google Workplace, Apple ecosystem, or Microsoft) and wait for them to implement hopefully safer OpenClaw type systems just for their ecosystems and take advantage of centralized security, payment systems, access to platform cloud files, etc. Note: I use ProtonMail, prefer using local models, etc. so when I talk about going all-in on one huge platform I am not talking about anything I want to do in the foreseeable future.
Neither NVIDIA or OpenClaw bros care about security at this point. NVIDIA of course wants to fuel the hype train and will proudly point to this, adding 0.1% security to an 2000% insecurity. Most bros wont even mind, produce insecure crap at light speed and never look back. It's probably just there to trick silly non tech corps into this junk.
Yeah, it's wild. I spent several weeks nearly full time on a deep dive of claw architecture & security.

The short of it - OpenClaw sandboxes are useful for controlling what sub-agents can do, and what they have access to. But it's a security nightmare.

During config experiments, I got hit with a $20 Anthropic API charge from one request that ran amuck. Misconfigured security sandbox issue resulted in Opus getting crazy creative to find workarounds. 130 tool calls and several million tokens later... it was able to escape the sandbox. It used a mix of dom-to-image sending pixels through the context window, then writing scripts in various sandboxes to piece together a full jailbreak. And I wasn't even running a security test - it was just a simple chat request that ran into sandbox firewall issues.

Currently, I use sandboxes to control which agents (i.e. which system prompts) have access to different tools and data. It's useful, but tricky.

There are plenty of uses for autonomous agents that don't require unlimited access to every sensitive resource imaginable.

Lock it in a box and have it chew on an unsolved math problem for eternity. Why does it need access to my emails for that?

Limiting the blast radius when a bomb goes off is still helpful even if you don't prevent the bomb from going off.

Now, you're right that sandboxing them is insufficient, and a lot of additional safeguards and thinking around it is necessary (and some of the risk can never be fully mitigated - whenever you grant authority to someone or something to act on your behalf, you inherently create risk and need to consider if you trust them).

Yeah so the way it works is, you make sure you're running it in docker, in a VM, on a VPS, and then you hook it up to your GMail account ;)

But there's basically two options now. Yolo (and optionally limit the blast radius), or wait a few years and hope the situation improves.

Check out https://zo.computer - we've been doing OpenClaw for nearly a year, it works out of the box, and has hosting built-in. Zo arguably was the inspiration for Peter to create OpenClaw.
I think nanoclaw is architecturaly much better suited to solve this problem.
It’s amusing that ‘claw’ is sticking around as a term for these kind of things, when it was originally a pretty transparent attempt to avoid infringing on ‘Claude’…
The fully autonomous agentic ecosystem makes me feel a little crazy — like all common sense has escaped. It feels like there is a lot of engineering effort being exhausted to harden the engine room on the Titanic against flooding. It's going to look really secure... buried in debris at the bottom of the ocean.

When a state sponsored threat actor discovers a zero day prompt injection attack, it will not matter how isolated your *Claw is, because like any other assistant, they are only useful when they have access to your life. The access is the glaring threat surface that cannot be remediated — not the software or the server it's running on.

This is the computing equivalent of practicing free love in the late 80's without a condom. It looks really fun from a distance and it's probably really fun in the moment, but y'all are out of your minds.

Eh… Titanic did flood in the engine rooms so… might work?

That humor aside: I think it’s about risk tolerance, and you configure accordingly.

You lock it down as much as you need to still do the things you want, and look for good outcomes, and shut it down if things get too risky.

You practice free love, but with protection. Probably still fun?

Big difference between running a bot with fairly narrow scopes inside a network available via secure chat that compounds its usefulness over time, and granting full admin with all your logins and a bank account. Lots of usefulness in the middle.

I’m still not sure why there’s this general idea that people care about security/privacy. For critical systems, sure. But over the last decade, we’ve seen that an average person will always choose fun and convenience over security.

Even the analogy to free love is interesting, because sex in itself during that era was fun. Frankly it’s the same nowadays as well, we just figured out a way out of most of the diseases.

> a state sponsored threat actor

Most people don't seriously worry that they'll be targeted by a state sponsored actor.

Plus most people already expose their life on cloud (in forms of social media, iCloud, Google Drive, Windows's Bitlock key, etc).

> a state sponsored threat actor

your CPU, your OS, CPU and firmware on your motherboard chips, ethernet, wifi, HDDs (btw did you know your sim card has JVM?), your browser, all your networking equipment in between, BGP and all the root certs and I'm just scratching the surface

the ballpark is on anther planet

I kind of hope nemoclaw uptake and spark usage pushes ARM into the spotlight for LLM development, making it the primary release target rather than x86.

This could be the opening we need to wrangle a truly opensource-first ecosystem away from Microsoft and apple.

I'm still extremely skeptical on Claws as a genre, and especially more skeptical of a claw that's always reporting home. What's the use case for a closed claw?
That's like asking what the use case is for closed-source software.
I think the whole thing is batshit, honestly.

Much as I love using Claude or whatever to help me write some code, it's under some level of oversight, with me as human checking stuff hasn't been changed in some weirdly strange way. As we all know by now, this can be 1. Just weird because the AI slept funny and suddenly decided to do Thing It Has Been Doing Consistently A Totally Different Way Today or 2. Weird because it's plain wrong and a terrible implementation of whatever it was you asked for

It seems blindingly, blindingly obvious to me that EVEN IF I had the MOST TRUSTED secretary that had been with me for 10 years, I'd STILL want to have some input into the content they were interacting with and pushing out into the world with my name on.

The entire "claw" thing seems to be some bizarre "finger in ears, pretend it's all fine" thing where people just haven't thought in the slightest about what is actually going on here. It's incredibly obvious to me that giving unfettered access to your email or calendar or mobile or whatever is a security disaster, no matter what "security context" you pretend it's wrapped up in. A proxy email account is still sending email on your behalf, a proxy calendar is still organising things on your calendar. The irony is that for this thing to be useful, it's got to be ...useful - which means it has at some level to have pretty full access to your stuff.

And... that's a hard no from me, at least right now given what we all know about the state of current agents.

Plus... I'm just not sure of the upside. Am I seriously that busy that I need something to "organise my day" for me? Not really.

We are in the wild wild west.

I’m looking for feedback, testing and possible security engineering contracts for the approach we are taking at Housecat.com.

The agent accesses everything through a centralized connections proxy. No direct API tokens or access.

This means we can apply additional policies and approval workflows and audit all access.

https://housecat.com/docs/v2/features/connection-hub

Some obvious ones are only grant read and draft permissions at all, and review and send drafts manually.

Some more clever ones are to only allow sending 5 messages a day, or enforcing soft delete patterns. This prevents accidentally spamming everyone or deleting things.

Next up is giving the agent “wrapped” and down scoped tokens you do want to equip it with the ability to do direct API calls. But these still go through the proxy that enforces the policies too.

Gotta say, that I feel kind of sad for the people that feel the need for these claw things.

Are they so busy with their lives that they need an assistant, or do they waste their lives speaking to it like it is a human, and then doomscrolling on some addictive site instead of attending to their lives in the real world?

It is sad, psychosis from exec-up has trickled down so people really want these tools to work yet these tools are so bad that people in this thread are recommending you create a second email so your openclaw can suggest events to you without being able to delete them.

It's like having to hire a second maid to watch your maid that steals constantly instead of vacuuming yourself in 10 mins.

It’s not a need - it’s a fun new thing - fun to see what’s possible and how it helps.

OpenClaw is not easy to set up or user friendly for most (BlueBubbles and Claw had an annoying bug recently) - but the way I have seen it work well requires an up front time investment and then interest compounds RAPIDLY to help manage things and be more productive.

My guess is maybe you’ve never had an assistant or tried a Claw instance? I’ve never had a human assistant but man I’ve had folks that took silly things off my plate and it’s worth it.

Do you feel sad for people who use a computer or a cellphone or file taxes online instead of paper ? How is this any different ?

I use those tools to make my life easier/faster

[flagged]
What does any of this have to do with Israel?
Using bespoke sandboxing seems rather pointless, it will be brittle in ways you aren't going to be familiar with unless you spend time studying the bespoke method. Brittle as in it might break a workflow and you wouldn't know why, or give it permissions you don't understand.

It's better to just study a general sandbox method once and use that.

> Sandbox my-assistant (Landlock + seccomp + netns)

Might as well just use a custom bwrap/bubblewrap command to isolate the agent to its own directory - it will leave wide swaths of the kernel exposed to 0day attacks.

The simplest sandbox method you can use is to just use docker with the runsc runtime (gVisor). And it also happens to be among the most secure methods you are going to find. You can also run runsc(gVisor) manually with a crafted OCI json, or use the `do` subcommand with an EROFS image.

Trying to selectively restrict networking is not something I usually bother with, unless you make it iron-clad it would likely give you a false sense of security. For example Nemoclaw does this by default: <https://docs.nvidia.com/nemoclaw/latest/reference/network-po...>

github.com and api.telegram.org will trivially facilitate exfiltration of data. Some others will also allow that by changing an API key I imagine.

I think the more useful tool would be an LLM prompt proxy/firewall that puts meaningful boundaries in place to prevent both exfiltration of sensitive data and instructions that can be destructive. Using the same context loop for your conversational/coding workflow makes the task at hand and the security of that task very hard to differentiate.

Sending POST?DEL requests? risky. Sending context back to a cloud LLM with credentials and private information? risky. Running RM commands or commands that can remove things? risky, running scripts that have commands in them that can remove things? risky.

I don't know how we've landed on 4 options for controls and are happy with this: "ask me for everything", "allow read only", "allow writes" and "allow everything".

Seems like what we need is more granular and context-aware controls rather than yet another box to put openclaw in with zero additional changes.

"NVIDIA NemoClaw installs the NVIDIA OpenShell runtime, part of NVIDIA Agent Toolkit, for inference through NVIDIA cloud."

After that I eat an NVIDIA sandwich from my NVIDIA fridge and drive my NVIDIA car to the NVIDIA store NVIDIA NVIDIA NVIDIA