by darth_avocado
27 subcomments
- Really don’t understand why sane developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them simply because it’s AI. Why would you ever let a non deterministic program god level access to everything? What could possibly go wrong?
- Regarding the interactions shown in the screenshots:
LLMs are pattern-matching machines. They keep the pattern going. Once "the agent disobeys the human's instructions" has made its way into the context, that is the pattern that it's going to keep matching. No amount of telling it to stop will make it stop.
The only possible solution is excising it from context and replacing it with examples of it doing the right thing. Given that these models have massive context windows now and much of the output is hidden from the user, that's becoming less viable.
- Sorry, I LOL'd.
This is too funny to not laugh at the absurdity of "safety and alignment" researchers blindly trusting agents like Claw without fully understanding. Or maybe they were researching.
by Karrot_Kream
0 subcomment
- I saw the original tweet before it got lampooned everywhere, looked at the author's bio, and it felt obviously like engagement bait to me. Why would someone actually post about how "humbled" they are that their LLM assistant deleted their emails, and this person is a VP at Meta? I may be wrong but it feels obviously written to go viral. All it would have taken is for the author to not post and nothing would have happened. I was originally tempted to make fun of the author myself but decided not to feed what I thought was obvious engagement bait.
Moral outrage about how everything is in decline is absolutely the viral currency of social media and HN is no exception. I find it amazing how few people doubt the sincerity of the original post. Probably hundreds of thousands of aggregate words spent on how everything is going downhill, but not one on the intentions of the original post.
- Looking at the tweet he’s replying to, I still find it incredible people talk to these LLMs as if they are rational beings who will listen to them. The fact that they sometimes do is almost coincidence more than anything.
It’s even more unbelievable that they seem to think instructions are rules it will follow.
To paraphrase Captain Barbossa: “They’re more guidelines than actual rules.”
by vivzkestrel
1 subcomments
- - let me paraphrase it even better for you "You are not supposed to install OpenClaw at all"
by orbital-decay
0 subcomment
- Sandboxing is necessary but you still have to trust it with the thing it's supposed to operate on, that means it should be able do the job correctly and be resistant to prompt injections (social engineering in the case of that human worker example). In its current state neither is really possible. It's a system of a highly experimental nature, use your own damn sense, don't give it too much and don't rely upon it.
by bad_username
1 subcomments
- I feel this OpenClaw stuff is a bit like the "crypto" of agentic AI. Promise much, move fast and break things, be shiny and trendy, have a multitude of names, be moderately useful while things go right (and be very useful to malicious actors), be catastrophic and leave no recourse when things inevitably go wrong.
- I want to use OpenClaw, but it seems like a mess. I want to use glam coding plan as the backend with the since it's cheap. I found ZeroClaw to be an interesting option, maybe hosted on Hetzner. I don't want to give it access to my stuff—I just need it to remind me of things and call APIs that do stuff (like looking for papers and converting them into audio, or suggesting a grocery list—all behind APIs), and talk to me via WhatsApp/telegram. I was also thinking about making a FastAPI server that Claw can call instead of using skills.
Has anyone tried something like this? Do you think it's a good idea / architecture?
- Is it sufficient to use a VM for isolation? Docker?
More cloud services now need role accounts. You need a "can read email but not send or forward" account, for example. And "can send only to this read-only contacts list".
- I feel like most participants in the thread are on the same page about limiting openclaw's access to anything that matters.
But I wonder what things these people approve for Claude code and it's equivalents? Where's the line?
- If you want something you can install on your personal computer, I made one:
https://github.com/skorokithakis/stavrobot
Obviously, it can't do everything OpenClaw can, because it doesn't have unfettered access to data you don't even know it has, but it'll only have access to the data you give it access to.
It's been really useful for me, hopefully it'll be useful to someone here.
- Rather than giving access to my emails I would let it loose on LinkedIn. It’s full of bots anyway.
by 8cvor6j844qw_d6
5 subcomments
- Are people really running OpenClaw on their primary machine?
Anyone security-conscious would isolate it on dedicated hardware (old laptop, Raspberry Pi, etc.) with a separate network and chat surface.
- This is a good example of why companies that have IAM figured out (Amazon, Google, etc.) might do well as AI becomes more embedded into our daily lives.
- So... stupid question, if this is true, why isn't it downloaded as a docker image?
by StevenNunez
0 subcomment
- What's the fun in that? Also I think /stop would help here.
- This post exists in that Poe's law purgatory of it being impossible for someone without the proper context to know whether this is sarcastically mocking OpenClaw or an attempt at defending OpenClaw against some of the bad press it has received due to people not understanding the risks involved. Because the comments here are responding of if this post is a sane reasonable take, but I read it and just see a laundry list of restrictions you need to put on OpenClaw listed one after another until you get to the point in which the software is effectively useless.
by peteforde
1 subcomments
- I am baffled by the popularity of *claw but I am always looking to learn, so I was happy to have the algo serve me this YT video of Limor explaining how she had a sandboxed claw running a local LLM to chew through a particularly dense datasheet to create a wrapper library and matching test coverage. https://www.youtube.com/watch?v=fdidNp5IHHI
This example is, as of this moment, the only example that has communicated to me that February 2026's local agent harnesses have some utility in the right context and expert hands.
I was particularly bolstered by the unintentional but very real demonstration of how LLMs really can be leveraged to free up humans to spend more parent time with their infants. We spend a lot of characters lamenting how we never got jetpacks, so here's someone doing it right.
Edit an hour later: this comment is at -2 as of the time I'm writing this, but apparently those folks don't have anything to say about why this felt important to rail against.
by dSebastien
0 subcomment
- Safer approach: https://www.dsebastien.net/how-to-self-host-openclaw-securel...
by ericbuildsio
0 subcomment
- Giving OpenClaw permissions on a non-sandboxed account seems like it would massively fragilize my digital life
Small upside: it saves a few minutes here and there on some tasks (eg. checking into flights)
Massive tail-risk downside: it does something like what's linked in the tweet (eg. deletes my entire inbox)
by throwatdem12311
0 subcomment
- It doesn’t matter what you’re “supposed to do”. People don’t read manuals or warnings.
- I ran into pope bot
https://youtu.be/8uP2IrP3IG8
by BloondAndDoom
1 subcomments
- I mean if you are not connecting it to the real things why even bother, just chatgpt or Claude online at that point.
We have enough assistants, the key idea with opeclaw is it can do stuff instead of talk with what you have. It’s terrible security but that’s the only way it makes sense. Otherwise it’s just a lot of hoops to combine cron jobs with a AI agent on the cloud that can do things an report back.
Not that I think anyone should do it, it’s a recipe for disaster
by plagiarist
1 subcomments
- This is the sanest take I've seen from anyone using the claws.
I would still not want the LLM to have read access to email. Email is a primary vector for prompt injection and also used for password resets.
- > You are not supposed to install OpenClaw
Sentence could have ended there
- "Hey Claude, summarize, this document I downloaded from the Internet" being a use-case people actually talk about is still mind boggling to me.
- This response encapsulates my feelings perfectly:
> if i had your job they would have had to waterboard this interaction out of me
by 1970-01-01
0 subcomment
- I object to the term install. It's just a bunch of hacks glued together with a little bit of UI polish. Bloated by default.
- This person’s title is “Safety and alignment at Meta Superintelligence”. It must be satire.
- Yeah but then it’s useless
- One should not build a machine in the image of man. From Dune
- If only I knew enough finance about making a lot of money from the impending collapse of this AI stupidity and the stupidity of AI grifters. I would put real money on it if anybody has suggestions.
by petterroea
0 subcomment
- Am I understanding correctly that he is freaking out because his little hobby project that blew out of proportions is causing people harm?
by mindslight
0 subcomment
- Is anybody else getting strong "Do not taunt Happy Fun Ball" vibes from this?
- I agree - but what exactly are you supposed to do with it if it has its own email, phone #, etc?
Listen carefully: OpenClaw is basically a real person you have hired, whose capabilities are vast and fast — in ways both good and potentially bad. But you’ve hired it in the absence of a resume or behavioral background check results.
...Except that a human is culpable and subject to consequences when they directly disobey instructions in a way that causes damage, particularly if you give them repeated direct instructions to "stop what you are doing".And also, when it says "You're absolutely right! I disobeyed your direct instructions causing irreparable damage, so sorry, that totes won't happen again, pinky promise!", those are just some words, not actually a meaningful apology or promise to not disobey future instructions.
Personally, I question the usefulness of an AI assistant that can't even be trusted to add an entry to my calendar.
you withhold and limit access to your devices, your account credentials, and even its own full account permissions, from the start, to the same extent that you would withhold such access from a new hire.
No, like I pointed out, a new hire has signed an employment agreement filled with legalese and is subject to legal ramifications if they delete all my emails while I'm screaming "stop what you are doing!". And if they say "oh, sorry, I totally misunderstood your instructions, that won't happen again" and then do it again, they're committing a crime.What's the point of hiring a personal assistant who is incapable of sending email? Isn't that precisely what you hire a PA to do?
Would you let a human being with the aforementioned characteristics — brilliant and capable, but lacking a resume or behavioral background check results — directly use your personal computer or your work computer?
No. And I also wouldn't hire that person as a PA.
- Didn't all vendors directly or indirectly ban the use of *claw? Why are there still articles about this? Are they unable to detect users?
- madness & reeks of setup bait for security exploits
by PranayKumarJain
0 subcomment
- [dead]
- [flagged]
by hiuioejfjkf
1 subcomments
- [flagged]
by alex_trekkoa
1 subcomments
- [flagged]
- [flagged]
- [flagged]
Hacker News