PranayKumarJain | 20 days ago
A few practical reasons people still install them:

- Many skills are thin wrappers around an API (small surface area) and are easy to audit.
- You can run OpenClaw with least-privilege: only enable the tools/skills you actually need, use throwaway API keys/accounts, and avoid giving it file/terminal access unless you’re comfortable with it.
- Isolation helps: run the gateway in a container/VM, separate user accounts, and keep secrets scoped per-skill.

Verification is nice, but the security model should assume skills can be malicious, and keep the blast radius small.