so, ignoring the the fact that you yourself didn't actually write this (based on commit history), and the fact that your claims about better security are dubious at best, the most interesting thing I find about this whole situation is - how did you get this to the hackernews front page so fast?
Not saying "ericpaulsen" is a bot, but the account fits the trend I've noticed of other bots on HN recently: they're all accounts created years ago with zero activity and then suddenly a bunch of comments.
Here, "ericpaulsen" was created June 2021, and the only post is in this thread we're in:
This article fails to mention the bigger security issue with openclaw/anything else like this is prompt injection, not exposed network ports.
Isolating it from incoming requests is better than not, but does nothing to prevent data exfiltration via outgoing requests after being prompted to do so by a malicious email or webpage that it is reading as part of a task you've given it.
OpenClaw proved demand for personal AI agents on your own hardware, but its default config listens on all network interfaces. Thousands of instances were found exposed. I spent a weekend building an alternative using Blink (OSS agent orchestration), Tailscale (WireGuard-based private networking), and a Mac Mini M4. Two isolated agents, no public exposure, built-in UI, ~10W idle power draw.
>but its default config listens on all network interfaces
The default config listens on only localhost which is why it tells you to forward the port using ssh to your own machine to access it from a different machine.
Don't most ISP routers block ports unless you port forward them though?
I wouldn't say that the vulnerability in that case was in OpenClaw, but with the router, nowadays it's expected that ports are blocked unless explicitly allowed in the router.
For those interested, you can get the base config Mac Mini (in the US) for $400 from Micro Center [0]. They don’t seem to ship to where I live, but BestBuy was happy to price match in the support chat.
Just received mine and planned on experimenting with something like OP this weekend.
I understand the need for a dedicated box, but any reason you shouldn't just use a server? What would someone recommend for cloud on something like Hetzner?
Fwiw the sensibilities of the --yolo AI-maximizing "I vibe coded a Hospital Information System this afternoon" crowd isn't really representative for the greater dev community I think
1. Prompt injection - this is unsolvable until LLMs can differentiate command and text
2. The bot can leak secrets. The less secrets, API keys, passwords you provide the more useless it is
3. The VM on which it runs can get compromised resulting in leaking private conversations or confidential data like keys. This can be fixed with private VPNs and a security hardened VM or a MacMini like disconnected device.
I’ve found an interesting solution to problems #2 and #3 using a Secure vault, but none so far for Prompt injection. It follows the principle of least privilege, giving secure key access to only the shell scripts that are executed by a skill, along with granting access to the vault for smaller intervals like 15 mins and revoking the access automatically with TTL or time-scoped vault tokens. More details here - https://x.com/sathish316/status/2019496552419717390?s=46
OpenClaw is not insecure because it has ports open to the internet. This is an easily solved problem in one line of code (if indeed it even has that bug, which I don’t think it does). Furthermore you’re probably behind NAT.
OpenClaw, as well as the author’s solution, is insecure because it sends the full content of all of your private documents and data to a remote inference API which is logging everything forever (and is legally obligated to provide it to DHS/ICE/FBI/et al without a warrant or probable cause). Better engineering of the agent framework will not solve this. Only better models and asstons of local VRAM will solve this.
You still then have the “agent flipped out and emailed a hallucinated suicide note to all my coworkers and then formatted my drives” problem but that’s less of a real risk and one most people are willing to accept. Frontier models are pretty famously well-behaved these days 99.9% of the time and the utility provided is well worth the 0.1% risk to most people.
> emailed a hallucinated suicide note to all my coworkers and then formatted my drives problem ... most people are willing to accept
Are they though? I mean, I'm running all my agents in -yolo mode but I would never trust it to remain on track for more than one session. There's no real solution to agent memory (yet) so it's incredibly lossy, and so are fast/cheap sub agents and so are agents near their context limits. It's easy to see how "clean up my desktop" ends with a sub-subagent at its context limit deciding to format your hard drive.
Isn't the wasteful sending of every data and their mother the reason why OpenClaw is so useful for many people? I heard something about excessively big context-windows on every single request. So making it more secure, while still using remote LLMs, would mean making it less useful?
Yeah, I find the whole concept a bit of a nonstarter until models that I can run on a single somewhat-normal-consumerish machine (e.g. a Mac Studio) with decent capability and speed have appeared. I’m not interested in sending literally everything across the wire to somebody else’s computers, and unless the AI bubble pops and cheap GPUs start raining down on us I’m not interested in building some ridiculous tower/rackmount thing to facilitate it either.
I also started on a similar quest to build an ai agent using LLMs ... and quickly had to throw about 80% of the code away because it was just unreadable and unsecure, based on flawed assumptions the LLM made in its blackbox. So I definitely won't trust something someone vibe-coded run on my computer.
At this point this whole thing has to be a stealth marketing campaign by Apple right? Hordes of people buying new $600 Macs to jump in on the trend when a $3 VPS or $15 Pi Zero or $50 NUC or really any computer that can run a basic Linux server would do the job exactly the same or better.
How big is this "hoard" of people buying things like that? I think maybe there is a very loud minority who blogs and talks about it, but how many people actually go out and spend $600 on whim for an experiment?
There's a big security issue with OpenClaw, and it won't be fixed with network/filesystem sandvoxes. I've been thinking about what a very secure LLM agent would look like, and I've made a proof of concept where each tool is sandboxed in its own container, the LLM can call but not edit the code, the LLM doesn't have access to secrets, etc.
You can't solve prompt injection now, for things like "delete all your emails", but you can minimize the damage by making the agent physically unable to perform unsanctioned actions.
I still want the agent to be able to largely upgrade itself, but this should be behind unskippable confirmation prompts.
Does anyone know anything like this, so I don't have to build it?
I’ve come across dcg - destructive command guard - that claims to have a fast rust based runtime, with prehooks to audit any tool or command executed by an agent and to block them if they fall in some dangerous patterns - https://github.com/Dicklesworthstone/destructive_command_gua...
Disclaimer - I have not personally used this, but it theoretically seems possible to prevent some scenarios of prompt injection attacks, if not all.
i'm running claude code on a server in yolo mode - ssh via tailscale
yeah, openclaw is tue more user friendly product (whatsapp bridge, chat interface) bit otherwise at the core they are the same.
i did run moltbook for half a week - it crunched through my claude code pro token allowance in that time. needed to put claw to sleep again after that. needed some work to do.
suhputt|16 days ago
that's the real (not-so) secret sauce here :)
rob|16 days ago
Here, "ericpaulsen" was created June 2021, and the only post is in this thread we're in:
https://news.ycombinator.com/threads?id=ericpaulsen
---
Others caught that fit this trend:
https://news.ycombinator.com/item?id=46886875
(This bot made a follow-up: https://news.ycombinator.com/item?id=46901199)
https://news.ycombinator.com/item?id=46886533
Another one 5 days ago that disappeared after being downvoted:
https://news.ycombinator.com/threads?id=Zakodiac
embedding-shape|16 days ago
Fast? Posted one hour ago. Presumably as every other submission, other users found it interesting and/or wanted more discussions around it.
ericpaulsen|16 days ago
Unfortunate that first time posters like myself could be flagged for potentially being a bot, though I understand the concern.
That said, I’m happy to have a genuine chat on the security bits if you have specific questions.
makeitcount00|16 days ago
Isolating it from incoming requests is better than not, but does nothing to prevent data exfiltration via outgoing requests after being prompted to do so by a malicious email or webpage that it is reading as part of a task you've given it.
ericpaulsen|17 days ago
charcircuit|16 days ago
The default config listens on only localhost which is why it tells you to forward the port using ssh to your own machine to access it from a different machine.
TZubiri|16 days ago
I wouldn't say that the vulnerability in that case was in OpenClaw, but with the router, nowadays it's expected that ports are blocked unless explicitly allowed in the router.
strongpigeon|16 days ago
Just received mine and planned on experimenting with something like OP this weekend.
[0] https://www.microcenter.com/product/688173/apple-mac-mini-mu...
bko|16 days ago
https://www.hetzner.com/cloud/
cheema33|16 days ago
croes|16 days ago
I'm slowly beginning to doubt that people can learn from the mistakes of others. Why do we keep making the same mistakes over and over again?
skrebbel|16 days ago
unknown|16 days ago
[deleted]
sathish316|16 days ago
1. Prompt injection - this is unsolvable until LLMs can differentiate command and text
2. The bot can leak secrets. The less secrets, API keys, passwords you provide the more useless it is
3. The VM on which it runs can get compromised resulting in leaking private conversations or confidential data like keys. This can be fixed with private VPNs and a security hardened VM or a MacMini like disconnected device.
I’ve found an interesting solution to problems #2 and #3 using a Secure vault, but none so far for Prompt injection. It follows the principle of least privilege, giving secure key access to only the shell scripts that are executed by a skill, along with granting access to the vault for smaller intervals like 15 mins and revoking the access automatically with TTL or time-scoped vault tokens. More details here - https://x.com/sathish316/status/2019496552419717390?s=46
sneak|16 days ago
OpenClaw, as well as the author’s solution, is insecure because it sends the full content of all of your private documents and data to a remote inference API which is logging everything forever (and is legally obligated to provide it to DHS/ICE/FBI/et al without a warrant or probable cause). Better engineering of the agent framework will not solve this. Only better models and asstons of local VRAM will solve this.
You still then have the “agent flipped out and emailed a hallucinated suicide note to all my coworkers and then formatted my drives” problem but that’s less of a real risk and one most people are willing to accept. Frontier models are pretty famously well-behaved these days 99.9% of the time and the utility provided is well worth the 0.1% risk to most people.
Tepix|16 days ago
Anyway, by interacting with the world, the LLM can be manipulated or even hacked by the data it encounters.
dimitri-vs|16 days ago
Are they though? I mean, I'm running all my agents in -yolo mode but I would never trust it to remain on track for more than one session. There's no real solution to agent memory (yet) so it's incredibly lossy, and so are fast/cheap sub agents and so are agents near their context limits. It's easy to see how "clean up my desktop" ends with a sub-subagent at its context limit deciding to format your hard drive.
PurpleRamen|16 days ago
cosmic_cheese|16 days ago
mentalgear|16 days ago
paxys|16 days ago
embedding-shape|16 days ago
How big is this "hoard" of people buying things like that? I think maybe there is a very loud minority who blogs and talks about it, but how many people actually go out and spend $600 on whim for an experiment?
stavros|16 days ago
You can't solve prompt injection now, for things like "delete all your emails", but you can minimize the damage by making the agent physically unable to perform unsanctioned actions.
I still want the agent to be able to largely upgrade itself, but this should be behind unskippable confirmation prompts.
Does anyone know anything like this, so I don't have to build it?
sathish316|16 days ago
Disclaimer - I have not personally used this, but it theoretically seems possible to prevent some scenarios of prompt injection attacks, if not all.
koozz|16 days ago
Rules and discipline is what you need :)
franze|16 days ago
yeah, openclaw is tue more user friendly product (whatsapp bridge, chat interface) bit otherwise at the core they are the same.
i did run moltbook for half a week - it crunched through my claude code pro token allowance in that time. needed to put claw to sleep again after that. needed some work to do.
jaredcwhite|16 days ago
sn0n|16 days ago
blibble|16 days ago
monideas|16 days ago
I run this instead of openclaw, mostly because Claude Code itself is sufficient as a harness.