vulnwrecker5000 5 hours ago
what worries me here is that the entire personal AI agent product category is built on the premise of “connect me to all your data + give me execution.” At that point, the question isn’t “did they patch this RCE,” it’s more about what a secure autonomous agent deployment even looks like when its main feature is broad authority over all of someone's connected data? Is the only real answer sandboxing + zero trust + treating agents as hostile by default? Or is this category fundamentally incompatible with least privilege? yikes
  mh2266 5 hours ago
  > “did they patch this RCE,” no, they documented it https://docs.openclaw.ai/gateway/security#node-execution-sys...

    g947o 5 hours ago
    So that's shifting the responsibility to users. And likely many users don't understand what those words mean. All these companies/projects break decades of our security practice and sell you AI browser, AI agent for... I don't know what?

    vulnwrecker5000 4 hours ago
    yeah fair, but “documented” isn’t really a mitigation... most people are gonna run defaults, so defaults basically are the security model imo

      mh2266 4 hours ago
      I'm not saying that "well we stated that our tool is designed as an RCE exploit" is, uh, better

        vulnwrecker5000 3 hours ago
        haha fair "we've designed a fully exploitable agent and we can't wait to share it with the world" :')
|
  chrisjj 5 hours ago
  We need more Windows' "Are you sure you want XXX to make changes to your computer? (no I can't tell you what changes, but trust me.)" /i

    vulnwrecker5000 4 hours ago
    haha yea “are you sure?” doesn’t work when the agent’s action space is huge and incredibly opaque

      chrisjj 4 hours ago
      The true "AI" agent fan probably is sure, though.

        vulnwrecker5000 3 hours ago
        maybe personal AI agents are just a massive psyop to get the massive population of true fans' data then lol - or we just get new security tools that can keep up with this pace of AI innovation. who knows
|