Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
H8crilA 3 hours ago

This may be a good place to exchange some security ideas. I've configured my OpenClaw in a Proxmox VM, firewalled it off of my home network so that it can only talk to the open Internet, and don't store any credentials that aren't necessary. Pretty much only the needed API keys and Signal linked device credentials. The models that can run locally do run locally, for example Whisper for voice messages or embeddings models for semantic search.

stavros 35 minutes ago | parent | next [-]

I was worried about the security risk of running it on my infrastructure, so I made my own:

https://github.com/skorokithakis/stavrobot

At least I can run this whenever, and it's all entirely sandboxed, with an architecture that still means I get the features. I even have some security tradeoffs like "you can ask the bot to configure plugin secrets for convenience, or you can do it yourself so it can never see them".

You're not going to be able to prevent the bot from exfiltrating stuff, but at least you can make sure it can't mess with its permissions and give itself more privileges.

embedding-shape 3 hours ago | parent | prev | next [-]

I think the security worries are less about the particular sandbox or where it runs, and more about that if you give it access to your Telegram account, it can exfiltrate data and cause other issues. But if you never hand it access to anything, obviously it won't be able to do any damage, unless you instruct it to.

kzahel 2 hours ago | parent [-]

You wouldn't typically give it access to your own telegram account. You use the telegram bot API to make a bot and the claw gateway only listens to messages from your own account

embedding-shape 2 hours ago | parent [-]

That's a very different approach, and a bot user is very different from a regular Telegram account, it won't be nearly as "useful", at least in the way I thought openclaw was supposed to work.

For example, a bot account cannot initiate conversations, so everyone would need to first message the bot, doesn't that defeat the entire purpose of giving openclaw access to it then? I thought they were supposed to be your assistant and do outbound stuff too, not just react to incoming events?

arcwhite 2 hours ago | parent [-]

Once a conversation with a user is established, telegram bots can bleep away at you. Mine pings me whenever it puts a PR up, and when it's done responding to code reviews etc.

embedding-shape an hour ago | parent [-]

Right, but again that's not actually outbound at all, what you're describing is only inbound. Again, I thought the whole point was that the agent could start acting autonomously to some degree, not allow outbound kind of defeats the entire purpose, doesn't it?

CuriouslyC 33 minutes ago | parent | prev | next [-]

If you're really into optimizing:

You don't need to store any credentials at all (aside from your provider key, unless you want to mod pi).

Your claw also shouldn't be able to talk to the open internet, it should be on a VPN with a filtering proxy and a webhook relay.

dakolli 3 hours ago | parent | prev [-]

Genuinely curious, what are you doing with OpenClaw that genuinely improves your life?

The security concerns are valid, I can get anyone running one of these agents on their email inbox to dump a bunch of privileged information with a single email..