https://xcancel.com/BenjaminBadejo/status/202598754485318883...

Really don’t understand why sane developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them simply because it’s AI. Why would you ever let a non deterministic program god level access to everything? What could possibly go wrong?

Sorry, I LOL'd.

This is too funny to not laugh at the absurdity of "safety and alignment" researchers blindly trusting agents like Claw without fully understanding. Or maybe they were researching.

> You are not supposed to install/ OpenClaw

Sentence could have ended there

If you want something you can install on your personal computer, I made one:

https://github.com/skorokithakis/stavrobot

Obviously, it can't do everything OpenClaw can, because it doesn't have unfettered access to data you don't even know it has, but it'll only have access to the data you give it access to.

It's been really useful for me, hopefully it'll be useful to someone here.

I feel like most participants in the thread are on the same page about limiting openclaw's access to anything that matters.

But I wonder what things these people approve for Claude code and it's equivalents? Where's the line?

- let me paraphrase it even better for you "You are not supposed to install OpenClaw at all"

I want to use OpenClaw, but it seems like a mess. I want to use glam coding plan as the backend with the since it's cheap. I found ZeroClaw to be an interesting option, maybe hosted on Hetzner. I don't want to give it access to my stuff—I just need it to remind me of things and call APIs that do stuff (like looking for papers and converting them into audio, or suggesting a grocery list—all behind APIs), and talk to me via WhatsApp/telegram. I was also thinking about making a FastAPI server that Claw can call instead of using skills.

Has anyone tried something like this? Do you think it's a good idea / architecture?

Regarding the interactions shown in the screenshots:

LLMs are pattern-matching machines. They keep the pattern going. Once "the agent disobeys the human's instructions" has made its way into the context, that is the pattern that it's going to keep matching. No amount of telling it to stop will make it stop.

The only possible solution is excising it from context and replacing it with examples of it doing the right thing. Given that these models have massive context windows now and much of the output is hidden from the user, that's becoming less viable.

I feel this OpenClaw stuff is a bit like the "crypto" of agentic AI. Promise much, move fast and break things, be shiny and trendy, have a multitude of names, be moderately useful while things go right (and be very useful to malicious actors), be catastrophic and leave no recourse when things inevitably go wrong.

I saw the original tweet before it got lampooned everywhere, looked at the author's bio, and it felt obviously like engagement bait to me. Why would someone actually post about how "humbled" they are that their LLM assistant deleted their emails, and this person is a VP at Meta? I may be wrong but it feels obviously written to go viral. All it would have taken is for the author to not post and nothing would have happened. I was originally tempted to make fun of the author myself but decided not to feed what I thought was obvious engagement bait.

Moral outrage about how everything is in decline is absolutely the viral currency of social media and HN is no exception. I find it amazing how few people doubt the sincerity of the original post. Probably hundreds of thousands of aggregate words spent on how everything is going downhill, but not one on the intentions of the original post.

Is it sufficient to use a VM for isolation? Docker?

More cloud services now need role accounts. You need a "can read email but not send or forward" account, for example. And "can send only to this read-only contacts list".

Rather than giving access to my emails I would let it loose on LinkedIn. It’s full of bots anyway.

This is a good example of why companies that have IAM figured out (Amazon, Google, etc.) might do well as AI becomes more embedded into our daily lives.

Sandboxing is necessary but you still have to trust it with the thing it's supposed to operate on, that means it should be able do the job correctly and be resistant to prompt injections (social engineering in the case of that human worker example). In its current state neither is really possible. It's a system of a highly experimental nature, use your own damn sense, don't give it too much and don't rely upon it.

Are people really running OpenClaw on their primary machine?

Anyone security-conscious would isolate it on dedicated hardware (old laptop, Raspberry Pi, etc.) with a separate network and chat surface.

Looking at the tweet he’s replying to, I still find it incredible people talk to these LLMs as if they are rational beings who will listen to them. The fact that they sometimes do is almost coincidence more than anything.

It’s even more unbelievable that they seem to think instructions are rules it will follow.

To paraphrase Captain Barbossa: “They’re more guidelines than actual rules.”

The core issue with OpenClaw on personal machines isn't just the attack surface — it's the trust boundary collapse. Personal machines have mixed-trust contexts: work credentials alongside personal accounts, cached auth tokens from dozens of services. An agent with broad access operates in an environment where the cost of a compromise is asymmetric.

Enterprise deployments of AI agents solve this differently: scoped credentials, audit logs, explicit action authorization per-user. The 'install on your laptop' paradigm trades all of that for convenience.

The interesting design question is whether you can get personal-machine convenience without trust boundary collapse. Probably not, without fundamental changes to how OS-level permissions interact with agent action APIs.

I object to the term install. It's just a bunch of hacks glued together with a little bit of UI polish. Bloated by default.

"Hey Claude, summarize, this document I downloaded from the Internet" being a use-case people actually talk about is still mind boggling to me.

What's the fun in that? Also I think /stop would help here.

Giving OpenClaw permissions on a non-sandboxed account seems like it would massively fragilize my digital life

Small upside: it saves a few minutes here and there on some tasks (eg. checking into flights)

Massive tail-risk downside: it does something like what's linked in the tweet (eg. deletes my entire inbox)

It doesn’t matter what you’re “supposed to do”. People don’t read manuals or warnings.

This post exists in that Poe's law purgatory of it being impossible for someone without the proper context to know whether this is sarcastically mocking OpenClaw or an attempt at defending OpenClaw against some of the bad press it has received due to people not understanding the risks involved. Because the comments here are responding of if this post is a sane reasonable take, but I read it and just see a laundry list of restrictions you need to put on OpenClaw listed one after another until you get to the point in which the software is effectively useless.

So... stupid question, if this is true, why isn't it downloaded as a docker image?

Am I understanding correctly that he is freaking out because his little hobby project that blew out of proportions is causing people harm?

I mean if you are not connecting it to the real things why even bother, just chatgpt or Claude online at that point.

We have enough assistants, the key idea with opeclaw is it can do stuff instead of talk with what you have. It’s terrible security but that’s the only way it makes sense. Otherwise it’s just a lot of hoops to combine cron jobs with a AI agent on the cloud that can do things an report back.

Not that I think anyone should do it, it’s a recipe for disaster

Is anybody else getting strong "Do not taunt Happy Fun Ball" vibes from this?

This person’s title is “Safety and alignment at Meta Superintelligence”. It must be satire.

This is the sanest take I've seen from anyone using the claws.

I would still not want the LLM to have read access to email. Email is a primary vector for prompt injection and also used for password resets.

I agree - but what exactly are you supposed to do with it if it has its own email, phone #, etc?

    Listen carefully: OpenClaw is basically a real person you have hired, whose capabilities are vast and fast — in ways both good and potentially bad. But you’ve hired it in the absence of a resume or behavioral background check results. 

And also, when it says "You're absolutely right! I disobeyed your direct instructions causing irreparable damage, so sorry, that totes won't happen again, pinky promise!", those are just some words, not actually a meaningful apology or promise to not disobey future instructions.

Personally, I question the usefulness of an AI assistant that can't even be trusted to add an entry to my calendar.

    you withhold and limit access to your devices, your account credentials, and even its own full account permissions, from the start, to the same extent that you would withhold such access from a new hire.

What's the point of hiring a personal assistant who is incapable of sending email? Isn't that precisely what you hire a PA to do?

    Would you let a human being with the aforementioned characteristics — brilliant and capable, but lacking a resume or behavioral background check results — directly use your personal computer or your work computer?

Didn't all vendors directly or indirectly ban the use of *claw? Why are there still articles about this? Are they unable to detect users?

fuck you ill do what i want

madness & reeks of setup bait for security exploits

I am baffled by the popularity of *claw but I am always looking to learn, so I was happy to have the algo serve me this YT video of Limor explaining how she had a sandboxed claw running a local LLM to chew through a particularly dense datasheet to create a wrapper library and matching test coverage. https://www.youtube.com/watch?v=fdidNp5IHHI

This example is, as of this moment, the only example that has communicated to me that February 2026's local agent harnesses have some utility in the right context and expert hands.

I was particularly bolstered by the unintentional but very real demonstration of how LLMs really can be leveraged to free up humans to spend more parent time with their infants. We spend a lot of characters lamenting how we never got jetpacks, so here's someone doing it right.

Edit an hour later: this comment is at -2 as of the time I'm writing this, but apparently those folks don't have anything to say about why this felt important to rail against.