IronClaw’s security architecture sounds plausible, but I have not audited it. Plugins can only access remote endpoints you’ve specifically allowed it for. Secrets aren’t available to the LLM - they are injected where the LLM requires it but only secrets authorized for that plugin are available to it. Together those two things provide an answer to a huge range of the most common prompt injection vulnerabilities, such as credential extraction. So you can give it access to your bank account and email and it can’t email your bank password to an attacker. But it could still transfer money to them.

The only secure way to use any of these tools is to give them very limited access - if they need a credit card give them a virtual card with a low limit, or even its own bank account. They can send email but only from their own account; like a human personal assistant. But of course this requires careful thought and adds friction to every new task, so people won’t be doing it.