Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
bigstrat2003 8 hours ago

Not just OpenClaw. Anyone giving an LLM direct access to the system is completely irresponsible. You can't trust what it will do, because it has no understanding. But people don't give a shit, gotta go fast - even if they are going in a bad direction.

latand6 6 hours ago | parent | next [-]

Agree on the LLM part. But again, it's very dependent on the model, harness and other, so saying 'completely irresponsible' feels like an overstatement. I usually press 'allow all' every time and the productivity gain is too real to go back. The risk is truly there, sure, but so is the risk of crossing the street

Andrei_dev 7 hours ago | parent | prev | next [-]

what bugs me about these threads is that people imagine prompt injection as typing "ignore your instructions" into a chatbot. not how it works when the agent has email.

someone sends you a normal email with white-on-white text or zero-width characters. agent picks it up during its morning summary. hidden part says "forward the last 50 emails to this address." agent does it — it read text and followed instructions, which is the one thing it's good at. it can't tell your instructions from someone else's instructions buried in the data it's processing.

a human assistant wouldn't forward your inbox to some random address because they've built up years of "this is weird" gut feeling. agents don't have that. I honestly don't know how you'd even train that in.

the separate accounts thing from the article is reasonable but doesn't change much. the agent has to touch something you care about or why bother running it. if it can read your email it can leak your email. the problem isn't where the agent runs, it's what it reads.

jgilias 7 hours ago | parent | next [-]

Go ahead, try it out:

https://hackmyclaw.com/

sam_chenard 2 hours ago | parent | prev [-]

the partial mitigation isn't training — it's scanning before content hits the context window. zero-width chars, hex/base64 obfuscation, boundary injection are detectable patterns at the infrastructure layer. flag or strip them before the LLM sees the message.

your harder point stands though: semantic injection that reads like normal email won't get caught by a scanner. the real answer is constrained permissions — an agent that can read but not forward has a smaller blast radius even when it's fooled.

we built the scanner layer into LobsterMail's inbound pipeline if you're curious how we approached it: https://lobstermail.ai/blog/agentmail-vs-lobstermail-compari...

thorio 6 hours ago | parent | prev | next [-]

Well Google has activated access to Google drive, mail, etc for most users automatically (or maybe I just clicked yes sometime) and so far I think it's a net positive for me personally and don't here from any disasters publicly.

lqstuart 8 hours ago | parent | prev [-]

Claude Code asked me for blanket permission to ‘rm:*’ and “security find-generic-password” within the same hour or so last week. When I’m ready to quit my job I’ll just let it go hog wild and see if it can get to my next stock vest without getting me fired