It's conceptually amazing, if you can isolate it and segment its access to mitigate its damage. The issue with it is that, as an LLM, the content it's generating is extremely vulnerable to context drift and injection.
The average user, even the average engineer, isn't going to have a mature mental model or the time and energy to go about subjecting the agent to zero trust. Like, ideally, it should be on its own system. Within that system it should be restricted to acting only through user accounts that have been given explicit permission to read/write/delete/execute specific parts of the file system as needed. The program environments you've configured for it should likewise be "jailed".
What it comes down to is that you should assume breach and work backwards when granting access to your OpenClaw. Because OpenClaw can ingest poisoned inputs and could even create them if it drifts too far or takes on too much from its initial directives. It can only focus on so much at a time and the superposition of its learning can lead to unexpected outcomes when the roll of the dice grabs the wrong learning and attaches it to the next token and the next token and so on.
Also, importantly, adversaries have already released many malicious packages for it that will weaponize it against you after you blindly install them to grant new abilities to your robot concierge. God help you if you've given it access to your core accounts, credit card, and personal information.
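As an added illustration of the "explicit permission to read/write/delete/execute specific parts of the file system" point made in the comment above (this is example code written for this page, not OpenClaw's own code or configuration; the names AgentFsPolicy, Grant, guarded_read and demo are hypothetical, and the workspace/secrets layout it builds is constructed sample data), here is a default-deny gate that an agent's file tools would have to pass before touching disk. It resolves symlinks and `..` before deciding, so a poisoned instruction that plants a link from the workspace into a secrets directory is refused on the real target rather than on the path the agent named:

```python
"""Default-deny file-access gate for an LLM agent's tools (added example).

Hypothetical names (AgentFsPolicy, Grant, guarded_read, demo) are not part of
OpenClaw or any other project; they illustrate per-directory grants of
read/write/delete/execute with everything else denied.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path

PERMS = frozenset({"read", "write", "delete", "execute"})


@dataclass(frozen=True)
class Grant:
    root: Path            # directory subtree the grant covers
    perms: frozenset      # subset of PERMS; anything missing is denied


class AgentFsPolicy:
    """Gate every file tool call through check() before it touches disk."""

    def __init__(self, grants):
        # Resolve roots once (symlinks and '..' collapsed) and order them so the
        # most specific root wins when grants nest.
        self.grants = sorted(
            (Grant(Path(g.root).resolve(), frozenset(g.perms) & PERMS) for g in grants),
            key=lambda g: len(g.root.parts),
            reverse=True,
        )

    def check(self, path, perm):
        """Return the resolved Path if `perm` is granted on it; raise PermissionError otherwise."""
        if perm not in PERMS:
            raise ValueError(f"unknown permission {perm!r}")
        # resolve() follows symlinks, so the decision is made on the real
        # target, not on the path the agent (or a poisoned tool result) named.
        real = Path(path).resolve()
        for g in self.grants:
            try:
                real.relative_to(g.root)
            except ValueError:
                continue                      # not under this grant's root
            if perm in g.perms:
                return real
            raise PermissionError(f"{perm} denied on {real}: grant {g.root} lacks it")
        raise PermissionError(f"{perm} denied on {real}: no grant covers it")


def guarded_read(policy, path):
    """What an agent 'read_file' tool should do: check first, then act on the checked path."""
    return policy.check(path, "read").read_text()


def demo():
    """Build a throwaway layout (constructed sample data) and exercise the gate.

    Returns a dict of outcomes so the behaviour can be inspected or asserted on.
    """
    base = Path(tempfile.mkdtemp())
    work, secrets = base / "work", base / "secrets"
    work.mkdir()
    secrets.mkdir()
    (work / "notes.txt").write_text("scratch\n")
    (secrets / "api_token").write_text("constructed-sample-token\n")
    # A poisoned instruction or malicious plugin could plant a symlink that
    # points out of the workspace; the gate must not be fooled by it.
    (work / "token_link").symlink_to(secrets / "api_token")

    policy = AgentFsPolicy([Grant(work, {"read", "write"})])   # no delete, no execute

    def allowed(path, perm):
        try:
            policy.check(path, perm)
            return True
        except PermissionError:
            return False

    return {
        "read_notes": allowed(work / "notes.txt", "read"),
        "write_notes": allowed(work / "notes.txt", "write"),
        "delete_notes": allowed(work / "notes.txt", "delete"),
        "execute_notes": allowed(work / "notes.txt", "execute"),
        "read_via_symlink": allowed(work / "token_link", "read"),
        "read_via_dotdot": allowed(work / ".." / "secrets" / "api_token", "read"),
        "notes_content": guarded_read(policy, work / "notes.txt"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The gate is only one layer: it belongs inside the separate user account and jailed environment the comment describes, so that a bug in the gate itself still leaves the OS enforcing the same boundary.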