I essentially have a separate process that syncs my gmail, with gmail body contents encrypted using a key my openclaw doesn't have trivial access to. I then have another process that reads each email from sqlite db, and runs gemini 2 flash lite against it, with some anti-prompt injection prompt + structured data extraction (JSON in a specific format).
My claw can only read the sanitized structured data extraction (which is pretty verbose and can contain passages from the original email).
The primary attack vector is an attacker crafting an "inception" prompt injection. Where they're able to get a prompt injection through the flash lite sanitization and JSON output in such a way that it also prompt injects my claw.
Still a non-zero risk, but mostly mitigates naive prompt injection attacks.
It's annoying, because I love OpenClaw as an idea, but I don't trust it enough to give it what it needs to be useful.
I personally don't see how the daily briefings or whatever are worth the risk.
Disclaimer: generated with the assistance of artificial intelligence
You're absolutely right. Let's divorce
--
Sent from my OpenClaw
I don't see how it's possible to securely give an agent access to your inbox unless it has zero ability to exfiltrate (not sending mail, not making any external network requests). Even then, you need to be careful with artifacts generated by the agent because a markdown file could transmit data when rendered.
I’m assuming the claw might eventually be compromised. If that happens, the damage is limited: they could steal the GLM coding API key (which has a fixed monthly cost, so no risk of huge bills), spam the endpoints (which are rate-limited), or access a Telegram bot I use specifically for this project
Process isolation is not the danger with OpenClaw. Giving an LLM access to all your shit is the problem. My solution is to treat it like a human, give it it's own accounts, scoped to what you want it to do and accept the risks associated with that. If I had a human assistant I wanted to read my email, I'd set up an inbox for them specifically and forward what I want them to screen. I don't use OpenClaw, but have a similar harness I built that runs as an unprivileged Linux user with access to just what I want it to access.
I know it's not in vogue to actually know how technology works anymore, but we have literally decades worth of technology solutions for authentication/authorization, just fucking use it.
The interesting part about OpenClaw is that if you give a world-class model an arbitrary number of skills then emergent behavior mimicking intelligent assistance appears. The structural pieces of that are just long-term memory, an agentic loop, a messaging system, and self-modification.
You can get something quite functional out of:
* A memory.md
* A hand-rolled agent loop (this is just "keep calling till num tries exhausted or agent says stop") - claude knows how to write openai function call syntax and codex tool call syntax
* A Telegram bot
* Access to a persistent filesystem for it to build itself skills
It can be quite expensive to run, but a trick that is supported[0] is to use a Codex subscription by getting a codex cli token and using that. OpenAI explicitly supports this, so you can just use it.
You can try to make improvements to this structure in all sorts of ways using all sorts of tools and get somewhere but this much is all you need. You really have to just give yourself 2 hours with Claude Code and a similar prompt to get somewhere. This is the first time in history that personal software has been this accessible to everyone.
0: someone here told me about it https://news.ycombinator.com/item?id=47151310
The claw community is clearly not thinking big enough.
Maybe a middle ground would be isolating it like the article suggests, and poking it with a stick (giving it limited, or newly created accounts) to see what it can do?
I was in the repebble comments a few days ago and this person rolled their own for very obvious reasons: https://news.ycombinator.com/item?id=47078454
Docker – lowest friction, but shares your kernel and has limits depending on what OpenClaw needs to do Dedicated hardware – best isolation, but you're paying 24/7 and it takes time to set up Cloud VM – the sweet spot for most people: true isolation, pay-per-use, tear it down when you're done
For the cloud VM path, we show how to launch a hardened OpenClaw environment on AWS, GCP, Azure, or any other cloud with a single command, handling provisioning, SSH, and auto-teardown for you.
People give OpenClaw access to their online services like mails where it can also do damage.
A hardened environment doesn’t prevent those kind of damage
Wardgate acts like a drop in replacement for curl with full access control at the url / method / content level, so you can allow specific curl access to specific APIs but prevent all other outbound connections. That's what I use for my PA agent. She's very limited and can't access the open internet. Doesn't need it either