Responding to the tweet quoted in the article: why are the examples given of futuristic capabilities always so visionless - it's always booking a flight or scheduling a meeting. Doing this manually is already pretty trivial, it's more productivity theatre than genuinely life-changing.

There are real, impressive examples of the power of agentic flows out there. Can we up the quality of our examples just a bit?

> Separate Accounts for your OpenClaw

> As I have mentioned, treat OpenClaw as a separate entity. So, give it its own Gmail account, Calendar, and every integration possible. And teach it to access its own email and other accounts. In addition, create a separate 1Password account to store credentials. It’s akin to having a personal assistant with a separate identity, rather than an automation tool.

The whole point of OpenClaw is to run AI actions with your own private data, your own Gmail, your own WhatsApp, etc. There's no point in using OpenClaw with that much restriction on it.

Which is to say, there is no way to run OpenClaw safely at all, and there literally never will be, because the "lethal trifecta" problem is inherently unsolvable.

https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

Not just OpenClaw. Anyone giving an LLM direct access to the system is completely irresponsible. You can't trust what it will do, because it has no understanding. But people don't give a shit, gotta go fast - even if they are going in a bad direction.

My prediction is that OpenClaw will eventually die. But it has provided a small glimpse of the future.The way the average consumers interact with computers will drastically change.

I can envision someone sitting in a park bench with a small set of earphones planning a family trip with their AI. They get home and see the details of it on their fridge. They check with their partner, and then just tell the AI to book it. And it all works.

I probably won’t use it and hate it. I’ll stick to my old ways of booking the trip with my fingers. But those born into it will look at me crazy.

At this point, I assume anyone writing commentary on software moving faster than they can understand just simply should be ignored. So when such commentary is advertising a product worth zero

I have been building a similar concept into my custom NixOS distribution, Keystone, where agents operate within their own user accounts with dedicated emails and SSH access. > It utilizes the Claude, Gemini, and Ollama CLIs. Because it is built directly into the OS, it seamlessly integrates with native notes and records calls. Furthermore, an AI agent can access Immich to deduce my context by analyzing image metadata and tagged faces. It features dedicated calendars for task scheduling and native PDF extraction capabilities. The entire system is declarative via NixOS, allowing it to provision itself almost entirely automatically.

https://github.com/ncrmro/keystone

Didn't Nvidia create the safer version basically?

It is, but I thought security wasn't the point.

The point was to give it unlimited access to your entire digital life and while I'd never use it that way myself, that's what many users are signing up for, for better or worse.

Obviously, OpenClaw doesn't advertise it like that, but that's what it is.

Needless to say, OpenClaw wasn't even the first to do this. There were already many products that let you connect an AI agent to Telegram, which you could then link to all your other accounts. We built software like that too.

OpenClaw just took the idea and brought it to the masses and that's the problem.

I'm using openclaw for a personal development system running obsidian. It doesn't have access to anything else. Having an LLM trigger based on crons is very powerful and helps with focus and organizing.

The security risks of this setup are lower than most openclaw systems. The real risks are in the access you give it. It's less useful with limited access, but still has a purpose.

I know a guy using openclaw at a startup he works at and it's running their IT infrastructure with multiple agents chatting with each other, THAT is scary.

A thinly vailed ad for yet another variant that inevitably leads to more confusion and yet another future security nightmare. The authors (should) know better. No, the purpose of OpenClaw is not to immediately give it all your private accounts and live in bliss and no, their system is not better long term than following the mainline developments that have enough eyes (and bots) on them by now.

I'd argue there's really no way to make OpenClaw truly safe, no matter what you do. The only place it really makes sense is within trusted environments, like B2B coordination or tightly controlled processes between systems that share the same assumptions.

The moment it steps outside that boundary, you're sending the bot into unpredictable territory. At that point, things can get ambiguous pretty quickly, and in some cases even adversarial.

Wasn’t the point of openclaw to YOLO your credentials to the internet?

Only ever a creative prompt injection away from a leak.

Saw some smarter people using credential proxies but no one acknowledges the very real risk that their “claws” commit cyber crime on their behalf once breached.

I wonder just how many are compromised and waiting on a command that hasn't been given yet

The overlap between the target audience for openclaw in spite of its attack surface, and the audience that considers a mac mini to be a sandbox while handing over the keys to their digital life is a Venn Eclipse.

I'm a heavy OpenClaw user and I've been testing it in many different scenarios — the profundity of what I can do with it now is crazy. It's literally automating my life. Being AuDHD, OpenClaw feels like a big relief. The positive sides are amazing. The downsides... well, as with any security and any LLM, they're all prone to the same problems discussed here. Having Claude Code on yolo mode exposes you to the exact same risks

What are the pros of using openclaw?

Using telegram? Being able to automatically create calendar events based on emails?

Agreed! Made my own OpenClaw variant based on many of the same principles. It takes Simon Willies lethal trifecta and implements it to an OpenClaw like architecture.

https://www.tri-onyx.com/

What annoys me most about OpenClaw after trying it for a few weeks is that it cosplays security so incredibly hard, it actually regularly breaks my (very basic) setup via introducing yet another vibe coded, poorly conceptualized authentication/authorization/permission layer, and at the same time does absolutely nothing to convince me that any of this is actually protecting me of anything.

Maybe this idea is lost on 10^x vibecoders, but complexity almost always comes at a cost to security, so just throwing more "security mechanisms" onto a hot vibe-coded mess do not somehow magically make the project secure.

Have you tried NemoClaw? Not endorsing it; just enquiring. Nvidia is claiming to provide guardrails with that.

I love how despite all this, the author still uses the language:

> We’re simply not there yet to let the agents run loose

As if there aren’t fundamental properties that would need to change to ever become secure.

One thing I'd like to critisize - although I can agree that skill security is a real problem, but the solution is not to restrict yourself from using them, but to rely on the community: reviews, likes/dislikes, maybe having the skills curated. We need some trust signals. Also, since markdown files are auditable by design - your agent might actually verify them before running - provided you're using something like GPT-5.4 on high reasoning.

Related: https://news.ycombinator.com/item?id=47475997

I would like a personal assistant on my phone that, based on my usual routine and my exact position, can tell me (for example) which bus will get me home the quickest off the ferry, whether the bridge is clogged with traffic, do I need an umbrella? what's probably missing from my fridge, time to top up transit pass, did I tap in? etc etc. These things would appear on my lock screen when I most probably need to know them.

No email stuff, no booking things, no security problems.

Should have said this was a fear to promote a b2b sass "TrustClaw"

This read like an AI generated piece and seems to be an advertisement for their product.

As a site for people curious about technology, where is the sense of adventure?

People are inventing the future of human/ai interaction themselves because big tech could not do it within their own constraints.

Don't get me wrong, those constraints are there for a reason, but the hacker mentality seems muted lately.

undefined

One more "AI is a security threat" post gets to the top of HN.

>it can read my text messages, including two-factor authentication codes. it can log into my bank. it has my calendar, my notion, my contacts. it can browse the web and take actions on my behalf. in theory, clawdbot could drain my bank account. this makes a lot of people uncomfortable (me included, even now).

I think it's interesting that if this was a normal program this level of access would be seen as utterly insane. A desktop software could use your cookies to access your gmail account and automatically do things (if you didn't want to use the e-mail protocols that already exist for this kind of stuff), but I assume the average developer simply wouldn't want to be responsible for such thing. Now, just because the software is "AI," nothing matters anymore?

The security issues in OpenClaw is not even the main issue, the hype will die if there is no monetary incentive. Like I said before:

If you are spending more money on tokens than the agents are making you money (or not), then it is unfortunately all for nought.

The question is, who is making money on using Openclaw other than hosting?

> In 2025, the number of data compromises in the United States stood at 3,322 cases. Meanwhile, over 278.83 million individuals were affected in the same year by data compromises, including data breaches, leakage, and exposure. While these are three different events, they have one thing in common. As a result of all three incidents, the sensitive data is accessed by an unauthorized threat actor.

Source: https://www.statista.com/statistics/273550/data-breaches-rec...

Between the number of public hacks, and the odious security policies that most orgs have, end users are fucking numb to anything involving "security". We're telling them to close the door cause it's cold, when all the windows are blown out by a tornado.

Meanwhile, the people who are using this tool are getting it to DO WHAT THEY WANT. My ex, is non technical, and is excited that she "set up her first cron job".

The other "daily summaries" use case is powerful. Why? Because our industry has foisted off years of enshitification on users. It declutters the inbox. It returns text free of ads, adblock, extra "are you a human" windows, captchas.

The same users who think "ai is garbage at my work" are the ones who are saying "ai is good at stripping out bullshit from tech".

Meanwhile we're arguing about AI hype (sam Altman: AGI promises) and hate (AI cant code at all).

The last time our industry got things this wrong, was the dot com bubble.

Meanwhile none of these tools have a moat (Claude is the closest and it could get dethroned every day). And we're pouring capital into this that will result in an uber like price hike/rug pull, till we scale the tools down (and that is becoming more viable).

I guess nobody cares?

[dead]

undefined

[flagged]

[flagged]

Yes, yes it is. And it's amaaaazing. We're going to have lots of sharp edges getting stuff like this secured, but it is not going to go away. Too useful.