These examples have mostly been in situations with multiple users sharing a server, or other situations where the presence of one or more OpenClaw instances is known. It’s not a likely scenario with one OpenClaw on a private computer with the safeguards I noted.
One possible scenario coming to my mind:
- LLMs are quite good at detecting unknown security vulnerabilities, according to a recent study
- OpenClaw requires basically unlimited access and is able to write code
Now a prompt injection might be sufficient to break out of the container or sandbox and to gain higher privileges. And I’m sure that people with sufficient criminal energy are investigating this, or maybe are even already using it, in much more sophisticated ways.
But of course the most common security concerns are currently just insecure setups or skills.
I think that’s a good summary.
The cases we read about are researchers pushing OpenClaw to the extreme - just like there have been stories about ChatGPT recommending someone commit suicide. That is not going to stop me from using ChatGPT or letting my kids use it.
It is clearly true that OpenClaw needs more isolation from your personal filesystem than most apps - just like you childproof a house with young children. But at base OpenClaw is not malevolent software trying to break free and destroy the world. The verified bad outcomes from OpenClaw are almost all from people with clearly unsafe security configurations or who prompt it to do extreme autonomous tasks without reasonable supervision.
Another way to experiment with OpenClaw is a cloud host such as KiloClaw. For basic web research or Reminders independent of any private data this would eliminate most risk.
If you want to use Devonthink to archive its output you could give it access to one specific Dropbox folder and then index that folder in Devonthink.
That’s a pretty low-risk way to get a feel for what it can do before deciding whether to run it on your actual desktop.
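One way to enforce the "one specific folder" restriction mentioned above at the tool layer, as an added example that is not OpenClaw, KiloClaw or Devonthink code. It assumes the agent writes files through a `write_file` tool you control (a hypothetical name) and that you point that tool at a single allowed folder; it canonicalises paths so that `..` segments, absolute paths and symlinks planted inside the folder cannot redirect a write elsewhere.

```python
"""Confine an agent's file-writing tool to one allowed folder.

Added example, not code from OpenClaw, KiloClaw or Devonthink. Assumption:
the agent calls a write_file(root, path, data) tool you control, and `root`
is the one Dropbox (or other) folder you chose to expose. The tool name and
folder layout below are hypothetical.
"""
import os
import tempfile


class PathEscape(Exception):
    """Raised when a requested path resolves outside the allowed folder."""


def resolve_inside(root: str, requested: str) -> str:
    """Return the canonical absolute path for `requested` if it stays inside `root`.

    Both root and candidate are passed through os.path.realpath, so `..`
    segments and symlinks (including a symlinked directory an injected prompt
    might have created inside the folder) are resolved before the containment
    check. Relative requests are interpreted relative to the root, never the
    process's working directory.
    """
    real_root = os.path.realpath(root)
    candidate = requested if os.path.isabs(requested) else os.path.join(real_root, requested)
    real_path = os.path.realpath(candidate)
    # commonpath is used instead of startswith so that "/data/agent" does not
    # accidentally admit "/data/agent-private".
    if real_path == real_root or os.path.commonpath([real_root, real_path]) != real_root:
        raise PathEscape(f"{requested!r} resolves to {real_path!r}, outside {real_root!r}")
    return real_path


def write_file(root: str, requested: str, data: bytes) -> str:
    """Write `data` to `requested` only if it is confined to `root`; return the real path."""
    path = resolve_inside(root, requested)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Build a constructed sandbox folder and report which requests get through.

    The folder names and the planted symlink are constructed for the demo; the
    symlink stands in for a link an agent under prompt injection could create
    inside its allowed folder to reach data outside it.
    """
    work = tempfile.mkdtemp()
    root = os.path.join(work, "agent-dropbox")   # the one folder the agent may use
    outside = os.path.join(work, "private")      # everything else on the machine
    os.makedirs(root)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(root, "link"))  # constructed escape attempt

    results = {}
    for req in ["notes/today.md", "../private/secret.txt", "link/secret.txt", "/etc/passwd"]:
        try:
            write_file(root, req, b"research output")
            results[req] = "written"
        except PathEscape:
            results[req] = "blocked"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{outcome:8} {req}")
```

Only the plain relative path inside the folder is written; the `..` traversal, the symlink-in-folder and the absolute path are all rejected before anything touches the disk. The check is done once at write time, so it does not defend against a race where a directory is swapped for a symlink between the check and the write; for that, run the tool inside a container or sandbox with only that folder mounted, which is the isolation the thread is recommending anyway.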