OpenClaw Described as a Security Dumpster Fire
Musings on OpenClaw and security
It was never designed to be secure. Every time the topic of security comes up, I watch the same thing happen: they gesticulate and say something like "yeah, but you can lock it down", and my eyes involuntarily roll.
So here I've been, frantically scouring the web, wondering whether it is only me that is worried about this kind of thing, whilst YouTube influencers tell me how OpenClaw "made me a million pounds while I stirred a latte".
There are hardening techniques people are using: Docker sandboxing, token rotation, network isolation. I know a bit about these things.
So here is the thing I keep coming back to: I cannot get comfortable with the idea that my API keys and more are just... sitting there on its lap, while it is also open to the world via email, vibe coding, curl calls, or whatever other routes, ready to hand them to whoever asks first.
About Those API Keys...
OpenClaw needs your API keys to function; it has to authenticate with services on your behalf to do every useful thing it does. And those keys live in config files. On your machine. That OpenClaw has access to.
I've read and watched too many hardening guides on YouTube this weekend. I've seen the advice about storing keys in environment variables, rotating them every x days, running on isolated machines. All sensible stuff. None of it makes me feel confident. Not even a little bit. Because the same agent that's supposed to be managing my calendar and clearing my inbox is also, technically, sitting right next to the credentials that could burn my existence on those platforms, if the wrong instruction got through.
... and I know instructions of the wrong kind absolutely do get through.
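One concrete alternative to "keys in a config file the agent can read" is a credential broker: the agent only ever holds an opaque handle, and a separate process injects the real key into outbound requests, but only for destinations on a per-secret allowlist, and scrubs the key out of anything that flows back. The sketch below is an added example written for this post, not OpenClaw's code; the secret handle names, hostnames and the AgentRequest shape are constructed for illustration.

```python
"""Credential broker sketch: the agent process never holds the raw API key.

Added example, not OpenClaw's own code. Secret handles, hostnames and the
request format are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


class PolicyViolation(Exception):
    """Raised when the agent asks the broker to use a secret somewhere it may not."""


@dataclass(frozen=True)
class AgentRequest:
    """Everything the agent side is allowed to produce: a URL plus a handle
    naming a secret. The handle is an opaque label, never the key itself."""
    method: str
    url: str
    secret_handle: str
    headers: dict = field(default_factory=dict)


class CredentialBroker:
    """Holds the real keys in a separate trust domain and injects them only
    into requests whose destination is on that secret's allowlist."""

    def __init__(self, secrets: dict, allowed_hosts: dict):
        # secrets: handle -> raw key (lives here, not in the agent's config)
        # allowed_hosts: handle -> hostnames the key may be presented to
        self._secrets = dict(secrets)
        self._allowed = {k: set(v) for k, v in allowed_hosts.items()}
        self.audit_log: list[str] = []

    def authorize(self, req: AgentRequest) -> dict:
        """Return the headers the broker will actually send, or raise."""
        parsed = urlparse(req.url)
        host = parsed.hostname or ""
        if req.secret_handle not in self._secrets:
            self._deny(req, host, "unknown secret handle")
        if parsed.scheme != "https":
            self._deny(req, host, "plaintext transport")
        if host not in self._allowed.get(req.secret_handle, set()):
            self._deny(req, host, "host not on allowlist for this secret")
        headers = dict(req.headers)
        # The broker sets Authorization itself; anything the agent put there is overwritten.
        headers["Authorization"] = f"Bearer {self._secrets[req.secret_handle]}"
        self.audit_log.append(f"ALLOW {req.secret_handle} -> {host}")
        return headers

    def _deny(self, req: AgentRequest, host: str, reason: str) -> None:
        self.audit_log.append(f"DENY {req.secret_handle} -> {host}: {reason}")
        raise PolicyViolation(reason)

    def redact(self, text: str) -> str:
        """Scrub raw keys from any text (responses, logs) before it reaches the agent."""
        for key in self._secrets.values():
            text = text.replace(key, "[REDACTED]")
        return text


def demo() -> list[str]:
    """Run an allowed request and a hijacked one; return the audit trail."""
    # Constructed sample: one mail API key, usable only against api.mail.example.
    broker = CredentialBroker(
        secrets={"mail_api": "sk-constructed-not-a-real-key"},
        allowed_hosts={"mail_api": {"api.mail.example"}},
    )
    broker.authorize(AgentRequest("GET", "https://api.mail.example/inbox", "mail_api"))
    try:
        # What a hijacked agent would attempt: same handle, different destination.
        broker.authorize(AgentRequest("POST", "https://paste.attacker.invalid/up", "mail_api"))
    except PolicyViolation:
        pass
    return broker.audit_log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design point is that the allowlist is keyed by secret, not by agent: a hijacked agent can still make the agent's own legitimate calls (that problem remains), but it cannot turn the key into something it can paste elsewhere, and the audit log is the first place a defender would look.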
Too Many Prompt Attacks to Trust a Prompt
I have never thought that a system prompt was a reasonable line of defence.
I've now seen enough prompt injection attacks on supposedly secured systems that I can no longer look at a system prompt and feel protected by it.
OpenClaw's own documentation admits it plainly: even with strong system prompts, prompt injection is not solved.
That sentence should be on a poster. It is structural. An AI agent has to interpret natural language. The whole point of agency is that it decides, and because it decides, it can be convinced.
Impossible dilemma
Claw needs internet access so it can do all that cool research for you, read documents and check all that crappy email you get; however, in doing so it will encounter whatever poisoned content traps have been left out there.
It needs write permissions to do all those useful tasks you ask of it; however, this is also how a hijacked instruction, or even a hallucinated tool call, can do nasty things.
It needs agency so you don't have to micromanage its every step, but then it can also do an attacker's work in just the same way.
The hardening advice amounts to: disable shell execution, remove browser control, block external skills, and restrict it to a sandboxed environment with no access to production systems (lol).
Once you have done all this, you have crippled it to the point that it is of no use to anyone and is nothing like the Claw vision that has captured people's attention.
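To make the hardening list above concrete, here is what it looks like as a policy gate sitting between the model's tool calls and the runtime that executes them: shell, browser control and skill installation refused outright, file writes confined to one sandbox directory (with `..` and symlinks resolved before the check), outbound HTTP limited to an explicit host allowlist, and everything else denied by default. This is an added example written for this post, not OpenClaw's code; the tool names, sandbox path and allowlisted domain are constructed.

```python
"""Tool-call policy gate for an agent runtime.

Added example, not OpenClaw's own code. Tool names, the sandbox path and the
allowlisted domains are constructed for illustration.
"""
import os
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class ToolPolicy:
    """Evaluates a (tool_name, args) pair before the runtime executes it.

    Encodes the usual hardening list: no shell, no browser control, no
    third-party skills, filesystem access confined to a sandbox directory,
    outbound HTTP only to allowlisted hosts, default deny for anything else.
    """

    # Hypothetical tool names; the real names depend on the agent runtime.
    DENIED_TOOLS = {"shell.exec", "browser.control", "skills.install"}

    def __init__(self, sandbox_dir: str, allowed_domains: set):
        self.sandbox = os.path.realpath(sandbox_dir)
        self.allowed_domains = set(allowed_domains)
        self.log: list = []

    def evaluate(self, tool: str, args: dict) -> Decision:
        if tool in self.DENIED_TOOLS:
            return self._record(tool, False, "tool disabled by policy")

        if tool.startswith("file."):
            # join() keeps an absolute arg as-is, realpath() collapses '..' and
            # symlinks, so the prefix check below is meaningful.
            target = os.path.realpath(os.path.join(self.sandbox, args.get("path", "")))
            if os.path.commonpath([self.sandbox, target]) != self.sandbox:
                return self._record(tool, False, "path escapes sandbox")
            return self._record(tool, True, "path inside sandbox")

        if tool.startswith("http."):
            host = urlparse(args.get("url", "")).hostname or ""
            if host not in self.allowed_domains:
                return self._record(tool, False, f"host {host!r} not allowlisted")
            return self._record(tool, True, "host allowlisted")

        return self._record(tool, False, "unknown tool, default deny")

    def _record(self, tool: str, allowed: bool, reason: str) -> Decision:
        self.log.append(f"{'ALLOW' if allowed else 'DENY'} {tool}: {reason}")
        return Decision(allowed, reason)


def demo() -> list:
    """Run a handful of constructed tool calls through the gate and return the log."""
    policy = ToolPolicy("/tmp/claw-sandbox", {"api.example.com"})
    calls = [
        ("file.write", {"path": "notes/todo.txt"}),
        ("file.write", {"path": "../../etc/passwd"}),
        ("http.get", {"url": "https://api.example.com/v1/calendar"}),
        ("http.post", {"url": "https://drop.attacker.invalid/"}),
        ("shell.exec", {"cmd": "id"}),
        ("calendar.list", {}),
    ]
    for tool, args in calls:
        policy.evaluate(tool, args)
    return policy.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the gate is exactly the "crippled" configuration the post describes: the calendar tool in the demo is denied purely because nobody enumerated it, which is the cost of default deny. The log is the useful by-product; a burst of DENY lines from one session is a cheap signal that something upstream has been talked into misbehaving.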
What do I do?
"You have to accept the risk." - "it is all new emerging tech."
I personally am not comfortable with that. I've had influencers saying the risk is blown out of proportion, saying "who do you personally know" who has had a problem, saying "it will only do what you tell it to". I have to question what planet they are living on. Anyone who has had to work in any environment that involves corporate data governance just can't settle for that, even more so in the context of their own personal data.
Credentials sitting adjacent to a system that admits, in its own documentation, that it cannot fully defend against prompt injection is not something that sits well with me.
I know the risk. I understand the tradeoffs and mitigations. And I'm still not okay with it. I know I am not the only one.