IMO the security pitchforking on OpenClaw is just so overdone. People who give no consideration to the implications will inevitably get burned, as we saw with the reddit posts along the lines of "Agentic Coding tool X wiped my hard drive and apologized profusely". I work at a FAANG, and every time you try something innovative the "policy people" will climb out of their holes and put random roadblocks in your way, not for the sake of actual security (that would be fine, but would require actual engagement) but just to feel important. This whole episode reminds me of that.
> every time you try something innovative the "policy people" will climb out of their holes and put random roadblocks in your way
This is so relatable. I remember trying to set up an LLM gateway back in 2023. There were at least 3 different teams that blocked our rollout for months until they worked through their backlog. "We're blocking you, but you’ll have to chase and nag us for us to even consider unblocking you"
At the end of all that waiting, nothing changed. Each of those teams wrote a document saying they had a look and were presumably just happy to be involved somehow?
This may be a good place to exchange some security ideas. I've configured my OpenClaw in a Proxmox VM, firewalled it off from my home network so that it can only talk to the open Internet, and I don't store any credentials that aren't necessary: pretty much only the needed API keys and the Signal linked-device credentials. The models that can run locally do run locally, for example Whisper for voice messages or embedding models for semantic search.
Genuinely curious, what are you doing with OpenClaw that genuinely improves your life?
The security concerns are valid: I can get anyone running one of these agents on their email inbox to dump a bunch of privileged information with a single email.
I think the security worries are less about the particular sandbox or where it runs, and more about the fact that if you give it access to your Telegram account, it can exfiltrate data and cause other issues. But if you never hand it access to anything, obviously it won't be able to do any damage, unless you instruct it to.
Work expands to fill the allocated resources in literally everything. This same effect can be seen in software engineering complexity more generally, but also government regulators, etc. No department ever downsizes its own influence or budget.
The actual content: https://xcancel.com/karpathy/status/2024987174077432126
He also talks about picoclaw (an IoT solution) and nanoclaw (running on your phone in Termux); both have tiny code bases.
I wonder how long it'll take (if it hasn't already) until the messaging around this inevitably moves on to "Do not self-host this, are you crazy? This requires console commands, don't be silly! Our team of industry-veteran security professionals works on your digital safety 24/7, you would never be able to keep up with the demands of today's cybersecurity attack spectrum. Any sane person would host their claw with us!"
Next flood of (likely heavily YC-backed) Clawbase (Coinbase but for Claws) hosting startups incoming?
What exactly are they self hosting here? Probably not the model, right? So just the harness?
That does sound like the worst of both worlds: you get the dependency and data-protection issues of a cloud solution, but you also have to maintain a home server to keep the agent running.
In a sense, self-hosting it (and I would argue for a personal rewrite) is the only way to limit some of the damage.
So what is a "claw" exactly?
An AI that you let loose on your email, etc.?
And we run it in a container and use a local LLM for "safety", but it has access to all our data and the web?
I think for me it is an agent that runs on some schedule, checks some sort of inbox (or not) and does things based on that. Optionally it has all of your credentials for email, PayPal, whatever so that it can do things on your behalf.
Basically cron-for-agents.
Before, we had to go prompt an agent to do something right now, but this allows them to be async, with more of a YOLO outlook on permissions to use your creds, and a more permissive SI.
Not rocket science, but interesting.
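The cron-for-agents loop described above can be sketched in a few lines. This is a hedged illustration, not OpenClaw's actual implementation; `check_inbox` and `handle` are hypothetical stand-ins for whatever channel and agent you wire in:

```python
import time

def run_agent_loop(check_inbox, handle, poll_interval_s=60.0, max_polls=None):
    """Cron-for-agents: wake up, check an inbox, act on anything new, sleep, repeat.

    check_inbox() returns a list of new items; handle(item) lets the agent
    act on one item. max_polls only exists to make the loop finite for tests.
    """
    polls = 0
    while max_polls is None or polls < max_polls:
        for item in check_inbox():
            handle(item)
        polls += 1
        time.sleep(poll_interval_s)
```

An events model would replace the sleep/poll pair with a callback registered on the messaging platform, so the agent only wakes when something arrives.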
Cron would be for a polling model. You can also have an interrupts/events model that triggers it on incoming information (e.g. a new email, a WhatsApp message, an incoming bank payment, etc.).
I still don't see a way this wouldn't end up with my bank balance being sent to somewhere I didn't want.
Definitely interesting, but I mean, giving it all my credentials doesn't feel right. Is there a safe way to do so?
In a VM or on a separate host, with access to specific credentials for a very limited purpose.
In any case, any data provided to the agent must be considered compromised and/or leaked.
My 2 cents.
Ideally the workflow would be some kind of OAuth with token expirations and some kind of mobile notification for refresh.
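A minimal sketch of that idea, assuming nothing about any particular OAuth provider: the agent holds only a short-lived token, and anything past expiry forces a trip back to the human. The class and method names here are made up for illustration:

```python
import time

class ExpiringToken:
    """Short-lived credential handed to the agent. Once the TTL passes,
    every use fails until a human re-authorizes (e.g. via a push notification)."""

    def __init__(self, value, ttl_s):
        self.value = value
        self.expires_at = time.monotonic() + ttl_s

    def get(self):
        if time.monotonic() >= self.expires_at:
            raise PermissionError("token expired; human re-authorization required")
        return self.value

    def refresh(self, new_value, ttl_s):
        # Called only after the human approves the refresh on their phone.
        self.value = new_value
        self.expires_at = time.monotonic() + ttl_s
```

The point is that a leaked token has a bounded blast radius: whatever the agent (or a prompt injection) does with it stops working once the TTL runs out.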
A claw is an orchestrator for agents with its own memory, multiprocessing, job queue and access to instant messengers.
That's it basically. I do not think running the tool in a container really solves the fundamental danger these tools pose to your personal data.
You could run them in a container and put access to highly sensitive personal data behind a "function" that requires a human-in-the-loop for every subsequent interaction. E.g. the access might happen in a "subagent" whose context gets wiped out afterwards, except for a sanitized response that the human can verify.
There might be similar safeguards for posting to external services, which might require direct confirmation or be performed by fresh subagents with sanitized, human-checked prompts and contexts.
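That human-in-the-loop gate can be sketched as below, with hypothetical fetch/summarize/approve callables; the key property is that the raw data never outlives the call, only the approved summary does:

```python
def guarded_access(fetch_sensitive, summarize, approve):
    """Run a sensitive fetch in a throwaway context.

    fetch_sensitive() returns the raw data, summarize(raw) produces a
    sanitized string, and approve(summary) is the human's yes/no. Only an
    approved summary flows back to the main agent's context; the raw data
    is dropped when this frame returns.
    """
    raw = fetch_sensitive()
    summary = summarize(raw)
    if not approve(summary):
        return None  # human rejected: nothing reaches the agent
    return summary
```

In a real system the fetch would run in a separate subagent or process so the main agent's context genuinely never sees the raw data; this single-process version only illustrates the data flow.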
Karpathy has a good ear for naming things.
"Claw" captures what the existing terminology missed: these aren't agents with more tools (maybe even the opposite), they're persistent processes with scheduling and inter-agent communication that happen to use LLMs for reasoning.
He didn't name it though, Peter Steinberger did. (Kinda.)
Why do we always have to come up with the stupidest names for things? Claw was a play on Claude, is all. Granted, I don’t have a better one at hand, but that it has to be Claw of all things…
> I don’t have a better one at hand
Perfect is the enemy of good. Claw is good enough. And perhaps there is utility to neologisms being silly. It conveys that the namespace is vacant.
The real-world cyberpunk dystopia won’t come with cool company names like Arasaka, Sense/Net, or Ono-Sendai. Instead we get childlike names with lots of vowels and alliteration.
The name still kinda reminds me of the self-replicating murder drones from Screamers that would leap out from the ground and chop your head off. ;-)
He also talks about picoclaw, which even runs on $10 hardware and is a fork by Sipeed, a Chinese company that does IoT.
https://github.com/sipeed/picoclaw
Another Chinese company, M5Stack, provides local LLMs like Qwen2.5-1.5B running on a local IoT device.
https://shop.m5stack.com/products/m5stack-llm-large-language...
Imagine the possibilities. Soon we will see claw-in-a-box for less than $50.
There's a gap in the market here - not me but somebody needs to build an e-commerce bot and call it Santa Claws
Why is this linking to a blog post of what someone said, instead of directly linking to what they said?
[1] https://x.com/karpathy/status/2024987174077432126
Because the author of the blog is paid to post daily about nothing but AI and needs to link farm for clicks and engagement on a daily basis.
Most of the time, users (or the author himself) submit this blog as the source, when in fact it is just content that ultimately links to the original source for the sake of engagement. Unfortunately, this actually breaks two guidelines: "promotional spam" and "original sourcing".
From [0]
"Please don't use HN primarily for promotion. It's ok to post your own stuff part of the time, but the primary use of the site should be for curiosity."
and
"Please submit the original source. If a post reports on something found on another site, submit the latter."
The moderators won't do anything because they are allowing it [1] only for this blog.
[0] https://news.ycombinator.com/newsguidelines.html
[1] https://news.ycombinator.com/item?id=46450908
Hah, I didn’t see who submitted it, but as soon as I read your message I thought it was simonw, and behold, tada!
HN really needs a way to block or hide posts from some users.
Yeah it's really quite annoying. Is there a way to just block his site source from showing up on here without using external tools?
The author didn't submit this to HN. I read his blog, but I'm not on X, so I do like it when he covers things there. He's submitted 10 times in the last 62 days.
Simon's work is always appreciated. He thinks through things well, and his writing is excellent.
Just because something is popular doesn't make it bad.
I've been warned for calling this out, but I'm glad others are privy to the obvious
Thank you for calling this out. The individual in question is massively overhyped.
So everyone has to waste their time to visit a link on a blog first instead of being able to go directly to the source?
And why would anyone downvote you for calling this out? Like, who wants to see more low-effort traffic-grab posts like this?
Because he didn't submit it.
Because Simon says.
Why a Mac mini instead of something like a Raspberry Pi? Aren't these claw things delegating inference to OpenAI, Anthropic, etc.?
Some users are moving to local models, I think, because they want to avoid the API costs, or they think it'll be more secure (it's not). The Mac mini has unified memory and can dynamically allocate memory to the GPU by stealing from the general RAM pool, so you can run large local LLMs without buying a massive (and expensive) GPU.
A Mac allows it to send iMessage and access the Apple ecosystem.
Really? That's it?
You can take any AI agent (Codex, Gemini, Claude Code, ollama), run it on a loop with some delay and connect to a messaging platform using Pantalk (https://github.com/pantalk/pantalk). In fact, you can use Pantalk buffer to automatically start your agent. You don't need OpenClaw for that.
What OpenClaw did was show that this is in fact possible to do. IMHO nobody is using it yet for meaningful things, but the direction is right.
Does anyone know a Claw-like that:
- doesn't do its own sandboxing (I'll set that up myself)
- just has a web UI, instead of wanting to use some weird proprietary messaging app as its interface?
Openclaw!
You can sandbox anything yourself. Use a VM.
It has a web UI.
Yeah I think this is gonna have to be the approach. But I don't like the fact that it has all the complexity of a baked in sandboxing solution and a big plugin architecture and blah blah blah.
TBH maybe I should just vibe code my own...
I read [and comment on] two influencers maintaining their circles
lemme guess there is going to be inter claw protocol now
i am thinking 2 steps (48 hours in ai land) ahead and conclude we need a linkedin and fiverr for these claws.
What is the benefit of a Mac mini for something like this?
Apple fans paying apple tax to have an isolated device accessing their profile.
Who is Andrej Karpathy?
https://karpathy.ai/
PhD in neural networks under Fei-Fei Li, founding member of OpenAI, director of AI at Tesla, etc. He knows what he's talking about.
>He knows what he's talking about.
https://en.wikipedia.org/wiki/Argument_from_authority
While I appreciate that an appeal to authority is a logical fallacy, you can't really use that to ignore everyone's experience and expertise. Sometimes people who have a huge amount of experience and knowledge on a subject do actually make a valid point, and their authority on the subject is enough to make them worth listening to.
But we're talking about authority of naming things being justified by a tech resume.
It's as irrelevant as George Foreman naming the grill.
Naming things in the context of AI, by someone who is already responsible for naming other things in the context of AI, when they have a lot of valid experience in the field of AI. It's not entirely unreasonable.
https://en.wikipedia.org/wiki/Argument_from_fallacy
Not claiming anything to be false, just a reminder that you should question one's opinions a bit more and not claim they "know what they are talking about" because they worked with Fei-Fei Li. You are outsourcing your thinking to someone else, which is lazy and a good way of getting conned.
What even happened to https://eurekalabs.ai/?
At one point he did. Cognitive atrophy has led him to decline just like everyone else.
Ex cathedra.
Someone who uses status to appeal to the tech masses / tech influencer / AI hype man.
Really smart AI guy, ex-Tesla, then educator, now vibe coder (he coined the term "vibe coding").
The person that made the svmjs library I used for a blue monday.
A quick Google might’ve saved you from the embarrassment of not knowing who one of the most significant AI pioneers in history is, and in a thread about AI too.
I bet they feel so, so silly. A quick bit of reflection might reveal sarcasm.
I'll live up to my username and be terribly brave with a silly rhetorical question: why are we hearing about him through Simon? Don't answer, remember. Rhetorical. All the way up and down.
AI pollution is "clawing" its way into every corner of human life. The big players tout it as keeping up with the trend, without really thinking about where this is all going.