More like giving your access to a PA service company where you don’t know the actual PA.
But you know those PAs have done some terrible mistake, are quite stupid sometimes and fall for tricks like prompt injection.
If you give a stranger access to your credit card it doesn’t get less risky just because you rent them a apartment in a different town.
The problem isn’t the deleted data but that AI "thought" it’s the right thing to do.
Defining the security boundary is more secure than not defining it. This is a meaningful difference between what my bot does (has access to what you give it access to) vs what OpenClaw does (has access to everything, whether you want it to or not).
If you want perfectly secure computing, never connect your computer to the network and make sure you live in a vault. For everyone else, there's a tradeoff to be made, and saying "there's always a risk" is so obvious that it's not even worth saying.
Has anyone implemented a system of Pi for a team? Basically consolidate all shared knowledge and skills, and work on things that the team together is working on through this?
Basically a pi with SSO frontend, and data separation.
If no one has - I have a good mind to go after this over a weekend.
And others pull regularly from the pool? how are knowledge and skills continuously updated? I was thinking these necessarily need to be server side (like the main project under discussion) for it to be non-clunky for many users, but potentially git could work?
Like, let's take a company example - gitlab. If an agent had the whole gitlab handbook, then it'll be very useful to just ask the agent what and how to do in a situation. The modern pi agents can help build such a handbook with data fed in all across the company.
Can you do so with SQLite? Doesn’t seem possible. Agent is capable of writing code so is capable of interacting with file. Cannot remove write from agent because needs to put message.
Realistically, once you are using agent team you cannot have human in the loop so you must accept stochastic control of process not deterministic. It’s like earthquake or wind engineering for building. You cannot guarantee that building is immune to all - but you operate within area where benefit greater than risk.
Even if you use user access control on message etc. agent can miscommunicate and mislead other agent. Burn tokens for no outcome. We have to yoke the beast and move it forward but sometimes it pulls cart sideways.
Your agent harness shouldn't place that file anywhere that code executed by the agent can write to.
This is why good agents need a robust sandboxing mechanism.
Mine called openwalrus is local-llm first written in rust:
builtin metasearch engine, graph based memory system, editing configs with commands (never need to edit the config files manually)...
we indeed need to focus on sort of real "use cases" first, since I just realized when I'm talking with others about it, the conversions are always meaningless, ends with no response, or sth like cool
Maybe this is a dumb question, but none of these *Claw setups are actually local, right? They are all calling out to OpenAI/Anthropic APIs and the models are running in some hyperscale cloud?
Models are not local most of the time, no, but all commands execute on "the mac mini" so I wouldn't exactly call it a prop. LLMs accept and respond just with text what stuff to execute. They have no h̶a̶n̶d̶s̶ claws.
I wonder if we really need agents to have control of a full computer.
Maybe a browser plugin that lets the agent use websites is enough?
What would be a task that an agent cannot do on the web?
I did the same, except my focus is security:
https://github.com/skorokithakis/stavrobot
I guess everyone is doing one of these, each with different considerations.
Security is quite impossible because they need access to your data which makes it insecure by default.
Sandboxing fixes only one security issue.
That's like saying you shouldn't vet your PA because they'll have access to your email anyway. Yeah, but I still don't give them my house keys.
More like giving your access to a PA service company where you don’t know the actual PA. But you know those PAs have done some terrible mistake, are quite stupid sometimes and fall for tricks like prompt injection.
If you give a stranger access to your credit card it doesn’t get less risky just because you rent them a apartment in a different town.
The problem isn’t the deleted data but that AI "thought" it’s the right thing to do.
Defining the security boundary is more secure than not defining it. This is a meaningful difference between what my bot does (has access to what you give it access to) vs what OpenClaw does (has access to everything, whether you want it to or not).
If you want perfectly secure computing, never connect your computer to the network and make sure you live in a vault. For everyone else, there's a tradeoff to be made, and saying "there's always a risk" is so obvious that it's not even worth saying.
Of course it‘s more secure but it doesn’t mean it’s secure.
Has anyone implemented a system of Pi for a team? Basically consolidate all shared knowledge and skills, and work on things that the team together is working on through this?
Basically a pi with SSO frontend, and data separation.
If no one has - I have a good mind to go after this over a weekend.
I have created a separate knowledge base in Markdown synced to git repo. Agents can read and write using MCP. Works fine!
And others pull regularly from the pool? how are knowledge and skills continuously updated? I was thinking these necessarily need to be server side (like the main project under discussion) for it to be non-clunky for many users, but potentially git could work?
Like, let's take a company example - gitlab. If an agent had the whole gitlab handbook, then it'll be very useful to just ask the agent what and how to do in a situation. The modern pi agents can help build such a handbook with data fed in all across the company.
Quick question is this enforced somewhere or are you just asking the agent nicely? In Agents.md
“””
Data Integrity
The SQLite database at /workspace/.piclaw/store/messages.db must never be deleted. Only repair/migrate it when needed; preserve data.
“””
Best hope your agent never runs into text like this:
My timbers are shivering.
Can you do so with SQLite? Doesn’t seem possible. Agent is capable of writing code so is capable of interacting with file. Cannot remove write from agent because needs to put message.
Realistically, once you are using agent team you cannot have human in the loop so you must accept stochastic control of process not deterministic. It’s like earthquake or wind engineering for building. You cannot guarantee that building is immune to all - but you operate within area where benefit greater than risk.
Even if you use user access control on message etc. agent can miscommunicate and mislead other agent. Burn tokens for no outcome. We have to yoke the beast and move it forward but sometimes it pulls cart sideways.
Your agent harness shouldn't place that file anywhere that code executed by the agent can write to. This is why good agents need a robust sandboxing mechanism.
You only need to accept stochastic control of some processes. In others you can ensure, for example, privileges and authorization.
Mine called openwalrus is local-llm first written in rust:
builtin metasearch engine, graph based memory system, editing configs with commands (never need to edit the config files manually)...
we indeed need to focus on sort of real "use cases" first, since I just realized when I'm talking with others about it, the conversions are always meaningless, ends with no response, or sth like cool
I used to want to call it freeclaw, but there is already one, and actually myself started feeling bored about xxxclaw
opentusk?
haha used to think about this! but walrus is from wasm + rust and the song of beatles, and this cute thing is in the zoo!
Maybe this is a dumb question, but none of these *Claw setups are actually local, right? They are all calling out to OpenAI/Anthropic APIs and the models are running in some hyperscale cloud?
The "mac mini" you install it on is a prop?
Models are not local most of the time, no, but all commands execute on "the mac mini" so I wouldn't exactly call it a prop. LLMs accept and respond just with text what stuff to execute. They have no h̶a̶n̶d̶s̶ claws.
Claude Agent SDK support?
Cool project. Good luck!
interested, keep us posted!
In fact forget the claw!
Eh screw the whole thing.