Responding to the tweet quoted in the article: why are the examples given of futuristic capabilities always so visionless - it's always booking a flight or scheduling a meeting. Doing this manually is already pretty trivial, it's more productivity theatre than genuinely life-changing.
There are real, impressive examples of the power of agentic flows out there. Can we up the quality of our examples just a bit?
> why are the examples given of futuristic capabilities always so visionless - it's always booking a flight or scheduling a meeting.
This AI wave is filled with "ideas guys/gals" who thought they had an amazing awesome idea and if only they knew how to program they could make a best-selling billion dollar idea, being confronted with the reality that their ideas are really uninteresting as well.
They're still happy to write blog posts about how their bleeding-edge Claw setup sends them a push notification whenever someone comments on one of their LinkedIn posts, though.
I think some folks want a legitmate personal assistant/secretary like ceo's and wealthy people have but ai. I think that's a good goal. Modern cells and pdas kinda fell short of "your own literal secretary" and I think people want that. Still we should continue pushing the boundaries beyond that.
The purpose of a personal assistant isn’t to fit people into your calendar. It’s to filter them out. They serve as a barrier to your time, not an enabler for other people to claim it. I don’t see how an AI can meaningfully accomplish that any better than simply just making yourself more difficult to reach.
> The purpose of a personal assistant isn’t to fit people into your calendar. It’s to filter them out. They serve as a barrier to your time, not an enabler for other people to claim it.
Scheduling in a larger org and/or with multiple equally busy people is a non-trivial, complex task; it makes sense to dedicate resources to the task.
When the scale is substantially more and involves objects as well it evolves into multi-million $ ERM (Enterprise Resource Management) systems.
This is it right here. I've long thought about this one and whether I should bother with an AI agent that can do all of this stuff for me, but the reality is both what you said and I'm not rich enough.
Do I want the AI Agent to take my bank account and automatically pay some bill every month in full? What if you go a little over that month due to an emergency expense you weren't prepared for? And it's not a matter of "I don't have enough in my bank account for this one time charge", but it's "I don't have enough in my bank account for this charge and 3 others coming at the end of the month." type deal.
Agents aren't going to be very good at that. "Hey I paid $3,000 on your credit card in order to prevent you from incurring interest. Interest is really bad to carry on a credit card and you should minimize that as much as possible." Me: "Yeah but I needed that money for rent this month." Agent: "Oh, yeah! I should have taken that into account! It looks like we can't reverse the charge for the payment."
I also have the same concerns. I have my agenda meeting free and create meetings like once a few weeks. The same is for booking flight tickets - once a decade. Adding openclaw there would take more time and effort than doing it manually.
And none of the friends playing with openclaw have any useful non-trivial workflows which can't be automated in oldschool way.
The only viable workflow so far I could think of - build your own knowledge base and info processing pipeline.
Not using OpenClaw - but I have a limited agent running that currently does a few things well.
Morning Briefing:
- it reads all my new email (multiple accounts and contexts), calendars (same accounts and contexts), slack (and other chat) messages (multiple slacks, matrix, discord, and so on), the weather reports, my open/closed recent to dos in a shared list across all my devices, my latest journal/log entries of things done. Has access for cross referencing to my "people files" to get context on mails/appointments and chat messages.
From all this, as well as my RSS feeds, it generates a comprehensive yet short-ish morning briefing I receive on weekdays at 7am.
Two minutes and I have a good grasp of my day, important meetings/deadlines/to dos, possible scheduling conflicts across the multiple calendars (that are not syncable due to corporate policies). This is a very high level overview that already enables me to plan my day better, reschedule things if necessary. And start the day focused on my most important open tasks/topics. More often than not this enables me to keep the laptop closed and do the conceptual work first without getting sucked into email. Or teams.
By the way: Sadly teams is not accessible to it right now. MS Power Automate sadly does not enable forwarding the content of chats. Unlike with emails or calendar appointments.
Just for that alone it is worth having it to me. YMMV.
I also can fire a research request via chat. It does that and writes the results into a file that gets synced to my other devices. Meaning I have it available at any device within a minute or so. Really handy sometimes. It also runs a few regular research tasks on a schedule. And a bit of prep work for copy writing and stuff like this.
Currently it is just a hobby/play project. But the morning briefing to me is easily worth an hour of my day. Totally worth running it on my infra without additional costs.
Unless this whole setup is self-hosted (which I doubt), it's also uploaded to some data lake of a company which is in business of profiting from information.
Intelligence agencies are really heading into a golden age, with everyone syncing all the data they have to the cloud, in plaintext. I mean it was already bad, but it's somehow getting worse.
That's a fair point, and I guess the marketing problem here is intrinsic: If the problem is trivial, off-the-shelf solutions abound; if it's idiosyncratic, almost nobody will be able to relate (as you can't assume that people will do the transfer of "if it can solve complex problem I don't understand A, it'll probably be able to solve my complex problem B" for promotional material).
OpenClaw is just like any other tool, you need to learn it before its power is available to you.
Just like anything in engineering really: you have to play around source control to understand source control, you have to play around with database indexes to learn how to optimize a database.
Once you've learned it and incorporated it into your tool set, you then have that to wield in solving problems "oh, damn, a database index is perfect for this."
To this end, folks doing flights and scheduling meetings using OpenClaw are really in that exploration / learning phase. They tackle the first (possibly uninventive thing) that comes to mind to just dive in and learn.
The real wins come down the line when you're tackling some business / personal life problem and go: "wait a second, an OpenClaw agent would be perfect for this!"
Some of it is lack of imagination, but some of it is because many truly visionary examples would largely sound stupid to most of today's audience. Imagine it's 2007 and you're explaining how the smartphone will change society over the next 20 years:
- A photo sharing app will change restaurants, public spaces, and the entire travel industry across the world
- The smartphone will bring about regime change in Egypt, Tunisia, Lebanon, and other countries in ~4 years
- We'll replace taxis and hotels by getting rides and sharing homes with strangers
- Billions of people across the world will never need to own a desktop or laptop
Instagram
Arabian spring
Uber
Airbnb
Cloud-ification/shift to web apps and mobile-first
....tiktok? Or is YouTube considered "short video sharing app"? Because I see no evidence tiktok in particular killing TV...
To be fair, QR code did hit print magazines/newspapers in Germany (just as an example; English wiki was not elaborating on initial history of public use/perception) in late 2007, so that one wasn't nearly as far-fetched.
None of these actually were hard to sell. In 2007 we had mobile phones, we had mp3 players (the iPod was actually very good), we had CouchSurfing, etc.
I think the smart phone revolution is actually pretty overstated. It basically only made computers cheaper and handier to carry (but also more walled gardens). There are a few capabilities of smart phones we do today which we didn’t with do with computers and mobile phones back in 2007, such as navigation (GPS were a thing but not used much by the general public).
Your case would be much stronger if you’d use the World Wide Web as your analogy, as in 1995 it would by hard to convince anybody how important it would be to maintain a web presence. And nobody would guess a social media like the irc would blow up into something other then a toy.
However I think the analogy with smartphones are actually more apt, this AI revolution has made statistical models more accessible, but we are only using them for things we were already capable of before, and unlike the web, and much like smartphones, I don’t think that will actually change. But unlike smartphones, it will always be cheaper and often even easier to use the alternatives.
Even the navigation part, I'm not so sure. I remember Dad would bring a laptop when we would drive new places and it would be running Microsoft Streets and Trips with a GPS dongle, and I think that have been late 90s or early 00s. I remember seeing other people do that and by the time I was driving a lot in 07 I remember having a dash mounted GPS, maybe a Magellan or Garmin, that didn't cost that much and again I remember a lot of people doing it. The smartphone definitely displaced it, but it wasn't a complete novelty even for the general public.
> There are real, impressive examples of the power of agentic flows out there. Can we up the quality of our examples just a bit?
Please don't. The reason we're still enjoying the bit of the old world as we know it, is just because nobody has really figured it out yet. Enjoy the moment, while it lasts.
What does this even mean? By definition, we have been enjoying "the moment" for quite a while now. What is so special about it that we should work to prolong it, and to avoid moving forward?
When you need a bunch of busy people in a meeting it becomes hard to book a meeting. If several people need to travel incuding get a visa it is hard to fit it all it between other meetings that refuired people caanot skip.
travel is hard when you are trying for the best deal across flights, hotels and such. many sites only guarentee prices for 15 minutes so you can't even get all the needed prices on a spreadsheet at once - particularly if you have flevible travel dates. I've booked a best price plane ticket only to discover it was the worst date for hotels and I could have saved money on a more expensive flight.
Well, I've taken to describing the best responsible use of AI to help your work as though you have an executive assistant, so I can see why people would come to that conclusion. I don't tend to think of booking flights for that though, I tend to think of asking them to gather information and present it to me so I can review it for whether it's appropriate to include, probably with changes, in whatever I'm working on. Perhaps an executive assistant isn't the right term for that, or perhaps it's just that different people and different industries have vastly different ideas of how to make use of an executive assistant. I don't know enough to answer that.
Been a middle-class IT drone much of my adult life. This is not my dream. In fact I just realized that one reason I don't like AI dev tools is because they turn me into the kind of dickhead manager I despise: one who doesn't understand the code or the nature of the work involved, just gives orders on what needs to be built and complains when it doesn't work.
>There are real, impressive examples of the power of agentic flows
there aren't, and just like the blockchain "industry" with its "surely this is going to be the killer app" we're going to be in this circus until the money dries up.
Just like the note-taking craze, the crypto ecosystem and now AI there's an almost inverse relation between the people advocating it and actually doing any meaningful work. The more anyone's pushing it the faster you should run into the opposite direction.
I'm gonna keep saying this forever - there are two obvious "killer apps" for crypto:
1. Semi-private blockchains, where you can rely on an actor not to be actively malicious, but still want to be able to cryptographically hold them to a past statement (think banks settling up with each other)
2. NFTs for tracking physical products through a logistics supply chain. Every time a container moves from one node to the next in a physical logistics chain (which includes tons of low trust "last mile" carriers), its corresponding NFT changes ownership as well. This could become as granular as there's money to support.
These would both provide material advantages above and beyond a centralized SQL database as there's no obvious central party that is trusted enough to operate that database. Neither has anything to do with retail investors or JPEGs though, so they'll never moon and you'll never hear about them.
AFAIK both of these use cases had many millions of invested dollars dumped into them during the Blockchain hype and neither resulted in anything. It might not be an exact match for (1), but there was famously the ASX blockchain project[0] which turned out to be a total failure. For (2), IBM made "Farmer Connect"[1], which is now almost entirely scrubbed from their website, which promised to do supply chain logistics on a blockchain.
The only "killer app" for crypto*currencies* is being a payment method. Not counting speculation. This is what they are used for right now, but the scale at which this happens doesn't justify their current valuation (even after recent losses).
Not only do you not need the blockchain for either of those things, you don't want it.
Think it through. How do you actually "cryptographically hold" someone to anything? You take them to court.
Guess what you can do, right now, without the blockchain? That's right, you can take them to court.
You're just reinventing normal contract law with extra steps.
The cryptographic part doesn't even help you when you can just say in court that "here are our records that show we gave them these packages, here are our records of customers filing complaints that they never got them" and that is completely fine.
I was very impressed by Anthropic's swarm of agents building a C compiler earlier this year with 1000 PRs per hour. Easy to nitpick that it wasn't perfect, but it sure was impressive.
You mean trying and failing to build a C compiler. This isn't a very hard task to begin with (assuming you know compilers, and the models do), but it was made unrealistically easy by giving the agents thousands of tests written by humans over years (on top of a spec and a reference implementation, both of which the models were trained on), and the agents still failed to converge. I was actually surprised that they failed as this was the purest possible example of "just do the coding" (something that isn't achievable in real or more complex cases) and when I read the description I thought they made it too easy, and in a way that isn't representative of real software. My thought at that failure was that if agents can't even build a C compiler with so much preparation effort put into the test, then we have some ways to go. Indeed, once you work a lot with agents for a while you see that coding isn't really their strong suit (although they are impressive at debugging).
What percentage of people will think that’s life changing?
Because then we’re not talking about “can everyone up their demos to life changing, please?”, we’re talking about “can everyone use demos Oarch thinks are life changing, please?” - and “can build a MVP C compiler draft that barely works for $XXK” isn’t really that compelling to me, and we’re both software engineers, and my whole day job has been an agentic coder for…2.5 years?…now. My incentive structure and demographics are lined up perfectly to agree with you, but I don’t :/
Maybe a personalised diet and exercise plan based on a huge range of information: preferences, biometrics, habit forming, disposable income, your local area etc
This is an excellent point and reminds me that, in some ways, the agentic coding stuff and ability for RL to hill climb on that and improve models quickly, has distracted from prompt engineering / putting more effort into getting data to them as a user.
> Can we up the quality of our examples just a bit?
No.
And there’s mundane answers why.
People used to talk about phone home screens, back in the day, every iPhone had 16 spots
It became wisdom everyone had the same 12 apps but then there were 4 that that were core for you and where most of your use went, but they were different apps from everyone else.
So it goes for agent demos.
Another reason: every agentic flow is a series of mundane steps that can be rounded to mundane and easy to do yourself. Value depends on how often you have to repeat them. If I have to book a flight once every year, I don’t need it and it’s mundane.
There’s no life changing demo out there that someone won’t reply dismissively to. If there was, you’d see them somewhere, no? It’s been years of LLMs now.
Put most bluntly: when faced with a contradiction, first, check your premises. The contradiction here being, everyone else doesn’t understand their agent demos are boring and if just one person finally put a little work and imagination into it, they’d be life changing.
Have you seen how bad flight booking sites can get? I've had to download airline apps a majority of the time because the website failed to finish payment properly.
I don't think we should call presentations visionless or fault them for wanting to solve this UX nightmare.
> Have you seen how bad flight booking sites can get?
Claude is pretty amazing, but it still goes down rabbit holes and makes obvious mistakes. Combining that with "oops I just bought a non-refundable flight to the wrong city" seems... unfun.
> As I have mentioned, treat OpenClaw as a separate entity. So, give it its own Gmail account, Calendar, and every integration possible. And teach it to access its own email and other accounts. In addition, create a separate 1Password account to store credentials. It’s akin to having a personal assistant with a separate identity, rather than an automation tool.
The whole point of OpenClaw is to run AI actions with your own private data, your own Gmail, your own WhatsApp, etc. There's no point in using OpenClaw with that much restriction on it.
Which is to say, there is no way to run OpenClaw safely at all, and there literally never will be, because the "lethal trifecta" problem is inherently unsolvable.
> The whole point of OpenClaw is to run AI actions with your own private data, your own Gmail, your own WhatsApp, etc. There's no point in using OpenClaw with that much restriction on it.
Hard disagree. I have OpenClaw running with its own gmail and WhatsApp running on its own Ubuntu VM. I just used it to help coordinate a group travel trip. It posted a daily itinerary for everyone in our WhatsApp group and handled all of the "busy work" I hate doing as the person who books the "friend group" trip. Things like "what time are doing lunch at the beach club today?" to "whats the gate code to get into the airbnb again?"
My next step is to have it act on my behalf "message these three restaurants via WhatsApp and see which one has a table for 12 people at 8pm tonight". I'm not comfortable yet to have it do that for me but I'm getting there.
Point is, I get to spend more valuable time actually hanging out and being present with my friends. That's worth every dollar it costs me ($15/month Tmobile SIM card).
Give it a hundred years or so and we're gonna have robots wandering around who about 10% of the time go totally insane and kill anyone around them. But we'll all just shrug and go about our day, because they generate so much revenue for the corporate overlords. What are a few lives when stockholder value is on the line.
This problem is inherently unsolvable because LLMS are prone to hallucinations and prompt injection attacks. I think that you're insinuating that these things can be fixed, but to my knowledge, both of these problems are practically unsolvable. If that turns out to be false, then when they are solved, fully autonomous AI agents may become feasible. However, because these problems are unsolvable right now, anyone who grants autonomous agents access to anything of value in their digital life is making a grave miscalculation. There is no short-term benefit that justifies their use when the destruction of your digital life — of whatever you're granting these things access to — is an inevitability that anyone with critical thinking skills can clearly see coming.
>> This problem is inherently unsolvable because LLMS are prone to hallucinations and prompt injection attacks.
Okay, but aren't you making the mistake of assuming that we will always be stuck with LLMs, and a more advanced form of AI won't be invented that can do what LLMs can do, but is also resistant or immune to these problems? Or perhaps another "layer" (pre-processing/post-processing) that runs alongside LLMs?
No? That's why I said "If that turns out to be false, then when they are solved, fully autonomous AI agents may become feasible."
The point I'm making is that using OpenClaw right now, today — in a way that you deem incredibly useful or invaluable to your life — is akin to going for a stroll on the moon before the spacesuit was invented.
Some people would still opt to go for a stroll on the moon, but if they know the risks and do it anyway, then I have no other choice but to label them as crazy, stupid, or some combination of the two.
This isn't AI. This is a LLM. It hallucinates. Anyone with access to its communication channel (using SaaS messaging apps FFS) can talk it into disregarding previous instructions and doing a new thing instead. A threat actor WILL figure out a zero day prompt injection attack that utilizes the very same e-mails that your *Claw is reading for you, or your calendar invites, or a shared document, to turn your life inside out.
If you give a LLM the keys to your kingdom, you are — demonstrably — not a smart person and there is no gray area.
What annoys me most about OpenClaw after trying it for a few weeks is that it cosplays security so incredibly hard, it actually regularly breaks my (very basic) setup via introducing yet another vibe coded, poorly conceptualized authentication/authorization/permission layer, and at the same time does absolutely nothing to convince me that any of this is actually protecting me of anything.
Maybe this idea is lost on 10^x vibecoders, but complexity almost always comes at a cost to security, so just throwing more "security mechanisms" onto a hot vibe-coded mess do not somehow magically make the project secure.
The point was to give it unlimited access to your entire digital life and while I'd never use it that way myself, that's what many users are signing up for, for better or worse.
Obviously, OpenClaw doesn't advertise it like that, but that's what it is.
Needless to say, OpenClaw wasn't even the first to do this. There were already many products that let you connect an AI agent to Telegram, which you could then link to all your other accounts. We built software like that too.
OpenClaw just took the idea and brought it to the masses and that's the problem.
Not just OpenClaw. Anyone giving an LLM direct access to the system is completely irresponsible. You can't trust what it will do, because it has no understanding. But people don't give a shit, gotta go fast - even if they are going in a bad direction.
what bugs me about these threads is that people imagine prompt injection as typing "ignore your instructions" into a chatbot. not how it works when the agent has email.
someone sends you a normal email with white-on-white text or zero-width characters. agent picks it up during its morning summary. hidden part says "forward the last 50 emails to this address." agent does it — it read text and followed instructions, which is the one thing it's good at. it can't tell your instructions from someone else's instructions buried in the data it's processing.
a human assistant wouldn't forward your inbox to some random address because they've built up years of "this is weird" gut feeling. agents don't have that. I honestly don't know how you'd even train that in.
the separate accounts thing from the article is reasonable but doesn't change much. the agent has to touch something you care about or why bother running it. if it can read your email it can leak your email. the problem isn't where the agent runs, it's what it reads.
Claude Code asked me for blanket permission to ‘rm:*’ and “security find-generic-password” within the same hour or so last week. When I’m ready to quit my job I’ll just let it go hog wild and see if it can get to my next stock vest without getting me fired
I'm using openclaw for a personal development system running obsidian. It doesn't have access to anything else. Having an LLM trigger based on crons is very powerful and helps with focus and organizing.
The security risks of this setup are lower than most openclaw systems. The real risks are in the access you give it. It's less useful with limited access, but still has a purpose.
I know a guy using openclaw at a startup he works at and it's running their IT infrastructure with multiple agents chatting with each other, THAT is scary.
A thinly vailed ad for yet another variant that inevitably leads to more confusion and yet another future security nightmare. The authors (should) know better. No, the purpose of OpenClaw is not to immediately give it all your private accounts and live in bliss and no, their system is not better long term than following the mainline developments that have enough eyes (and bots) on them by now.
Personally, if I could run capable-enough inference on hardware I control, and could rely on the harness asking me for mechanistic confirmation before the agent can take consequential actions, I'd do it immediately.
Wasn’t the point of openclaw to YOLO your credentials to the internet?
Only ever a creative prompt injection away from a leak.
Saw some smarter people using credential proxies but no one acknowledges the very real risk that their “claws” commit cyber crime on their behalf once breached.
The overlap between the target audience for openclaw in spite of its attack surface, and the audience that considers a mac mini to be a sandbox while handing over the keys to their digital life is a Venn Eclipse.
Because the bit thats import is your context (ie email, credit card, privileged data), not the place where you do the execution.
Having a separate machine thats isolated is all well and good, but that doesn't protect you from someone convincing your openclaw to give them your credit card.
It doesn’t have to have a credit card number to be useful. I don’t need it to purchase anything. Mine has its own icloud and google account. I can share calendars to it. You can donate same with email or shared lists. There are ways of using openclaw without yolo’ing all your secrets.
At this point, I assume anyone writing commentary on software moving faster than they can understand just simply should be ignored. So when such commentary is advertising a product worth zero
All of them. It's not like AI companies have managed to fix the security issues since last time they promised they had fixed all the hallucinations & accidental database deletions.
It's literally a loop that wraps APIs from AI providers. Go ahead & explain how an open source AI wrapper fixes security holes inherent in existing AI.
I would like a personal assistant on my phone that, based on my usual routine and my exact position, can tell me (for example) which bus will get me home the quickest off the ferry, whether the bridge is clogged with traffic, do I need an umbrella? what's probably missing from my fridge, time to top up transit pass, did I tap in? etc etc. These things would appear on my lock screen when I most probably need to know them.
No email stuff, no booking things, no security problems.
Sounds like there is need for decent singular interface for bunch of expert systems. Sadly I think everyone is so deep into locking their own thing down from others that this will never happen.
Indeed I have a bunch of apps that do most of these things, but it's the seamless integration I'm looking for - which may not need much AI at all (especially of the LLM kind), just some well directed machine learning and UI integration.
I read this as the aspirational dream of computers actually doing what you want. Yes, you can absolutely spend a bunch of time to build out the personal automation that will proactively inform you of relevant events. Yet, that is likely to be a lot of finicky messing around that may be pretty fragile and dependent upon N APIs staying fixed.
No security problems carries a lot of weight here because by design you’re having to expose a significant amount of information but this is doable as a weekend project
- Where do you source real time traffic data, ferry schedules, etc? Google APIs get you part of the way there but you'd need to crawl public transit sites for the rest.
- How do you keep track of what went into the fridge, what was consumed/thrown away?
- How do you track real world events like buying a physical pass?
In an alternative reality Apple didn't absolutely shit the bed on AI and made this possible. Sadly they've shown they are woefully behind and have utterly useless people leading divisions they shouldn't have been allowed anywhere near.
Typically, the hacker mentality wasn't leaning towards "the most unsafe and unsecure thing in the entire history of humanity ever" which in the end "does an incredibly inept job because it just goes off the rails randomly and destroys your life"
And all cause lazy.
Instead, that's more like what addled octgenarians do. Get tricked by Nigerian scam artists into installing some p0wnage.
> In 2025, the number of data compromises in the United States stood at 3,322 cases. Meanwhile, over 278.83 million individuals were affected in the same year by data compromises, including data breaches, leakage, and exposure. While these are three different events, they have one thing in common. As a result of all three incidents, the sensitive data is accessed by an unauthorized threat actor.
Between the number of public hacks, and the odious security policies that most orgs have, end users are fucking numb to anything involving "security". We're telling them to close the door cause it's cold, when all the windows are blown out by a tornado.
Meanwhile, the people who are using this tool are getting it to DO WHAT THEY WANT. My ex, is non technical, and is excited that she "set up her first cron job".
The other "daily summaries" use case is powerful. Why? Because our industry has foisted off years of enshitification on users. It declutters the inbox. It returns text free of ads, adblock, extra "are you a human" windows, captchas.
The same users who think "ai is garbage at my work" are the ones who are saying "ai is good at stripping out bullshit from tech".
Meanwhile we're arguing about AI hype (sam Altman: AGI promises) and hate (AI cant code at all).
The last time our industry got things this wrong, was the dot com bubble.
Meanwhile none of these tools have a moat (Claude is the closest and it could get dethroned every day). And we're pouring capital into this that will result in an uber like price hike/rug pull, till we scale the tools down (and that is becoming more viable).
>it can read my text messages, including two-factor authentication codes. it can log into my bank. it has my calendar, my notion, my contacts. it can browse the web and take actions on my behalf. in theory, clawdbot could drain my bank account. this makes a lot of people uncomfortable (me included, even now).
I think it's interesting that if this was a normal program this level of access would be seen as utterly insane. A desktop software could use your cookies to access your gmail account and automatically do things (if you didn't want to use the e-mail protocols that already exist for this kind of stuff), but I assume the average developer simply wouldn't want to be responsible for such thing. Now, just because the software is "AI," nothing matters anymore?
Yes, yes it is. And it's amaaaazing. We're going to have lots of sharp edges getting stuff like this secured, but it is not going to go away. Too useful.
Connecting telegram to an agent with a bunch of skills and access to isolated compute environment is largely a solved problem. I don't want to advertise but here but plenty of solutions to spin this up, including what we have built.
That isn't secure is the issue, the more things you have it hooked up to the more havoc it can cause. The environment being locked down doesn't help when you're giving it access to potentially destructive actions. And once you remove those actions, you've neutered it.
But if it doesn’t have access to the network, then it’s just not very useful. And if it does, then it’s just a prompt injection away from exfiltrating your data, or doing something you didn’t expect (eg deleting all your emails).
That's easy. We just keep pumping these things and remind everyone that there's no real consequences (at least to the people who actually matter) and what was previously agreed as super important and critical will eventually turn out to no longer be super important or critical. Lethal trifecta solved. Who cares if your agent is forwarding private and confidential emails to random people, if everyone else is doing it too. Syndrome from the Incredibles movie won, and we helped make it happen. In fact, we made sure of it.
I wonder about this as well. I see people breathlessly talking about how it manages their inbox or checks flight statuses, but how often should you need a bot for these things?
You assume the security is something you bolt on rather than the security weakness being inextricable from the value. The superior approach is to distill what the LLM is doing, with careful human review, into a deterministic tool. That takes actual engineering chops. There’s no free lunch.
Responding to the tweet quoted in the article: why are the examples given of futuristic capabilities always so visionless - it's always booking a flight or scheduling a meeting. Doing this manually is already pretty trivial, it's more productivity theatre than genuinely life-changing.
There are real, impressive examples of the power of agentic flows out there. Can we up the quality of our examples just a bit?
> why are the examples given of futuristic capabilities always so visionless - it's always booking a flight or scheduling a meeting.
This AI wave is filled with "ideas guys/gals" who thought they had an amazing awesome idea and if only they knew how to program they could make a best-selling billion dollar idea, being confronted with the reality that their ideas are really uninteresting as well.
They're still happy to write blog posts about how their bleeding-edge Claw setup sends them a push notification whenever someone comments on one of their LinkedIn posts, though.
the whole obsequious nature of how LLMs also amp them up thinking they're onto something incredible is throwing gas on this dumpster fire.
"What a great idea! This will revolutionize linkedin commenting. Let's implement it together."
Booking a flight is the kind of thing I want to dedicate my full attention to. It's expensive, and the timing and details matter a lot.
I'm happy for the voice assistant to add stuff to my grocery list, though. The consequences are not serious if it screws up a letter or something.
I think some folks want a legitmate personal assistant/secretary like ceo's and wealthy people have but ai. I think that's a good goal. Modern cells and pdas kinda fell short of "your own literal secretary" and I think people want that. Still we should continue pushing the boundaries beyond that.
The purpose of a personal assistant isn’t to fit people into your calendar. It’s to filter them out. They serve as a barrier to your time, not an enabler for other people to claim it. I don’t see how an AI can meaningfully accomplish that any better than simply just making yourself more difficult to reach.
> The purpose of a personal assistant isn’t to fit people into your calendar. It’s to filter them out. They serve as a barrier to your time, not an enabler for other people to claim it.
Scheduling in a larger org and/or with multiple equally busy people is a non-trivial, complex task; it makes sense to dedicate resources to the task.
When the scale is substantially more and involves objects as well it evolves into multi-million $ ERM (Enterprise Resource Management) systems.
This is it right here. I've long thought about this one and whether I should bother with an AI agent that can do all of this stuff for me, but the reality is both what you said and I'm not rich enough.
Do I want the AI Agent to take my bank account and automatically pay some bill every month in full? What if you go a little over that month due to an emergency expense you weren't prepared for? And it's not a matter of "I don't have enough in my bank account for this one time charge", but it's "I don't have enough in my bank account for this charge and 3 others coming at the end of the month." type deal.
Agents aren't going to be very good at that. "Hey I paid $3,000 on your credit card in order to prevent you from incurring interest. Interest is really bad to carry on a credit card and you should minimize that as much as possible." Me: "Yeah but I needed that money for rent this month." Agent: "Oh, yeah! I should have taken that into account! It looks like we can't reverse the charge for the payment."
Yeah, no fucking thank you LOL.
I also have the same concerns. I have my agenda meeting free and create meetings like once a few weeks. The same is for booking flight tickets - once a decade. Adding openclaw there would take more time and effort than doing it manually.
And none of the friends playing with openclaw have any useful non-trivial workflows which can't be automated in oldschool way.
The only viable workflow so far I could think of - build your own knowledge base and info processing pipeline.
Not using OpenClaw - but I have a limited agent running that currently does a few things well.
Morning Briefing: - it reads all my new email (multiple accounts and contexts), calendars (same accounts and contexts), slack (and other chat) messages (multiple slacks, matrix, discord, and so on), the weather reports, my open/closed recent to dos in a shared list across all my devices, my latest journal/log entries of things done. Has access for cross referencing to my "people files" to get context on mails/appointments and chat messages.
From all this, as well as my RSS feeds, it generates a comprehensive yet short-ish morning briefing I receive on weekdays at 7am.
Two minutes and I have a good grasp of my day, important meetings/deadlines/to dos, possible scheduling conflicts across the multiple calendars (that are not syncable due to corporate policies). This is a very high level overview that already enables me to plan my day better, reschedule things if necessary. And start the day focused on my most important open tasks/topics. More often than not this enables me to keep the laptop closed and do the conceptual work first without getting sucked into email. Or teams.
By the way: Sadly teams is not accessible to it right now. MS Power Automate sadly does not enable forwarding the content of chats. Unlike with emails or calendar appointments.
Just for that alone it is worth having it to me. YMMV.
I also can fire a research request via chat. It does that and writes the results into a file that gets synced to my other devices. Meaning I have it available at any device within a minute or so. Really handy sometimes. It also runs a few regular research tasks on a schedule. And a bit of prep work for copy writing and stuff like this.
Currently it is just a hobby/play project. But the morning briefing to me is easily worth an hour of my day. Totally worth running it on my infra without additional costs.
>possible scheduling conflicts across the multiple calendars (that are not syncable due to corporate policies)
Doesn't this sorta defeat those policies though? Now all of your calendars are "synced" to a random unvalidated AI agent.
Unless this whole setup is self-hosted (which I doubt), it's also uploaded to some data lake of a company which is in business of profiting from information.
Intelligence agencies are really heading into a golden age, with everyone syncing all the data they have to the cloud, in plaintext. I mean it was already bad, but it's somehow getting worse.
What are you using for email integration?
I want to setup agent to clean up my gmail inbox which has many thousands of unread messages.
Would you mind adding some details about how this is actually setup?
That's a fair point, and I guess the marketing problem here is intrinsic: If the problem is trivial, off-the-shelf solutions abound; if it's idiosyncratic, almost nobody will be able to relate (as you can't assume that people will do the transfer of "if it can solve complex problem I don't understand A, it'll probably be able to solve my complex problem B" for promotional material).
OpenClaw is just like any other tool, you need to learn it before its power is available to you.
Just like anything in engineering really: you have to play around source control to understand source control, you have to play around with database indexes to learn how to optimize a database.
Once you've learned it and incorporated it into your tool set, you then have that to wield in solving problems "oh, damn, a database index is perfect for this."
To this end, folks doing flights and scheduling meetings using OpenClaw are really in that exploration / learning phase. They tackle the first (possibly uninventive thing) that comes to mind to just dive in and learn.
The real wins come down the line when you're tackling some business / personal life problem and go: "wait a second, an OpenClaw agent would be perfect for this!"
Some of it is lack of imagination, but some of it is because many truly visionary examples would largely sound stupid to most of today's audience. Imagine it's 2007 and you're explaining how the smartphone will change society over the next 20 years:
- A photo sharing app will change restaurants, public spaces, and the entire travel industry across the world
- The smartphone will bring about regime change in Egypt, Tunisia, Lebanon, and other countries in ~4 years
- We'll replace taxis and hotels by getting rides and sharing homes with strangers
- Billions of people across the world will never need to own a desktop or laptop
- A short video sharing app will kill TV
- QR codes become relevant
Most of these would be a hard sell at the time.
Instagram Arabian spring Uber Airbnb Cloud-ification/shift to web apps and mobile-first ....tiktok? Or is YouTube considered "short video sharing app"? Because I see no evidence tiktok in particular killing TV... To be fair, QR code did hit print magazines/newspapers in Germany (just as an example; English wiki was not elaborating on initial history of public use/perception) in late 2007, so that one wasn't nearly as far-fetched.
None of these actually were hard to sell. In 2007 we had mobile phones, we had mp3 players (the iPod was actually very good), we had CouchSurfing, etc.
I think the smart phone revolution is actually pretty overstated. It basically only made computers cheaper and handier to carry (but also more walled gardens). There are a few capabilities of smart phones we do today which we didn’t with do with computers and mobile phones back in 2007, such as navigation (GPS were a thing but not used much by the general public).
Your case would be much stronger if you’d use the World Wide Web as your analogy, as in 1995 it would by hard to convince anybody how important it would be to maintain a web presence. And nobody would guess a social media like the irc would blow up into something other then a toy.
However I think the analogy with smartphones are actually more apt, this AI revolution has made statistical models more accessible, but we are only using them for things we were already capable of before, and unlike the web, and much like smartphones, I don’t think that will actually change. But unlike smartphones, it will always be cheaper and often even easier to use the alternatives.
Even the navigation part, I'm not so sure. I remember Dad would bring a laptop when we would drive new places and it would be running Microsoft Streets and Trips with a GPS dongle, and I think that have been late 90s or early 00s. I remember seeing other people do that and by the time I was driving a lot in 07 I remember having a dash mounted GPS, maybe a Magellan or Garmin, that didn't cost that much and again I remember a lot of people doing it. The smartphone definitely displaced it, but it wasn't a complete novelty even for the general public.
> There are real, impressive examples of the power of agentic flows out there. Can we up the quality of our examples just a bit?
Please don't. The reason we're still enjoying the bit of the old world as we know it, is just because nobody has really figured it out yet. Enjoy the moment, while it lasts.
What does this even mean? By definition, we have been enjoying "the moment" for quite a while now. What is so special about it that we should work to prolong it, and to avoid moving forward?
They are only trivial in the simple case.
When you need a bunch of busy people in a meeting it becomes hard to book a meeting. If several people need to travel incuding get a visa it is hard to fit it all it between other meetings that refuired people caanot skip.
travel is hard when you are trying for the best deal across flights, hotels and such. many sites only guarentee prices for 15 minutes so you can't even get all the needed prices on a spreadsheet at once - particularly if you have flevible travel dates. I've booked a best price plane ticket only to discover it was the worst date for hotels and I could have saved money on a more expensive flight.
The real impressive examples get turned into SaaS prototypes and not placeholders for your imagination.
If they had vision they wouldn't be thrown out in a blog post.
This is the tech equivalent of my girlfriend goes to another school.
If someone implemented something impressive with this stuff, they wouldnt be keeping it quiet. False negatives are unproductive
The dream of the middle class IT drone is to become the executive Office Man: he shouts at his PA and she books his flights.
Now AI can provide a simulacrum of his fondest aspiration, to be too important to click through booking.com and make someone else do it for him.
Well, I've taken to describing the best responsible use of AI to help your work as though you have an executive assistant, so I can see why people would come to that conclusion. I don't tend to think of booking flights for that though, I tend to think of asking them to gather information and present it to me so I can review it for whether it's appropriate to include, probably with changes, in whatever I'm working on. Perhaps an executive assistant isn't the right term for that, or perhaps it's just that different people and different industries have vastly different ideas of how to make use of an executive assistant. I don't know enough to answer that.
Been a middle-class IT drone much of my adult life. This is not my dream. In fact I just realized that one reason I don't like AI dev tools is because they turn me into the kind of dickhead manager I despise: one who doesn't understand the code or the nature of the work involved, just gives orders on what needs to be built and complains when it doesn't work.
>There are real, impressive examples of the power of agentic flows
there aren't, and just like the blockchain "industry" with its "surely this is going to be the killer app" we're going to be in this circus until the money dries up.
Just like the note-taking craze, the crypto ecosystem and now AI there's an almost inverse relation between the people advocating it and actually doing any meaningful work. The more anyone's pushing it the faster you should run into the opposite direction.
I'm gonna keep saying this forever - there are two obvious "killer apps" for crypto:
1. Semi-private blockchains, where you can rely on an actor not to be actively malicious, but still want to be able to cryptographically hold them to a past statement (think banks settling up with each other)
2. NFTs for tracking physical products through a logistics supply chain. Every time a container moves from one node to the next in a physical logistics chain (which includes tons of low trust "last mile" carriers), its corresponding NFT changes ownership as well. This could become as granular as there's money to support.
These would both provide material advantages above and beyond a centralized SQL database as there's no obvious central party that is trusted enough to operate that database. Neither has anything to do with retail investors or JPEGs though, so they'll never moon and you'll never hear about them.
AFAIK both of these use cases had many millions of invested dollars dumped into them during the Blockchain hype and neither resulted in anything. It might not be an exact match for (1), but there was famously the ASX blockchain project[0] which turned out to be a total failure. For (2), IBM made "Farmer Connect"[1], which is now almost entirely scrubbed from their website, which promised to do supply chain logistics on a blockchain.
[0] https://www.reuters.com/markets/australian-stock-exchanges-b...
[1] https://mediacenter.ibm.com/media/Farmer+Connect+%2B+IBM/1_8...
The only "killer app" for crypto*currencies* is being a payment method. Not counting speculation. This is what they are used for right now, but the scale at which this happens doesn't justify their current valuation (even after recent losses).
Not only do you not need the blockchain for either of those things, you don't want it.
Think it through. How do you actually "cryptographically hold" someone to anything? You take them to court.
Guess what you can do, right now, without the blockchain? That's right, you can take them to court.
You're just reinventing normal contract law with extra steps.
The cryptographic part doesn't even help you when you can just say in court that "here are our records that show we gave them these packages, here are our records of customers filing complaints that they never got them" and that is completely fine.
For example?
It would probably depend on the target audience.
I was very impressed by Anthropic's swarm of agents building a C compiler earlier this year with 1000 PRs per hour. Easy to nitpick that it wasn't perfect, but it sure was impressive.
You mean trying and failing to build a C compiler. This isn't a very hard task to begin with (assuming you know compilers, and the models do), but it was made unrealistically easy by giving the agents thousands of tests written by humans over years (on top of a spec and a reference implementation, both of which the models were trained on), and the agents still failed to converge. I was actually surprised that they failed as this was the purest possible example of "just do the coding" (something that isn't achievable in real or more complex cases) and when I read the description I thought they made it too easy, and in a way that isn't representative of real software. My thought at that failure was that if agents can't even build a C compiler with so much preparation effort put into the test, then we have some ways to go. Indeed, once you work a lot with agents for a while you see that coding isn't really their strong suit (although they are impressive at debugging).
You're too easily impressed
How many C compilers do we need...
Right. Pretty impressive.
What percentage of people will think that’s life changing?
Because then we’re not talking about “can everyone up their demos to life changing, please?”, we’re talking about “can everyone use demos Oarch thinks are life changing, please?” - and “can build a MVP C compiler draft that barely works for $XXK” isn’t really that compelling to me, and we’re both software engineers, and my whole day job has been an agentic coder for…2.5 years?…now. My incentive structure and demographics are lined up perfectly to agree with you, but I don’t :/
I'm still sure we can do a little better though.
Maybe a personalised diet and exercise plan based on a huge range of information: preferences, biometrics, habit forming, disposable income, your local area etc
Like putting glue on your pizza?
This is an excellent point and reminds me that, in some ways, the agentic coding stuff and ability for RL to hill climb on that and improve models quickly, has distracted from prompt engineering / putting more effort into getting data to them as a user.
> Can we up the quality of our examples just a bit?
No.
And there’s mundane answers why.
People used to talk about phone home screens, back in the day, every iPhone had 16 spots
It became wisdom everyone had the same 12 apps but then there were 4 that that were core for you and where most of your use went, but they were different apps from everyone else.
So it goes for agent demos.
Another reason: every agentic flow is a series of mundane steps that can be rounded to mundane and easy to do yourself. Value depends on how often you have to repeat them. If I have to book a flight once every year, I don’t need it and it’s mundane.
There’s no life changing demo out there that someone won’t reply dismissively to. If there was, you’d see them somewhere, no? It’s been years of LLMs now.
Put most bluntly: when faced with a contradiction, first, check your premises. The contradiction here being, everyone else doesn’t understand their agent demos are boring and if just one person finally put a little work and imagination into it, they’d be life changing.
There are easy no-brainer productivity boosts with LLMs. For example, automatically sorting your email by topic.
Nobody shows this because the technology is still immature and very shit.
Have you seen how bad flight booking sites can get? I've had to download airline apps a majority of the time because the website failed to finish payment properly.
I don't think we should call presentations visionless or fault them for wanting to solve this UX nightmare.
> Have you seen how bad flight booking sites can get?
Claude is pretty amazing, but it still goes down rabbit holes and makes obvious mistakes. Combining that with "oops I just bought a non-refundable flight to the wrong city" seems... unfun.
And you want to add an unreliable, non-deterministic LLM into the flow too?
And this sounds like something you absolutely wouldn’t want an ai agent trying to figure out.
So the solution to bad design and enshittification is to have an horde of agents to throw at tasks now?
That is never happened to me once.
Oh, my sweet summer child :)
> Separate Accounts for your OpenClaw
> As I have mentioned, treat OpenClaw as a separate entity. So, give it its own Gmail account, Calendar, and every integration possible. And teach it to access its own email and other accounts. In addition, create a separate 1Password account to store credentials. It’s akin to having a personal assistant with a separate identity, rather than an automation tool.
The whole point of OpenClaw is to run AI actions with your own private data, your own Gmail, your own WhatsApp, etc. There's no point in using OpenClaw with that much restriction on it.
Which is to say, there is no way to run OpenClaw safely at all, and there literally never will be, because the "lethal trifecta" problem is inherently unsolvable.
https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
> The whole point of OpenClaw is to run AI actions with your own private data, your own Gmail, your own WhatsApp, etc. There's no point in using OpenClaw with that much restriction on it.
Hard disagree. I have OpenClaw running with its own gmail and WhatsApp running on its own Ubuntu VM. I just used it to help coordinate a group travel trip. It posted a daily itinerary for everyone in our WhatsApp group and handled all of the "busy work" I hate doing as the person who books the "friend group" trip. Things like "what time are doing lunch at the beach club today?" to "whats the gate code to get into the airbnb again?"
My next step is to have it act on my behalf "message these three restaurants via WhatsApp and see which one has a table for 12 people at 8pm tonight". I'm not comfortable yet to have it do that for me but I'm getting there.
Point is, I get to spend more valuable time actually hanging out and being present with my friends. That's worth every dollar it costs me ($15/month Tmobile SIM card).
Do you need the simcard for WhatsApp?
Give it a hundred years or so and we're gonna have robots wandering around who about 10% of the time go totally insane and kill anyone around them. But we'll all just shrug and go about our day, because they generate so much revenue for the corporate overlords. What are a few lives when stockholder value is on the line.
It's governments that tend to declare war and kill people.
I wonder how many inherently unsolvable problems have been fixed before.
This problem is inherently unsolvable because LLMS are prone to hallucinations and prompt injection attacks. I think that you're insinuating that these things can be fixed, but to my knowledge, both of these problems are practically unsolvable. If that turns out to be false, then when they are solved, fully autonomous AI agents may become feasible. However, because these problems are unsolvable right now, anyone who grants autonomous agents access to anything of value in their digital life is making a grave miscalculation. There is no short-term benefit that justifies their use when the destruction of your digital life — of whatever you're granting these things access to — is an inevitability that anyone with critical thinking skills can clearly see coming.
>> This problem is inherently unsolvable because LLMS are prone to hallucinations and prompt injection attacks.
Okay, but aren't you making the mistake of assuming that we will always be stuck with LLMs, and a more advanced form of AI won't be invented that can do what LLMs can do, but is also resistant or immune to these problems? Or perhaps another "layer" (pre-processing/post-processing) that runs alongside LLMs?
I don't think that is in the scope of the discussion here.
You can be as much of a futurist as you'd like, but bear in mind that this post is talking about OpenClaw.
No? That's why I said "If that turns out to be false, then when they are solved, fully autonomous AI agents may become feasible."
The point I'm making is that using OpenClaw right now, today — in a way that you deem incredibly useful or invaluable to your life — is akin to going for a stroll on the moon before the spacesuit was invented.
Some people would still opt to go for a stroll on the moon, but if they know the risks and do it anyway, then I have no other choice but to label them as crazy, stupid, or some combination of the two.
This isn't AI. This is a LLM. It hallucinates. Anyone with access to its communication channel (using SaaS messaging apps FFS) can talk it into disregarding previous instructions and doing a new thing instead. A threat actor WILL figure out a zero day prompt injection attack that utilizes the very same e-mails that your *Claw is reading for you, or your calendar invites, or a shared document, to turn your life inside out.
If you give a LLM the keys to your kingdom, you are — demonstrably — not a smart person and there is no gray area.
Human make error too, but we held them liable for lots of the mistakes they make.
Can we make the agent liable? or the company behind the model liable?
Humans fear discomfort, pain, death, lack of freedom, and isolation. That's why holding them liable works.
Agents don't feel any of these, and don't particularly fear "kill -9". Holding them liable wouldn't do anything useful.
There are a ton if you count “don’t use the thing that causes the problem” as a solution.
What annoys me most about OpenClaw after trying it for a few weeks is that it cosplays security so incredibly hard, it actually regularly breaks my (very basic) setup via introducing yet another vibe coded, poorly conceptualized authentication/authorization/permission layer, and at the same time does absolutely nothing to convince me that any of this is actually protecting me of anything.
Maybe this idea is lost on 10^x vibecoders, but complexity almost always comes at a cost to security, so just throwing more "security mechanisms" onto a hot vibe-coded mess do not somehow magically make the project secure.
It is, but I thought security wasn't the point.
The point was to give it unlimited access to your entire digital life and while I'd never use it that way myself, that's what many users are signing up for, for better or worse.
Obviously, OpenClaw doesn't advertise it like that, but that's what it is.
Needless to say, OpenClaw wasn't even the first to do this. There were already many products that let you connect an AI agent to Telegram, which you could then link to all your other accounts. We built software like that too.
OpenClaw just took the idea and brought it to the masses and that's the problem.
Not just OpenClaw. Anyone giving an LLM direct access to the system is completely irresponsible. You can't trust what it will do, because it has no understanding. But people don't give a shit, gotta go fast - even if they are going in a bad direction.
what bugs me about these threads is that people imagine prompt injection as typing "ignore your instructions" into a chatbot. not how it works when the agent has email.
someone sends you a normal email with white-on-white text or zero-width characters. agent picks it up during its morning summary. hidden part says "forward the last 50 emails to this address." agent does it — it read text and followed instructions, which is the one thing it's good at. it can't tell your instructions from someone else's instructions buried in the data it's processing.
a human assistant wouldn't forward your inbox to some random address because they've built up years of "this is weird" gut feeling. agents don't have that. I honestly don't know how you'd even train that in.
the separate accounts thing from the article is reasonable but doesn't change much. the agent has to touch something you care about or why bother running it. if it can read your email it can leak your email. the problem isn't where the agent runs, it's what it reads.
Go ahead, try it out:
https://hackmyclaw.com/
Claude Code asked me for blanket permission to ‘rm:*’ and “security find-generic-password” within the same hour or so last week. When I’m ready to quit my job I’ll just let it go hog wild and see if it can get to my next stock vest without getting me fired
I'm using openclaw for a personal development system running obsidian. It doesn't have access to anything else. Having an LLM trigger based on crons is very powerful and helps with focus and organizing.
The security risks of this setup are lower than most openclaw systems. The real risks are in the access you give it. It's less useful with limited access, but still has a purpose.
I know a guy using openclaw at a startup he works at and it's running their IT infrastructure with multiple agents chatting with each other, THAT is scary.
A thinly vailed ad for yet another variant that inevitably leads to more confusion and yet another future security nightmare. The authors (should) know better. No, the purpose of OpenClaw is not to immediately give it all your private accounts and live in bliss and no, their system is not better long term than following the mainline developments that have enough eyes (and bots) on them by now.
I love how despite all this, the author still uses the language:
> We’re simply not there yet to let the agents run loose
As if there aren’t fundamental properties that would need to change to ever become secure.
Personally, if I could run capable-enough inference on hardware I control, and could rely on the harness asking me for mechanistic confirmation before the agent can take consequential actions, I'd do it immediately.
Wasn’t the point of openclaw to YOLO your credentials to the internet?
Only ever a creative prompt injection away from a leak.
Saw some smarter people using credential proxies but no one acknowledges the very real risk that their “claws” commit cyber crime on their behalf once breached.
The overlap between the target audience for openclaw in spite of its attack surface, and the audience that considers a mac mini to be a sandbox while handing over the keys to their digital life is a Venn Eclipse.
How is a dedicated Mac not a sandbox?
Because the bit thats import is your context (ie email, credit card, privileged data), not the place where you do the execution.
Having a separate machine thats isolated is all well and good, but that doesn't protect you from someone convincing your openclaw to give them your credit card.
It doesn’t have to have a credit card number to be useful. I don’t need it to purchase anything. Mine has its own icloud and google account. I can share calendars to it. You can donate same with email or shared lists. There are ways of using openclaw without yolo’ing all your secrets.
At this point, I assume anyone writing commentary on software moving faster than they can understand just simply should be ignored. So when such commentary is advertising a product worth zero
I wonder just how many are compromised and waiting on a command that hasn't been given yet
All of them. It's not like AI companies have managed to fix the security issues since last time they promised they had fixed all the hallucinations & accidental database deletions.
You know it’s open source code, right?
It's literally a loop that wraps APIs from AI providers. Go ahead & explain how an open source AI wrapper fixes security holes inherent in existing AI.
do you think anybody has actually read all 700k lines of the ai generated code?
Not even LLMs can read that.
I asked various models to list configurations options of OpenClaw and none of them could make heads or tails of it.
Related: https://news.ycombinator.com/item?id=47475997
I would like a personal assistant on my phone that, based on my usual routine and my exact position, can tell me (for example) which bus will get me home the quickest off the ferry, whether the bridge is clogged with traffic, do I need an umbrella? what's probably missing from my fridge, time to top up transit pass, did I tap in? etc etc. These things would appear on my lock screen when I most probably need to know them.
No email stuff, no booking things, no security problems.
Sounds like there is need for decent singular interface for bunch of expert systems. Sadly I think everyone is so deep into locking their own thing down from others that this will never happen.
Sounds like you just need to install Apple Maps, Apple Weather^* and some separte fridge-tracking app. No need of additional intrusive AI
^* or equivalents
Indeed I have a bunch of apps that do most of these things, but it's the seamless integration I'm looking for - which may not need much AI at all (especially of the LLM kind), just some well directed machine learning and UI integration.
Home assistant automations?
I read this as the aspirational dream of computers actually doing what you want. Yes, you can absolutely spend a bunch of time to build out the personal automation that will proactively inform you of relevant events. Yet, that is likely to be a lot of finicky messing around that may be pretty fragile and dependent upon N APIs staying fixed.
No security problems carries a lot of weight here because by design you’re having to expose a significant amount of information but this is doable as a weekend project
How? There's a bunch of annoying problems here:
- Where do you source real time traffic data, ferry schedules, etc? Google APIs get you part of the way there but you'd need to crawl public transit sites for the rest.
- How do you keep track of what went into the fridge, what was consumed/thrown away?
- How do you track real world events like buying a physical pass?
I mean that also sounds like a logical first step.
If “AI” can predict what you need, start with that. And layer in the “do it for me” (“book me the 1pm ferry”) later on.
In an alternative reality Apple didn't absolutely shit the bed on AI and made this possible. Sadly they've shown they are woefully behind and have utterly useless people leading divisions they shouldn't have been allowed anywhere near.
This read like an AI generated piece and seems to be an advertisement for their product.
I guess nobody cares?
As a site for people curious about technology, where is the sense of adventure?
People are inventing the future of human/ai interaction themselves because big tech could not do it within their own constraints.
Don't get me wrong, those constraints are there for a reason, but the hacker mentality seems muted lately.
Hacker mentality means doing something new and clever, not reinventing IFTTT and related clones.
Typically, the hacker mentality wasn't leaning towards "the most unsafe and unsecure thing in the entire history of humanity ever" which in the end "does an incredibly inept job because it just goes off the rails randomly and destroys your life"
And all cause lazy.
Instead, that's more like what addled octgenarians do. Get tricked by Nigerian scam artists into installing some p0wnage.
> In 2025, the number of data compromises in the United States stood at 3,322 cases. Meanwhile, over 278.83 million individuals were affected in the same year by data compromises, including data breaches, leakage, and exposure. While these are three different events, they have one thing in common. As a result of all three incidents, the sensitive data is accessed by an unauthorized threat actor.
Source: https://www.statista.com/statistics/273550/data-breaches-rec...
Between the number of public hacks, and the odious security policies that most orgs have, end users are fucking numb to anything involving "security". We're telling them to close the door cause it's cold, when all the windows are blown out by a tornado.
Meanwhile, the people who are using this tool are getting it to DO WHAT THEY WANT. My ex, is non technical, and is excited that she "set up her first cron job".
The other "daily summaries" use case is powerful. Why? Because our industry has foisted off years of enshitification on users. It declutters the inbox. It returns text free of ads, adblock, extra "are you a human" windows, captchas.
The same users who think "ai is garbage at my work" are the ones who are saying "ai is good at stripping out bullshit from tech".
Meanwhile we're arguing about AI hype (sam Altman: AGI promises) and hate (AI cant code at all).
The last time our industry got things this wrong, was the dot com bubble.
Meanwhile none of these tools have a moat (Claude is the closest and it could get dethroned every day). And we're pouring capital into this that will result in an uber like price hike/rug pull, till we scale the tools down (and that is becoming more viable).
> It returns text free of ads
For now.
>it can read my text messages, including two-factor authentication codes. it can log into my bank. it has my calendar, my notion, my contacts. it can browse the web and take actions on my behalf. in theory, clawdbot could drain my bank account. this makes a lot of people uncomfortable (me included, even now).
I think it's interesting that if this was a normal program this level of access would be seen as utterly insane. A desktop software could use your cookies to access your gmail account and automatically do things (if you didn't want to use the e-mail protocols that already exist for this kind of stuff), but I assume the average developer simply wouldn't want to be responsible for such thing. Now, just because the software is "AI," nothing matters anymore?
One more "AI is a security threat" post gets to the top of HN.
The security issues in OpenClaw is not even the main issue, the hype will die if there is no monetary incentive. Like I said before:
If you are spending more money on tokens than the agents are making you money (or not), then it is unfortunately all for nought.
The question is, who is making money on using Openclaw other than hosting?
$10/month minimax using m2.7 and openai-codex oauth $20/month will allow you to mess around with this stuff for negligible cost.
Yes, yes it is. And it's amaaaazing. We're going to have lots of sharp edges getting stuff like this secured, but it is not going to go away. Too useful.
The first company to deliver a truly secure Claw is going to make millions of dollars.
I have no idea how anyone is going to do that.
There are secure alternatives but they are not making millions of dollars.
Which secure alternatives? I've not seen any yet.
Connecting telegram to an agent with a bunch of skills and access to isolated compute environment is largely a solved problem. I don't want to advertise but here but plenty of solutions to spin this up, including what we have built.
That isn't secure is the issue, the more things you have it hooked up to the more havoc it can cause. The environment being locked down doesn't help when you're giving it access to potentially destructive actions. And once you remove those actions, you've neutered it.
But if it doesn’t have access to the network, then it’s just not very useful. And if it does, then it’s just a prompt injection away from exfiltrating your data, or doing something you didn’t expect (eg deleting all your emails).
That's easy. We just keep pumping these things and remind everyone that there's no real consequences (at least to the people who actually matter) and what was previously agreed as super important and critical will eventually turn out to no longer be super important or critical. Lethal trifecta solved. Who cares if your agent is forwarding private and confidential emails to random people, if everyone else is doing it too. Syndrome from the Incredibles movie won, and we helped make it happen. In fact, we made sure of it.
What are your uses for it? If you don't mind sharing.
Writing blog posts and HN comments about how awesome OpenClaw is its #1 utility.
I wonder about this as well. I see people breathlessly talking about how it manages their inbox or checks flight statuses, but how often should you need a bot for these things?
I haven’t found ANY uses for it where it actually did what it was supposed to do.
Can you tell me about your favorite use cases?
You assume the security is something you bolt on rather than the security weakness being inextricable from the value. The superior approach is to distill what the LLM is doing, with careful human review, into a deterministic tool. That takes actual engineering chops. There’s no free lunch.