Until it gets prompt injected. Are you reading every single file your agent reads as part of the tasks you give it, including content fetched from the web or third-party packages?
> for some reason they want it to live under your user account
The entire idea of Openclaw (i.e., the core point of what distinguishes it from agents like Claude Code) is to give it access to your personal data, so it can act as your assistant.
If you only need a coding agent, Openclaw is the completely wrong tool. (As a side note, after using it for a few weeks, I'm not convinced it's the right tool for anything, but that's a different story.)
Are you confident it would still work against sophisticated prompt injection attacks that override your "strongly worded message"?
Strongly worded signs can be great for safety (actual mechanisms preventing undesirable actions from being taken are still much better), but are essentially meaningless for security.
Not sure about OP’s impl, but the wording doesn’t matter. The hook prevents the use of whatever action you want. E.g., it’s impossible for Claude to use emojis for me. My hook doesn’t allow it.
So it’s deterministic based upon however the script is written.
I mean, that's like saying are you sure that your antivirus would prevent every possible virus? Are you sure that you haven't made some mistake in your dev box setup that would allow a hacker to compromise it? What if a thief broke into your house and stole your laptop? That's happened to me before, much more annoying to recover from than an accidental rm rf.
I do my best to keep off-site backups and don't worry about what I can't control.
> I mean, that's like saying are you sure that your antivirus would prevent every possible virus?
Yes, I'm saying it's pretty much as bad as antivirus software.
> Are you sure that you haven't made some mistake in your dev box setup that would allow a hacker to compromise it?
Different category of error: Heuristically derived deterministic protection vs. protection based on a stochastic process.
> much more annoying to recover from than an accidental rm rf.
My point is that it's a different category, not that one is on average worse than the other. You don't want your security to just stand against the median attacker.
> a custom implementation of "rm" that Anthropic can add guardrails to
Wrong layer. You want the deletion to actually be impossible from a privilege perspective, not be made practically harder to the entity that shouldn't delete something.
Not in unknown ways, but as part of its regular operation (with cloud inference)!
I think the actual data flow here is really hard to grasp for many users: Sandboxing helps with limiting the blast radius of the agent itself, but the agent itself is, from a data privacy perspective, best visualized as living inside the cloud and remote-operating your computer/sandbox, not as an entity that can be "jailed" and as such "prevented from running off with your data".
The inference provider gets the data the instant the agent looks at it to consider its next steps, even if the next step is to do nothing with it because it contains highly sensitive information.
I feel like key revocation is usually solved via key replacement in most secure instant messengers.
Every implementation that I know (which does not include SimpleX) offers some way to recover from complete key loss, at which point other parties receive a "the key for this contact has changed" notification, and that new key is then untrusted by default until verified out-of-band. (This does trust the server operators to not censor your re-registration, but that seems no different from most other centralized revocation mechanisms.)
Do you have a scenario in mind where this would not be sufficient?
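The key-replacement model described in the comment above, as an added sketch (not code from the thread or from any messenger): a client pins one identity key per contact, and a replaced key supersedes the old one but starts out untrusted until it is compared out of band. The class, method names and sample keys are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Pin:
    fingerprint: str
    verified: bool  # True only after an out-of-band comparison


class ContactKeyStore:
    """Hypothetical client-side store: one pinned identity key per contact."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        return hashlib.sha256(public_key).hexdigest()[:16]

    def observe(self, contact: str, public_key: bytes) -> str:
        """Record the key the server presents for a contact; return its state."""
        fp = self.fingerprint(public_key)
        pin = self._pins.get(contact)
        if pin is None:
            self._pins[contact] = Pin(fp, verified=False)
            return "first-use"
        if pin.fingerprint == fp:
            return "verified" if pin.verified else "unverified"
        # Key replaced: the old key is superseded, and any earlier
        # verification must not carry over to the new key.
        self._pins[contact] = Pin(fp, verified=False)
        return "key-changed"

    def verify_out_of_band(self, contact: str, fingerprint_from_peer: str) -> bool:
        """Mark the pinned key verified only if the peer's fingerprint matches."""
        pin = self._pins[contact]
        pin.verified = pin.fingerprint == fingerprint_from_peer
        return pin.verified

    def may_send_sensitive(self, contact: str) -> bool:
        pin = self._pins.get(contact)
        return bool(pin and pin.verified)


if __name__ == "__main__":
    store = ContactKeyStore()
    old, new = b"constructed-old-key", b"constructed-new-key"  # sample values
    print(store.observe("alice", old), store.observe("alice", new))
```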
I tried to figure out its identity model and failed, and I consider myself somewhat familiar with encrypted IM protocols. How should non-technical users ever figure this out?
And if they don't need to, and it just works as a regular encrypted messenger: Why should somebody use this over any of the many alternatives?
Other than that, its "advantages" page looks highly disingenuous, e.g. by describing Signal as "Possibility of MITM: Yes", but itself as "No - Secure", with a footnote of "Verify security code to mitigate attack on out-of-band channel". How is that different from verifying a Signal verification code!?
Move them to a dedicated status. “Never triaged”, “lost”, “won’t do”, what have you.
That way, you’re at least not deluding yourself about your own capacity to triage and fix problems, and can hopefully search for and reopen issues that are resurfaced.
> Whether it's wind, solar or hydro, an underappreciated property of renewable energy is the energy sovereignty they provide.
If your sovereign territory happens to support them geographically. This is true for many, but not all countries.
Also, without large storage capacity, you might end up being self-sufficient during sunny, windy days, but find yourself very dependent on your neighbor countries for imports on overcast days or at night without wind.
The combination of all of this is especially unfortunate for hydro, where you're pretty much fully dependent on the geography you've been handed.
So I'd say the self-sufficiency story of renewables doesn't fully hold. They benefit from regional cooperation and trade just as much as fossil fuels, if not more. (In my view, that's not really a counterargument, but it does raise the importance of having a well-integrated, cross-border grid even more.)
These 20% will still make you dependent on a foreign country.
For example Germany was dependent on Russian gas (before year 2022), which they later swapped for dependency on US LNG.
In addition, Germany is dependent on China for PV panels.
Panels aren't burned to make electricity. If literally everyone stops selling you panels (nearly impossible) you continue generating electricity the old way. Nothing bad happens. The panels you already have continue working.
Other countries make panels too. India has a glut right now.
You can't base the energy of a modern industrial country on purely solar panels alone, they don't produce any electricity in the night and have electric output reduced by weather. You always have to combine them with other power sources for backup.
So you admit then that using as much solar and wind and storage as possible reduces the need for imported gas. As such it should be a national priority.
It should be a national priority to use as much already installed solar and wind and storage as possible, when the operating costs are low. The big question is: where should the future investments be made, who will pay them? How much further investments in solar, wind and storage will decrease the need for gas? 2x, 10x, 100x of current yearly spending? Because gas is already very expensive in Europe, it's used precisely when renewables don't produce enough electric energy.
The German decision to phase out nuclear power was a very big and very costly mistake. The French almost made the same mistake.
> The German decision to phase out nuclear power was a very big and very costly mistake
It's time to stop talking about it. It's done. Unless the stopped plants can be restarted (which I'd support) this is completely useless. It doesn't mean anything.
> How much further investments in solar, wind and storage will decrease the need for gas?
The upper bound today (keep in mind battery tech gets cheaper all the time) it would cost $5tn to power Germany on batteries for 6 months. https://news.ycombinator.com/item?id=45446112
You don't need to run Germany on batteries for 6 months. Even 1 month is more than plenty.
> Germany was dependent on Russian gas (before year 2022), which they later swapped for dependency on US LNG. In addition, Germany is dependent on China for PV panels
There is merit to putting one's energy policy on autopilot by doing the opposite of whatever Berlin is up to.
but much less dependent. It's way easier to stockpile a big buffer supply of LNG if it's only 20% of your supply, for example. It's way easier to trim some 20% demand and still keep the country largely running, for example.
"much less dependent" is still a huge win. Sure 100% independent is better. Isn't this obvious? I don't understand the point.
If a kid lives on their own but their mom buys them groceries once per month and their dad swings by on Thursdays with pizza and beer, that kid's still pretty darn self sufficient.
Similarly, if a country can use 80% less oil or imported fuel than they would have without renewable energy, I think they're pretty self-sufficient. They don't have to be isolated from trade, it's okay to import some things and export others. Energy sources can be one of those things. But if they rely on energy imports, then when something disrupts their supply then they are in trouble. However if they get 80% of their energy from renewable sources, then they have significantly less of a problem.
They have significantly less of a problem with regards to their balance of trade, but any meaningful dependency on imports means that electricity prices will still be entirely dependent on the price of whatever is imported, at any point in time imports are happening. Still not great, and I wouldn't call that sovereignty!
Also, highly depending on what metric we mean by "80% self-sufficient" (peak capacity? long-time average?), there might either be a lot of work left, or this might be "effective sovereignty".
Losing 20% of your electricity supply is a calamity, not an annoyance. So unless you want the calamity, you're still dependent on imports.
Personally, I don't see an issue with that, as long as the neighboring countries you're importing from are reliable and will be able to supply at the times you need (i.e., they don't have the same possibly spiky import dependency as yourself). The other option is massive storage capacity.
I just don't think it makes sense to just equate renewables with automatic sovereignty.
Dunno about you, but losing 20% of my electricity supply is an annoyance. I just don't run the clothes dryer and hang my clothes on a rack instead.
(And yes, I have solar + battery, and have lost 100% of my outside electricity supply on a half dozen occasions since having it installed, and my actual response has been to not run the clothes dryer.)
That would be the situation in an integrated/"smart" grid. The grid could tell your washer/dryer to defer or worst case shed their load.
In the grid we have, where most people don't have batteries, nor a way to react to (or even perceive) network-side load shedding commands, you get rolling blackouts at best, and brownouts, damaged devices etc. at worst.
That's the point I'm making with my second paragraph. I'm not dependent on the grid. If we get into the situation you're describing, I just throw the main breaker (actually don't need to do that, the inverters switch over automatically) and my home generates its own electricity. It doesn't quite cover all my usage, but it covers all my usage except the clothes dryer, so I just don't run the clothes dryer.
It's true that there are tragedy-of-the-commons situations where not everybody has a battery, but it's also true that there are higher-level but subnational entities within the U.S. that have invested significantly in renewables + battery storage. This chart of where electricity comes from on a state-by-state level is illustrative:
California, Connecticut, DC, Idaho, Maine, Massachusetts, New Hampshire, New Jersey, New York, Oregon, Rhode Island, Vermont, Virginia, and Washington are > 95% renewables + natural gas, all of which is produced in North America. If it comes to the point where it's "keep the lights on or sever ties with fossil-fuel states", I'd bet that they choose the latter.
(Note that the table kinda refutes your point anyway: the only states that are > 1% dependent upon oil for electricity are Alaska and Hawaii. Other than natural gas, which is largely produced domestically [1], the other big fossil fuel source is coal, which is also produced domestically.)
If a country were in your individual position, I'd definitely call that self-sovereign, but I don't think that's what "80% self-sufficient" would actually look like. (I don't think that 20% of most countries' consumption is entirely discretionary, for one thing, whether measured by peak or average load.)
At >95%, it's probably a very different story. At that point, you basically turn off your aluminium smelter and you're good :) (And note how GP said "renewables", which gas isn't.)
And my point really isn't about oil specifically, it's about GP's "renewables increase sovereignty" thesis in general.
More countries are able to produce renewable energy than are able to produce fossil energy. As such, renewable energy provides more energy sovereignty than fossil fuels which is what matters. If it's 100% or not is mostly irrelevant for the decision making. If we're being rational.
Going for the worst possible option, only because the better options are not 100% perfect, is to be considered irrational behaviour.
> Going for the worst possible option, only because the better options are not 100% perfect, is to be considered irrational behaviour.
I guess I'm collecting all the downvotes because I didn't make it sufficiently clear that I'm absolutely in favor of switching to renewables as quickly as feasible. My point was not to stick with fossil fuels in the interest of "sovereignty" or anything like that. Especially massive solar deployment just seems like a no-brainer at this point.
But as we do that, I'd love to be realistic about new interdependencies and failure modes being introduced, so that they can be mitigated as we transform and build out our grids, not discovered in very painful incidents that "nobody could have seen coming".
Kind of sad to see how ideologically driven discussions around energy policy still are, and maybe always will be.
That's like saying without gas stations good luck getting gasoline to the people. It goes without saying that batteries are an essential part of most renewable solutions.
I'm still reading a lot about theoretical storage ideas, but much less than I'd like about massive deployments, so I think it doesn't quite go without saying.