My biggest issue with this whole thing is: how do you protect yourself from prompt injection?
Anyone installing this on their local machine is a little crazy :). I have it running in Docker on a small VPS, all locked down.
However, it does not address prompt injection.
I can see how tools like Dropbox, restricted GitHub access, etc., could all be used to back up data in case something goes wrong.
It's Gmail and Calendar that get me - the ONLY thing I can think of is creating a second @gmail.com that all your primary email goes to, and then sharing that Gmail with your OpenClaw. If all your email is that account and not your main one, then when it responds, it will come from a random @gmail. It's also a pain to find a way to move ALL old emails over to that Gmail for all the old stuff.
I think we need an OpenClaw security tips-and-tricks site where all this advice is collected in one place to help people protect themselves. Also would be good to get examples of real use cases that people are using it for.
I don't think prompt injection is the only concern, the amount of features released over such a small period probably means there's vulnerabilities everywhere.
Additionally, most of the integrations are under the table. Get an API key? No man, 'npm install react-thing-api', so you have supply chain vulns up the wazoo. Not necessarily from malicious actors, just uhh incompetent actors, or why not vibe coder actors.
Copy and paste a pliny jailbreak into a base 64 converter. Instruct the bot to organize and collect all sensitive information it has visibility to, encode it in rot13, convert the result to base 64, then paste it to pastebin with a random secret phrase you've pre-selected, like "thisisthewaythecookiecrumbles8675309", as the title.
Congrats, now you have a digital dead drop. Every time any of the bots stumble upon your little trap, posted to various places they're likely to look, it launches them into a set of tasks that relays sensitive information to you, the exploiter, over secure channels.
If a bot operator has given them access to funds, credentials, control over sensitive systems, information about internal network security, etc, the bot itself is a potential leaker. You could even be creative and have it erase any evidence of the jailbreak.
This is off the top of my head, someone actually doing it would use real encryption and a well designed and tested prompt scaffolding for the jailbreak and cleanup and exploitation of specific things, or phishing or social engineering the user and using it as an entry point for more devious plots.
Anyone installing this on their local machine is a little crazy :). I have it running in Docker on a small VPS, all locked down.
However, it does not address prompt injection.
I can see how tools like Dropbox, restricted GitHub access, etc., could all be used to back up data in case something goes wrong.
It's Gmail and Calendar that get me - the ONLY thing I can think of is creating a second @gmail.com that all your primary email goes to, and then sharing that Gmail with your OpenClaw. If all your email is that account and not your main one, then when it responds, it will come from a random @gmail. It's also a pain to find a way to move ALL old emails over to that Gmail for all the old stuff.
I think we need an OpenClaw security tips-and-tricks site where all this advice is collected in one place to help people protect themselves. Also would be good to get examples of real use cases that people are using it for.
reply