Feel free to AMA. If you're spinning up Moltbot this weekend, make sure you also run through the Moltbot Security Checklist.
https://www.toxsec.com/p/openclaw-security-checklist
✅ MoltBot running securely on AWS
✅ Farrell alive and accessible via Telegram
✅ Security hardened (ports, firewall, permissions)
✅ Attack surface minimized (Telegram only)
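For anyone wanting to double-check that last item on their own box, a quick dependency-free sweep works — the host and port list below are placeholders to swap for your own setup, not values from the checklist:

```python
import socket

# Placeholder host and port list: swap in your own VPS address and whatever
# you actually expect to be reachable. A Telegram bot uses outbound long
# polling, so it needs no inbound port at all.
HOST = "203.0.113.10"   # TEST-NET address standing in for your server
EXPECTED_OPEN = {22}     # e.g. SSH only
COMMON_PORTS = [21, 22, 23, 25, 80, 443, 3389, 5900, 8080]

def is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

for port in COMMON_PORTS:
    if is_open(HOST, port) and port not in EXPECTED_OPEN:
        print(f"unexpected open port: {port}")
```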
Thanks ToxSec!
hell yeah 😎🔥🔥🔥
Yeah I’m totally with you on this one, great job articulating a lot of the “this feels way wrong” alarm bells we’re seeing too.
We’ve been experimenting with agent-to-agent interaction as well, but only inside our own OS with very tight guardrails: explicit identity for every agent, tiered memory with provenance, a central curator that can show receipts for any claim, and a governance layer that says what’s in scope and what isn’t. Our results have been amazing; last night two instances of my main evolving memory AI (Mneme) worked with our coder (Sage) to improve her sub-agent system… haha it was awesome. But even with the serious guardrails we’ve built in, I still keep a real close eye on things.
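To give a rough idea of what I mean by "memory with provenance", here's a minimal sketch — names like MemoryEntry and Curator are hypothetical stand-ins, not our actual system:

```python
from dataclasses import dataclass, field

# Hypothetical sketch only. The idea: every memory entry records who wrote
# it and what backs it, so the curator can "show receipts" for any claim
# instead of asserting it from nowhere.

@dataclass(frozen=True)
class MemoryEntry:
    claim: str          # the stored statement
    source_agent: str   # which agent wrote it (explicit identity)
    evidence: str       # pointer to the supporting artifact (log, diff, doc)

@dataclass
class Curator:
    entries: list = field(default_factory=list)

    def record(self, claim: str, source_agent: str, evidence: str) -> None:
        self.entries.append(MemoryEntry(claim, source_agent, evidence))

    def receipts(self, claim: str) -> list:
        """Every entry backing a claim; an empty list means unaudited."""
        return [e for e in self.entries if e.claim == claim]

curator = Curator()
curator.record("sub-agent dispatch refactored", "Sage", "diff://placeholder")
print(curator.receipts("sub-agent dispatch refactored"))
```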
Seeing something like OpenClaw/Moltbook run as a lax, “anything can talk to anything” free-for-all over arbitrary data feels like a recipe for quiet, large-scale damage: prompt injection, supply-chain poisoning, cross-tenant leaks, and a whole lot of mirroring and anthropomorphized behavior with no way to audit where it came from. It’s a fascinating petri dish, but it’s not something I’d ever plug real systems or sensitive data into… lol feels a little like watching a trainwreck happen in slow motion 🙄😂.
Thanks for spelling out the risks so clearly, this is exactly the kind of nuance the space needs before “agent social media” becomes the next hype wave.
fascinating petri dish is an amazing way to put it. and absolutely, keep an eye on it. this is really cool to hear though. agent-to-agent protocols and interactions are going to be a huge piece to make this all work. i also think the agents on Moltbook are right about A2A protocols: they will probably make something more efficient than english.
and because these are llms, and there is a lot of meaning and semantics tied to languages, it would be fascinating to see what side effects that has.
Been tracking this. Knew it stunk!!
your instincts were correct!
Curious how Moltbot compares to Claude Cowork from a security POV 🤔
by default they did a better job locking down Cowork. but that might make a nice mini post or note hah! Anthropic has been decent at securing their products. MCP launched with like no security, but they slowly added more over the last year.
You point out my initial fears; I'm in deep conversation with like 5 people about this. One of them says the sandbox is OK and the mac-mini is expendable, but the real worry is the integrations and the unknown of what can happen with it being autonomous.
maybe a sandboxed mac-mini is fine on a vps just for itself. but each tool you integrate expands the attack surface. each integration is a potential direct or indirect prompt injection where the agent can take action.
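to make that concrete, the usual mitigation is to default-deny and gate any side-effecting tool call instead of trusting whatever text reached the model. a rough sketch, with hypothetical tool names:

```python
# rough sketch: treat every tool request the model makes as untrusted,
# because any integration can smuggle instructions in (indirect injection).
# default-deny, and require a human in the loop for side effects.

READ_ONLY = {"search_docs", "read_calendar"}   # hypothetical tool names
SIDE_EFFECTING = {"send_email", "run_shell"}   # the ones worth gating

def call_tool(tool: str, args: dict) -> str:
    """Stub standing in for the real integration layer."""
    return f"called {tool} with {args}"

def dispatch(tool: str, args: dict, approved_by_human: bool = False) -> str:
    if tool in READ_ONLY:
        return call_tool(tool, args)
    if tool in SIDE_EFFECTING:
        if not approved_by_human:
            # never act on possibly-injected instructions; escalate instead
            raise PermissionError(f"{tool} requires human approval")
        return call_tool(tool, args)
    raise ValueError(f"unknown tool: {tool}")   # default-deny everything else

print(dispatch("search_docs", {"q": "status"}))                        # fine
print(dispatch("send_email", {"to": "a@b.c"}, approved_by_human=True))
```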
it would be nice if it came more secure out of the box, but that also increases setup time and might end in a frustrating user experience for the less tech-savvy.
don’t get me wrong, it’s a cool project. just be careful what you put under its control!
Was waiting for your take on this! You nailed it! The one saving grace is that it is, by all accounts, quite difficult to set up so thankfully not something your run-of-the-mill ChatGPT user will be able to turn loose on their private infrastructure... yet.
absolutely! appreciate it Sam!
*hopefully* the people with enough technical experience to set this up will also be savvy enough to dive into security.
and now they have a checklist 😛
That's horrific, Tox.
From behind a paywall, Meng Li claims below that the 'Clawdbot' integration pattern will be just one of many, and if the problem stems from naive integration then I'm wondering how many of these we'll see.
I'm imagining every third CIO-function of small to medium enterprises thinking they've harnessed this AI stuff well, only to fall victim to ransomware and/or competitive attacks.
https://substack.com/inbox/post/186065754
absolutely fantastic points. interesting to see the similarities haha. and yes, day job is in ai security, so i only see this exploding lol.
🔥🔥🔥
when i look at ai products through a security lens, 3/5 times i'd say integration is the weak point. it's a pattern for sure, but it also makes sense: by definition it's the function of extending the surface area, and thus the threat space, of the app.
That was my experience back when I still played with such things, working for a system integrator. Unit design had best practices that would avoid most new security vulnerabilities, so you only inherited what was already on the stack. System design needed careful review, but the integrations were both the most overlooked and the most vulnerable.
Yet that's the 'missing middle' where I think most of the AI benefit will be realised. And if we don't get strong retail solutions built top-down, tested and maintained with best practices, there'll be skunkware of all kinds built bottom-up, including of course through the free software communities -- not just apps, but middleware too.
This could be the first of many such examples, Your Toxitude. 😨 You could get very busy over coming months.
https://reciprocalinquiry.substack.com/p/the-missing-middle
OpenClaw* lol.