You could easily make human approval workflows for this stuff, where humans need to take any interesting action at the recommendation of the bot.
I do tend to think this risk is somewhat mitigated if you have a whitelist of allowed domains that the claw can make HTTP requests to. But I haven't seen many people doing this.
From my limited understanding it seems like writing a little MCP server that defines domains and abilities might work as an additive filter.
I'd also point out this is a place where 2FA/MFA might be super helpful. Your phone or whatever is already going to alert you. There's a little bit of a challenge in being confident your bot isn't being tricked, in ascertaining even if the bot tells you that it really is safe to approve. But it's still a deliberation layer to go through. Our valuable things do often have these additional layers of defense to go through that would require somewhat more advanced systems to bot through, that I don't think are common at all.
Overall I think the will here to reject & deny, the fear, uncertainty and doubt, is both valid and true, but that people are trying way way way too hard, and it saddens me to see such a strong manifestation of fear. I realize the techies know enough to be horrified strongly by it all, but also, I really want us to be an excited, forward-looking group, that is interested in tackling challenges, rather than being interested only in critiques & teardowns. This feels like an incredible adventure & I wish to encourage everyone.
You can take whatever risks you feel are acceptable for your personal usage - probably nobody cares enough to target an effective prompt-injection attack against you. But corporations? I would bet a large sum of money that within the next few years we will be hearing multiple stories about data breaches caused by this exact vulnerability, due to employees being lazy about limiting the claw's ability to browse the web.
1) don't give it access to your bank
2) if you do give it access don't give it direct access (have direct access blocked off and indirect access 2FA to something physical you control and the bot does not have access to)
---
agreed or not?
---
think of it like this -- if you gave a human power to drain your bank balance but put in no provision to stop them doing just that, would that personal advisor of yours be to blame or you?
By contrast with a claw, it's really you who performed the action and authorized it. The fact that it happened via claw is not particularly different from it happening via phone or via web browser. It's still you doing it. And so it's not really the bank's problem that you bought an expensive diamond necklace and had it shipped to Russia, and now regret doing so.
Imagine the alternative, where anyone who pays for something with a claw can demand their money back by claiming that their claw was tricked. No, sir, you were tricked.
These things are insecure. Simply having access to the information would be sufficient to enable an attacker to construct a social engineering attack against your bank, you or someone you trust.
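The domain allowlist raised earlier in the thread, as an added example (not code from any commenter or from a claw project): a default-deny check an agent's HTTP tool could run on every outbound URL and on every redirect hop. The allowlist entries, hostnames and function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: exact hosts, or "*.domain" for subdomains of it.
ALLOWLIST = {"api.example.com", "*.docs.example.org"}

def host_allowed(host, allowlist=ALLOWLIST):
    host = host.rstrip(".").lower()          # "host." and "host" are the same name
    if host in allowlist:
        return True
    # Wildcards match on a label boundary only, so "evildocs.example.org"
    # does not match "*.docs.example.org".
    labels = host.split(".")
    return any("*." + ".".join(labels[i:]) in allowlist
               for i in range(1, len(labels)))

def check_url(url, allowlist=ALLOWLIST):
    """Return (allowed, reason) for one outbound request URL."""
    try:
        parts = urlsplit(url)
        port = parts.port                    # raises ValueError on a bad port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme not https"
    # .hostname is what the client connects to; text before "@" is userinfo,
    # so "https://api.example.com@evil.test/" resolves to evil.test.
    host = parts.hostname
    if not host:
        return False, "no host"
    if port not in (None, 443):
        return False, "port not allowed"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal"           # names only, never raw addresses
    except ValueError:
        pass
    if not host_allowed(host, allowlist):
        return False, "host not on allowlist"
    return True, "ok"

def check_redirect_chain(urls, allowlist=ALLOWLIST):
    """Every hop must pass: an allowed first URL can redirect elsewhere."""
    for url in urls:
        ok, reason = check_url(url, allowlist)
        if not ok:
            return False, f"{url}: {reason}"
    return True, "ok"
```

For the redirect check to mean anything, the HTTP client has to have automatic redirect following turned off so each `Location` is checked before it is fetched.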