IronClaw’s security architecture sounds plausible, but I have not audited it. Plugins can only access remote endpoints you’ve specifically allowed it for. Secrets aren’t available to the LLM - they are injected where the LLM requires it but only secrets authorized for that plugin are available to it. Together those two things provide an answer to a huge range of the most common prompt injection vulnerabilities, such as credential extraction. So you can give it access to your bank account and email and it can’t email your bank password to an attacker. But it could still transfer money to them.
replyThe only secure way to use any of these tools is to give them very limited access - if they need a credit card give them a virtual card with a low limit, or even its own bank account. They can send email but only from their own account; like a human personal assistant. But of course this requires careful thought and adds friction to every new task, so people won’t be doing it.
Everything supports WA, Telegram, etc. I wish it wasn't so hard to hook up Signal to anything.
replyI'm using the signal-cli-rest-api but the whole setup feels kinda wonky.
Which would you say has the best cron and heartbeat implementation?
replyHaven't tried them in enough depth to compare.
replyNanobot's was not great (cron + a HEARTBEAT.md meant two ways to do things, which would confuse the AI). But because the implementation is so simple, I could improve it in a few minutes in my own fork!