> solved

Have you considered that it's unsolvable? Or - at least - there is an irreconcilable tension between capability and safety. And people will always choose the former if given the choice.

reply
in a pure sense no, it's probably not solvable completely. But in a practical sense, yes, I think it's solvable enough to support broad use cases of significant value.

The most unsolvable part is prompt injection. For that you need full tracking of the trust level of content the agent is exposed to and a method of linking that to what actions it has accessible to it. I actually think this needs to be fully integrated to the sandboxing solution. Once an agent is "tainted" its sandbox should inherently shrink down to the radius where risk is balanced with value. For example, my fully trusted agent might have a balance of $1000 in my AWS account, while a tainted one might have that reduced to $50.

So another aspect of sandboxing is to make the security model dynamic.

reply
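The taint-driven, shrinking sandbox described in the comment above, written out as an added illustration that is not code from any commenter or project. It assumes three trust levels, a monotone taint rule (exposure to lower-trust content can only lower the session's trust, never raise it), and per-level capability sets and spend limits; the $1000 / $50 figures mirror the comment, the intermediate $200 tier and the capability sets are my own assumptions.

```python
"""Taint-aware dynamic sandbox policy for an agent session (constructed illustration)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Trust(IntEnum):
    """Trust level of content the agent has been exposed to; lower is worse."""
    UNTRUSTED = 0   # e.g. a fetched web page or third-party issue text
    INTERNAL = 1    # e.g. repository files from a reviewed branch
    OPERATOR = 2    # e.g. the operator's own instructions


# Spend limit (dollars) the sandbox grants at each taint level. Assumed values
# chosen to mirror the $1000 (trusted) / $50 (tainted) example in the thread.
SPEND_LIMIT_BY_TRUST = {Trust.OPERATOR: 1000, Trust.INTERNAL: 200, Trust.UNTRUSTED: 50}

# Capabilities that remain enabled at each trust level (assumed sets).
CAPABILITIES_BY_TRUST = {
    Trust.OPERATOR: {"read_fs", "write_fs", "cloud_spend", "network"},
    Trust.INTERNAL: {"read_fs", "write_fs", "cloud_spend"},
    Trust.UNTRUSTED: {"read_fs"},
}


@dataclass
class AgentSession:
    trust: Trust = Trust.OPERATOR
    spent: float = 0.0
    audit: list = field(default_factory=list)

    def ingest(self, source: str, source_trust: Trust) -> None:
        """Taint is monotone: reading lower-trust content lowers session trust; it never rises again."""
        if source_trust < self.trust:
            self.audit.append(f"taint: {self.trust.name} -> {source_trust.name} via {source}")
            self.trust = source_trust

    def spend_limit(self) -> int:
        return SPEND_LIMIT_BY_TRUST[self.trust]

    def allowed(self, capability: str) -> bool:
        return capability in CAPABILITIES_BY_TRUST[self.trust]

    def request_spend(self, amount: float, reason: str) -> bool:
        """Authorize cloud spend against the limit that applies at the current taint level."""
        if not self.allowed("cloud_spend") or self.spent + amount > self.spend_limit():
            self.audit.append(f"DENY spend ${amount:.2f} ({reason}) at {self.trust.name}")
            return False
        self.spent += amount
        self.audit.append(f"ALLOW spend ${amount:.2f} ({reason}) at {self.trust.name}")
        return True


def demo() -> dict:
    """Constructed session: trusted spend succeeds, post-taint spend is refused."""
    s = AgentSession()
    s.ingest("operator prompt", Trust.OPERATOR)
    first = s.request_spend(300, "launch build runner")        # allowed: limit is 1000
    s.ingest("README from cloned third-party repo", Trust.UNTRUSTED)
    second = s.request_spend(300, "launch 50 more runners")    # denied: limit is now 50
    s.ingest("operator prompt", Trust.OPERATOR)                 # later trusted input does not un-taint
    return {"first": first, "second": second, "trust": s.trust.name,
            "limit": s.spend_limit(), "audit": s.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The policy check lives outside the model: the agent asks for a capability and the session answers from its taint state, so nothing the injected text says to the model can raise the limit back. Whether the taint is ever reset is a deliberate design decision (here it is not), which is the "dynamic security model" point made above.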
I don't know about solved, but I've seen some interesting ideas for making it safer, so I think it could be improved.

One idea is to have the coding agent write a security policy in plan mode before reading any untrusted files:

https://dystopiabreaker.xyz/fsm-prompt-injection

reply
File-level sandboxing is table stakes at this point — the harder problem is credentials and network. An agent inside sandbox-exec still has your AWS keys, GitHub token, whatever's in the environment. I've been running a setup where a local daemon issues scoped short-lived JWTs to agent processes instead of passing raw credentials through, so a confused agent can't escalate beyond what you explicitly granted. Works well for API access. But like you said, nothing at the filesystem level stops an agent from spinning up 50 EC2 instances on your account.
reply
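The "local daemon issues scoped short-lived tokens instead of handing over raw credentials" pattern from the comment above, as an added example that is not the commenter's code. It assumes a broker process that alone holds the signing key, mints HS256-style JWT-shaped tokens with an explicit scope list and expiry, and is also the party that authorizes each call; the scope names are constructed placeholders. The token encoding is hand-rolled here only to keep the example dependency-free; a real broker would use a vetted JWT library.

```python
"""Credential broker: scoped, short-lived tokens for agent processes (constructed illustration)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class CredentialBroker:
    """Holds the signing key; agents only ever see scoped tokens, never the raw credential."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 300):
        self._key = signing_key
        self._ttl = ttl_seconds

    def mint(self, agent_id: str, scopes: set[str], now: float | None = None) -> str:
        now = time.time() if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": agent_id, "scope": sorted(scopes),
                   "iat": int(now), "exp": int(now) + self._ttl}
        signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                         + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
        sig = hmac.new(self._key, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"

    def authorize(self, token: str, required_scope: str, now: float | None = None) -> tuple[bool, str]:
        """Verify signature first, then expiry, then that the requested scope was actually granted."""
        now = time.time() if now is None else now
        try:
            h, p, s = token.split(".")
        except ValueError:
            return False, "malformed"
        # The verifier always computes HMAC-SHA256 itself; it never trusts the header's alg field.
        expected = hmac.new(self._key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        payload = json.loads(_b64url_decode(p))
        if now >= payload["exp"]:
            return False, "expired"
        if required_scope not in payload["scope"]:
            return False, f"scope {required_scope} not granted"
        return True, "ok"


def demo() -> dict:
    """Constructed run: granted scope works; escalation, expiry and tampering are all refused."""
    broker = CredentialBroker(b"assumed-broker-only-key", ttl_seconds=300)
    t0 = 1_700_000_000.0
    token = broker.mint("agent-42", {"s3:GetObject", "github:read"}, now=t0)

    # Agent forges a broader scope by editing the payload without the key: signature no longer matches.
    h, p, s = token.split(".")
    forged_payload = json.loads(_b64url_decode(p))
    forged_payload["scope"].append("ec2:RunInstances")
    tampered = f"{h}.{_b64url(json.dumps(forged_payload, separators=(',', ':')).encode())}.{s}"

    return {
        "allowed": broker.authorize(token, "s3:GetObject", now=t0 + 10),
        "escalation": broker.authorize(token, "ec2:RunInstances", now=t0 + 10),
        "expired": broker.authorize(token, "s3:GetObject", now=t0 + 301),
        "tampered": broker.authorize(tampered, "ec2:RunInstances", now=t0 + 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

The point the comment makes is visible in the `escalation` case: a confused or injected agent holding this token cannot act outside the scopes the operator granted, and the `expired` case bounds how long a leaked token is useful. It does not, by itself, stop an agent from exhausting whatever the granted scope allows, which is why a spend or rate ceiling still belongs in the sandbox policy.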
> An agent inside sandbox-exec still has your AWS keys, GitHub token, whatever's in the environment.

That's not the case with Agent Safehouse - you can give your agent access to select ~/.dotfiles and env, but by default it gets nothing (outside of CWD)

reply
Completely agree. As soon as I had OpenClaw working, I realized actually giving it access to anything was a complete nonstarter after all of the stories about going off the rails due to context limitations [1]. I've been building a self-hosted open sourced tool to try to address this by using an LLM to police the activity of the agent. Having the inmates run the asylum (by having an LLM police the other LLM) seemed like an odd idea, but I've been surprised how effective it's been. You can check it out here if you're curious: https://github.com/clawvisor/clawvisor clawvisor.com

[1] https://www.tomshardware.com/tech-industry/artificial-intell...

reply
Every post from this two-day-old account starts with about 8 words and then an em-dash. And it happens to self-identify a startup building infra for OpenClaw.
reply