OpenClaw isn't fooling me. I remember MS-DOS


Article

TL;DR: Blog argues OpenClaw’s security model is as primitive as MS-DOS — sandboxing the agent isn’t enough.

Key Takeaways

  • Wrapping the whole agent in Docker doesn’t prevent credential access before exfiltration
  • Correct fix: per-tool permission enforcement at the tool layer, not a sandbox around everything
  • Prompt injection + internet access = data exfiltration regardless of network namespace isolation
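
The tool-layer enforcement named in the second takeaway, sketched as an added example (not code from the blog post or from OpenClaw). The tool names, granted root, allowlisted host and sample calls are all constructed assumptions.

```python
from pathlib import Path
from urllib.parse import urlsplit

class ToolDenied(Exception):
    """A tool call fell outside that tool's own grant."""

# Hypothetical per-tool grants: each tool gets only what it needs.
READ_ROOTS = [Path("/workspace/project")]
HTTP_HOSTS = {"api.example.com"}

def check_read_file(args):
    # Resolve first so ../ and symlinks cannot escape the granted root.
    target = Path(args["path"]).resolve()
    if not any(target.is_relative_to(r.resolve()) for r in READ_ROOTS):
        raise ToolDenied(f"read_file: {target} is outside granted roots")

def check_http_get(args):
    host = urlsplit(args["url"]).hostname
    if host not in HTTP_HOSTS:
        raise ToolDenied(f"http_get: host {host!r} is not allowlisted")

CHECKS = {"read_file": check_read_file, "http_get": check_http_get}

def dispatch(tool, args, impls):
    """Gate every call the model requests; tools without a grant are denied."""
    if tool not in CHECKS or tool not in impls:
        raise ToolDenied(f"{tool}: no grant for this tool")
    CHECKS[tool](args)
    return impls[tool](**args)

def demo():
    # Constructed stand-ins for real tool implementations, so this runs offline.
    impls = {"read_file": lambda path: f"<contents of {path}>",
             "http_get": lambda url: f"<response from {url}>"}
    # Constructed calls, including ones an injected prompt could induce.
    calls = [
        ("read_file", {"path": "/workspace/project/README.md"}),
        ("read_file", {"path": "/workspace/project/../../home/user/.aws/credentials"}),
        ("http_get", {"url": "https://api.example.com/v1/status"}),
        ("http_get", {"url": "https://collector.invalid/upload"}),
        ("shell", {"cmd": "env"}),
    ]
    results = []
    for tool, args in calls:
        try:
            dispatch(tool, args, impls)
            results.append((tool, "allowed"))
        except ToolDenied:
            results.append((tool, "denied"))
    return results
```

The host check covers only the URL as requested, so a real HTTP tool behind this gate must also refuse redirects to hosts outside the allowlist.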

Discussion

  • MS-DOS comparison disputed: DOS lacked hardware rings, not just design discipline
  • Core security argument stood: sandbox-around-agent still allows credential reads before exfiltration
  • Contrarians: MS-DOS won commercially despite flaws — OpenClaw may too, for better or worse

Top comments:

  • [Havoc]: Internet access + local data access = prompt injection exfiltration regardless of sandbox
  • [pantulis]: Works as advertised but giving it credentials makes it a ticking security bomb
  • [jimmypk]: Real argument is ‘sandbox around agent’ vs ‘enforce at tool layer’ — not MS-DOS nostalgia
  • [raincole]: MS-DOS was a massive commercial success — security flaws didn’t stop world domination
