OpenClaw isn't fooling me. I remember MS-DOS

· ai security · Source ↗

Article

TL;DR

OpenClaw’s sandbox-the-whole-agent approach repeats MS-DOS’s architectural mistake of no per-tool permission isolation.

Key Takeaways

  • Author proposes tool-layer permission enforcement over process-level sandboxing for agent security
  • Even Docker-wrapped agents with credentials are vulnerable to prompt injection and exfiltration
  • MS-DOS won despite architectural flaws; pragmatic adoption may override security concerns again

Discussion

Top comments:

  • [pantulis]: Even Docker-wrapped OpenClaw is a security timebomb once credentials are stored inside it
  • [jimmypk]: Real argument is ‘sandbox around the whole agent’ vs ‘enforce at the tool layer’ — Unix principle
  • [tomasol]: Codegen must be separated from runtime; each AI task deployed as minimal-privilege app with approvals
  • [GMoromisato]: MS-DOS ultimately won despite being primitive; critics were left holding mainframe resumes

Discuss on HN