Hacker News: feigewalnuss

New comment by feigewalnuss in "OpenClaw isn't fooling me. I remember MS-DOS"

feigewalnuss — Tue, 21 Apr 2026 04:28:30 +0000

Right, we have to see credentials and personal data as different problems. Wirken addresses the first directly and only partially the second. Session scoping keeps injection damage inside one channel's scope so a poisoned email cannot reach into your Telegram credentials. The model still reads the email content during that session, and any prompt injection in that content can still act within what just that session can reach.

The layer that addresses content-level flow is information-flow enforcement above identity. TriOnyx (https://github.com/tri-onyx/tri-onyx) looks at that exact problem: taint and sensitivity tracking, gateway kills on threshold breach.

It complements Wirken. You need identity before you can meaningfully ask what agent A has been exposed to.

On the agent-gets-its-own-machine approach, that is fine as a blast-radius strategy and I have no quarrel with it. It trades isolation between channels for isolation between the agent and the host. If you only have one channel and disposable keys, it works. It stops working as soon as the agent holds something you cannot cheaply rotate, which for most people ends up being their messaging identities.

New comment by feigewalnuss in "OpenClaw isn't fooling me. I remember MS-DOS"

feigewalnuss — Mon, 20 Apr 2026 14:38:36 +0000

Disclosure: I wrote the linked post.

The "gave it my Gmail password" problem has a better answer than "don't do that." Security kicks itself out of the room when it only says no. Reserve the no for the worst days. The rest of the time, ship a better way.

That's why I built the platform to make credential leaks hard. It takes more than a single prompt. The credential vault is encrypted. Typed secret wrappers prevent accidental logging and serialization. Per-channel process isolation means a compromise in one adapter does not hand an attacker live sessions in the others.

"Don't do that" fails even for users trying their hardest. Good engineering makes mistakes hard and the right answer easy. Architecture carries the weight so the user does not have to.

On the trifecta being "sorta-kinda solved" by newer models, no. Model mitigations are a layer, not a substitute. Prompt injection has the shape of a confused-deputy problem and the answer to confused deputies has always been capabilities and isolation, not asking the already confused deputy to try harder.

You want the injection to fail EVEN when the model does not catch it.

New comment by feigewalnuss in "OpenClaw isn't fooling me. I remember MS-DOS"

feigewalnuss — Mon, 20 Apr 2026 14:29:52 +0000

Disclosure: I wrote the linked post.

Heartbeat cron and naive memory are the right thread to pull. Agree.

The problem is the data/trust boundary. One agent process, one credential store, all channels sharing both. Whenever we scale the memory up, which we all want to do, we scale the disaster radius of every prompt injection with it.

Wirken accounted for this in the first design step. Per-channel process isolation. Handshakes between adapters and the core. Compile-time type constraints so a Discord adapter cannot construct a Telegram session handle. Encrypted credential vault. Hash-chained audit log of every action. All, remaining model-agnostic, so local models and confidential-compute providers are drop-in.

Your memory point is still unsolved at this layer. When memory does get solved, you want the solver running where it cannot leak the wrong credentials to the wrong channel. Otherwise the smarter it gets, the worse the breach.

OpenClaw isn't fooling me. I remember MS-DOS

feigewalnuss — Mon, 20 Apr 2026 07:49:48 +0000

Article URL: https://www.flyingpenguin.com/build-an-openclaw-free-secure-always-on-local-ai-agent/

Comments URL: https://news.ycombinator.com/item?id=47831437

Points: 307

# Comments: 331