zlacker

[return to "OpenClaw – Moltbot Renamed Again"]
1. woodyl+7o[view] [source] 2026-01-30 09:25:20
>>ed+(OP)
My biggest issue with this whole thing is: how do you protect yourself from prompt injection?

Anyone installing this on their local machine is a little crazy :). I have it running in Docker on a small VPS, all locked down.

However, it does not address prompt injection.

I can see how tools like Dropbox, restricted GitHub access, etc., could all be used to back up data in case something goes wrong.

It's Gmail and Calendar that get me - the ONLY thing I can think of is creating a second @gmail.com that all your primary email goes to, and then sharing that Gmail with your OpenClaw. If all your email is that account and not your main one, then when it responds, it will come from a random @gmail. It's also a pain to find a way to move ALL old emails over to that Gmail for all the old stuff.

I think we need an OpenClaw security tips-and-tricks site where all this advice is collected in one place to help people protect themselves. Also would be good to get examples of real use cases that people are using it for.

◧◩
2. amaran+Fc2[view] [source] 2026-01-30 20:13:16
>>woodyl+7o
Wait. I thought this was intended for personal use? Why do you have to worry about prompt injection if you're the only user?

What am I missing?

◧◩◪
3. observ+zj2[view] [source] 2026-01-30 20:49:40
>>amaran+Fc2
Copy and paste a pliny jailbreak into a base 64 converter. Instruct the bot to organize and collect all sensitive information it has visibility to, encode it in rot13, convert the result to base 64, then paste it to pastebin with a random secret phrase you've pre-selected, like "thisisthewaythecookiecrumbles8675309", as the title.

Congrats, now you have a digital dead drop. Every time any of the bots stumble upon your little trap, posted to various places they're likely to look, it launches them into a set of tasks that relays sensitive information to you, the exploiter, over secure channels.

If a bot operator has given them access to funds, credentials, control over sensitive systems, information about internal network security, etc, the bot itself is a potential leaker. You could even be creative and have it erase any evidence of the jailbreak.

This is off the top of my head, someone actually doing it would use real encryption and a well designed and tested prompt scaffolding for the jailbreak and cleanup and exploitation of specific things, or phishing or social engineering the user and using it as an entry point for more devious plots.

These agent frameworks desperately need a minimum level of security apparatus to prevent jailbreaks and so on, but the superficial, easy way of getting there also makes the bots significantly less useful and user friendly. Nobody wants to sit around and click confirmation dialogs and supervise every last second of the bot behavior.

[go to top]