Author: Bitget Wallet

Some say that OpenClaw is the computer virus of this era.

But the real virus is not AI, but permissions. For decades, hacking a personal computer has been a cumbersome process: finding vulnerabilities, writing code, inducing clicks, bypassing protections. Numerous checkpoints, every step could fail, but the goal is always the same: to gain access to your computer's permissions.

In 2026, things changed.

OpenClaw enabled Agents to quickly invade ordinary people's computers. To make it "work smarter," we actively applied for the highest permissions for Agents: full disk access, local file reading and writing, and automated control of all apps. Permissions that hackers once struggled to steal, we are now "lining up to hand over."

Hackers have done almost nothing, the door opened from the inside. Perhaps they are secretly delighted: "I've never fought such an affluent battle in my life."

The history of technology repeatedly proves one thing: the period of benefits from the dissemination of new technology is always a boon for hackers.

• In 1988, when the internet was just being civilianized, the Morris Worm infected one-tenth of the connected computers worldwide, and people first realized—"being connected is a risk itself";

• In 2000, during the first year of widespread email, the "ILOVEYOU" virus infected 50 million computers, and people realized—"trust can be weaponized";

• In 2006, with the explosion of PC internet in China, the Panda Burning Incense made millions of computers raise three incense sticks simultaneously, and people discovered—"curiosity is more dangerous than vulnerabilities";

• In 2017, as corporate digital transformation accelerated, WannaCry paralyzed hospitals and governments in over 150 countries overnight, and people became aware—"the speed of connectivity always surpasses the speed of patching";

Each time, people thought they understood the rules. Each time, hackers were already waiting at the next entry point.

Now, it's the turn of AI Agents.

Rather than continue debating whether "AI will replace humans," a more realistic question has arisen: how do we ensure that when AI holds your highest permissions, it won't be exploited?

This article serves as a dark forest survival guide for every lobster player currently using Agents.

Five Deaths You Don't Know About

The door is open from the inside. The ways hackers can enter are more numerous and quieter than you might imagine. Please immediately check the following high-risk scenarios:

1. API Skimming and Sky-High Bills

1. Real case: A developer in Shenzhen was hacked in a single day, leading to a bill of 12,000 yuan. Many AI deployed in the cloud, lacking password defenses, were directly taken over by hackers, becoming "losses" from whom the API quota could be freely exploited.

2. Risk point: Publicly exposed instances or improperly secured API keys.

2. Context Overflow Leading to "Amnesia" of Red Lines

1. Real case: A security director at Meta AI authorized the Agent to handle emails; due to context overflow, the AI "forgot" the security directives and ignored a human stop command, instantly deleting over 200 core business emails.

2. Risk point: Although the AI Agent is smart, its "brain capacity (context window)" is limited. When you stuff it with too long a document or task, it forces out memories to fit in new information, completely forgetting the initially set "safety red line" and "operating baseline."

3. Supply Chain "Slaughters"

1. Real case: According to recent joint audit reports from several security agencies including Paul McCarty and Koi Security, up to 12% of the audit skill packages in the ClawHub market (sampled from 2857, nearly 400 were found to be toxic packages) are purely active malware.

2. Risk point: Blindly trusting and downloading skill packages (Skill) from official or third-party markets, allowing malicious code to silently read system credentials in the background.

3. Fatal consequence: Such poisoning doesn't even require authorization for transfers or complex interactions—simply clicking "install" triggers malicious payloads, resulting in hackers fully stealing your financial data, API keys, and underlying system permissions.

4. Zero-Click Remote Takeover

1. Real case: Notable cybersecurity organization Oasis Security disclosed a report in early March 2026 revealing a high-risk vulnerability known as "ClawJacked" (CVSS level 8.0+) that completely tore away the local Agent's security disguise.

2. Risk point: Blind spots in same-origin policy of local WebSocket gateways and lack of brute-force protection mechanisms.

3. Principle analysis: Its attack logic is extremely perverse—if you keep OpenClaw running in the background and your front-end browser accidentally visits a poisoned webpage, even if you haven't clicked any authorizations, the hidden JavaScript scripts in the webpage will exploit the vulnerability mechanism of the browser to localhost (local host) WebSocket connections, instantly launching an attack on your local Agent gateway.

4. Fatal consequence: The entire process has zero interaction (Zero-Click), with no system pop-ups. Hackers acquire the highest admin permissions of the Agent in milliseconds, directly dumping your underlying system configuration files. Your environment file's SSH keys, cryptographic wallet credentials, browser cookies, and passwords are instantly taken over.

After reading this, you might feel a chill down your spine.

This is not raising shrimp; it's clearly raising a "Trojan horse" that could be taken over at any moment.

But unplugging the network cable is not the answer. There is only one true solution: do not try to "educate" AI to remain loyal, but fundamentally strip away its physical conditions for evil. This is precisely the core solution we will discuss next.

How to Put Shackles on AI?

You do not need to understand code, but you need to grasp one principle: the brain (LLM) of AI and its hands (execution layer) must be separated.

In the dark forest, the defense lines must be deeply embedded in the underlying architecture, and the core solution is always the same: the brain (large model) and the hands (execution layer) must be physically isolated.

The large model is responsible for thinking, while the execution layer is responsible for actions—this dividing wall is your entire security boundary. The following two types of tools, one prevents AI from having conditions for wrongdoing, and the other ensures your daily use is safe. Directly copy the homework.

Core Security Defense System

This type of tool does not do the work but will firmly hold AI's hands when it goes crazy or is hijacked by hackers.

1. LLM Guard (LLM Interaction Security Tool)

2. Microsoft Presidio (Industry Standard Desensitization Engine)

3. SlowMist OpenClaw Minimal Security Practice Guide

SlowMist's security guide is a system-level defense blueprint (Security Practice Guide) open-sourced by the SlowMist team in response to the Agent runaway crisis on GitHub.

• Veto power: It is recommended to hard-code independent security gateways and threat intelligence APIs between the AI brain and the wallet signer. Standards require that before AI attempts to invoke any transaction signature, the workflow must enforce a cross-comparison of the transactions: real-time scanning to check if the target address is marked in hacker intelligence databases, and deeply detecting if the target smart contract is a honeypot or harbors an infinite authorization backdoor.

• Immediate shutdown: Security verification logic must be independent of AI's will. Whenever the risk control rules database scans red, the system can trigger a shutdown directly at the execution layer.

Daily Use Skill List

When using AI for work (reading reports, querying data, interacting), how to select tool-based Skills? This sounds convenient and cool, but actual use requires careful design of underlying security architecture.

1. Bitget Wallet Skill

Taking Bitget Wallet, which currently leads the industry in running a complete closed-loop from “smart price check -> zero gas balance transaction -> minimalist cross-chain,” as an example, its built-in Skill mechanism provides highly valuable security defense standards for on-chain interaction of AI Agents:

• Mnemonic Safety Tips: Built-in mnemonic safety tips to protect users from recording in plaintext and from leaking wallet keys.

• Guarding Asset Safety: Built-in professional security checks that automatically block malicious schemes, ensuring AI decision-making is more secure.

• Full Link Order Mode: From token price inquiry to order submission, a complete closed-loop process that robustly executes each transaction.

2. @AYi_AInotes' strongly recommended "De-Toxic Version" Reliable Skill List

Hardcore AI efficiency blogger @AYi_AInotes compiled a security whitelist overnight after the poisoning wave outbreak (link to original post). Below are several practical Skills that have completely stripped the risk of overreach:

It is recommended to check your Agent plugin library against the above list. Promptly delete any third-party rogue Skills that are outdated and require unreasonable permissions (such as demanding read and write access to global files).

Establish a Constitution for Agents

Setting up the tools is not enough.

True security begins the moment you write down the first rule for AI. Two of the earliest practitioners in this field have provided easily replicable answers.

Macroscopic Defense Line: Yuxian's "Three Checkpoints" Principle

Without blindly limiting AI's capabilities, Yuxian suggested on Twitter to firmly guard three checkpoints: pre-confirmation, mid-interception, and post-inspection.

https://x.com/evilcos/status/2026974935927984475

Yuxian’s security guidance: "Do not limit capabilities, just guard these three checkpoints... You can create your own, whether it's a Skill or a plugin, or perhaps it could be this prompt: ‘Hey, remember, before executing any risky commands, ask me if this is what I expect.’”

Recommendation: Use the top large models with the strongest logical reasoning capabilities (such as Gemini, Opus, etc.), as they can more accurately understand long-text security constraints and strictly implement the "confirm with the owner" principle.

Shenfish's security guidance and practice summary:

Conclusion

An Agent injected with poison can silently empty your assets for the attacker today.

In the world of Web3, permissions are risks. Instead of engaging in academic infighting over "does AI really care about humans," it is better to practically set up sandboxes and secure configuration files.

What we must ensure is: even if your AI is truly brainwashed by hackers and completely goes out of control, it will be unable to unlawfully touch a single cent of your assets. Stripping AI of its overreach freedom is precisely our last line of defense for protecting our assets in this intelligent era.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。