深潮TechFlow
深潮TechFlow|Mar 11, 2026 13:51
Transformer paper author remakes lobster, bidding farewell to OpenClaw naked running vulnerability From | How many lobsters run naked on the Internet in qubit? The AI agent exposes your password and API key to the entire network. Transformer author Illia Polosukhin can't bear to watch it anymore. Refactored the secure version of the lobster from scratch: IronClaw. IronClaw is currently open sourced on GitHub, providing installation packages for macOS, Linux, and Windows, supporting local deployment and cloud hosting. The project is still in the rapid iteration stage, and the binary file of v0.15.0 version is now available for download. Polosukhin (hereinafter referred to as Pineapple Brother) is still posting on the Reddit forum to respond to everything, with a high level of attention. OpenClaw became popular, but it also caught fire. Pineapple himself was an early user of OpenClaw and claimed that this was the technology he had been waiting for 20 years. It has changed the way I interact with computation. However, the security situation of OpenClaw can be considered a disaster, with vulnerabilities such as one click remote code execution, prompt injection attacks, and malicious skills stealing passwords being exposed one by one in the OpenClaw ecosystem. More than 25000 public instances are exposed on the Internet without adequate security control, which is directly called "security dumpster fire" by security experts. The root of the problem lies in the architecture itself. When users hand over their Bearer Token email to OpenClaw, it will be directly sent to the LLM provider's server. Pineapple Brother pointed out on Reddit what this means: all of your information, even data that you have not explicitly authorized, may be accessed by any employee of the company. This also applies to your employer's data. It's not that these companies have malicious intent, but the reality is that users don't have real privacy. He said that no matter how much convenience there is, it is not worth risking the safety and privacy of himself and his family. 02 Using Rust to rebuild everything from scratch IronClaw is a complete rewrite of OpenClaw in Rust language. Rust's memory security features can fundamentally eliminate traditional vulnerabilities such as buffer overflow, which is crucial for systems that need to handle private keys and user credentials. In terms of security architecture, IronClaw has established four layers of defense in depth. The first layer is the memory security guarantee provided by Rust itself. The second layer is WASM sandbox isolation, where all third-party tools and AI generated code run in separate WebAssembly containers. Even if a tool is malicious, its scope of destruction is strictly limited within the sandbox. The third layer is the encrypted credential vault, where all API keys and passwords are stored using AES-256-GCM encryption. Each credential is bound to a policy rule that specifies it can only be used for a specific domain name. The fourth layer is Trusted Execution Environment (TEE), which utilizes hardware level isolation to protect data, and even cloud service providers cannot access users' sensitive information. The most crucial point in this design is that the large model itself will never have access to the original vouchers. Only when the intelligent agent needs to communicate with external services, credentials will be injected at the network boundary. Pineapple Brother gave an example, even if the large model is prompted to inject an attack and attempts to send the user's Google OAuth token to the attacker, the credential storage layer will directly reject the request, record logs, and issue alerts to the user. However, the developer community is still not at ease, as OpenClaw has over 2000 public instances under attack and contains a large number of malicious skills. Will IronClaw repeat the same mistakes once it becomes popular? Pineapple's response is that IronClaw's architecture design has fundamentally blocked the core vulnerabilities of OpenClaw. The credentials are always stored encrypted and never come into contact with LLM. Third party skills cannot execute scripts on the host and can only run inside the container. Even if accessed through CLI, the user's system keychain is required for decryption, and the obtained encryption key itself has no meaning. He also stated that as the core version stabilizes, the team plans to conduct red team testing and professional security reviews. Pineapple Brother provided a more detailed idea about the industry recognized challenge of prompt injection. Currently, IronClaw uses heuristic rules for pattern detection, and the future goal is to deploy a sustainable and updated small language classifier to identify injection patterns. But he also admitted that prompt injection may not only steal credentials, but also directly tamper with the user's code repository or send malicious messages through communication tools. Dealing with such attacks requires a more intelligent strategy system that can review the behavioral intentions of agents without viewing input content. "More work is needed, and community contributions are welcome. Someone asked about the trade-off between local deployment and cloud deployment. Pineapple Brother believes that the pure local solution has obvious limitations, as the intelligent agent stops working when the device is turned off, the energy consumption of mobile devices is unbearable, and complex long-term tasks cannot run. He believes that the Confidential Cloud is currently the best compromise solution, which can provide privacy protection close to local devices and solve the problem of "always online". He also mentioned a detail: users can set policies, such as automatically adding additional security barriers when traveling across borders to prevent unauthorized access. Pineapple Brother is not an ordinary open-source developer with even greater ambitions. In 2017, he published "Attention Is All You Need" as one of the eight co authors, in which he proposed the Transformer architecture that laid the foundation for all major language models today. Although he ranks last in the authorship, there is a footnote in the paper that reads' Equal contribution. Listing order is random. 'The ranking is purely random. But in the same year, he resigned from Google and founded NEAR Protocol, dedicated to integrating AI and blockchain technology. Behind IronClaw is a larger strategic vision of NEAR Protocol: User Owned AI. In this vision, users have complete control over their data and assets, and AI agents perform tasks on behalf of users in a trusted environment. NEAR has already built AI cloud platform and decentralized GPU market infrastructure for this, and IronClaw is the runtime layer of this system. Pineapple even developed a market for intelligent agents to hire each other. On NEAR's market.near.ai, users can register their specialized intelligent agents online, and as the intelligent agents accumulate reputation, they will receive more high-value tasks. When asked how ordinary people will adapt to the AI era in the next five years, Pineapple's suggestion is to quickly adopt the working mode of AI agents and learn to automate the entire workflow. His judgment did not suddenly emerge recently. As early as 2017, when he founded NEAR AI, Pineapple Brother was telling everyone that "in the future, you only need to talk to computers and no longer need to write code". At that time, people thought they were crazy and talking nonsense. Nine years have passed, and this matter is becoming a reality. AI agents are the ultimate interface for human interaction with everything online, "Polosukhin wrote," but let's make it safe. "- GitHub address: https://(GitHub)/nanoai/ironclaw reference link: [1] https://www. (reddit.com)/r/MachineLearning/comments/1rlnwsk/d_ama_secure_version_of_openclaw/
+5
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads