Egregoros · Phoenix Framework

Post

Remote status

Context

⚡⛥ Wight Power ⛦⚡

About 75% of Schneier's articles lately have been about LLMs being pwned and/or doing the pwning.

https://www.schneier.com/blog/archives/2026/02/the-promptware-kill-chain.html

Blurry Moon

@sun@shitposter.world remote

@toiletpaper openclaw is going to be the vector for unbelievably devastating attacks in the near future, it's such a pile of shit

⚡⛥ Wight Power ⛦⚡

@toiletpaper@shitposter.world remote

@sun

I use some LLMs etc on my machine, both local and cloud based, but if they have any agentic functionality whatsoever it only happens in an isolated VM. Based on experience there's zero chance I'm ever letting any of these things touch my main system.

Blurry Moon

@sun@shitposter.world remote

@toiletpaper if you want your agent to do almost anything you have to give it api keys or auth tokens. that's the premise of openclaw, you give it a shitload of access to your life and it manages things for you. so you give it your email, chat, calendar, everything, all glommed together on a box with no privilege separation and the llm has complete access to it all

Blurry Moon

@sun@shitposter.world remote

@toiletpaper I am currently thinking through a way to give llm power to do things like this but limit its ability to leak keys. it's a hard problem.

⚡⛥ Wight Power ⛦⚡

@toiletpaper@shitposter.world remote

@sun

I think this depends somewhat on the service provider providing robust enough pki, or otherwise having some kind of middleware similar to openrouter to handle api keys and provide a very limited local api for the things the llm legitimately needs access to.

Blurry Moon

@sun@shitposter.world remote

@toiletpaper I am writing middleware yes that negotiates connections using isolated key enclave and then hands off an abstracted api access to the core. the core just has to use this middleware instead of handling the api directly. for almost all purposes there is no problem with this and it eliminates risk of a prompt hack leaking your entire fucking life. also I can do proper OS compartmentalization of the processes so if you manage to hack the LLM to read the filesystem or whatever it still cannot steal keys.

Replying to @sun@shitposter.world

Blurry Moon

@sun@shitposter.world remote

@toiletpaper I said it was hard but it's just an addition layer of indirection, and basic system administration. but that is way beyond what the majority of openclaw people are capable of, they don't really understand anything at all

Replies

Replying to @sun@shitposter.world

⚡⛥ Wight Power ⛦⚡

@toiletpaper@shitposter.world remote

@sun

The majority of LLM users period. Based on my overwhelming experience, most people are completely clueless about the pitfalls of their relationship with any given technology, and even when they do know, usually have a litany of excuses as to why they don't care. So it's hardly surprising to me that so-called AI is no exception.