[deanc]

It's absolute negligence for anyone to be installing anything at this point in this space. There is no oversight, hardly anyone looking at what's published, no automated scanning and there is no security model in place that works that isn't vulnerable to prompt injection.

We need to go back to the drawing board. You might as well just run curl https://example.com/script.sh | sudo bash at this point.

[wat10000]

It's far worse than that. `curl | bash` is at least a one-time thing coming from a single source. An autonomous agent like OpenClaw is more like running `slack | bash` or `mail | bash`.

[cheema33]

> `curl | bash` is at least a one-time thing coming from a single source.

Is it? Are you sure?

[wat10000]

Yes? I assume this is a rhetorical question but I don't know what rhetoric it's intended to convey.

[crumpled]

I'm not the commentor, but you could get different results from the same curl command depending on what the server wants to give you at the time. The bash script can make additional curl calls or set up jobs that occur at other times.

I'm sure both of you understand this. I'm guessing it's just semantics.

[wat10000]

Right. My point is that you only run it once, so there's only that one chance for a compromise. If you got lucky and talked to the right server and it gave you a good script, which is overwhelmingly probable most of the time, you're in the clear. That doesn't mean it's wise, but the danger is limited. Whereas with these agents, every piece of data they're exposed to is potentially interpreted as instructions.

[dullcrisp]

Or bash | bash

[troyvit]

> You might as well just run curl https://example.com/script.sh | sudo bash at this point.

Hey I ran this command and after I gave it my root password nothing happened. WTH man? /s

Point being, yeah, it's a little bit like fire. It seems really cool when you have a nice glowing coal nestled in a fire pit, but people have just started learning what happens when they pick it up with their bare hands or let it out of its containment.

Short-term a lot of nefarious people are going to extract a lot of wealth from naive people. Long term? To me it is another nail in the coffin of general computing:

> The answer is not to stop building agents. The answer is to build the missing trust layer around them. Skills need provenance. Execution needs mediation.

Guess who is going to build those trust layers? The very same orgs that control so much of our lives already. Google gems are already non-transportable to other people in enterprise accounts, and the reasons are the same as above: security. However they also can't be shared outside the Gemini context, which just means more lock-in.

So in the end, instead of teaching our kids how to use fire and showing them the burns we got in learning, we're going teach them to fear it and only let a select few hold the coals and decide what we can do with them.