- OpenClaw is the fastest-growing open-source AI project, but its rapid expansion has led to significant security challenges, including a high volume of advisories and attacks.
- The project faces a "lethal trifactor" risk common to any agentic system with data access, untrusted content, and communication abilities, which is often exacerbated by user configurations that bypass security recommendations.
- OpenClaw is transitioning to an independent foundation to ensure its continued open-source nature, support growth, and enable hiring full-time staff to manage its complex security and development demands.
State of the Claw — Peter Steinberger
- OpenClaw is GitHub's fastest-growing project, with 30,000 commits and nearly 2,000 contributors in five months.
- The project receives an extremely high volume of security advisories (1,142 so far, averaging 16.6 per day), with 99 classified as critical, more than double that of projects like the Linux kernel or curl.
- Many reported security incidents, even those rated CVSS 10, are often "slop" or non-impactful in practical use cases due to misconfigurations by users or the nature of agentic systems.
- The "lethal trifactor" for agentic systems involves access to your data, untrusted content, and the ability to communicate, posing inherent risks not unique to OpenClaw.
- The speaker's personal coding workflow involves running multiple AI sessions concurrently (up to 10 at times) to compensate for token speed, aiming for an iterative development approach rather than a "dark factory" model.
- OpenClaw emphasizes the importance of a chatbot's "soul" or personality, arguing that AI agents need character and taste, especially for personal and conversational interfaces.
- The project is establishing the OpenClaw Foundation, inspired by projects like Gosti, to hire full-time staff and manage its growth independently, despite the founder joining OpenAI.
- OpenClaw's security recommendations include not putting personal agents in group chats and enabling sandboxing if an agent interacts with untrusted content.
- Local and open models are crucial for OpenClaw's vision, enabling users to maintain control over their data and circumvent corporate data silos.
OpenClaw — A fast-growing open-source AI project, likely an agentic system, focused on making AI more accessible.
AI agents — Autonomous software programs that can perceive their environment, make decisions, and take actions to achieve specific goals, often interacting with other systems or data.
GitHub stars — A metric on GitHub indicating the popularity of a repository, often used to gauge community interest and adoption.
Bus factor — A measurement of the risk that knowledge or capability is concentrated in a few individuals, such that if they were to leave, the project would be severely impacted.
Security advisories — Formal notifications or warnings about security vulnerabilities or issues discovered in software.
CVSS — Common Vulnerability Scoring System, a free and open industry standard for assessing the severity of computer system security vulnerabilities. A score of 10 indicates the most critical vulnerability.
Remote Code Execution (RCE) — A type of software vulnerability that allows an attacker to execute arbitrary code on a remote system.
Supply chain attacks — Cyberattacks that target less secure elements in a software supply chain, such as dependencies, to compromise the final product.
Fear mongering — The act of generating or spreading fear, especially for financial gain or to create sensational stories.
Sandboxing — An isolation mechanism for running untrusted programs in a restricted environment, preventing them from accessing or damaging the host system.
Pseudomode — A non-standard or altered operational mode, possibly implying elevated privileges or a relaxed security posture, often requiring code changes to enable.
Lethal trifactor — A term used to describe a dangerous combination of three elements in agentic systems: access to user data, interaction with untrusted content, and communication capabilities.
Prompt injection — A security vulnerability in large language models where malicious input (a "prompt") manipulates the model into ignoring its intended instructions or performing unintended actions.
Dual LLM approach — A proposed solution for prompt injection involving two LLMs, where one (the "jailbreak detector") analyzes prompts for malicious intent before passing them to the main LLM.
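The "lethal trifactor" and the deployment advice summarized above (personal agents out of group chats, sandboxing when an agent reads untrusted content, team agents holding only team data, a warning when a small model is exposed to untrusted input) can be written down as a checkable policy. The following is an added example, not OpenClaw's code: the deployment model, the source names, the severity labels and the small-model threshold are this example's own assumptions.

```python
"""Deployment risk check for the "lethal trifactor" (added example, not OpenClaw code).

Encodes, as a checkable policy, the advice given in the talk: an agent that
can reach your data, reads untrusted content and can communicate outward is
at risk of a prompt injection turning into data exfiltration. The data model,
source names, severity labels and the small-model threshold are assumptions
made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Input channels that people other than the owner can write into. Content
# arriving from these channels may carry instructions the owner never wrote.
UNTRUSTED_SOURCES = frozenset({"group_chat", "web", "email_inbox"})

# Assumed threshold (billions of parameters): smaller models get a warning when
# exposed to untrusted content, mirroring the small-model warning in the talk.
SMALL_MODEL_PARAMS_B = 30

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Deployment:
    name: str
    audience: str             # "personal" or "team"
    data_scopes: frozenset    # subset of {"private", "team", "public"}
    input_sources: frozenset  # e.g. {"owner_dm", "team_chat"} plus UNTRUSTED_SOURCES
    can_send: bool            # any outbound channel: chat, e-mail, HTTP
    sandboxed: bool
    model_params_b: float     # model size in billions of parameters


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def untrusted_inputs(d: Deployment) -> frozenset:
    return d.input_sources & UNTRUSTED_SOURCES


def has_lethal_trifactor(d: Deployment) -> bool:
    """All three legs present: non-public data, untrusted input, ability to send."""
    has_data = bool(d.data_scopes - {"public"})
    return has_data and bool(untrusted_inputs(d)) and d.can_send


def check_deployment(d: Deployment) -> list[Finding]:
    """Return the policy findings for one deployment, most specific rule first."""
    findings: list[Finding] = []
    untrusted = ", ".join(sorted(untrusted_inputs(d))) or "none"

    if has_lethal_trifactor(d):
        # Sandboxing reduces what an injected instruction can reach but does
        # not remove the exfiltration risk, so it only lowers the severity.
        if d.sandboxed:
            findings.append(Finding("medium", f"{d.name}: data access + untrusted input "
                                    f"({untrusted}) + outbound channel; sandboxed, residual risk"))
        else:
            findings.append(Finding("critical", f"{d.name}: data access + untrusted input "
                                    f"({untrusted}) + outbound channel without a sandbox"))
    if d.audience == "personal" and "group_chat" in d.input_sources:
        findings.append(Finding("high", f"{d.name}: personal agent reachable from a group chat; "
                                "anyone there can instruct it"))
    if d.audience == "team" and "private" in d.data_scopes:
        findings.append(Finding("high", f"{d.name}: team agent holds private data; "
                                "it should only know what the team may know"))
    if untrusted_inputs(d) and not d.sandboxed:
        findings.append(Finding("medium", f"{d.name}: reads untrusted content ({untrusted}) "
                                "without sandboxing"))
    if untrusted_inputs(d) and d.model_params_b < SMALL_MODEL_PARAMS_B:
        findings.append(Finding("medium", f"{d.name}: small model ({d.model_params_b}B) exposed "
                                "to untrusted content; expect weak injection resistance"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="none")


# Constructed sample deployments (not real configurations).
PERSONAL_OK = Deployment("personal-dm", "personal", frozenset({"private"}),
                         frozenset({"owner_dm"}), True, False, 200)
PERSONAL_IN_GROUP = Deployment("personal-group", "personal", frozenset({"private"}),
                               frozenset({"owner_dm", "group_chat", "web"}), True, False, 200)
TEAM_SANDBOXED = Deployment("team-inbox", "team", frozenset({"team", "private"}),
                            frozenset({"team_chat", "email_inbox"}), True, True, 20)

if __name__ == "__main__":
    for dep in (PERSONAL_OK, PERSONAL_IN_GROUP, TEAM_SANDBOXED):
        found = check_deployment(dep)
        print(f"{dep.name}: worst={worst_severity(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.message}")
```

The first sample is the recommended setup from the talk (only the owner can talk to the agent), so even with private data and an outbound channel the trifactor is absent and no finding is raised; the second is the group-chat setup the talk warns against; the third shows that sandboxing demotes the trifactor finding but the private-data and small-model rules still fire.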
Our next presenter is the creator of OpenClaw, the world's fastest growing open-source AI. He recently joined OpenAI to work on bringing agents to everyone. Please join me in welcoming to the stage Peter Steinberger. Good morning everyone, so Swix asked me to do a state of the claw. Who here is running OpenClaw? Give me some hands. I was like 30% or 40%. Very good. Yeah, it's been quite a few months. The project is now five months old. I think it's fair to say that we are the fastest growing project in GitHub's history. If you've seen the graph, some projects look like a hockey stick, but I was just like a straight line, an event called it Stryper Pole, gross. And that comes with its own challenges. So we have, I think now we have the largest number on GitHub stars. There's a few that are bigger, but the basic educational target, no other software project is that big. It's around 30,000 commits. We're closing in on 2,000 contributors, soon to be 30,000 PRs. And we're not slowing down. So you see that it's a ramp, but we only have April 9th. So velocity keeps being good. And at the same time, it hasn't been easy. I had two roads when I decided what I wanted to do. And I did the whole company thing, and I was like, I don't want to do this again. And then I joined OpenAI, but then we also created the OpenClaw Foundation. And now I kind of have two jobs. And running the foundation is like running the company on hard mode, because you're like all the, all the things that you need to take care of, but now so you have a lot of volunteers that you can really direct. So one of my goals has been working on the bus factor, like who does commits. And you see that it's slowly improving. Vincent's actually talking after me. But he's still not there. In the last months, I talked to a lot of companies. So we now have people from NVIDIA on board. We have someone from Microsoft on board to help with MS Teams, with a Windows app.
We have someone from Red Hat, who's really helping us with security and documentation. We work with a lot of Chinese companies. We have people from Tencent and ByteDance. They're actually much larger users than any other continent. And people from pretty much around the world. But the main thing I want to talk a little bit about is about OpenClaw, so insecure. You know, you've seen the memes. So OpenClaw invites the bad guys. And you probably have seen companies like NVIDIA doing NemoClaw and everyone has their lobsters. So you also noticed that in the last two or three months, there's been a lot of releases where things broke. I've basically been deduced by security advisories. So that's what I did and what I focused on. So far we got 1,142 advisories. That's around 16.6 a day. 99 are critical. We published around 469 and we closed 60% of them. So these numbers sound like absolutely terrifying. If you compare it, for example, to other large projects, like the Linux kernel gets like eight or nine a day. We get twice as much. curl has 600 reports. We have twice as much as curl. So every time I get a security incident, the rule is, the higher they are screaming how critical they are, the more likely it's slop. Like we're probably also seen the news, like we are very fast moving into a world where we have to change how people software because all these AI tools are getting so good at identifying even the most weird multi-chained exploits and like we're going to break all the software that exists. I'll give you an example like NVIDIA, they launched NemoClaw and NemoClaw is a plugin and a security layer for OpenClaw that is put in a sandbox. The keynote was on Monday, they invited me on Sunday to work with them. I hooked it up to code security. It found like five different ways to break out of their secure sandbox within half an hour.
That's because if you use that product, you get access to the under-off model that is quite a bit smarter in terms of cyber than what the public has access to, exactly because it's dangerous. But yeah, also this whole industry, those people for them it's like credits, right? The more issues they find, the more they are seen, so like OpenClaw was like the insecure product that everybody tried to break. So literally like hundreds of people firing up their clankers trying to break OpenClaw. The typical attack surface is like remote code execution, bypass approval, code injection, password, so again, sounds all very dangerous. And I give you one concrete example. GSH4GP, this is about a, this is a CVSS of 10, so it's like the scariest thing that you can possibly do. It is an issue where if you sync, for example, the iPhone app that we haven't even shipped yet, but is in progress, and you give it only read permission, then you could like break the system to also get write permission. So this one was so critical that the, I don't know, this one was actually different in all practical ways. It is not even an incident because the typical use case is you install it on your machine, either in the cloud or if you have to on a Mac Mini, I stopped fighting this, I'm just letting people have fun now. But in 99%, 99% of cases, you'll either have access to your gateway or you'll have not access to the gateway. In my defense, this was my mistake that I tried to create a more permissive model. For example, if you have devices that would target speech, and then we'd only like read certain things, there's like some use case where you could like have a reduced permission system would make sense. But nobody's even using that. But this doesn't matter because the rules of the, of those, how you create the CVSS numbers, they don't contribute to that at all. And I try to play by the rules.
So it is a 10 out of 10 and the world's going crazy over incidents that in all practical ways don't affect people. There's some other stuff that does affect people. We have nation states trying to like hack people. There was like GhostClaw, which is like from, likely from North Korea, which is basically confusing people with a different npm package. And if you go to a wrong website and you try to download it, you get like a rootkit. That's outside of our control. That happens for other people as well. Also, there's the Axios thing, which fun enough, we are not using Axios. But we are using MS Teams, or Slack as a dependency. And they're using Axios and they did the pinners. And of course, because that's how supply chain attacks work. We were also affected. How do you survive? 1,142, I'm sure, in our 2050. For a while, I try to handle a loop by myself, which is absolutely impossible. So the fastest way to get help was getting help from companies. And then NVIDIA has been really amazing to give us some people that basically work full time, going through the slop and hardening the code base. Oh, there's also one that is... Okay. This is one of the angles. The other angle is like, there's a lot of companies that do fear mongering. And it's not just companies, also universities. I don't know if you've seen it, there was like this paper who made the rounds, Agents of Chaos. And they say, it's about agents in general, but then there's four pages that explain the OpenClaw architecture in utmost detail. But you know which page they didn't even mention? That's a security page where we explain how you should install it. Because then it wouldn't be fun, then it wouldn't be... It would be hard to make a good story. So what they instead did is they ignored all of the recommendations we do on security. Recommendation is it's your personal agent. Don't put it in a group chat. If you put it in a group chat, turn on sandboxing.
Because if anyone can talk to your agent, they can expel to it anything that the agent can do. So if it's a team agent, it should only know what the team can know and not any secret data. And you probably want to have it restricted. If it's your personal agent, you should be the only one being able to talk to you. But if you don't play by the rules, you can get some really fun interactions. Like, hey, I can talk to your agent and it can break your system. And then because I was grilling them a little bit because I had some questions, how do you do things? They told me, oh yeah, no, we run it in pseudomode because we run it the agent to be like maximum powerful. So they actually thought they set up... It's actually not easy to run it in pseudomode, you have to change code. But they didn't mention it in the report because again, that wouldn't give them Claude. So yeah, my current frustration is like, there's like a whole industry that tried to put the project in a negative light. It's a nightmare. It's insecure by default. It's unacceptable. And meanwhile, a lot of people love it. And people who actually read the security docs understand it. Can you just just find? One example that I found particularly great is we had one remote... One RCE that panicked Belgium. So the Belgian cybersecurity did a release about the remote execution environment. And the whole bug was a feature where a malicious website could create a link that would trigger the gateway and then forward your gateway token. Now, if you use the setup that is the default and that is recommended, the gateway token is local only. Or if you have to, it's in your private network. No external website can actually access it. If you actively fight the setup, for example, you use Claude Code to set it up without reading, you might be able to get the setup working. But again, that's not anything but set on the website. So to be very honest, yes, there's absolutely a risk.
The big risk is the, basically the lethal trifactor. Any agentic system that has access to your data, has access to untrusted content and the ability to communicate is something that's potentially at risk. That's not anything special to OpenClaw. It's like any agent, any proficiency system has a problem. The more powerful you make it, the more it can do for you. But the more you also have to understand what it does. So this is like the main issue. But people are not talking about it. Yeah, and then also some part about maintaining. So the problem is like if you get all those security advisories, you know that most of them are created with agents. But you still have to use your brain to actually read it because we're not at the point where you can fully trust. Or I'm not at the point where I can just fully trust that the agent will figure it out. So it is a huge burden on time. Sometimes you can often guess. Anytime the reporter is too nice or like someone apologizes, it's very likely AI, because usually people are insecure to don't apologize. But it is a huge problem. And it's something that I see more and more open-source projects complaining about, like, breaking. Some are very public about it, like FFmpeg. Usually you get the report. It's very rare to actually get a report and a fix. If you get a report and a fix, it's usually a very bad fix. If you rush it, as I sometimes did in the beginning, because I was overlooked, you will very certainly break a product. So this is something that's just very difficult to pull up only with volunteers. So what are we working on? Number one is, my people say like OpenAI bought OpenClaw. That's not the truth. They might have bought my solder indeed. But they very much understand that in order for what the world needs, it's like more people that play with AI to understand what the AI can do, to both understand the risk and also the possibilities.
They understand that if you, or someone who never played with, never used AI, suddenly is at home and uses OpenClaw, they'll come to work. And they will ask, why don't we have AI at work? So they very much understand that supporting this project is very useful. And in order for that project to be successful, it cannot be under one company. Therefore, I'm building Switzerland with the OpenClaw Foundation. And I have Davis helping me visit. It's almost done. The last thing that's keeping us going is like the American bank system, which is a little bit slow and very confused when you're not American. It's inspired by what Gosti did. And this will actually then help us to hire full-time people to both keep up the pace, improve the quality. And free up some of my time that I can work on cool stuff again. And get some a little update on state of the claw. I'll be around later for a Q&A. Thank you for listening. OK. Great. Thank you for the whoop. Love the whoop. So Exam, OK, you've chosen the claw track to get started on for our breakouts. And it's going to be great, I think. It's going to be a good session. We are going to be hearing about a bunch of different things related to OpenClaw and just personal AI assistants in general. There's some OpenClaw contributors, OpenClaw maintainers, OpenClaw competitors, and OpenClaw creators going to be here on the stage. We're actually going to be taking this through until the lunch break. Oh, there we go. We can see up there. So it's about an hour and a half of sessions, slightly shorter sessions than earlier. I think, but we're going to be starting with an AMA. I mean, you saw Peter earlier on, but you're going to get a chance to ask questions, and there's going to be a bit of a conversation with Peter and Swix. So I think to get us started, I will simply invite Swix up who will kick things off. So please welcome him to the stage. Swix, come on up. Swix, you can come out together. But there's no secret Peter.
Welcome everybody. OK. OK. So the deal for this is meant to be an AMA. The main idea is that I've run six of these AI Engineers. And whenever we have some big maintainer, big VIP, we only give them a talk. But actually, you guys have questions that you want to ask. So we wanted to create that opportunity. So you can submit there. I'm going to moderate and all that. The spicy one I'm just going to start off with, Peter just quoted me and saying, send all your questions about close claw. Right? What's up? I think people have a lot of questions about the future of OpenClaw at OpenAI. And I want to just give you the space. What are people saying about close claw, and then what is your response? I didn't even think about it. It came up when I decided to go to OpenAI. And I think people have a point that OpenAI wasn't always amazing with open source. And I think a lot changed. Like, Codex is open source now. They released Symphony, which is a really cool orchestration layer. So like, they are really leaning in and understanding open source now. They understand that OpenClaw needs to stay open, work with any model, be it one of the big companies or being a local model. Everybody in the industry wins if more people spend time with AI. You know, if I think AI is something scary, and then suddenly I play this OpenClaw, and suddenly it's like fun and weird. And then I come to work. And there's no, like, I don't know if AI tools at work. I'm going to get to my boss and say, why the F? Do we not have AI at work? And then those companies would probably not run OpenClaw, but we want something that's hosted and managed. And then somebody can make a sale. So they are very much on board. They provide me with resources. Actually, it's me. I could get a lot more people from OpenAI to help with the project. But that would just make a picture that they could have taken over the project. And I don't want that. So I brought in people from NVIDIA.
We have from Microsoft, from Telegram, someone who's Salesforce of all the companies. So shout out. Actually, there's cool people at Slack. So we have someone that maintains the Slack plugin now. I brought Tencent on board, ByteDance. We talked to Alibaba, Minimax, Kimi, all the model providers. They're very much on board. NVIDIA has been immensely helpful. They, I think I wanted to cool this company as in terms of, here's some engineers who actually just hire agency and just do things. And now that I have all the other companies, I'm also bringing a few people in from OpenAI to help maintain the project. I mean, software is just like changing the pace of which this project operates is insane. You kind of like, you need an army. And I'm working on that. You have an army. But even the contributor chart that you showed shows that it's hard to get quality contributors to stick around. People keep hiring your maintainers. And then you have to find new ones. So there's a lot of questions about local models and open models. Not every part of the stack is open. There's many models where you don't have access to the models. And this sort of weird restrictions. How important is open and local models to the future of OpenClaw? I mean, part of what motivated me to build OpenClaw is, you see all these large companies. And then they have connectors to my Gmail. And then my email is hosted somewhere. Then this company has full access to my email. And then I can get a little bit down there. Much more exciting to me if I have all my data actually under my control. And I, and like a little bit of it, goes up there if I need the top tier token. Yeah. And like a second kind of hierarchy of far back models. Yeah, you want to, I mean, I'm European at heart. You want to own your data. And the way you built it. So for me, that was very attractive. And also the fact that, you know, if you're a startup, and you want to connect to Gmail, it takes a coffee year.
And it's like a very, very difficult process. But if I'm a consumer, my client can click on any website. And happily clicks on, I'm not a bot. If you have to give me the data somehow, if you can, if you give me the data, my agent is able to get the data. So you can walk around a lot of those silos those big companies are building. And ultimately, you can do much cooler automation use cases that large companies can never do. So it's like, it's a little bit the heck of a way. Yeah. And any indications from OpenAI on GPT OSS, is that continuing to be a stream of work that will be aligned with OpenClaw? Or is that separate? I'm not in a position to give you insights on that. Just that part of an OpenClaw trigger is that more people in the company are getting excited about open source. And I love that OpenAI is moving more into the open direction again. If you compare it to some other top tier labs that start with an A, that very much will sue you if you leak any of their source or block you if you are too successful, I think OpenAI is an adequate direction. Yeah. OK, I want to highlight this question. People love hearing about your coding workflow. I think by now, your idea of the prompt requests rather than the pull requests is very well socialized. And also, you've been shocking people with just how you're spending tokens at OpenAI. So basically, people want to know how you ship and what you do about agent waiting times. Like, why are you spinning out so many agents? I know. I never imagined that this one picture of me would blow up so much. Yeah. Actually, it gives us numbers just to align people. I think there's times where I was running almost 10 sessions at the same time, especially when I used Codex with 5.0, 5.1. It was quite slow. I think now I have to say, we, it's so weird. We made improvements. The burst make it faster, and then it's also fast mode.
So by now, my typical workflow is maybe half of that, maybe five, six windows instead of double, just because each loop is faster, and the area of work I think in and workers is pretty much the same. So I don't have to use split-screen so much anymore. And I think we're going to move into a future where tokens will be faster and faster. At some point, this is not natural that you work on six things at the same time. But it's basically a workaround until tokens are fast. Yeah. One of my interesting things of putting you next to Ryan was to see how the two of you approach token maxing, basically. I'm curious what you think about the complete dark factory approach that you don't even review code that goes in. I think that's more and more doable. But also, you know, when I, dark factory in a way also means I come up with everything I want to build in the beginning. And I just don't think you can build good software in that way. Like, the way to the mountain is usually never a straight line. It is very curved. Sometimes you go a little bit off track. And then you see something new that inspires you. You find shortcuts. Once you're at the top, you can find the optimal paths but you never work like this. So at the same time, the first idea that you have about your project is very unlikely going to be the final project. But if I suddenly use the waterfall model again, that will be the final project. For me, that doesn't work for me. I build steps. I play with it. I see how it feels. I get new ideas. My prompts change. So to me, it's a very iterative approach. So I don't see how you could fully automate that. You can definitely build pipelines for certain things. But even for PRs, you don't just want to build a pipeline that just merges PRs. Because a lot of them just don't make sense. People will pull your product into all kinds of directions. But if you automate that, I will very unlike you know what's the right direction. You can guide it.
I have a vision document that I tried some of that. But the bottleneck is still thinking. And like having taste. Yeah, taste is very important. How do you define taste? This is something that in my conversations with people, everyone understands taste is the most. But nobody agrees on what good taste is. So I'm just curious to hear yours. I think in this day and age, the very low level of taste is if it doesn't stink like AI. And you know exactly what I mean. If something is just writing style, personality, also UI. But now you've seen so much agentic-built UI that you immediately know if it's AI. If it has the color border on the left. Yeah, I mean, for a while it was like the public gradient. But much more so I feel it's like a feeling. The same as you can identify AI written slop right away. That's why I say it's a smell. Even if you can pinpoint it, you will know. So that's probably the lowest characterization of taste. And then going higher up, because now so much of software is automatable, there's actually much more time you can spend on the little details. I know, you know, just when you run OpenClaw, you get a little message that sometimes roasts people. And also like the delightful details, I think, that you'll just not get if you prompt in a high level. Yeah. One of my favorite two of yours is how you really put a lot of work into your soul, soul MD. And you open source your approach. And I don't think people worked on enough soul until you came along. So I think that's really interesting. I have a podcast that I haven't done yet. I haven't released yet with Mikhail Parakin, who is the CEO of Shopify now. He was the guy leading Bing, where Sydney was the original sort of unaligned chatbot that emerged. But I think people really have fun when your soul, your chatbot has personality. Your clanker has different obsessions. Well, it's also because the world changed, right? We had ChatGPT in 2023 and 2004.
And it was basically us having AI without understanding what AI can do. So we rebuilt the Google. So you have like a search field and like you get a response. And you don't expect Google to have a personality. But now that we moved more towards agents, if I didn't think about in the beginning about WhatsApp relay and I just hooked it up to Claude Code. And then when I was on WhatsApp, I noticed that it doesn't feel quite right. Like even though Claude Code already has some personality, it didn't really fit how people would write to you on WhatsApp. So that's how my whole iteration started. It was like, oh, again, it's about taste. It doesn't feel quite right. It's like too wordy. It uses too many dots. My friends text different. And that's how I started working. They say, no, this isn't like try to write more like a human. Yeah, I actually run a writing like a lobster. Yes. One of my favorite quotes of yours is madness with a touch of science fiction. This is how you run AI projects. And I think not all AI projects, but specifically, something like OpenClaw would have never been able to, it would not have come out of an American company just because it would have been killed in legal long before it would have been released. Because it just has some problems that we haven't really solved as an industry yet. But now we have some mitigations when it's getting better. The models are getting a lot better. But I don't see how any of the big labs could have released that. It would be too much pushback, not enough market proof that this is what people want. So it had to be done with someone outside. Yeah. Literally, when I built it in the very beginning, I was like, oh, it's the worst that can happen. Like it could exploit my token, my emails, nothing seems like that would completely kill me. It could upload some of my pictures. I was like, I guess the worst already online, if you use grind. So it was like, I can live with that risk. 
It would be uncomfortable, but it's manageable. If your company is very different, it requires a little different approach. Yeah. By the way, here's his Instagram account. Good follow. Under followed. It also has some good stuff. OK, you were talking about WhatsApp, talking about Telegram, a lot of these text apps. Text apps are good. People are also looking for the next form factor. People want the glasses, the earbuds. What is your wish list in terms of having agents in your life? I started on that actually already, but then I was just getting bogged down by all the people using it and just like the daily grind. But if you're at home, I want to be in any room. And it's Star Trek, when you say computer, green. I want to talk to my agent wherever I am. And it should just be able to respond to me. It should know where I am. I have little iPads in every room. And my agent can use the canvas feature and project stuff on those iPads. So if I ask a question that is easier to be answered by also showing me something, like it could use the nearest display because it's aware of where I am. So the phone is just a very convenient input point, but I kind of want to talk to it from anywhere. If I'm around and I have glasses, I should just be able to listen in and project something on me. But just ubiquitous. Follow you. Yeah, once we have a least smart home, agents on your phone, but really want ubiquitous agents. And then you want maybe you will have your your upper case OpenClaw, your private agent at work, you might have your lower case OpenAI claw. And then that claw should be able to like talk to your personal claw in a way that both your company and you are comfortable with. So that's kind of like the future where you need to work out. Yeah. I just did a podcast with Mark and Jason, was a huge fan and also have conversations on Jay Karpathi. Both of these guys are running OpenClaw to run their house.
And I think OpenClaw for homes is like a kind of underrated, but like people are really discovering it. And my funniest sort of irony is that it's only possible because the internet of shit means that most smart devices are terrible in security, which means OpenClaw can run them. It's going to be much much better in a few months even the models are getting really bad. Yeah, they're very good. OK, one security question about prompt injection. How do you want to solve prompt injection? Or what ways in which have you been thinking about the prompt injection problem? Probably not enough yet. On the other hand, like the frontier model is really quite good at detecting all the cases where like just stuff randomly comes in from a website or an email, is usually not a problem anymore. You mark it as untrusted content. Very hard to exfiltrate you from that. If I have unlimited access to your claw and can bombard it with stuff, then there is still a chance. Then there's still a chance. But like for one of things, it's no longer the biggest problem. If you use that's also why, you know that this is probably the angle where like some people say, oh, Peter doesn't like local models. But then I see like people running like a 20 billion parameter model that just does whatever you tell it and it's not trained to have any defenses at all. That's still problematic. If you run that and then you use a web browser or email would worry me. That's why OpenClaw warns you if you use a small model. And then people spin a whole thing like I love that it would support everything. But like you have to steer the regular user a little bit into a direction to make it harder for them to shoot themselves in the foot. Yeah, there are some ideas for prompt injection. It's still a little bit away. I have more than answer. I think Simon Willison has been working a lot on this. He coined the term prompt injection and the sort of dual LLM approach seems smart.
And I'm not smart enough to figure out all the ways that which it can be attacked. At some point trust has to be a thing. Something interesting I found out from talking with Vincent who is speaking next is that you guys had to implement the same trust system that Toby had to implement, which is you build reputation over time and things with more trust gets more privileged access. I think that makes sense. That's part of the story. Okay. So, there's some more broader questions. What cool projects would you like to work on once you have more free time? I mean I wanted to work on dreaming. And I like my maintenance worked on dreaming while I'm there like for dreaming. How you were dreaming. So like that. You just hit it right? Yeah. What is dreaming? It's like a way to reconcile memories and I kind of create a little bit like a dream lock. It goes through your session locks. We found out from the Anthopic source code leak that they also were working on dreaming. I mean there's more companies working on that. But think a little bit like how do we learn as humans? You experience a lot of things during the day and then you sleep. In sleep your brain is like a garbage collect. Convert some local store memories into long time storage and drop others. And that's similar ideas that I think could also be very useful for agents. And then what we should do dreaming is a first little step in that direction. It's related to the wiki thing that Andre has been talking about where you collect everything into a... This is more memory but like everything kind of blends together. The beauty of open clothes that we can just dry stuff. Like everything we worked on for the last months or so is that in the beginning it was a big spaghetti code base mess. And now like everything is an extension, a plugin. So you can replace memory, you can add the wiki, you can add dreaming, you can add I don't know, whatever crazy idea you have and just make it your own. 
You don't have to send everything to a pull request because we are still completely overloaded on this. But it's more like Linux where you can just install your own parts. Yeah. And you are building what a lot of people think is the most cost sequential open source since Linux. Which I don't know how do you deal with that. What do you do with the fame, what is the day in your life as the BDFL effectively of something like this? Well, there's still a lot of coding. There's also a lot of... By the way, in between sessions he was coding. Like there. Yeah, they get token excited. You have to like something else to be able to push the agents, right? Yeah. We're chipped a little bit now. It's a lot more talking and steering people in the right direction. Because there's a lot of things that we already learned at OpenClaw. So part of my role at OpenClaw is to help and not make the same mistakes again. And at OpenClaw it's like trying out new things that seem exciting and some might work and some might not work. We enable companies to build their own claw without having to fork away, but making everything more customizable. Yeah, sometimes I sleep. Sometimes you sleep. Okay, great. I think maybe this is the last good closing questions. What skills do you want humans and engineers in particular to focus on developing in the H.O.V.I.? The case was a big one, but I already mentioned that. System design is still very important. Yes, we talked about this in terms of... Yeah, if I just go. Yeah. If you don't think about that, you will eventually slide yourself into a corner. Just by defining the boundaries. The funny thing is, everything is in the clenker, but you still need to ask the right questions. Otherwise, that makes this a difference of like go to code that comes out or really bad code that comes out. And that's still where all the knowledge you have, like how you build software, you can apply to steer the agent into something that is not sloped. 
And I think a skill that is becoming more and more important is saying no. And that's something I had to learn as well, because even the wildest idea is just to prompt away. And usually this one idea is never a problem, but like this idea and this idea and this idea and then how all of that fits together, that's the problem. So like... I think we still bottlenecked on thinking and about like big picture thinking. Yeah. Because imagine the world from your clenker. Like you're being thrown into code base, you might have an outdated agent's.deafel, but you basically don't know what DF is. And you like, then like, you tell me, hey, add user profiles. And you like, somehow add user profiles are connected to the two things you see, but you didn't see the whole system, right? And that's where a lot of those localized solutions comes. Where like the project has like words and it's our job to like help the agent do its best work, but like providing them with like hints. Hey, you want to consider this? You want to look there? How would this interplay with this? And then ultimately you get like a much assistant that actually is maintainable. Yeah. Well, thank you for maintaining one of the most important software of all time, and thank you for spending time with us. Thanks for having me. Yeah. Hopefully you stick around and ask questions. Thank you.
TL;DR
- OpenClaw is the fastest-growing open-source AI project, but its rapid expansion has led to significant security challenges, including a high volume of advisories and attacks.
- The project faces a "lethal trifactor" risk common to any agentic system with data access, untrusted content, and communication abilities, which is often exacerbated by user configurations that bypass security recommendations.
- OpenClaw is transitioning to an independent foundation to ensure its continued open-source nature, support growth, and enable hiring full-time staff to manage its complex security and development demands.
Takeaways
- OpenClaw is GitHub's fastest-growing project, with 30,000 commits and nearly 2,000 contributors in five months.
- The project receives an extremely high volume of security advisories (1,142 so far, averaging 16.6 per day), with 99 classified as critical, more than double that of projects like the Linux kernel or CurlSify.
- Many reported security incidents, even those rated CVSS 10, are often "slop" or non-impactful in practical use cases due to misconfigurations by users or the nature of agentic systems.
- The "lethal trifactor" for agentic systems involves access to your data, untrusted content, and the ability to communicate, posing inherent risks not unique to OpenClaw.
- The speaker's personal coding workflow involves running multiple AI sessions concurrently (up to 10 at times) to compensate for token speed, aiming for an iterative development approach rather than a "dark factory" model.
- OpenClaw emphasizes the importance of a chatbot's "soul" or personality, arguing that AI agents need character and taste, especially for personal and conversational interfaces.
- The project is establishing the OpenClaw Foundation, inspired by projects like Gosti, to hire full-time staff and manage its growth independently, despite the founder joining OpenAI.
- OpenClaw's security recommendations include not putting personal agents in group chats and enabling sandboxing if an agent interacts with untrusted content.
- Local and open models are crucial for OpenClaw's vision, enabling users to maintain control over their data and circumvent corporate data silos.
Vocabulary
OpenClaw — A fast-growing open-source AI project, likely an agentic system, focused on making AI more accessible.
AI agents — Autonomous software programs that can perceive their environment, make decisions, and take actions to achieve specific goals, often interacting with other systems or data.
GitHub stars — A metric on GitHub indicating the popularity of a repository, often used to gauge community interest and adoption.
Bus factor — A measurement of the risk that knowledge or capability is concentrated in a few individuals, such that if they were to leave, the project would be severely impacted.
Security advisories — Formal notifications or warnings about security vulnerabilities or issues discovered in software.
CVSS — Common Vulnerability Scoring System, a free and open industry standard for assessing the severity of computer system security vulnerabilities. A score of 10 indicates the most critical vulnerability.
Remote Code Execution (RCE) — A type of software vulnerability that allows an attacker to execute arbitrary code on a remote system.
Supply chain attacks — Cyberattacks that target less secure elements in a software supply chain, such as dependencies, to compromise the final product.
Fee mongering — The act of generating or spreading fear, especially for financial gain or to create sensational stories.
Sandboxing — An isolation mechanism for running untrusted programs in a restricted environment, preventing them from accessing or damaging the host system.
Pseudomode — A non-standard or altered operational mode, possibly implying elevated privileges or a relaxed security posture, often requiring code changes to enable.
Lethal trifactor — A term used to describe a dangerous combination of three elements in agentic systems: access to user data, interaction with untrusted content, and communication capabilities.
Prompt injection — A security vulnerability in large language models where malicious input (a "prompt") manipulates the model into ignoring its intended instructions or performing unintended actions.
Dual LL approach — A proposed solution for prompt injection involving two LLMs, where one (the "jailbreak detector") analyzes prompts for malicious intent before passing them to the main LLM.
Transcript
Our next presenter is the creator of OpenClaw, the world's fastest growing open-source AI. He recently joined OpenAI to work on bringing agents to everyone. Please join me in welcoming to the stage Peter Steinberger. Good morning everyone, so Swiss asked me to do a state of the claw. Who here is running OpenClaw? Give me some hands. I was like 30% or 40%. Very good. Yeah, it's been quite a few months. The project is now five months old. I think it's fair to say that we are the fastest growing project in GitHub's history. If you've seen the graph, some projects look like a hockey stick, but I was just like a straight line, an event called it Stryper Pole, gross. And that comes with its own challenges. So we have, I think now we have the largest number on GitHub stars. There's a few that are bigger, but the basic educational target, no other software project is that big. It's around 30,000 commits. It, we're closing in 2,000 contributors soon to be 30,000 PRs. And we're not slowing down. So you see that it's a ramp, but we only have April 9th. So velocity keeps being good. And at the same time, it hasn't been easy. I had two roads when I decided what I wanted to do. And I did the whole company thing, and I was like, I don't want to do this again. And then I joined OpenAI, but then we also created the OpenCloth Foundation. And now I kind of have two jobs. And running the foundation is like running the company on hard mode, because you're like all the, all the things that you need to take care of, but now so you have a lot of volunteers that you can really direct. So one of my goals has been working on the bus vector, like who does commits. And you see that it's slowly improving. Vincent's actually talking after me. But he's still not there. In the last months, I talked to a lot of companies. So we now have people from NVIDIA on board. We have someone from Microsoft on board to help with MS Teams, with a Windows app. 
We have someone from Red Hat, who's really helping us with security and documentation. We work with a lot of Chinese companies. We have people from Tencent and ByteDance. They actually much larger users than any other continent. And people from pretty much around the world. But the main thing I want to talk a little bit about is about OpenCloth, so insecure. You know, you've seen the memes. So OpenCloth invites the bad guys. And you probably have seen companies like NVIDIA doing NEMO-Claw and everyone has their lobsters. So you also noticed that in the last two or three months, there's been a lot of releases where things broke. I've basically been deduced by security advisories. So that's what I did and what I focused on. So far we got 1,142 advisories. That's around 16.6 a day. 99 are critical. We published around 469 and we closed 60% of them. So these numbers sound like absolutely terrifying. If you compare it, for example, to other large projects, like the Linux kernel gets like eight or nine a day. We get twice as much. CurlSify has 600 reports. We have twice as much as curl. So every time I get a security incident, the rule is to hire the higher they are screaming how critical they are, they're more likely it's slop. Like we're probably also seen the news, like we are very fast moving into a world where we have to change how people software because all these AI tools are getting so good at identifying even the most weird multi-chained exploits and like we're going to break all the software that exists. I'll give you an example like Nvidia, they launched NemoClaw and NemoClaw is a plugin and a security layer for open-claw is put in a sandbox. The keynote was on Monday, they invited me on Sunday to work with them. I hooked it up to code security. It's found like five different ways to break out of their secure sandbox within half an hour. 
That's because if you use that product, you get access to the under-off model that is quite a bit smarter in terms of cyber than what the public has access exactly because it's dangerous. But yeah, also this whole industry, those people for them it's like credits, right? The more issues they find, the more they are seen, so like open-claw was like the insecure product that everybody tried to break. So literally like hundreds of people firing up their clankers trying to break open-claw. The typical attack surface is like remote code execution, bypass approval, code injection, password, so again, sounds all very dangerous. And I give you one concrete example. GSH4GP, this is about a, this is a CVSS of 10, so it's like the scariest thing that you can possibly do. It is an issue where if you sync, for example, the iPhone app that we haven't even shipped yet, but is in progress, and you give it only read permission, then you could like break the system to also get right permission. So this one was so critical that the, I don't know, this one was actually different in all practical ways. It is not even an incident because the typical use cases you install it on your machine, either in a Claude or if you have to on a Mac Mini, I stopped fighting this, I'm just letting people have fun now. But in 99%, 99% of cases, you'll either have access to your gateway or you'll have not access to the gateway. In my defense, this was my mistake that I tried to create a more permissive model. For example, if you have devices that would target speech, and then we'd only like read certain things, there's like some use case where you could like have a reduced permission system would make sense. But nobody's even using that. But this doesn't matter because the rules of the, of those, how you create the CVSS numbers, they don't contribute to that at all. And I try to play by the rules. 
So it is a 10 out of 10 and the world's going crazy over incidents that in all practical ways, they're not effect people. There's some other stuff that does effect people. We have nation states trying to like hack people. There was like GhostClaw, which is like from, likely from North Korea, which is basically confusing people with a different NBN package. And if you go to a wrong website and you try to download it, you get like a root kit. That's outside of our control. That happens for other people as well. Also, there's the Axios thing, which fun enough, we are not using Axios. But we are using MS teams, or Slack as a dependency. And they're using Axios and they did the pinners. And of course, because that's how supply chain attacks work. We were also affected. How do you survive? 1,142, I'm sure, in our 2050. For a while, I try to handle a loop by myself, which is absolutely impossible. So the fastest way to get help was getting help from companies. And then video has been really amazing to give us some people that basically work full time, going through the slop and hardening the code base. Oh, there's also one that is... Okay. This is one of the anglers. The other angler is like, there's a lot of companies that do fee mongering. And it's not just companies, also universities. I don't know if you've seen it, there was like this paper who made the rounds, agents of chaos. And they say, it's about agents in general, but then there's four pages that explain the open-cloth architecture in utmost detail. But you know which page they didn't even mention? That's a security page where we explain how you should install it. Because then it wouldn't be fun, then it wouldn't be... It would be hard to make a good story. So what they instead did is they ignored all of the recommendations we do on security. Recommendation is it's your personal agent. Don't put it in a group chat. If you put it in a group chat, turn on sandboxing. 
Because if anyone can talk to your agent, they can expel to it anything that the agent can do. So if it's a team agent, it should only know what the team can know and not any secret data. And you probably want to have it restricted. If it's your personal agent, you should be the only one being able to talk to you. But if you don't play by the rules, you can get some really fun interactions. Like, hey, I can talk to your agent and it can break your system. And then because I was grilling them a little bit because I had some questions, how do you do things? They told me, oh yeah, no, we run it in pseudomode because we run it the agent to be like maximum powerful. So they actually thought they set up... It's actually not easy to run it in pseudomode, you have to change code. But they didn't mention it in the report because again, that wouldn't give them Claude. So yeah, my current frustration is like, there's like a whole industry that tried to put the protein negative light. It's a nightmare. It's insecure by default. It's unacceptable. And meanwhile, a lot of people love it. And people who actually read the security docs understand it. Can you just just find? One example that I found particularly great is we had one remote... One RCE that panicked Belgium. So the Belgium cybersecurity did a release about the remote execution environment. And the whole bug was a feature where a malicious website could create a link that would trigger the gateway and then forward your gateway token. Now, if you use the setup that is the default and that is recommended, the gateway token is local only. Or if you have to, it's in your private network. No external website can actually access it. If you actively fight the setup, for example, you use Claude Code to set it up without reading, you might be able to get the setup working. But again, that's not anything but set on the website. So to be very honest, yes, there's absolutely a risk. 
The big risk is the, basically the lethal trifactor. Any agentic system that has access to your data has access to untrusted content and the ability to communicate is something that's potentially at risk. That's not anything special to OpenClaw. It's like any agent, any proficiency system has a problem. The more powerful you make it, the more it can do for you. But the more you also have to understand what it does. So this is like the main issue. But people are not talking about it. Yeah, and then also some part about maintaining. So the problem is like if you get all those security advisories, you know that most of them are created with agents. But you still have to use your brain to actually read it because we're not at the point where you can fully trust. Or I'm not at the point where I can just fully trust that the agent will figure it out. So it is a huge burden on time. Sometimes you can often guess. Anytime, the Reaper is too nice or like someone apologizes, it's very likely AI, because usually people are insecure to don't apologize. But it is a huge problem. And it's something that I see more and more OpenClaw projects complaining about, like, breaking. Some are very public about it, like FFAMPAK. Usually you get the report. It's very rare to actually get a report and a fix. If you get a report and a fix, it's usually a very bad fix. If you rush it, as I sometimes did in the beginning, because I was overlooked, you will very certainly break a product. So this is something that's just very difficult to pull up only with volunteers. So what are we working on? Number one is, my people say like OpenAI bought OpenClaw. That's not the truth. They might bought my solder indeed. But they very much understand that in order for what the world needs, it's like more people that play with AI to understand what the AI can do, to both understand the risk and also the possibilities. 
They understand that if you, or someone who never played with, never used AI, suddenly is at home and uses OpenClaw, they'll come to work. And they will ask, why don't we have AI at work? So they very much understand that supporting this project is very useful. And in order for that project to be successful, it cannot be under one company. Therefore, I'm building Switzerland with the OpenClaw Foundation. And I have Davis helping me visit. It's almost done. The last thing that's keeping us going is like the American bank system, which is a little bit slow and very confused when you're not American. It's inspired by what Gosti did. And this will actually then help us to hire full-time people to both keep up the pace, improve the quality. And free up some of my time that I can work on cool stuff again. And get some a little update on state of the claw. I'll be around later for a Q&A. Thank you for listening. OK. Great. Thank you for the whoop. Love the whoop. So Exam, OK, you've chosen the claw track to get started on for our breakouts. And it's going to be great, I think. It's going to be a good session. We are going to be hearing about a bunch of different things related to open claw and just personal AI assistance in general. There's some open claw contributors, open claw maintainers, open claw competitors, and open claw creators going to be here on the stage. We're actually going to be taking this through until the lunch break. Oh, there we go. We can see up there. So it's about an hour and a half of sessions, slightly shorter sessions than earlier. I think, but we're going to be starting with an AMA. I mean, you saw Peter earlier on, but you're going to get a chance to ask questions, and there's going to be a bit of a conversation with Peter and Swix. So I think to get us started, I will simply invite Swix up who will kick things off. So please welcome him to the stage. Swix, come on up. Swix, you can come out together. But there's no secret Peter. 
Welcome everybody. OK. OK. So the deal for this is meant to be an AME. The main idea is that I've run six of these AI engineers. And whenever we have some big maintainer, big VIP, we only give them a talk. But actually, you guys have questions that you want to ask. So we wanted to create that opportunity. So you can submit there. I'm going to moderate and all that. The spicy one I'm just going to start off with, Peter just quoted me and saying, send all your questions about close claw. Right? What's up? I think people have a lot of questions about the future of OpenClaw at OpenAI. And I want to just give you the space. What are people saying about close claw, and then what is your response? I didn't even think about it. It came up when I decided to go to OpenAI. And I think people have a point that OpenAI wasn't always amazing with OpenSource. And I think a lot changed. Like, Cortex is OpenSource now. They released Symphony, which is a really cool orchestration layer. So like, they are really leaning in and understanding OpenSource now. They understand that OpenClaw needs to stay open, work with any model, be it one of the big companies or being a local model. Everybody in the industry wins if more people spend time with AI. You know, if I think AI is something scary, and then suddenly I play this OpenClaw, and suddenly it's like fun and weird. And then I come to work. And there's no, like, I don't know if AI tools at work. I'm going to get to my boss and say, why the F? Do we not have AI at work? And then those companies would probably not run OpenClaw, but we want something that's hosted and managed. And then somebody can make a sale. So they are very much on board. They provide me with resources. Actually, it's me. I could get a lot more people from OpenAI to help with the project. But that would just make a picture that they could have taken over the project. And I don't want that. So I brought in people from NVIDIA. 
We have from Microsoft, from Telegram, someone who's sales force of all the companies. So shout out. Actually, there's cool people at Slack. So we have someone that maintains the Slack plugin now. I brought a 10 cent on board bite dance. We talked to Alibaba, Minimax, Kimi, all the model providers. They're very much on board. NVIDIA has been immensely helpful. They, I think I wanted to cool this company as in terms of, here's some engineers who actually just hire agency and just do things. And now that I have all the other companies, I'm also bringing a few people in from OpenAI to help maintain the project. I mean, software is just like changing the pace of which this project operates is insane. You kind of like, you need an army. And I'm working on that. You have an army. But even the contributor chart that you showed shows that it's hard to get quality contributors to stick around. People keep hiring your maintainers. And then you have to find new ones. So there's a lot of questions about local models and open models. Not every part of the stack is open. There's many models where you don't have access to the models. And this sort of weird restrictions. How important is open and local models to the future of OpenClore? I mean, part of what motivated me to build OpenClore is, you see all these large companies. And then they have connectors to my Gmail. And then my email is hosted somewhere. Then this company has full access to my email. And then I can get a little bit down there. Much more exciting to me if I have all my data actually on the my control. And I, and like a little bit of it, goes up there if I need the top tier token. Yeah. And like a second kind of hierarchy of far back models. Yeah, you want to, I mean, I'm European at heart. You want to own your data. And the way you built it. So for me, that was very attractive. And also the fact that, you know, if you're a startup, and you want to connect to Gmail, it takes a coffee year. 
And it's like a very, very difficult process. But if I'm a consumer, my client can click on any website. And happily clicks on, I'm not a bot. If you have to give me the data somehow, if you can, if you give me the data, my agent is able to get the data. So you can walk around a lot of those silos, those big companies are building. And ultimately, you can do much cooler automation use cases that large companies can never do. So it's like, it's a little bit the heck of a way. Yeah. And any indications from the OpenIT on GBT OSS is that continuing to be a stream of work that will be aligned with OpenClaw? Or is that separate? I'm not in a position to give you insights on that. Just that part of an OpenClaw trigger is that more people in the company are getting excited about OpenSource. And I love that OpenAI is moving more into the OpenDirection again. If you compare it to some other top tier labs that start with an A, that very much will sue you if you leak any of their source or block you if you are too successful, I think OpenAI is an adequate direction. Yeah. OK, I want to highlight this question. People love hearing about your coding workflow. I think by now, your idea of the prompt requests rather than the pull requests is very well socialized. And also, you've been shocking people with just how you're spending tokens at OpenAI. So basically, people want to know how you ship and what you do about agent waiting times. Like, why is your spinning out so many agents? I know. I never imagined that this one picture of me would blow up so much. Yeah. Actually, it gives us numbers just to align people. I think there's times where I was running almost 10 sessions at the same time, especially when I used Codex with 5.0, 5.1. It was quite slow. I think now I have to say, we, it's so weird. We made improvements. The burst make it faster, and then it's also fast mode. 
So by now, my typical workflow is maybe half of that, maybe five, six windows instead of double, just because each loop is faster, and the area of work I think in and workers is pretty much the same. So I don't have to use split-screen so much anymore. And I think we're going to move into a future where token will be faster and faster. At some point, this is not natural that you work on six things at the same time. But it's basically a workaround until token's fast. Yeah. One of my interesting things of putting you next to Ryan was to see how the two of you approach token maxing, basically. I'm curious what you think about the complete dark factory approach that you don't even review code that goes in. I think that's more and more doable. But also, you know, when I, dark factory in a way also means I come up with everything I want to build in the beginning. And I just don't think you can build good software in that way. Like, the way to the mountain is usually never straight line. It is very curved. Sometimes you go a little bit off track. And then you see something new that inspires you. You find short cuts. Once you're at the top, you can find the optimal paths but you never work like this. So at the same time, the first idea that you have about your project is very unlikely going to be the final project. But if I suddenly use the waterfall model again, that will be the final project. For me, that doesn't work for me. I build steps. I play with it. I see how it feels. I get new ideas. My prompts change. So to me, it's a very iterative approach. So I don't see how you could fully automate that. You can definitely build pipelines for certain things. But even for PRs, you don't just want to build a pipeline that's just merges PRs. Because a lot of them just don't make sense. People will pull your product into all kinds of directions. But if you automate that, I will very unlike you know what's the right direction. You can guide it. 
I have a vision document that I tried some of that. But the bottleneck is still sinking. And like having taste. Yeah, taste is very important. How do you define taste? This is something that in my conversations with people, everyone understands taste is the most. But nobody agrees on what taste good taste is. So I'm just curious to hear yours. I think in this day and age, the very low level of taste is if it doesn't stink like AI. And you know exactly what I mean. If something is just writing style, personality, also UI. But now you've seen so much a genteque built UI that you immediately know if it's AI. If it has the color border on the left. Yeah, I mean, for a while it was like the public gradient. But much more so I feel it's like a feeling. The same as you can identify AI written slop right away. That's why I say it's a smell. Even if you can pinpoint it, you will know. So that's probably the lowest characterization of taste. And then going higher up, because now so much of software is automedable, there's actually much more time you can spend on the little details. I know, you know, just when you run open-close, you get a little message that sometimes roast people. And also like the delightful details, I think, that you'll just not get if you prompt in a high level. Yeah. One of my favorite two of yours is how you really put a lot of work into your soul, soul MD. And you open source your approach. And I don't think people worked on enough soul until you came along. So I think that's really interesting. I have a podcast that I haven't done yet. I haven't released yet with Mikhail Parakin, who is the CEO of Shopify now. He was the guy leading Bing, where Sydney was the original sort of unaligned chatbot that emerged. But I think people really have fun when your soul, your chatbot has personality. Your clinker has different obsessions. Well, it's also because the world changed, right? We had chat CBD in 2023 and 2004. 
And it was basically us having AI without understanding what AI can do. So we rebuilt Google. You have a search field and you get a response. And you don't expect Google to have a personality. But now that we've moved more towards agents... I didn't think about it in the beginning with the WhatsApp relay; I just hooked it up to Claude Code. And then when I was on WhatsApp, I noticed that it doesn't feel quite right. Even though Claude Code already has some personality, it didn't really fit how people would write to you on WhatsApp. So that's how my whole iteration started. Again, it's about taste. It doesn't feel quite right. It's too wordy. It uses too many dots. My friends text differently. And that's how I started working on it. Saying, no, try to write more like a human.

Yeah, I actually run a "writing like a lobster" one.

Yes.

One of my favorite quotes of yours is "madness with a touch of science fiction." This is how you run AI projects.

And I think not all AI projects, but specifically something like OpenClaw would have never been able to... it would not have come out of an American company, just because it would have been killed in legal long before it would have been released. Because it just has some problems that we haven't really solved as an industry yet. But now we have some mitigations and it's getting better. The models are getting a lot better. But I don't see how any of the big labs could have released that. It would be too much pushback, not enough market proof that this is what people want. So it had to be done by someone outside.

Yeah. Literally, when I built it in the very beginning, I was like, oh, what's the worst that can happen? It could exfiltrate my tokens, my emails; nothing seems like it would completely kill me. It could upload some of my pictures. I was like, I guess the worst is already online if you use grind. So I was like, I can live with that risk.
It would be uncomfortable, but it's manageable. For a company it's very different; it requires a somewhat different approach.

Yeah. By the way, here's his Instagram account. Good follow. Under-followed. It also has some good stuff. OK, you were talking about WhatsApp, talking about Telegram, a lot of these text apps. Text apps are good. People are also looking for the next form factor. People want the glasses, the earbuds. What is your wish list in terms of having agents in your life?

I started on that already, actually, but then I was just getting bogged down by all the people using it and the daily grind. But if you're at home, I want to be in any room, and it's Star Trek: when you say "computer", green. I want to talk to my agent wherever I am. And it should just be able to respond to me. It should know where I am. I have little iPads in every room. And my agent can use the canvas feature and project stuff on those iPads. So if I ask a question that is easier to answer by also showing me something, it could use the nearest display, because it's aware of where I am. So the phone is just a very convenient input point, but I kind of want to talk to it from anywhere. If I'm around and I have glasses, it should just be able to listen in and project something for me. Just ubiquitous.

Follows you.

Yeah, once we have at least a smart home... agents on your phone, but we really want ubiquitous agents. And then maybe you will have your upper-case OpenClaw, your private agent; at work, you might have your lower-case OpenAI claw. And that claw should be able to talk to your personal claw in a way that both your company and you are comfortable with. So that's kind of the future we need to work out.

Yeah. I just did a podcast with Marc Andreessen, who was a huge fan, and I also have conversations with Andrej Karpathy. Both of these guys are running OpenClaw to run their house.
And I think OpenClaw for homes is kind of underrated, but people are really discovering it. And my funniest sort of irony is that it's only possible because the Internet of Shit means that most smart devices are terrible at security, which means OpenClaw can run them. It's going to be much, much better in a few months; even the models are getting really good.

Yeah, they're very good. OK, one security question about prompt injection. How do you want to solve prompt injection? Or what ways have you been thinking about the prompt injection problem?

Probably not enough yet. On the other hand, the frontier models are really quite good at detecting all the cases where stuff just randomly comes in from a website or an email; that's usually not a problem anymore. You mark it as untrusted content. It's very hard to exfiltrate data from that. If I have unlimited access to your claw and can bombard it with stuff, then there is still a chance. But for one-off things, it's no longer the biggest problem. That's also why, you know, this is probably the angle where some people say, oh, Peter doesn't like local models. But then I see people running a 20-billion-parameter model that just does whatever you tell it and is not trained to have any defenses at all. That's still problematic. If you run that and then you use a web browser or email, that would worry me. That's why OpenClaw warns you if you use a small model. And then people spin up a whole thing like, I'd love it to support everything. But you have to steer the regular user a little bit in a direction that makes it harder for them to shoot themselves in the foot. Yeah, there are some ideas for prompt injection. It's still a little bit away. I have more than one answer.

I think Simon Willison has been working a lot on this. He coined the term prompt injection, and the sort of dual LLM approach seems smart.
And I'm not smart enough to figure out all the ways in which it can be attacked. At some point trust has to be a thing.

Something interesting I found out from talking with Vincent, who is speaking next, is that you guys had to implement the same trust system that Tobi had to implement, which is you build reputation over time, and things with more trust get more privileged access.

I think that makes sense. That's part of the story.

Okay. So, some broader questions. What cool projects would you like to work on once you have more free time?

I mean, I wanted to work on dreaming. And one of my maintainers worked on dreaming while I'm here.

You just hit it, right?

Yeah.

What is dreaming?

It's a way to reconcile memories, and it creates a little bit of a dream log. It goes through your session logs. We found out from the Anthropic source code leak that they also were working on dreaming. I mean, there are more companies working on that. But think a little bit about how we learn as humans. You experience a lot of things during the day and then you sleep. In sleep, your brain is like a garbage collector. It converts some local, short-term memories into long-term storage and drops others. And those are similar ideas that I think could also be very useful for agents. And what we do with dreaming is a first little step in that direction. It's related to the wiki thing that Andrej has been talking about, where you collect everything into a... This is more memory, but everything kind of blends together. The beauty of OpenClaw is that we can just try stuff. Everything we worked on for the last month or so is that in the beginning it was a big spaghetti code base mess. And now everything is an extension, a plugin. So you can replace memory, you can add the wiki, you can add dreaming, you can add, I don't know, whatever crazy idea you have, and just make it your own.
You don't have to send everything as a pull request, because we are still completely overloaded on this. But it's more like Linux, where you can just install your own parts.

Yeah. And you are building what a lot of people think is the most consequential open source since Linux. I don't know how you deal with that. What do you do with the fame? What is a day in your life as the BDFL, effectively, of something like this?

Well, there's still a lot of coding. There's also a lot of...

By the way, in between sessions he was coding. Like, there.

Yeah, they get token-excited. You have to do something else to be able to push the agents, right? It has shifted a little bit now. It's a lot more talking and steering people in the right direction. Because there are a lot of things that we already learned at OpenClaw. So part of my role at OpenAI is to help and not make the same mistakes again. And at OpenClaw it's trying out new things that seem exciting, and some might work and some might not. We enable companies to build their own claw without having to fork away, by making everything more customizable. Yeah, sometimes I sleep.

Sometimes you sleep. Okay, great. I think maybe this is the last good closing question. What skills do you want humans, and engineers in particular, to focus on developing in the age of AI?

Taste was a big one, but I already mentioned that. System design is still very important.

Yes, we talked about this in terms of...

Yeah. If you don't think about that, you will eventually slide yourself into a corner, just by defining the boundaries. The funny thing is, everything is in the clanker, but you still need to ask the right questions. Otherwise, that makes the difference between good code coming out and really bad code coming out. And that's still where all the knowledge you have, like how you build software, can be applied to steer the agent into something that is not slop.
And I think a skill that is becoming more and more important is saying no. And that's something I had to learn as well, because even the wildest idea is just a prompt away. And usually this one idea is never a problem, but this idea and this idea and this idea, and then how all of that fits together, that's the problem. So...

I think we're still bottlenecked on thinking, on big-picture thinking.

Yeah. Because imagine the world from your clanker's perspective. You're being thrown into a code base, you might have an outdated AGENTS.md, but you basically don't know what it is. And then I tell you, hey, add user profiles. And you somehow add user profiles connected to the two things you see, but you didn't see the whole system, right? And that's where a lot of those localized solutions come from. The project has warts, and it's our job to help the agent do its best work by providing it with hints. Hey, do you want to consider this? Do you want to look there? How would this interplay with this? And then ultimately you get a much better system that actually is maintainable.

Yeah. Well, thank you for maintaining one of the most important pieces of software of all time, and thank you for spending time with us.

Thanks for having me.

Yeah. Hopefully you stick around and ask questions. Thank you.