Egregoros · Phoenix Framework

Post

Remote status

Context

⚡⛥ Wight Power ⛦⚡

About 75% of Schneier's articles lately have been about LLMs being pwned and/or doing the pwning.

https://www.schneier.com/blog/archives/2026/02/the-promptware-kill-chain.html

Blurry Moon

@sun@shitposter.world remote

@toiletpaper openclaw is going to be the vector for unbelievably devastating attacks in the near future, it's such a pile of shit

Replying to @sun@shitposter.world

⚡⛥ Wight Power ⛦⚡

@toiletpaper@shitposter.world remote

@sun

I use some LLMs etc on my machine, both local and cloud based, but if they have any agentic functionality whatsoever it only happens in an isolated VM. Based on experience there's zero chance I'm ever letting any of these things touch my main system.

Replies

Replying to @toiletpaper@shitposter.world

Blurry Moon

@sun@shitposter.world remote

@toiletpaper if you want your agent to do almost anything you have to give it api keys or auth tokens. that's the premise of openclaw, you give it a shitload of access to your life and it manages things for you. so you give it your email, chat, calendar, everything, all glommed together on a box with no privilege separation and the llm has complete access to it all

Replying to @sun@shitposter.world

Blurry Moon

@sun@shitposter.world remote

@toiletpaper I am currently thinking through a way to give llm power to do things like this but limit its ability to leak keys. it's a hard problem.

Replying to @sun@shitposter.world

⚡⛥ Wight Power ⛦⚡

@toiletpaper@shitposter.world remote

@sun

I think this depends somewhat on the service provider providing robust enough pki, or otherwise having some kind of middleware similar to openrouter to handle api keys and provide a very limited local api for the things the llm legitimately needs access to.

Replying to @toiletpaper@shitposter.world

Blurry Moon

@sun@shitposter.world remote

@toiletpaper I am writing middleware yes that negotiates connections using isolated key enclave and then hands off an abstracted api access to the core. the core just has to use this middleware instead of handling the api directly. for almost all purposes there is no problem with this and it eliminates risk of a prompt hack leaking your entire fucking life. also I can do proper OS compartmentalization of the processes so if you manage to hack the LLM to read the filesystem or whatever it still cannot steal keys.

Replying to @sun@shitposter.world

Blurry Moon

@sun@shitposter.world remote

@toiletpaper I said it was hard but it's just an addition layer of indirection, and basic system administration. but that is way beyond what the majority of openclaw people are capable of, they don't really understand anything at all

Replying to @sun@shitposter.world

⚡⛥ Wight Power ⛦⚡

@toiletpaper@shitposter.world remote

@sun

The majority of LLM users period. Based on my overwhelming experience, most people are completely clueless about the pitfalls of their relationship with any given technology, and even when they do know, usually have a litany of excuses as to why they don't care. So it's hardly surprising to me that so-called AI is no exception.

Replying to @sun@shitposter.world

⚡⛥ Wight Power ⛦⚡

@toiletpaper@shitposter.world remote

@sun

I'll be interested to hear more about this once it's ready for prime time. That solves a major problem that I haven't yet found a good solution for. That said, I'm still on the learning curve, so there's a lot I don't yet know about. Please keep me posted.

Replying to @toiletpaper@shitposter.world

Blurry Moon

@sun@shitposter.world remote

@toiletpaper sure thing. I have a bunch of it specced out and some basic code but it doesn't work yet.

another interesting feature is when you want to add a feature to it, it uses the llm to spec out tests for an addon module; writes codes; iterates until the module passes tests; hot-reloads the module into itself. there is an immutable core and then it can dynamically rewrite its modules without having to restart.

Replying to @sun@shitposter.world

shibaozi

@shibao@misskey.bubbletea.dev remote

@sun@shitposter.world @toiletpaper@shitposter.world it's easy, we're doing this at work with health PII, you just regex the data to something when you want to protect when you send it and then regex it back

Replying to @shibao@misskey.bubbletea.dev

Blurry Moon

@sun@shitposter.world remote

@shibao @toiletpaper llms can do some really sneaky shit

Replying to @sun@shitposter.world

shibaozi

@shibao@misskey.bubbletea.dev remote

@sun@shitposter.world @toiletpaper@shitposter.world that's true, it's different when you can easily control everything that can ever go to an LLM vs something like openclaw where there's a bajillion things that can shovel data from the machine into your llm

Replying to @shibao@misskey.bubbletea.dev

Blurry Moon

@sun@shitposter.world remote

@shibao @toiletpaper even with just an llm it has been shown you can induce it to encode data to bypass text checks

Replying to @sun@shitposter.world

Technocore Patriot

@sunbeam_rider@shitposter.world remote

@sun @toiletpaper vibe architecture?

Replying to @sunbeam_rider@shitposter.world

Blurry Moon

@sun@shitposter.world remote

@sunbeam_rider @toiletpaper it literally is, a lot of openclaw is written by openclaw itself. just a day ago I had it write an extension for itself so it could use a different chat interface than it currently supported.