3 Comments
Qbson:

Fascinating read! Any pointers to resources on how to reduce attack surface area for individual use of any coding AI agent, not just ClawBot?

Denis Stetskov:

Short version: paranoia is the correct default.

Don't use open source AI agents. Every tool should have a name and a company behind it that's accountable when things break. Open source skills, plugins, community extensions? Skip all of it. The ClawHub situation showed exactly what happens when the barrier to publishing is a Markdown file and a week-old GitHub account.

Give zero permissions you don't absolutely need. I don't use any connectors in Claude, for example. No calendar, no email, no file system access. Every permission is an attack surface. The less the tool can touch, the less it can destroy.

Stick to verified marketplaces only. If a plugin or skill isn't vetted by the platform vendor, treat it like an email attachment from a stranger.

General rule: if you wouldn't give a random contractor access to your email, shell, and file system on day one, don't give it to an AI agent.

Qbson:

Thanks! I’m right there with you on being paranoid. Prompted three models, all from different providers and at least a couple of times, on how to minimize the blast radius before starting the first project with an AI agent.