Security researcher Davi Ottenheimer has published a critique of OpenClaw, arguing that it repeats the same security mistakes that plagued MS-DOS. The core problem: a single process with a single token, where the LLM holds the line between safe operation and disaster. Ottenheimer draws a direct parallel to Wal-Mart's MS-DOS point-of-sale systems, which stored customer payment data with zero protection and one shared password. When that system was breached in 2006, the company waited three years to notify anyone.

AI agents like OpenClaw are at the center of these debates.

NVIDIA's NemoClaw tutorial attempts to address security by sandboxing the entire agent inside a container. But this creates awkward workarounds. You have to bind Ollama to 0.0.0.0 so the agent can reach inference across network namespaces. Outbound connections get approved through a separate host-side TUI. Ottenheimer argues this is what happens when you try to wrap security around something that breaks when you put security around it.

His alternative, Wirken, flips the approach. Instead of a big sandbox around the whole agent, security boundaries shrink to the tool layer. Each channel runs as a separate process with its own Ed25519 identity. The vault runs out of process. Inference stays on loopback. Shell execution happens inside hardened containers with cap_drop ALL, no-new-privileges, read-only rootfs, and no network access. Sixteen high-risk command prefixes trigger a prompt on every call. The audit logs show it working: a curl attempt gets denied before reaching the sandbox, and a shell probe hits a read-only filesystem.
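To make the tool-layer design concrete, here is an added illustration of the three pieces the paragraph describes: a prefix policy that decides deny / prompt / allow before a command ever reaches the sandbox, a loopback-only check for the inference endpoint, and the hardened `docker run` invocation (`--cap-drop ALL`, `--security-opt no-new-privileges`, `--read-only`, `--network none`). This is example code written for this summary, not Wirken's or OpenClaw's implementation; the prefix lists and the `sandbox:local` image name are constructed stand-ins, since the article says Wirken prompts on sixteen prefixes but does not list them.

```python
"""Tool-layer command gate and hardened sandbox invocation (added example)."""
import os
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins (assumption): commands that would undermine the
# "no network" rule are denied outright, before the sandbox is reached.
DENY_PREFIXES = ("curl", "wget", "nc", "ssh", "scp")

# Constructed stand-ins (assumption): destructive or privilege-changing
# commands that require approval on every single call.
PROMPT_PREFIXES = ("rm", "dd", "mkfs", "chmod", "chown", "sudo", "kill", "git push")

SANDBOX_IMAGE = "sandbox:local"  # placeholder image name, not a real artifact


@dataclass(frozen=True)
class Verdict:
    action: str  # "deny" | "prompt" | "allow"
    reason: str


def _matches(tokens, prefix):
    """Whole-token prefix match; strips a path so /usr/bin/curl == curl."""
    parts = prefix.split()
    head = [os.path.basename(tokens[0])] + tokens[1 : len(parts)]
    return head == parts


def classify(command: str) -> Verdict:
    """Decide what happens to a shell command before it reaches the sandbox."""
    try:
        tokens = shlex.split(command)
    except ValueError as exc:
        # Unbalanced quotes: refuse rather than guess what a shell would do.
        return Verdict("deny", f"unparseable command: {exc}")
    # Drop leading environment assignments (FOO=1 cmd) so they cannot hide the verb.
    while tokens and "=" in tokens[0] and not tokens[0].startswith("="):
        tokens = tokens[1:]
    if not tokens:
        return Verdict("deny", "empty command")
    for prefix in DENY_PREFIXES:
        if _matches(tokens, prefix):
            return Verdict("deny", f"network tool '{prefix}' is never allowed")
    for prefix in PROMPT_PREFIXES:
        if _matches(tokens, prefix):
            return Verdict("prompt", f"high-risk prefix '{prefix}' needs approval")
    return Verdict("allow", "not in any high-risk list")


def inference_endpoint_ok(url: str) -> bool:
    """Inference must stay on loopback; 0.0.0.0 or a LAN address fails."""
    host = urlparse(url).hostname
    return host in ("127.0.0.1", "::1", "localhost")


def sandbox_args(command: str) -> list:
    """Build the hardened container invocation for an approved command."""
    return [
        "docker", "run", "--rm",
        "--cap-drop", "ALL",                       # no Linux capabilities at all
        "--security-opt", "no-new-privileges",     # setuid binaries cannot escalate
        "--read-only",                              # read-only rootfs
        "--network", "none",                        # no network namespace access
        "--pids-limit", "64",                       # bound fork bombs
        SANDBOX_IMAGE, "sh", "-c", command,
    ]


def plan(command: str, approved: bool = False):
    """Return (audit_line, docker_args_or_None) for one tool call."""
    verdict = classify(command)
    if verdict.action == "deny":
        return f"DENY  {command!r}: {verdict.reason}", None
    if verdict.action == "prompt" and not approved:
        return f"HOLD  {command!r}: {verdict.reason}", None
    return f"RUN   {command!r}: {verdict.reason}", sandbox_args(command)


if __name__ == "__main__":
    # Constructed sample calls mirroring the audit-log behaviour described above.
    for cmd in ("curl http://example.invalid/x", "rm -rf build", "ls -la /"):
        line, args = plan(cmd)
        print(line)
        if args:
            print("   ", " ".join(shlex.quote(a) for a in args))
    print("inference endpoint ok:", inference_endpoint_ok("http://127.0.0.1:11434"))
```

The policy deliberately runs before the container is launched, which is why a denied `curl` never produces a sandbox event at all; commands that are merely risky are held for approval on every call rather than remembered, matching the per-call prompting the paragraph describes.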

Hacker News commenters met the whole thing with skepticism, calling it "tech debt" and questioning whether OpenClaw usage is an end in itself rather than a means to accomplish something real. The pattern is familiar: convenience wins early, security debt accumulates, and everyone acts surprised when things go wrong.