You shouldn't run Clawdbot on your computer


Adam Gold

Over the weekend I sent my own database user & password to a remote server I control. I did it using Clawdbot, the AI assistant everyone’s been losing their minds over. It took me about 20 minutes and a PDF.

Here’s how it worked: I sent Clawdbot a PDF containing some code and asked it to run it (with smart prompting). The code was harmless - just a simple script that printed some output. The agent checked it, decided it looked safe, and executed it. Then I edited the file to include a line that copied all my environment variables to a server I control, and asked the agent to run it again. Because it had already validated the code as safe, it didn’t re-check - it just ran it.

My secrets were on a remote server in seconds.
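The weak spot in that sequence is an approval remembered by file name rather than by file contents: the path was marked safe once, then different bytes at the same path got the same verdict. The following is an added example, not Clawdbot's code and not the script from the post. It replays the review, edit, rerun sequence against two toy approval caches, one keyed on the path and one keyed on a SHA-256 of the exact bytes that were reviewed. The two script strings, the path /tmp/from_pdf.py and the class names are all made up for illustration; the "malicious" addition is only a comment and nothing here is executed.

```python
import hashlib

# Constructed stand-ins for the two versions of the script in the post.
# They are strings only; this example never executes them.
ORIGINAL_SCRIPT = "print('hello from the PDF')\n"
EDITED_SCRIPT = ORIGINAL_SCRIPT + (
    "# added after the first review: read os.environ and POST it to a\n"
    "# server the attacker controls (deliberately left as a comment)\n"
)


def fingerprint(content: str) -> str:
    """SHA-256 of the exact bytes that were reviewed."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


class PathKeyedApprovals:
    """The weak scheme: once a path is marked safe, anything at that path runs."""

    def __init__(self) -> None:
        self._approved: set[str] = set()

    def approve(self, path: str, content: str) -> None:
        self._approved.add(path)

    def is_approved(self, path: str, content: str) -> bool:
        return path in self._approved


class HashKeyedApprovals:
    """The hardened scheme: approval is bound to (path, sha256(content)),
    so any edit to the file invalidates the earlier verdict."""

    def __init__(self) -> None:
        self._approved: set[tuple[str, str]] = set()

    def approve(self, path: str, content: str) -> None:
        self._approved.add((path, fingerprint(content)))

    def is_approved(self, path: str, content: str) -> bool:
        return (path, fingerprint(content)) in self._approved


def runs_without_rereview(store) -> bool:
    """Replay the post's sequence against an approval store.

    1. The agent reviews the original script and approves it.
    2. The file is edited in place.
    3. The agent is asked to run the same path again.
    Returns True if the edited content would run with no fresh review.
    """
    path = "/tmp/from_pdf.py"  # hypothetical path standing in for the PDF's code
    store.approve(path, ORIGINAL_SCRIPT)  # step 1: reviewed, looked harmless
    if not store.is_approved(path, ORIGINAL_SCRIPT):
        raise RuntimeError("store lost the approval it just recorded")
    return store.is_approved(path, EDITED_SCRIPT)  # steps 2-3: same path, new bytes


if __name__ == "__main__":
    print("path-keyed cache reruns edited file:", runs_without_rereview(PathKeyedApprovals()))
    print("hash-keyed cache reruns edited file:", runs_without_rereview(HashKeyedApprovals()))
```

Binding the verdict to the content hash only closes the "edit after approval" gap; it does nothing about the first review being wrong, which is the prompt-injection problem the rest of the post is about.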

If you just bought a brand new Mac Mini to run it on, that's a step in the right direction (although I would still recommend doing more on the security side), and you can stop reading here :)

I’m not sharing this to be dramatic or to say Clawdbot is bad. You message it on WhatsApp while you’re out walking the dog and it’s there on your Mac doing actual things… It feels like having a PA that never sleeps.

But people are running Clawdbot on their primary machine, the one with all their SSH keys and API credentials and their password manager, and I want to be really clear about what’s happening here.

Clawdbot is an AI agent with full access to your computer. It runs under your user account, so it has the same read/write access to your file system that you do. It can execute code, and it can connect to your email, your calendar, whatever else you hook up. It can message you proactively whenever it decides it should. And this is the whole point - you want it to just run, not ask for permission every thirty seconds.

The attack I pulled off is called prompt injection. The model genuinely cannot tell the difference between “content I’m supposed to analyze” and “instructions I’m supposed to follow” - it’s all just tokens. If you can get malicious instructions in front of the model through any input channel, there’s a real chance they get executed.

Clawdbot has a lot of input channels - documents, email, chat messages. Think about WhatsApp: it doesn't have a "bot account" concept the way Discord or Slack do, it's just your phone number. When you link it, every inbound message becomes input to a system with shell access to your machine. Your trust boundary just expanded from "people I would hand my laptop to" to "anyone who can text me."

If you’re running it on your daily driver with your credentials and your work files and your password manager, maybe reconsider. Run it on something isolated. Use a burner number for WhatsApp if you’re connecting messaging apps. Run clawdbot doctor and actually read what it tells you. Keep the workspace isolated so you can roll back if something goes wrong.

We’re at this weird moment where the agent capabilities are crazy good, but the security infrastructure hasn’t caught up. That’s probably fine for early adopters who understand what they’re getting into, but it’s going to be a problem when this goes mainstream and regular people are running autonomous agents on machines with their bank credentials and medical records.

What I really want is proper sandboxed environments: places where agents can run freely without constantly asking for permission, but with real isolation from your actual credentials, with checkpoints you can roll back to, and with blast radius limits so a compromised agent can't take down everything. That's what would let me trust an agent to run overnight. Not more approval dialogs - I want to let the agent run freely. YOLO.
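For the "isolation from your actual credentials" part of that wish list (and the "run it on something isolated" advice above), here is an added example of the cheapest first step, written for this page rather than taken from Clawdbot or from the author: start the agent's shell with an allowlisted environment and a throwaway HOME inside a fresh workspace, then look at the environment from inside the child, which is the attacker's vantage point in the PDF attack. PARENT_ENV, ALLOWED_VARS and the fake DB_* and AWS values are constructed for the demonstration.

```python
import subprocess
import sys
import tempfile

# Constructed parent environment standing in for the developer's shell.
# The secret values are fake and exist only so the child can be checked.
PARENT_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/adam",
    "LANG": "C.UTF-8",
    "DB_USER": "app",
    "DB_PASSWORD": "hunter2",
    "AWS_SECRET_ACCESS_KEY": "fake-not-a-real-key",
}

# Allowlist, not denylist: nothing reaches the agent unless named here.
# A denylist of "secret-looking" names would have missed DB_USER.
ALLOWED_VARS = ("PATH", "LANG", "LC_ALL", "TERM")


def make_workspace() -> str:
    """Fresh empty directory the agent gets as both cwd and HOME."""
    return tempfile.mkdtemp(prefix="agent-ws-")


def scrubbed_env(parent: dict, workspace: str) -> dict:
    """Environment handed to the agent's shell: allowlisted vars plus a HOME
    inside the workspace, so ~/.ssh, ~/.aws and ~/.netrc resolve to nothing."""
    child = {k: v for k, v in parent.items() if k in ALLOWED_VARS}
    child["HOME"] = workspace
    return child


def child_view(parent: dict, workspace: str) -> dict:
    """Launch a child the way the agent would be launched and return the
    environment it actually observed."""
    proc = subprocess.run(
        [sys.executable, "-c",
         "import os\nfor k, v in sorted(os.environ.items()):\n    print(k + '=' + v)"],
        env=scrubbed_env(parent, workspace),
        cwd=workspace,
        capture_output=True,
        text=True,
        check=True,
    )
    return dict(line.split("=", 1) for line in proc.stdout.splitlines() if "=" in line)


def leaked_names(parent: dict, workspace: str) -> list:
    """Parent variables that were not allowlisted yet are visible, unchanged,
    inside the child. An empty list means the scrub held."""
    seen = child_view(parent, workspace)
    return sorted(k for k, v in parent.items()
                  if k not in ALLOWED_VARS and seen.get(k) == v)


if __name__ == "__main__":
    ws = make_workspace()
    print("workspace:", ws)
    print("child sees:", child_view(PARENT_ENV, ws))
    print("leaked:", leaked_names(PARENT_ENV, ws))
```

This only removes the env-var exfiltration path from the post and blunts tilde-relative lookups; a script can still open /home/adam/.ssh by absolute path, because the child is still your user. Real blast-radius limits need a separate account, container or VM, which is exactly the sandbox the paragraph above is asking for.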