Lobster-themed AI assistants, milestone releases, and the latest NAS operating system launch
  • theunknownmuncher@lemmy.worldEnglish
    81·
    6 hours ago

    It’s not arbitrary code in this case, it’s well defined functions

    No, you’re 100% wrong as the bot can just directly run arbitrary bash commands as well as write arbitrary code to a file and run the file. There’s probably a dozen different ways it can run arbitrary code and many more ways it can be exposed to malicious instructions from the internet.

      • theunknownmuncher@lemmy.worldEnglish
        4·
        4 hours ago

        Yeah, great, except the bot can literally just write whatever it wants to the config file ~/.openclaw/exec-approvals.json and give itself approval to execute bash commands.

        There’s probably a hundred trivial ways to get around these permissions and approval requirements. I’ve played around with this bot and also opencode, and have witnessed opencode bypass permissions in real time by just coming up with a different way to do the thing it is wanting to do.

        • nix98@lemmy.worldEnglish
          1·
          3 hours ago

          This is where tools like bubblewrap (bwrap) come in. For opencode, I heavily limit what it can see and what is has access to. No access to my ssh keys or aws credentials or anything else.

        • Scrubbles@poptalk.scrubbles.techEnglish
          1·
          2 hours ago

          Everyone keeps forgetting “if you allow it”. They show you what commands it’s going to run. So yes I’m okay with it, I review everything it will do.