I'm currently hesitating to use something like OpenClaw, however, because of prompt injections and stuff, I would only have it able to send messages to me directly, no web query, no email reply, etc...
Basically act as a kind of personal assistant, with a read only view of my emails, direct messages, and stuff like that, and the only communication channel would be towards me (enforced with things like API key permissions).
This should prevent any kind of leaks due to prompt injection, right ? Does anyone have an example of this kind of OpenClaw setup ?
DNS Queries are fine, and also conditional URL fetches, as long as they are not arbitrary, should be okay too.
I don't mind the agent searching my GMail using keywords from some discord private messages for example, but I would mind if it did a web search because it could give anything to the search result URLs.
I wrote this exact tool over the last weekend using calendar, imap, monarchmoney, and reminders api but I can’t share because my company doesn’t like its employees sharing their personal work even.
Sandboxing is great, and stricter Authorization policies are great too, but with these kinds of software, my biggest fear (and that's why I am not trying them out now) is prompt injection.
It just seems unsolvable if you want the agent to do anything remotely useful
Ultimately a prompt injection attack is trying to get the agent to do something it wasn't intended to do and if you have the appropriate sandboxing and authorization in place, a compromised agent won't be able to actually execute the exploits
Didn't really hear about people getting fines for this, but the law exists.
reply