HackerTrans
TopNewTrendsCommentsPastAskShowJobs

JulienBrouchier

1 karmajoined 3 bulan yang lalu
Security engineer.

Submissions

Distinguishing Malicious from Vulnerable: 2,354 Popular ClawHub Skills Analysed

trent.ai
5 points·by JulienBrouchier·3 bulan yang lalu·1 comments

comments

JulienBrouchier
·kemarin dulu·discuss
This is (yet another) example of agentic computing being the great mixer. It mixes trusted and untrusted, private and public, code and data.

This is the hard part when you build an agentic system : being able to compartmentalise your agents and their permissions. When you find an agent (or its sandbox) that has permissions to reach conflicting domains (public and private repos), then you need to look at it and either split the component, or verify that the output respects your security constraints. It is not a code or prompt injection problem, it is an architectural (bad) choice but it can be fixed at the architecture level too.
JulienBrouchier
·10 hari yang lalu·discuss
It is a two step process : - First you create a container/sandbox/machine to contain your agent in it. If you are a dev, dev containers are a good solution. If you use OpenClaw, OpenShell is nice. there are plenty of examples on how to deploy it in a cloud instance. - Second you craft a set of credential with limited scope just for the job you want this agent to do. Don't trust the agent to restrict itself (it won't), just give it the minimum.

Practical example : you want an agent to read some of your mails and answer them. You don't give the agent access to your whole Gmail account, you create a second account for your agent and you forward the mails of interest to that second account.
JulienBrouchier
·2 bulan yang lalu·discuss
There are positive things happening too. Recently, npm released min-release-age filtering the lets you only import packages that have a certain vintage, protecting you from all these supply chain attacks as they tend to be quickly detected.

https://github.com/npm/cli/releases/tag/v11.10.0
JulienBrouchier
·3 bulan yang lalu·discuss
Author here. I'm on the Trent team. This is a technical analysis of ClawHub's skills landscape. Happy to answer questions about the methodology or where you think we should look next (or again).