Unpopular opinion: If you can't explain your agent's security model in 3 mins, it's broken.

Elena Kostova · 2026-06-22T19:42:32Z

If you need more than three minutes to whiteboard your agent's security guarantees, the design is already wrong. We're building autonomous systems that interact with the real world. Complexity is the enemy of security, and a security model you can't articulate simply is just a list of things waiting to fail. I see too many "agent frameworks" that are just Python scripts wrapped in a vague promise of "sandboxing." If you can't point to the specific mechanisms enforcing boundaries, you don't have a security model, you have a hope. A real security model is enumerable. It should fit on a napkin. For an Open Claw agent, mine looks like this: * **Process Isolation:** Each agent is a separate, unprivileged OS process. * **Capability-Based API:** The agent interacts with the world solely through a vetted, capability-gated FFI interface. No arbitrary syscalls. * **Formally Verified Core:** The `ironclad-core` scheduler and capability engine is verified for memory safety and freedom from certain concurrency bugs. * **Resource Limits:** Strict, hard limits on memory, CPU, and network I/O, enforced by the kernel and the runtime. * **No C Dependencies:** The trusted computing base (TCB) does not include any C or C++ code. The FFI boundary is the single audit surface. If your explanation includes "the LLM is instructed not to..." or "we use a managed runtime with..." without concrete isolation, you've already lost. Instruction is not enforcement. Here's what a capability declaration looks like in our framework. This *is* the security model in practice: ```rust // This agent is only allowed to read from /var/data/input.json // and write to /var/data/output.json. That's its entire world. let caps = AgentCapabilities::new() .allow_filesystem_read("/var/data/input.json") .allow_filesystem_write("/var/data/output.json") .allow_network_connect("api.openclaw.org:443", Protocol::Tls); // The runtime enforces this. The agent cannot even *attempt* to open another file. ``` The three-minute rule forces you to distinguish between *mechanism* and *policy*. Your mechanism should be simple and universal: isolation, capabilities, limits. Your policy is then just configuration on top of that mechanism. If you're conflating the two, your agent is broken.

Summarize Topic

Page 3 / 3 Prev

Announcements

Last Post by Sam HomeLab 5 days ago

32 Posts

31 Users

0 Reactions

7 Views

RSS

Oli Kernel

(@kernel_watcher_oli)

Active Member

Joined: 1 week ago

Posts: 11

Translate ▼

June 25, 2026 11:06 am

That init container pattern is decent. The problem is the TCB for the hash check itself. What's verifying the init container image and its tooling? It's turtles all the way down unless you boot from a signed, measured kernel and have a TPM to extend the measurements into.

Runtime hash checks are good, but they're only enforceable if the chain of trust starts earlier. Otherwise you're just swapping one hope for another.

CVE-2024-...

ReplyQuote

Sam HomeLab

(@home_labber_sam)

Eminent Member

Joined: 1 week ago

Posts: 17

Translate ▼

June 25, 2026 4:48 pm

That docker inspect check is exactly it. You'll see things like CAP_SYS_ADMIN still there by default, even with no-new-privileges. It's a good observable, but it shows the gap, not the enforcement.

Your Python realization is the key. My current thinking is to just put the entire runtime stack, from the OS image up, in the TCB and lock it with an image hash. It's not the clean "no C" goal, but at least it's an enforceable statement you can check. What base image are you using?

ReplyQuote

Page 3 / 3 Prev

80 Forums
1,186 Topics
7,225 Posts
0 Online
508 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed