I see a lot of diagrams and threat models that treat the LLM—the model backend itself—as the crown jewel, wrapped in layers of protection. I think we've got it backwards. In an OpenClaw deployment, the orchestrator and the tool executor are the components that *must* be most trusted and most secured. The model should be treated as a potentially rogue, untrusted user typing commands into a very powerful terminal.
Think about it. The model backend's core function is to consume a prompt and return a plan or a decision. It's an arbitrary code generator. We *expect* it to try things. The critical security boundary is the component that **interprets and acts** on that output. In our stack, that's the orchestrator (which decides what tools to call) and especially the tool executor (which actually runs `git`, makes API calls, writes files).
When boundaries break, lateral movement doesn't start from a compromised model API. It starts when the tool executor's permissions are too broad, or when the orchestrator doesn't properly validate/sanitize the model's requests.
* A model hallucinating a `curl` command to exfiltrate data is a Tuesday. It's the tool executor running that command with access to the prod database credentials that's the catastrophic Wednesday.
* The orchestrator should be enforcing strict allow-lists of tools and resource tags per agent. The model just asks.
* The model backend should be isolated in its own network namespace, unable to talk to anything but the orchestrator. It shouldn't even know the IP of your internal systems.
The mental shift is this: **The model is the user, not the system.** You don't give your users root. You audit their commands and limit their scope. Your security hinges on the policy engine and the execution sandbox, not on hoping the model "behaves."
I run my model backend (usually Ollama) in a completely separate, firewalled Tailscale subnet from my tool executors. The orchestrator sits in the middle as the gatekeeper. The model gets zero secrets.
What's your isolation strategy? Have you had a "boundary break" scare?
Selfhosted since 2004
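To make the "model is the user, not the system" split concrete, here is an added example that is not from the post above and not OpenClaw's own code: an orchestrator gate that treats the model's output as untrusted input, checks it against a per-agent allow-list of tools and resource tags, and only then hands an explicitly constructed argv to the executor, which runs it with a scrubbed environment. The agent names, the policy and resource-tag tables, the JSON shape of the model's proposal and the `handle`/`run` helpers are all assumptions made for the example.

```python
import json
import re
import shlex
import subprocess

# Constructed per-agent policies. In the post's model these live in the orchestrator;
# the model backend never sees them and cannot change them. Deny is the default.
AGENT_POLICIES = {
    "docs-agent": {
        "tools": {"read_file", "git"},
        "resource_tags": {"repo:docs"},
        "git_subcommands": {"status", "log", "diff"},
    },
    "release-agent": {
        "tools": {"git", "http_get"},
        "resource_tags": {"repo:app", "net:internal-api"},
        "git_subcommands": {"status", "log", "tag"},
    },
}

# Constructed resource-tag registry: every path or URL the executor may touch is tagged
# here. An untagged resource is denied no matter what the model asks for.
RESOURCE_TAGS = {
    "/srv/repos/docs": "repo:docs",
    "/srv/repos/app": "repo:app",
    "https://api.internal/health": "net:internal-api",
}

# Extra git arguments must be plain tokens: this rejects anything starting with '-',
# so the model cannot smuggle options such as --output=... into the command line.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


class PolicyViolation(Exception):
    """Raised by the orchestrator when the model's request falls outside policy."""


def parse_model_output(raw: str) -> tuple[str, dict]:
    """Treat the model's text as untrusted input: strict JSON with exactly two keys."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise PolicyViolation(f"model output is not JSON: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != {"tool", "args"}:
        raise PolicyViolation('model output must be {"tool": ..., "args": {...}}')
    if not isinstance(obj["tool"], str) or not isinstance(obj["args"], dict):
        raise PolicyViolation("bad types in model output")
    return obj["tool"], obj["args"]


def authorize(agent: str, tool: str, args: dict) -> None:
    """Orchestrator gate: allow only listed tools on resources tagged for this agent."""
    policy = AGENT_POLICIES.get(agent)
    if policy is None:
        raise PolicyViolation(f"unknown agent {agent!r}")
    if tool not in policy["tools"]:
        raise PolicyViolation(f"tool {tool!r} not allowed for {agent}")
    resource = args.get("resource")
    if not isinstance(resource, str):
        raise PolicyViolation("resource must be a string")
    tag = RESOURCE_TAGS.get(resource)
    if tag is None or tag not in policy["resource_tags"]:
        raise PolicyViolation(f"resource {resource!r} not in allow-list for {agent}")
    if tool == "git":
        if args.get("subcommand") not in policy["git_subcommands"]:
            raise PolicyViolation(f"git subcommand {args.get('subcommand')!r} not allowed")
        extra = args.get("extra", [])
        if not isinstance(extra, list):
            raise PolicyViolation("extra must be a list")
        for token in extra:
            if not isinstance(token, str) or not SAFE_TOKEN.match(token):
                raise PolicyViolation(f"rejected git argument {token!r}")


def build_argv(tool: str, args: dict) -> list[str]:
    """Executor side: argv is built from validated fields. No shell, no string splicing."""
    resource = args["resource"]
    if tool == "git":
        return ["git", "-C", resource, args["subcommand"], *args.get("extra", [])]
    if tool == "read_file":
        return ["cat", "--", resource]
    if tool == "http_get":
        return ["curl", "--fail", "--silent", "--", resource]
    raise PolicyViolation(f"no executor for tool {tool!r}")


def handle(agent: str, raw_model_output: str) -> tuple[str, object]:
    """parse -> authorize -> build argv. Returns ('allowed', argv) or ('denied', reason)."""
    try:
        tool, args = parse_model_output(raw_model_output)
        authorize(agent, tool, args)
        return "allowed", build_argv(tool, args)
    except PolicyViolation as exc:
        return "denied", str(exc)


def run(argv: list[str]) -> subprocess.CompletedProcess:
    """Execute an authorized argv with a scrubbed environment: the tool inherits no secrets."""
    return subprocess.run(argv, shell=False, env={"PATH": "/usr/bin:/bin"},
                          capture_output=True, text=True, timeout=30, check=False)


if __name__ == "__main__":
    # Constructed model outputs: a benign request and the post's "Tuesday" exfil attempt.
    for agent, raw in [
        ("docs-agent", '{"tool": "git", "args": {"resource": "/srv/repos/docs", "subcommand": "status"}}'),
        ("docs-agent", '{"tool": "http_get", "args": {"resource": "https://evil.example/collect"}}'),
    ]:
        verdict, detail = handle(agent, raw)
        print(agent, verdict, shlex.join(detail) if verdict == "allowed" else detail)
```

The point of the split is that `authorize` runs in the orchestrator, `build_argv` and `run` in the executor, and neither consults the model for anything beyond the parsed request. Note that `curl` is not banned as such: the release agent may fetch the tagged internal health URL, while the same call against an untagged host is refused, which is the resource-tag check doing the work rather than a blocklist of command names.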