From a security standpoint, I'm glad that people are starting to pay attention to basic security practices.
That said, while I'm hardly a fan of MCP (judge for yourself by reviewing my previous comments on the matter), at least its security model was standardised around OAuth, which in my opinion is a good thing, albeit with a few small issues.
I personally prefer CLIs, but their security is in fact worse. A lot worse! Sure, we can now store API keys in a vault, but it's not like you can rotate or expire them easily. Plus, the security model around APIs is based on path-based rules, which aren't very effective given that most services use REST-style APIs. This is even worse for GraphQL, JSON-RPC, and similar protocols.
It is backwards. I bet we will move from CLIs to something else in about 3-6 months.
rvz•Mar 24, 2026
What this appears to be is that we are now reinventing proxies with policy control and the best part of this is the solution (OneCLI) has no security audit. This would give a complete dismissal from the infosec teams to even attempt integrating this vibe-coded slop.
As long as the fake keys are known, they can be mapped directly to the real key with the endpoint in OneCLI to exfiltrate the data and you don't need to leak any keys anyway.
The correct solution is that there should be no sort of keys in the VM / Container in the first place.
> It is backwards. I bet we will move from CLIs to something else in about 3-6 months.
The hype around CLIs is just as unfounded as was MCPs and made no-sense just like OpenClaw did. Other than hosting providers almost no-one is making money from OpenClaw and from its use-cases; which is just wasting tokens.
We'll move on to the next shiny vibe-coded thing because someone else on X said so.
AnDaltan•Mar 24, 2026
Yeah, I think that’s broadly right.
MCP has plenty of problems, but standardising on OAuth was one of the better calls. Expiry, scopes, rotation, delegated access, all much better than the usual CLI pattern of long-lived API keys. The CLI story there is still pretty rough.
And once the policy model is host/path matching, GraphQL and JSON-RPC become awkward immediately unless the proxy starts understanding payload semantics.
ianpurton•Mar 24, 2026
> I bet we will move from CLIs to something else in about 3-6 months.
My bet would be OpenAPI specs. The model will think its calling a cli but we intercept the tool call and proxy it with the oauth credentials.
There are some implementations already out there in open web ui and bionic gpt.
jryio•Mar 24, 2026
Nice upgrade. userpsace HTTP proxies are a good start and should make unlikely that a secret gets into the context window due to a high permission read. There are a few missing pieces in the agent security world in general
1. Full secret-memory isolation whereby an agent with root privileges can't exfilrate. Let's assume my agent is prompt injected to write a full-permissions script to spin up OneCli, modify the docker container, log all of the requests w/ secrets to a file outside the container, exfiltrate.
2. An intent layer on top of agents that models "you have access to my gmail (authN) but you can only act on emails where you are a participant". This would be more similar to universal RBAC between agent ↔ mcp etc.
I've been building on [2] for a while now using signed tokens expressing intent.
Jonathanfishner•Mar 24, 2026
Creator of OneCLI here.
On (1), the agent runs in its own container where OneCLI doesn't exist. It can't spin up OneCLI or access its process because it's completely isolated from it. The agent only ever sees placeholder tokens, the real secrets live in a separate container it has no way to reach.
On (2), we actually address this with OneCLI Rules, deterministic constraints enforced at the proxy level before a request ever hits the API. So the agent doesn't need to "behave", it just can't do what the rules don't allow. Would love to hear more about your signed tokens approach.
throwaway27727•Mar 24, 2026
At a basic levels, access layers should be aware of operations that are Read-only and operations that are Write/Delete. It should be easy to give agents access to read anything, then require permission/prompt to execute any state changing operations.
gdorsi•Mar 24, 2026
Interesting!
I still wouldn't give to any claw access to my mail accounts, but it is a step in the good direction.
I love how NanoClaw is aggregating the effort of making personal assistants more secure.
Good job!
falcor84•Mar 24, 2026
I don't get the idea of giving a claw access to your own mail account, but am now playing with the idea of it having its own email account that I selectively forward to - that offers almost the full benefit, with significantly less risk.
crimsoneer•Mar 24, 2026
yeah, that's the approach I've taken. I quite liked the idea of giving it full delegated perms on my email account and calendar (eg, dig out that email and reply back to them for me) but the risk profile is just too high, and forwarding emails where needed mostly works.
vannevar•Mar 24, 2026
Same here. Coupled with configuring the agent's email account at the provider to only be able to send and receive to my email address.
ting0•Mar 24, 2026
I really don't understand the fascination with openclaw. Can only assume it's mostly just guerrilla marketing spam.
sigmonsays•Mar 24, 2026
can someone explain openclaw/nanoclaw use cases to me?
I also do not understand the uses right now. Are we just grasping at usefulness ?
gavmor•Mar 24, 2026
It's a mess in terms of code/filesystem organization, but it's nice to be able to text somebody "hey, create and deploy a branch of codebase X with feature Y" while I'm on the go. Not exactly magic, and probably not sustainable, but there's definitely something to it.
Also, attaching an LLM with my raindrop.io and Todoist credentials to cron is fun. Haven't got the kinks worked out, yet, but it's pretty incredible how much data-shifting I can do now. Saved me a lot of clicks.
kevin42•Mar 24, 2026
Most things I use it for could be done without it, it's just more convenient and entertaining.
I had it make a daily aviation weather brief for a private airpark. It uses METAR, outdoor IP cameras I have including one that looks at a windsock and another that looks at the runway surface, and a local weatherstation. It sends me a text message with all of that information aggregated into "It's going to be really windy this afternoon, visibility is high, but there is ice on the runway surface", that sort of thing.
The thing is, all I had to do is point it to a few endpoints and it wrote the entire script and set up a cron for me. I just gave it a few paragraphs of instructions and it wrote, then deployed the rest.
The other day, there was a post here about a new TTS model. I wanted to try it out, so I gave my claw the github URL, and it pulled everything down and had it running without any effort on my part. Then it sent me a few audio messages on discord to try.
When I'm away from home, I can text it to say "what's going on at home" and it will turn on the lights around the house, grab a frame from each camera turn lights back off, and give me a quick report. I didn't have to do any work other than tell it I wanted that skill.
I also have a group chat with some friends on signal that's hilarious. It roasts us, gives us reminders, lets us know about books we might be interested in, that sort of thing. It's really fun.
crimsoneer•Mar 24, 2026
Honestly, I installed Hermes Agent last weekend, and while there isn't any "killer use case", the combination of "your little assistant agent on it's own machine" and good messaging integration is really quite cool.
I've set it up with it's own mailbox, and a git token to make PRs etc. So far I've set up a few automations (check thing X and message me if Y) but the combination of enough "intelligence" to be able to triage/suggest solutions, messaging via a standard messaging app, and a sandboxed environment for code execution, all packaged as "this is your helpful assistant" is fun.
In theory it's nothing I couldn't do with Claude Code + some integrations, but having all of that out of the box + setting the expectation that this is legitimately a helpful assistant you can message and email with any mad request you have does shift the way I see it.
Though yes, the more fun you have with it, the more of a security threat the whole thing becomes, and it's slightly terrifying. I briefly considered giving it view only access to my emails and decided that was just too high risk. But treat it as a vaguely clueless but not incompetent intern and works?
bryan0•Mar 24, 2026
Here are some things I use it for:
1. monitoring anything online and giving me a summary when something changes
2. contribute or make edits to any online forum (where TOS allows it)
3. Giving it access to any API / cli gives you a natural language interface to that service.
4. Memory / notes retrieval. It can search through its discussion / thought history and answer detailed questions about what happened in the past.
5. Any standard GPT cases but it has a much more specific memory of who you are and what you might be interested in.
6. If you ever want to add capabilities you just tell it to add a new skill to do xyz and it just does it.
porridgeraisin•Mar 24, 2026
Twitter grasps at usefulness, mostly for engagement farming (those TUI dashboards with a thousand agents mucking around).
Me and others I know use it for things similar to the following:
- I get a lot of emails from various organisations about talks and events (today there was one by andrew barto). I ask it to read emails from announce@*, filter to those adjacent to my field, or from notable people, fill the RSVP form using generic details(which it knows!) and then add it to calendar (I don't want to add all)
- giving me the latest updates of my wandb run
- gives me morning abstract+summary(intro + conclusion) of arxiv papers matching keyword / author i specify.
- a specific product I buy (grocery) is very popular and runs out of stock quick every week. I have it watch my quick commerce provider's website and tell me when it becomes available.
- do simple things like summarise new papers add to group zotero
- send discord msg to collaborator, wait for an OK, and then do merge on this repo from this branch provided checks pass
If I had to "pitch" it, I would say this:
Remember those "taking 4 hours to write an automation for something that takes 2m of your day" activities that you never ended up automating? Well it no longer takes 4 hours to write the automation. Most of the above is just a python script no new ability really, but now it takes 1m to write. Making it worth it.
For longer tasks you do very often, I would say you're better off writing a python script. Similarly for important scripts that you want good error handling for.
And really long complex scripts means you'll have to debug it. At which point you might as well write it yourself in the first place.
The telegram gateway makes it super convenient. Many mobile UIs are garbage as you know, so you can ask it to wrangle info into any format and put it there.
However, it absolutely drinks tokens IME. Hard to get it to limit tokens without destroying usefulness. I get some credits so I don't pay. If you pay and are not rich then it's probably not worth it at today's prices.
BryantD•Mar 24, 2026
I am not running either of these at the moment, because of security concerns, but I did play with openclaw for a day or so. It was clearly potentially useful. I got two use cases working easily:
1. When I get a weekly Scarecrow Video pre-order email, extract a list of movies and use my Letterboxd rating history to determine which of them might be interesting to me. Let me know what I should pay attention to.
I tested this on five of the pre-order emails I had sitting around; it was useful for attention conservation.
2. On a daily basis, check Beacon Cinema's list of upcoming movie series and send me a note if there's a new one.
So useful that when I turned off openclaw, I vibe coded a general purpose RSS bridge (yeah, I know about the PHP one and the existing Python ones) and added a scraper for the Beacon page.
My general paradigm, which is not the only available paradigm, is that the claws are strongly useful as information filters. The risk is that they filter out the wrong thing, of course.
ragu4u•Mar 24, 2026
I am planning on using it to visit some websites before I wake up and compile them in to an epub and send it to my kindle
furyofantares•Mar 24, 2026
To be clear this is not OpenClaw. Maybe the difference doesn't matter to you.
NanoClaw is pretty interesting to me. It's a really small piece of software and a different category of software than we've seen before, one that you are expected to customize by editing it yourself (via Claude Code).
For that reason alone I find it interesting to play around with. I don't find it actually useful at the moment.
BeetleB•Mar 24, 2026
Have you tried it?
echelon•Mar 24, 2026
What do you use it for?
The only thing I can think of this doing "usefully" for people is spamming social media.
The high friction things I'd want automated are precisely the things I'd worry it would fuck up.
There's not a lot of middle ground.
BeetleB•Mar 24, 2026
You're not the person I was asking, but I'll ask you the same:
Have you tried it?
I've listed how I've used it in several threads in the past - you can see my comment history. I tired of doing it every time this question comes up, because it usually becomes clear that the person asking has a very little understanding of its capabilities, and is going by mostly sensationalist reports (either reports of "Oh my God this is life changing" or "Oh my God you'll lose all your mail/money").
There is a (boring) middle ground, as will be obvious to anyone who spends a few days with it.
alephnerd•Mar 24, 2026
People don't want to have to manage or derive context from searching across multiple different apps, emails, spreadsheets, CRMs, etc. It's like having your own personal assistant or oracle.
I find it interesting how European and American devs (especially on HN) are so luddite about AI and OpenClaw, but Chinese, Indian, and Israeli developers both domestically and in the diaspora have been adopting this kind of tooling fairly rapidly.
And then people wonder why the center of gravity for a number of engineering subfields is slowly shifting.
dist-epoch•Mar 24, 2026
> You can set rate limits so an agent can only send or delete a few emails per hour
Nice idea, but it will not work. Agents are so resourceful and determined, they will find that weird call which can delete all emails with one request (/delete?filter=*)
jameschaearley•Mar 24, 2026
Since the vault sees every outbound request with the real credential attached, are you logging all of that? Feels like you're sitting on a full audit trail of everything agents actually did across services. That would be huge for debugging agent behavior after the fact.
croes•Mar 24, 2026
The main problem still isn’t solved.
It’s not that agents have access to something the shouldn’t have but that the creates havoc exactly with the access they are allowed to have.
strongpigeon•Mar 24, 2026
OneCLI doesn't solve the problem of the agent wrecking havoc, you're right, but it does help protect against the agent leaking private credentials from prompt injections / malicious skills.
mmcclure•Mar 24, 2026
I'm a little shocked that someone like 1Password hasn't released a vault access + approvals model. There are a lot of little menial tasks that I'd love for an agent to take care of ("book me a hair appointment next week when my calendar says I'm free"). Agent has access to a locally synced calendar and can see the existence of a password for the booking portal in my vault, asks to use it, I get a push notification and can approve.
These kinds of things aren't common enough for me to want to set up a programmatic policy, and are also low sensitivity enough that I don't mind giving access to complete the task. If it later asks to log into my bank, I decline.
I know the devil's in the details for how to actually do this well, but I would love if someone figured it out.
8 Comments
That said, while I'm hardly a fan of MCP (judge for yourself by reviewing my previous comments on the matter), at least its security model was standardised around OAuth, which in my opinion is a good thing, albeit with a few small issues.
I personally prefer CLIs, but their security is in fact worse. A lot worse! Sure, we can now store API keys in a vault, but it's not like you can rotate or expire them easily. Plus, the security model around APIs is based on path-based rules, which aren't very effective given that most services use REST-style APIs. This is even worse for GraphQL, JSON-RPC, and similar protocols.
It is backwards. I bet we will move from CLIs to something else in about 3-6 months.
As long as the fake keys are known, they can be mapped directly to the real key with the endpoint in OneCLI to exfiltrate the data and you don't need to leak any keys anyway.
The correct solution is that there should be no sort of keys in the VM / Container in the first place.
> It is backwards. I bet we will move from CLIs to something else in about 3-6 months.
The hype around CLIs is just as unfounded as was MCPs and made no-sense just like OpenClaw did. Other than hosting providers almost no-one is making money from OpenClaw and from its use-cases; which is just wasting tokens.
We'll move on to the next shiny vibe-coded thing because someone else on X said so.
MCP has plenty of problems, but standardising on OAuth was one of the better calls. Expiry, scopes, rotation, delegated access, all much better than the usual CLI pattern of long-lived API keys. The CLI story there is still pretty rough.
And once the policy model is host/path matching, GraphQL and JSON-RPC become awkward immediately unless the proxy starts understanding payload semantics.
My bet would be OpenAPI specs. The model will think its calling a cli but we intercept the tool call and proxy it with the oauth credentials.
There are some implementations already out there in open web ui and bionic gpt.
1. Full secret-memory isolation whereby an agent with root privileges can't exfilrate. Let's assume my agent is prompt injected to write a full-permissions script to spin up OneCli, modify the docker container, log all of the requests w/ secrets to a file outside the container, exfiltrate.
2. An intent layer on top of agents that models "you have access to my gmail (authN) but you can only act on emails where you are a participant". This would be more similar to universal RBAC between agent ↔ mcp etc.
I've been building on [2] for a while now using signed tokens expressing intent.
On (1), the agent runs in its own container where OneCLI doesn't exist. It can't spin up OneCLI or access its process because it's completely isolated from it. The agent only ever sees placeholder tokens, the real secrets live in a separate container it has no way to reach.
On (2), we actually address this with OneCLI Rules, deterministic constraints enforced at the proxy level before a request ever hits the API. So the agent doesn't need to "behave", it just can't do what the rules don't allow. Would love to hear more about your signed tokens approach.
I still wouldn't give to any claw access to my mail accounts, but it is a step in the good direction.
I love how NanoClaw is aggregating the effort of making personal assistants more secure.
Good job!
I also do not understand the uses right now. Are we just grasping at usefulness ?
Also, attaching an LLM with my raindrop.io and Todoist credentials to cron is fun. Haven't got the kinks worked out, yet, but it's pretty incredible how much data-shifting I can do now. Saved me a lot of clicks.
I had it make a daily aviation weather brief for a private airpark. It uses METAR, outdoor IP cameras I have including one that looks at a windsock and another that looks at the runway surface, and a local weatherstation. It sends me a text message with all of that information aggregated into "It's going to be really windy this afternoon, visibility is high, but there is ice on the runway surface", that sort of thing.
The thing is, all I had to do is point it to a few endpoints and it wrote the entire script and set up a cron for me. I just gave it a few paragraphs of instructions and it wrote, then deployed the rest.
The other day, there was a post here about a new TTS model. I wanted to try it out, so I gave my claw the github URL, and it pulled everything down and had it running without any effort on my part. Then it sent me a few audio messages on discord to try.
When I'm away from home, I can text it to say "what's going on at home" and it will turn on the lights around the house, grab a frame from each camera turn lights back off, and give me a quick report. I didn't have to do any work other than tell it I wanted that skill.
I also have a group chat with some friends on signal that's hilarious. It roasts us, gives us reminders, lets us know about books we might be interested in, that sort of thing. It's really fun.
I've set it up with it's own mailbox, and a git token to make PRs etc. So far I've set up a few automations (check thing X and message me if Y) but the combination of enough "intelligence" to be able to triage/suggest solutions, messaging via a standard messaging app, and a sandboxed environment for code execution, all packaged as "this is your helpful assistant" is fun.
In theory it's nothing I couldn't do with Claude Code + some integrations, but having all of that out of the box + setting the expectation that this is legitimately a helpful assistant you can message and email with any mad request you have does shift the way I see it.
Though yes, the more fun you have with it, the more of a security threat the whole thing becomes, and it's slightly terrifying. I briefly considered giving it view only access to my emails and decided that was just too high risk. But treat it as a vaguely clueless but not incompetent intern and works?
1. monitoring anything online and giving me a summary when something changes
2. contribute or make edits to any online forum (where TOS allows it)
3. Giving it access to any API / cli gives you a natural language interface to that service.
4. Memory / notes retrieval. It can search through its discussion / thought history and answer detailed questions about what happened in the past.
5. Any standard GPT cases but it has a much more specific memory of who you are and what you might be interested in.
6. If you ever want to add capabilities you just tell it to add a new skill to do xyz and it just does it.
Me and others I know use it for things similar to the following:
- I get a lot of emails from various organisations about talks and events (today there was one by andrew barto). I ask it to read emails from announce@*, filter to those adjacent to my field, or from notable people, fill the RSVP form using generic details(which it knows!) and then add it to calendar (I don't want to add all)
- giving me the latest updates of my wandb run
- gives me morning abstract+summary(intro + conclusion) of arxiv papers matching keyword / author i specify.
- a specific product I buy (grocery) is very popular and runs out of stock quick every week. I have it watch my quick commerce provider's website and tell me when it becomes available.
- do simple things like summarise new papers add to group zotero
- send discord msg to collaborator, wait for an OK, and then do merge on this repo from this branch provided checks pass
If I had to "pitch" it, I would say this:
Remember those "taking 4 hours to write an automation for something that takes 2m of your day" activities that you never ended up automating? Well it no longer takes 4 hours to write the automation. Most of the above is just a python script no new ability really, but now it takes 1m to write. Making it worth it.
For longer tasks you do very often, I would say you're better off writing a python script. Similarly for important scripts that you want good error handling for.
And really long complex scripts means you'll have to debug it. At which point you might as well write it yourself in the first place.
The telegram gateway makes it super convenient. Many mobile UIs are garbage as you know, so you can ask it to wrangle info into any format and put it there.
However, it absolutely drinks tokens IME. Hard to get it to limit tokens without destroying usefulness. I get some credits so I don't pay. If you pay and are not rich then it's probably not worth it at today's prices.
1. When I get a weekly Scarecrow Video pre-order email, extract a list of movies and use my Letterboxd rating history to determine which of them might be interesting to me. Let me know what I should pay attention to.
I tested this on five of the pre-order emails I had sitting around; it was useful for attention conservation.
2. On a daily basis, check Beacon Cinema's list of upcoming movie series and send me a note if there's a new one.
So useful that when I turned off openclaw, I vibe coded a general purpose RSS bridge (yeah, I know about the PHP one and the existing Python ones) and added a scraper for the Beacon page.
My general paradigm, which is not the only available paradigm, is that the claws are strongly useful as information filters. The risk is that they filter out the wrong thing, of course.
NanoClaw is pretty interesting to me. It's a really small piece of software and a different category of software than we've seen before, one that you are expected to customize by editing it yourself (via Claude Code).
For that reason alone I find it interesting to play around with. I don't find it actually useful at the moment.
The only thing I can think of this doing "usefully" for people is spamming social media.
The high friction things I'd want automated are precisely the things I'd worry it would fuck up.
There's not a lot of middle ground.
Have you tried it?
I've listed how I've used it in several threads in the past - you can see my comment history. I tired of doing it every time this question comes up, because it usually becomes clear that the person asking has a very little understanding of its capabilities, and is going by mostly sensationalist reports (either reports of "Oh my God this is life changing" or "Oh my God you'll lose all your mail/money").
There is a (boring) middle ground, as will be obvious to anyone who spends a few days with it.
I find it interesting how European and American devs (especially on HN) are so luddite about AI and OpenClaw, but Chinese, Indian, and Israeli developers both domestically and in the diaspora have been adopting this kind of tooling fairly rapidly.
And then people wonder why the center of gravity for a number of engineering subfields is slowly shifting.
Nice idea, but it will not work. Agents are so resourceful and determined, they will find that weird call which can delete all emails with one request (/delete?filter=*)
It’s not that agents have access to something the shouldn’t have but that the creates havoc exactly with the access they are allowed to have.
These kinds of things aren't common enough for me to want to set up a programmatic policy, and are also low sensitivity enough that I don't mind giving access to complete the task. If it later asks to log into my bank, I decline.
I know the devil's in the details for how to actually do this well, but I would love if someone figured it out.