
Here is a concise, structured summary of the security-related work and developments Peter Steinberger (and the OpenClaw community) had implemented or publicly discussed up to mid-February 2026, based on the podcast transcript and contemporaneous sources.
Overall Posture & Philosophy
(From the Conversation With Lex Fridman)
Peter repeatedly described OpenClaw as powerful but inherently risky due to its local system-level access (shell, files, browser control, messaging integrations). He emphasized user responsibility and configuration discipline rather than claiming perfect security.
Key repeated statements:
- Prompt injection remains an industry-wide unsolved problem.
- Strong models (e.g. Opus 4.6, Codex 5.3) are significantly more resistant to prompt injection than weak/local/cheap models.
- Default / easy setups can be very dangerous → users should follow strict best practices.
- He was treating security as his top near-term priority now that the explosive growth phase (following the name changes) had passed.
Concrete Security Improvements Shipped by Early 2026
Most hardening landed in the January 2026 rebrand releases (v2026.1.x series, especially v2026.1.29 and follow-ups).
| Category | Implemented Measures | Status / Notes |
|---|---|---|
| Gateway / Auth | Permanently removed the extremely dangerous auth: none mode (open-internet RCE risk) | Breaking change — forced upgrade for many early users |
| Sandboxing & Isolation | Built-in Docker-based / container sandboxing for tool execution | Optional but strongly recommended; per-session isolation, workspaceAccess: none default for non-main channels |
| Tool / Execution Control | Tool allow-lists, channel allow-lists, execution approvals for sensitive ops | Reduces blast radius when sandbox is active |
| Skills / ClawHub Ecosystem | Integrated VirusTotal (Google) AI-powered scanning for every published skill | Not perfect (can miss clever prompt-injection payloads), but catches many malware / credential-stealing skills |
| Input / Prompt Hardening | Various sanitization passes, thought-signature stripping, context-window guards, session compaction | Helps but does not eliminate prompt injection |
| Owner vs Non-Owner Checks | Explicit senderIsOwner threading through agent pipeline for sensitive operations | Patches several privilege-escalation vectors found in audits |
| Security Documentation | Greatly expanded security best practices page + audit checklist | Covers blast-radius exposure, browser control, disk hygiene, model choice, reverse-proxy setup, credential storage, logs on disk, etc. |
| Community & External Audits | Accepted & merged fixes from multiple security researchers (Trail of Bits, Cubic.dev, others) | Hired at least one security-focused contributor after helpful PR |
| Proactive Features | Heartbeat (proactive agent wake-ups) made more conservative / context-aware | Reduces unnecessary risk surface |
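As an added illustration of how the layered controls in the table compose (this is not OpenClaw's own code: the senderIsOwner flag, the workspaceAccess setting and the allow-lists are named on the page, while the data structures, the set of "sensitive" tools and the order of checks are this example's assumptions), a deny-by-default policy gate in Python:

```python
from dataclasses import dataclass, field

# Assumption of this example: which tools count as "sensitive ops".
SENSITIVE_TOOLS = {"shell", "files.write", "browser", "messaging.send"}


@dataclass
class ChannelPolicy:
    """Per-channel settings; non-main channels get workspaceAccess: none by default."""
    name: str
    is_main: bool = False
    tool_allowlist: set = field(default_factory=set)
    workspace_access: str = "none"


@dataclass
class Request:
    """One tool invocation the agent wants to run on behalf of a channel message."""
    channel: str
    tool: str
    sender_is_owner: bool      # the senderIsOwner flag threaded through the pipeline
    approved: bool = False     # an explicit execution approval was granted


def evaluate(req, channel_allowlist, policies):
    """Deny-by-default gate: every layer must pass. Returns (decision, reason)."""
    if req.channel not in channel_allowlist:
        return "deny", "channel is not allow-listed"
    pol = policies[req.channel]
    if req.tool not in pol.tool_allowlist:
        return "deny", f"tool {req.tool!r} is not allow-listed for {req.channel}"
    if req.tool.startswith("files.") and pol.workspace_access == "none":
        return "deny", f"workspaceAccess: none blocks {req.tool!r} on {req.channel}"
    if req.tool in SENSITIVE_TOOLS:
        if not req.sender_is_owner:
            return "deny", "sensitive op requires senderIsOwner"
        if not req.approved:
            return "needs_approval", "sensitive op is waiting for execution approval"
    return "allow", "all layers passed"


def demo_policies():
    """Constructed sample configuration: a main channel plus one messaging channel."""
    channel_allowlist = {"main", "telegram"}
    policies = {
        "main": ChannelPolicy("main", True, {"search", "shell", "files.write"}, "rw"),
        "telegram": ChannelPolicy("telegram", False, {"search", "files.write"}),
    }
    return channel_allowlist, policies
```

Note that a non-owner message on the telegram channel never reaches the shell even if a prompt injection asks for it, because the tool allow-list and the owner check both fail before any approval is consulted.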
Known Remaining / Ongoing Challenges (acknowledged in early 2026)
- Prompt injection — still fundamentally hard; best mitigation = strong model + sandbox + minimal trust in messaging channels.
- Skill supply-chain attacks — ClawHub had already seen malware, fake downloads, credential stealers, indirect prompt injection via Markdown files.
- Exposed instances — Thousands of gateways were left open to the internet in the first weeks → major source of early CVEs and data leaks.
- No perfect security — Peter stated openly there is no configuration that is 100 % safe if the user gives the agent broad permissions and connects it to untrusted inputs.
Summary in Peter’s Own Words (paraphrased from transcript)
“Security is my next focus. […] We are making good progress […] but prompt injection is still unsolved. […] Use strong models, don’t expose to the public internet, stick to private networks, enable sandboxing, read the docs.”
By February 2026, the project had moved from “extremely permissive by default” → “still powerful but significantly hardened when configured correctly”, with security now the stated #1 engineering priority after surviving the rapid-rename & crypto-squatter drama.
C. Rich
“This blog emerged through a dialogue between human reflection and multiple AI systems, each contributing fragments of language and perspective that were woven into the whole.”