Transformer paper author reinvents the lobster, says goodbye to OpenClaw's "running naked" problem


Transformer author Illia Polosukhin rewrote OpenClaw in Rust to launch a secure AI agent framework, IronClaw, addressing credential leakage vulnerabilities at the architecture level

Reposted from | Quantum Bit

How many lobsters are running naked on the internet?

That is: AI agents exposing your passwords and API keys to the entire web.

Transformer author Illia Polosukhin couldn’t stand it anymore. He took action and rebuilt a secure version of Lobster: IronClaw.

IronClaw is now open source on GitHub, offering installers for macOS, Linux, and Windows. It supports local deployment and cloud hosting. The project is still rapidly evolving, with version 0.15.0 binaries available for download.

Polosukhin (hereafter “Pineapple”) also took questions on Reddit, which attracted significant attention.

01 OpenClaw went viral, but also “caught fire”

Pineapple was an early user of OpenClaw and called it a technology he had waited 20 years for.

It has changed the way I interact with computation.

However, OpenClaw’s security situation is disastrous, with vulnerabilities such as one-click remote code execution, prompt injection attacks, and credential theft by malicious skills being exposed one after another.

Over 25,000 public instances are exposed on the internet without adequate security controls, directly called a “security dumpster fire” by security experts.

The root of the problem lies in the architecture itself.

When users hand their email bearer tokens to OpenClaw, those tokens are sent straight to the LLM provider’s servers.

Pineapple pointed out on Reddit what this means:

All your information, even data you haven’t explicitly authorized, could be accessed by any employee of the company. The same applies to your employer’s data. Not that these companies are malicious, but the reality is users have no real privacy.

He stated that no matter how convenient, risking his own and his family’s security and privacy isn’t worth it.

02 Rebuilding everything from scratch in Rust

IronClaw is a complete rewrite of OpenClaw using Rust.

Rust’s memory safety guarantees rule out whole classes of memory-corruption bugs such as buffer overflows, which is crucial for a system that handles private keys and user credentials.

In terms of security architecture, IronClaw employs a four-layer defense-in-depth model.

The first layer is the memory safety guarantees provided by Rust itself.

The second layer is WASM sandbox isolation: all third-party tools and AI-generated code run inside independent WebAssembly sandboxes. Even if a tool is malicious, the damage it can do is strictly confined to the sandbox.

The third layer is an encrypted credential vault, where all API keys and passwords are stored under AES-256-GCM encryption. Each credential is bound to policy rules that restrict the domains it may be used with.

The fourth layer is Trusted Execution Environment (TEE), utilizing hardware-level isolation to protect data, making it inaccessible even to cloud service providers.

The most critical point of this design: the large model itself never directly accesses raw credentials.

Credentials are only injected at the network boundary when the agent needs to communicate with external services.

Pineapple gave an example: even if the large model is targeted by prompt injection attacks attempting to send the user’s Google OAuth token to an attacker, the credential storage layer will directly reject the request, log the incident, and alert the user.
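The policy-bound vault described above, as an added illustration in Rust that is not IronClaw’s own code: the model’s tool calls carry only a credential handle, the network layer resolves the handle against the credential’s allowed hosts, and a request bound for any other host is rejected and written to an audit log. The type and function names, the handle names and the hostnames are all assumptions made for this example, and the AES-256-GCM encryption at rest is left out.

```rust
use std::collections::HashMap;
// Added illustration of the page's policy-bound credential vault; not IronClaw's own code.
// IronClaw keeps credentials AES-256-GCM encrypted at rest; encryption is omitted here (assumption).
struct Credential {
    secret: String,             // raw value: read only by the network layer, never by the model
    allowed_hosts: Vec<String>, // policy rule: hosts this credential may be sent to
}

/// Outcome of resolving a credential handle at the network boundary.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Inject(String), // Authorization header value added to the outbound request
    Denied(String), // reason, also appended to the audit log
}

/// Hypothetical vault: tool calls from the model carry only handles, never secrets.
#[derive(Default)]
pub struct Vault {
    creds: HashMap<String, Credential>,
    pub audit_log: Vec<String>,
}

impl Vault {
    pub fn store(&mut self, handle: &str, secret: &str, hosts: &[&str]) {
        let allowed_hosts = hosts.iter().map(|h| h.to_string()).collect();
        self.creds.insert(handle.to_string(), Credential { secret: secret.to_string(), allowed_hosts });
    }

    /// Called by the outbound HTTP layer, not by the model; a host matches a policy entry
    /// exactly or as one of its subdomains. Unknown handles are denied too.
    pub fn resolve(&mut self, handle: &str, host: &str) -> Decision {
        let allowed = match self.creds.get(handle) {
            Some(c) => c.allowed_hosts.iter().any(|p| host == p.as_str() || host.ends_with(&format!(".{p}"))),
            None => false,
        };
        if !allowed {
            let reason = format!("denied: credential '{handle}' not permitted for host '{host}'");
            self.audit_log.push(reason.clone()); // reject, log, and (in the page's design) alert the user
            return Decision::Denied(reason);
        }
        Decision::Inject(format!("Bearer {}", self.creds[handle].secret))
    }
}

fn main() {
    let mut vault = Vault::default();
    vault.store("mail_oauth", "ya29.constructed-token", &["mail.example"]); // constructed sample
    println!("{:?}", vault.resolve("mail_oauth", "api.mail.example")); // legitimate mail API call: Inject
    println!("{:?}", vault.resolve("mail_oauth", "attacker.example")); // injected exfiltration attempt: Denied
}
```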

However, the developer community remains cautious. After all, over 2,000 public OpenClaw instances have been attacked, and many malicious skills exist. Will IronClaw, once it becomes popular, fall into the same trap?

Pineapple responded that IronClaw’s architecture fundamentally blocks OpenClaw’s core vulnerabilities. Credentials are always stored encrypted and never touch the LLM. Third-party skills cannot execute scripts on the host; they only run inside containers.

Even when the vault is accessed via the CLI, decryption requires the user’s system keychain, so encrypted material obtained on its own is meaningless.

He also mentioned that as the core version stabilizes, the team plans to conduct red team testing and professional security audits.

Regarding prompt injection, a well-known industry challenge, Pineapple provided more detailed ideas.

Currently, IronClaw uses heuristic rules for pattern detection. The future goal is to deploy a small, continuously updated language classifier to identify injection patterns.

He acknowledges that prompt injection can not only steal credentials but also directly modify the user’s codebase or send malicious messages through communication tools.

Countering such attacks requires a smarter policy system, one that can review the agent’s intent without inspecting the input content. “More work is needed, community contributions are welcome.”

Someone asked about the trade-offs between local deployment and cloud deployment.

Pineapple believes pure local solutions have obvious limitations: the agent stops working when the device is shut down, mobile energy consumption is high, and complex long-term tasks are hard to run.

He considers confidential cloud the best current compromise, providing near-local privacy guarantees while solving the “always online” problem.

He also mentioned a detail: users can set policies, such as adding extra security barriers during cross-border travel to prevent unauthorized access.

03 A bigger ambition

Pineapple is not an ordinary open-source developer.

In 2017, he was one of eight co-authors of “Attention Is All You Need,” which introduced the Transformer architecture that underpins all modern large language models.

Although he is listed last in the author list, a footnote in the paper states “Equal contribution. Listing order is random.”

That same year, he left Google and founded NEAR Protocol, aiming to integrate AI with blockchain technology.

IronClaw is part of NEAR Protocol’s larger strategic vision: User-Owned AI.

In this vision, users have full control over their data and assets, with AI agents operating in trusted environments to perform tasks on their behalf.

NEAR has built infrastructure like an AI cloud platform and decentralized GPU marketplace. IronClaw is the runtime layer of this ecosystem.

Pineapple even developed a marketplace where agents can hire each other.

On NEAR’s market.near.ai, users can register specialized agents, which gain more high-value tasks as they build reputation.

When asked how ordinary people can adapt to the AI era in the next five years, Pineapple’s advice is to adopt AI agent workflows quickly and learn to delegate entire work processes to automation.

This insight wasn’t sudden; back in 2017, when founding NEAR AI, he told everyone, “In the future, you only need to talk to computers, no more coding.”

People thought he was crazy then.

Nine years later, it’s becoming reality.

“AI agents are the ultimate interface for human interaction with everything online,” Polosukhin wrote, “but let’s make it safe.”

GitHub link:

https://github.com/nearai/ironclaw

Reference links:

[1] https://www.reddit.com/r/MachineLearning/comments/1rlnwsk/d_ama_secure_version_of_openclaw/
