Transformer paper authors reinvent the lobster, say goodbye to OpenClaw naked bug

From | Quantum Magazine

How many lobsters are running naked on the internet?

AI agents exposing your passwords and API keys to the entire web.

Illia Polosukhin, the author of Transformer, couldn’t stand it anymore. He took action to rebuild a secure version of Lobster from scratch: IronClaw.

IronClaw is now open source on GitHub, offering installers for macOS, Linux, and Windows, supporting local deployment as well as cloud hosting. The project is still rapidly evolving, with version 0.15.0 binaries available for download.

Polosukhin (hereafter “Pineapple”) also posted on Reddit to respond to everything, attracting significant attention.

01 OpenClaw went viral, but also “caught fire”

Pineapple himself was an early user of OpenClaw and said it was a technology he had waited 20 years for.

It has changed how I interact with computing.

However, the security of OpenClaw is a disaster—one-click remote code execution, prompt injection attacks, malicious skill password theft—these vulnerabilities have been exposed one after another within the OpenClaw ecosystem.

Over 25,000 public instances are exposed on the internet without adequate security controls, directly called a “security dumpster fire” by security experts.

The root cause lies in the architecture itself.

When users give their email and Bearer Token to OpenClaw, they are directly sent to the LLM provider’s servers.

Pineapple pointed out on Reddit what this means:

All your information, even data you haven’t explicitly authorized, could be accessed by any employee of the company. The same applies to your employer’s data. It’s not that these companies are malicious, but the reality is users have no real privacy.

He stated that no convenience is worth risking his and his family’s safety and privacy.

02 Rebuilding everything from scratch with Rust

IronClaw is a complete rewrite of OpenClaw using Rust.

Rust’s memory safety features fundamentally eliminate traditional vulnerabilities like buffer overflows, which is crucial for systems handling private keys and user credentials.

In terms of security architecture, IronClaw establishes a four-layer deep defense.

The first layer is the memory safety guarantees provided by Rust itself.

The second layer is WASM sandbox isolation, where all third-party tools and AI-generated code run inside independent WebAssembly containers. Even if a tool is malicious, its destructive scope is strictly limited within the sandbox.

The third layer is an encrypted credential vault, where all API keys and passwords are stored using AES-256-GCM encryption. Each credential is bound by policy rules, specifying it can only be used for certain domains.

The fourth layer is Trusted Execution Environment (TEE), utilizing hardware-level isolation to protect data, making it inaccessible even to cloud service providers.

The most critical point in this design is that the large model itself never directly accesses raw credentials.

Credentials are only injected at the network boundary when the agent needs to communicate with external services.

Pineapple gave an example: even if the large model is targeted by prompt injection attacks attempting to send the user’s Google OAuth token to attackers, the credential storage layer will directly reject the request, log the incident, and alert the user.

However, the developer community remains cautious. After all, over 2,000 public OpenClaw instances have been attacked, and many malicious skills exist. Will IronClaw, once popular, repeat the same mistakes?

Pineapple responded that IronClaw’s architecture fundamentally blocks OpenClaw’s core vulnerabilities. Credentials are always encrypted and never touch the LLM. Third-party skills cannot execute scripts on the host; they only run inside containers.

Even when accessed via CLI, decryption requires the user’s system keychain, making the obtained encryption keys meaningless on their own.

He also mentioned that as the core version stabilizes, the team plans to conduct red team testing and professional security audits.

Regarding prompt injection, a well-known industry challenge, Pineapple provided more detailed ideas.

Currently, IronClaw uses heuristic rules for pattern detection. The future goal is to deploy a small, continuously updated language classifier to identify injection patterns.

He admits that prompt injection can not only steal credentials but also directly modify user codebases or send malicious messages via communication tools.

Countering such attacks requires a smarter strategy system that can review the agent’s intent without viewing input content. “More work is needed, community contributions are welcome.”

Someone asked about the trade-offs between local and cloud deployment.

Pineapple believes that pure local solutions have obvious limitations: the agent stops working when the device is shut down, mobile devices can’t handle high energy consumption, and long-term complex tasks are unfeasible.

He considers confidential cloud (confidential cloud) the best current compromise—offering near-local privacy guarantees while solving the “always online” problem.

He also mentioned a detail: users can set policies, such as adding extra security barriers during cross-border travel to prevent unauthorized access.

03 A bigger ambition

Pineapple is not just an ordinary open-source developer.

In 2017, he was one of eight co-authors of “Attention Is All You Need,” which introduced the Transformer architecture that underpins all modern large language models.

Although listed last in authorship, a footnote in the paper states “Equal contribution. Listing order is random.” The order was purely random.

That same year, he left Google and founded NEAR Protocol, dedicated to integrating AI with blockchain technology.

Behind IronClaw is NEAR Protocol’s larger strategic vision: User-Owned AI.

In this vision, users have full control over their data and assets, with AI agents acting on their behalf in trusted environments.

NEAR has built infrastructure such as an AI cloud platform and a decentralized GPU marketplace. IronClaw is the runtime layer of this ecosystem.

Pineapple even developed a marketplace where agents can hire each other.

On NEAR’s market.near.ai, users can register their specialized agents, which will gain more high-value tasks as they build reputation.

When asked how ordinary people should adapt to the AI era in the next five years, Pineapple’s advice is to adopt AI agents for work as soon as possible, learning to delegate entire workflows for automation.

This view isn’t recent; when he founded NEAR AI in 2017, he told everyone, “In the future, you only need to talk to computers, no more coding.”

Back then, people thought they were crazy, talking nonsense.

Nine years later, it’s becoming reality.

“AI agents are the ultimate interface for human interaction with everything online,” Polosukhin wrote, “but let’s make it safe.”