OpenClaw isn't fooling me. I remember MS‑DOS

Back to the bad old days
Davi Ottenheimer warns that modern agent gateways risk reintroducing the same blunt, system‑wide trust that made MS‑DOS a security nightmare. He notes, with an eye roll and a memory of a drunken bar anecdote, that early POS deployments ran everything in one address space with shared passwords and no real separation. The story sticks because it’s not just nostalgia; it’s a cautionary tale. It has been reported that Wal‑Mart’s breach in 2006 and the slow notification that followed are part of that painful history.
NVIDIA's tutorial and NemoClaw
NVIDIA has published a hands‑on tutorial showing how to deploy OpenClaw and a NemoClaw self‑hosted agent on DGX Spark, walking through model serving, Telegram connectivity, and runtime controls. The guide takes practical steps — binding Ollama to 0.0.0.0 for namespace reachability, pairing bots via chat codes, and gating outbound connections through host‑side approvals — which Ottenheimer describes as real engineering rather than lip service. He appreciates the careful work, but he’s still wary: it has been reported that some gateways hand models exec tools and a single token, effectively trusting the agent with the keys to the kingdom.
An alternative: shrink the boundaries
Ottenheimer’s own project, Wirken, takes a different tack: break the agent into smaller, protected pieces. Channels run as separate processes with distinct Ed25519 identities; the vault lives out of process; inference stays on loopback; shell execution happens in a hardened, tool‑level container; high‑risk commands prompt every time. These are design choices meant to rebuild the rings and separations that operating systems learned the hard way decades ago. Whether you call it paranoia or prudence, the approach assumes you can’t secure what you refuse to subdivide.
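The tutorial's step of binding Ollama to 0.0.0.0 and Wirken's choice to keep inference on loopback differ in one checkable property: the address the model server listens on. As an added example (not code from Wirken, OpenClaw or NVIDIA's tutorial), this Python script audits `ss -ltnH` output for inference listeners reachable beyond loopback; port 11434 (Ollama's default) and the sample rows are assumptions constructed for illustration.

```python
import ipaddress

INFERENCE_PORTS = {11434}  # assumption: Ollama's default port; adjust per deployment

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:*
LISTEN 0 4096 [::1]:11434 [::]:*
LISTEN 0 4096 [::]:11434 [::]:*
LISTEN 0 4096 *:11434 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 172.17.0.1:11434 0.0.0.0:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope, then brackets
    return host, int(port)

def classify(host):
    """Return 'loopback', 'wildcard' or 'specific' for a bind address."""
    if host == "*":
        return "wildcard"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    return "wildcard" if addr.is_unspecified else "specific"

def audit(ss_output, ports=INFERENCE_PORTS):
    """List (bind, port, scope) for inference listeners not confined to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        try:
            host, port = split_local(cols[3])
            scope = classify(host)
        except ValueError:
            continue  # header or unparseable row
        if port in ports and scope != "loopback":
            findings.append((host, port, scope))
    return findings

if __name__ == "__main__":
    for host, port, scope in audit(SAMPLE_SS):
        print(f"inference port {port} bound to {host} ({scope}): reachable beyond loopback")
```

A `specific` finding such as a bridge address may be intentional for namespace reachability; the point of the audit is that every non-loopback listener is a boundary someone has to account for.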
Why it matters
This debate matters because agent gateways are poised to be everywhere — in enterprises, on developer machines, and tucked into third‑party services — and the wrong default architecture could scale a single point of failure into an industry‑wide one. Do we wrap and pray, or do we redesign with least privilege from the ground up? Ottenheimer’s piece reads like a reminder: history teaches, if you’re willing to listen.
Sources: flyingpenguin.com, Hacker News