Your Computer Wasn't Built for This

AI agents move at machine speed. Our digital environments were designed for human speed. That mismatch is the real security problem.

When OpenClaw broke, most of the conversation was about security. I think the real problem is structural — the computer itself, not the software running on it.
30,000 exposed instances. 12% of skills malicious. API keys and conversation logs leaking. Security experts all gave the same advice: run it in a VM, sandbox it, buy a separate machine. None of those are wrong. But every one of them is pointing to the same question. What is a computer actually for, now that something other than a human is using it?
Look at what's on your laptop right now. Work files. Personal photos. Browser passwords. Cloud auth tokens. Messaging app sessions. All on one machine, with local files syncing to the cloud automatically and the line between them effectively gone.
When the operator was a human, this was fine. I open the file. I click the link. Even when I make a mistake, I make it at human speed — the damage stays small.
Agents change that completely. An agent inherits your permissions and runs at machine speed. It reads files, calls APIs, sends messages, runs scripts. Seconds, not minutes. And if it gets hijacked by a single prompt injection, everything leaks at the same speed.
That was OpenClaw, end to end. An agent opened a shared Google Doc. The doc contained a hidden instruction. The agent followed it — pulled every file with credentials, shipped them out. The whole chain ran faster than it would take a person to read the document.
"What if I just move everything to the cloud?" Agents access cloud services too. One OAuth token and an agent can read your entire Drive, send email on your behalf, edit your calendar. And with auto-sync — iCloud, Google Drive, OneDrive — it gets worse: compromise local and you get the cloud, steal a cloud token and local opens up. The attack surface doesn't shrink. It just moves.
So the problem isn't any one tool's code quality. The problem is the shape of the machine. One device holds everything. Local and cloud sync in the background. That setup wasn't built for software that acts on its own.
I think we're heading toward a clear split in how computers get used.
Big enterprises figured this out years ago — that's what VDI is. The shift is that the same logic now needs to reach every individual using AI tools, not just regulated workforces.
One environment is the agent's workspace. Isolated OS. Minimal permissions. Explicit limits on which services it can reach. Disposable — if it gets compromised, you throw it away and spin up a new one. VM, dedicated server, cloud instance, the form doesn't matter much. What matters is the guarantee: if the agent makes a mess, my life stays intact.
The other is the device you actually use. Tablet, phone, lightweight laptop. This is where you review what the agent did, approve it, act on it. The control tower.
Monday morning. The agent runs on a cloud VM, working through your inbox while you make coffee. You pick up your iPad — the control tower — and swipe through five queued actions. Approve, approve, edit, approve, decline. Ship it.
Right now those two things are running on the same laptop. You check work email and run agents in the same browser. You switch between your terminal and your personal files. The mixing itself is the attack surface.
We don't have a name for this shift yet. But the direction is clear: isolated execution environments for agents, lightweight and safer interfaces for humans, and explicit permission boundaries between the two.
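As an added example (not code from this post or from any tool it mentions), here is a minimal sketch of the explicit permission boundary between the agent's workspace and the control tower: the agent can only submit actions to a broker, which denies by default, lets read-only calls through, and holds anything with side effects for a human decision. The host names, action names, `Broker` class and `demo` session are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed policy for one disposable agent workspace (all names hypothetical).
ALLOWED_HOSTS = {"mail.example.com", "calendar.example.com"}
READ_ONLY = {"read_message", "list_events"}        # allowed without review
NEEDS_APPROVAL = {"send_message", "create_event"}  # held for the human

@dataclass
class Broker:
    queue: list = field(default_factory=list)  # actions awaiting a decision
    log: list = field(default_factory=list)    # audit trail of every verdict

    def submit(self, action, url, payload=None):
        """Called from the agent side; default-deny on host and action."""
        # .hostname ignores userinfo, so "allowed-host@other-host" is not fooled.
        host = urlparse(url).hostname or ""
        if host not in ALLOWED_HOSTS or action not in READ_ONLY | NEEDS_APPROVAL:
            verdict = "denied"
        elif action in READ_ONLY:
            verdict = "allowed"
        else:
            verdict = "queued"
            self.queue.append({"action": action, "url": url, "payload": payload})
        self.log.append((verdict, action, host))
        return verdict

    def review(self, decisions):
        """Called from the control tower: one decision per queued action, in
        order. Each is "approve", "decline", or a dict holding an edited payload."""
        released = []
        for item, decision in zip(self.queue, decisions):
            if decision == "decline":
                continue
            if isinstance(decision, dict):
                item = {**item, "payload": decision}
            released.append(item)
        self.queue = self.queue[len(decisions):]
        return released

def demo():
    """Constructed session: routine work plus one injected exfiltration attempt."""
    b = Broker()
    verdicts = [
        b.submit("read_message", "https://mail.example.com/inbox"),
        b.submit("send_message", "https://mail.example.com/send", {"body": "draft"}),
        b.submit("upload_file", "https://files.example.net/drop", {"path": "creds"}),
    ]
    return verdicts, b.review([{"body": "edited draft"}])
```

A broker like this only holds if it is the workspace's sole route out, so the isolated environment still needs network egress restricted to it.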
OpenClaw wasn't a lesson about one bad tool. It was a demonstration that a new kind of software — AI agents that take real action — has arrived in an environment that was never built for it.
The shape that put everything on one machine worked for a human operator. It doesn't anymore.
The question isn't "how do we secure our current setup?" It's "how do we split our computers?"