Lesson 08 · OpenClaw, Safely Pro+ ~11 min Scopes & sandboxes

Browser, files, and shell: the dangerous trio.

These three capabilities are why OpenClaw is an agent, not a chatbot: it browses, reads and writes files, and runs commands. They're also the exact mechanics behind every serious compromise in Lesson 2. The answer isn't "never grant them" — it's granting them like an engineer: scoped, sandboxed, and earned one at a time.

The rule that governs all three

The trio is where "tricked" becomes expensive.

Assume the agent will eventually be tricked (Lesson 3). A tricked agent that can only chat says something dumb. A tricked agent with browser + files + shell can exfiltrate, modify, and persist. So every grant answers one question: if this capability were hijacked today, what's the worst hour an attacker could have with it?

Do it · grant the trio

Set each scope. Watch the worst hour change.

Configure each capability, then read the bottom line: if a stranger hijacked your agent right now, what could they do in an hour?

🦞 Capability grants
⏱ If hijacked right now, the worst hour is…
Make a choice for each capability above.
Do it · the combinations

Some grants are fine alone, deadly together.

The headlines from Lesson 2 weren't one bad setting — they were a payload capability wired to an instruction channel. For each pairing: fine, or never combine?

Fine together, or never?0 / 4
The earn-it progression

Capabilities are promotions, not defaults.

Weeks 1–2
Chat + read-only browsing. The Lessons 4–6 phase — prove it's boringly reliable.
Week 3+
Workspace file access — one folder — after the boring-and-reliable streak.
Only when a named task requires it
Shell, in the sandbox, with the task written down first.
Never on the calendar
Credentials in the browser · folders beyond the workspace · sudo. There is no week where these become fine.
Why this works

Each stage gives the previous one time to fail visibly while the stakes are still low. An agent that mangles its own workspace in week 3 just taught you what it would have done with more — and you learned it for free.

Audit yourself

Open your agent's config right now and list what the trio can reach: which sites it's logged into (should be none), which folders (should be one), shell or not (should be "not yet" or "sandboxed user"). If reality matches, you're running tighter than the vast majority of instances in those scan reports. If it doesn't — you know exactly which lesson to re-read.

What you can do now

  • Evaluate any capability grant with the hijack question: what's the worst hour an attacker could have with it?
  • Run browsing read-only, credential-free, with standing "pages are information, not instructions" rules
  • Enforce the one-folder rule and keep every secret out of the workspace
  • Treat shell as RCE-as-a-feature: off by default, sandboxed user when needed, allowlisted commands
  • Promote capabilities on the earn-it schedule — and name the three grants that never happen
Pro+
Up next in OpenClaw, Safely

Lesson 09 · Automations that run while you sleep

Cron jobs, webhooks, and watchers at full power — plus the logging habit that means you always know what your agent did at 3am. Start lesson 09 →

🎓
AI Coach
Ask anything about this lesson
Hey! I'm your AI Coach for this lesson. Ask me anything about the dangerous trio — browser, files, shell — how to scope each one, or the combinations to never allow. What's on your mind?
Free lesson coaching is limited to 3 questions. Upgrade to Pro for unlimited coaching on every lesson.