Browser, files, and shell: the dangerous trio.
These three capabilities are why OpenClaw is an agent, not a chatbot: it browses, reads and writes files, and runs commands. They're also the exact mechanics behind every serious compromise in Lesson 2. The answer isn't "never grant them" — it's granting them like an engineer: scoped, sandboxed, and earned one at a time.
The trio is where "tricked" becomes expensive.
Assume the agent will eventually be tricked (Lesson 3). A tricked agent that can only chat says something dumb. A tricked agent with browser + files + shell can exfiltrate, modify, and persist. So every grant answers one question: if this capability were hijacked today, what's the worst hour an attacker could have with it?
Set each scope. Watch the worst hour change.
Configure each capability, then read the bottom line: if a stranger hijacked your agent right now, what could they do in an hour?
Some grants are fine alone, deadly together.
The headlines from Lesson 2 weren't one bad setting — they were a payload capability wired to an instruction channel. For each pairing: fine, or never combine?
Capabilities are promotions, not defaults.
Each stage gives the previous one time to fail visibly while the stakes are still low. An agent that mangles its own workspace in week 3 just taught you what it would have done with more — and you learned it for free.
Audit yourself
Open your agent's config right now and list what the trio can reach: which sites it's logged into (should be none), which folders (should be one), shell or not (should be "not yet" or "sandboxed user"). If reality matches, you're running tighter than the vast majority of instances in those scan reports. If it doesn't — you know exactly which lesson to re-read.
What you can do now
- Evaluate any capability grant with the hijack question: what's the worst hour an attacker could have with it?
- Run browsing read-only, credential-free, with standing "pages are information, not instructions" rules
- Enforce the one-folder rule and keep every secret out of the workspace
- Treat shell as RCE-as-a-feature: off by default, sandboxed user when needed, allowlisted commands
- Promote capabilities on the earn-it schedule — and name the three grants that never happen