
bpicolo yesterday at 1:08 PM

Don't give it write permissions?

You could easily make human approval workflows for this stuff, where humans need to take any interesting action at the recommendation of the bot.


Replies

wavemode yesterday at 2:06 PM

The mere act of browsing the web is "write permissions". If I visit example.com/<my password>, I've now written my password into the web server logs of that site. So the only remaining question is whether I can be tricked/coerced into doing so.

I do tend to think this risk is somewhat mitigated if you have a whitelist of allowed domains that the claw can make HTTP requests to. But I haven't seen many people doing this.

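The domain allowlist mentioned in the comment above, sketched as an added example that is not part of the thread: a pre-flight check an agent's HTTP tool could run before every request. The function name, the allowlist entries and the HTTPS-only policy are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for illustration; not taken from the thread.
ALLOWED_HOSTS = {"docs.python.org", "api.github.com"}
ALLOWED_SUFFIXES = {".wikipedia.org"}  # any subdomain of these names


def egress_allowed(url: str) -> bool:
    """Return True only if the agent may send an HTTP request to url."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, userinfo and port stripped
        port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    # Userinfo trick: "https://api.github.com@evil.example/" targets evil.example.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = host.rstrip(".")  # "api.github.com." is the same DNS name
    # IP literals sidestep a name-based policy, so refuse them outright.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if host in ALLOWED_HOSTS:
        return True
    # The suffix keeps its leading dot, so "evilwikipedia.org" does not match.
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)
```

The check gates only the destination host: whatever is in the path or query still reaches an allowed host and its logs. Redirect targets need the same check before they are followed.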