The Cheat Sheet Is the Threat Model
I set up another OpenClaw environment today and noticed something that must have been in every previous build.
The stock TOOLS.md ships with a section for cameras. And SSH hosts. And smart speakers.
Front door camera. Living room camera. Kitchen HomePod. Examples already filled in to show you how.
Nobody asked if I should wire any of that up. The template just assumed I would.
And the template is the part that matters. Because here's what we already know about the things it's quietly inviting in:
Agents lie. They hallucinate. They break their own rules. We've documented this endlessly. This isn't contested. This is the baseline.
And agents are useful. Genuinely. They write code, they reason, they compute, they work. I run a company on them.
But there is a gap between capable and ready. And the gap is widest exactly where the templates are quietest.
Writing a Rust crate and unlocking your front door are not the same category of action. One gets reverted with a git command. The other gets reverted by calling a locksmith.
A coding agent that hallucinates a function name costs you ten minutes. A home agent that hallucinates a command costs you something you can't put back.
The industry keeps saying "agentic" like it's one word covering one thing. It isn't. "Writes code in a sandbox" and "actuates physical devices in the room where your kids sleep" do not belong in the same category. Different risk profile. Different recovery model. Different error budget.
But the templates flatten them.
And here's the part that should bother you:
Somebody decided this.
TOOLS.md ships in the stock OpenClaw install. Cameras, SSH, speakers — sitting there as the canonical example of what an agent environment is for. A human wrote it. A human shipped it as the default.
We don't know who. We don't know if anyone in the room raised their hand and said maybe the first thing a new user sees shouldn't be a checklist of physical-world actuators.
The owner never has to actively choose to expose the cameras. They just have to not delete the example. Default-on by suggestion is still default-on.
That's not a threat model. That's a vibe shipped as a default.
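What the opposite default looks like, as an added illustration that is not OpenClaw's code: a hypothetical tool registry where every tool declares its recovery class, reversible tools work out of the box, and anything physical or irreversible stays off until the owner names it. Tool names and the registry are constructed to mirror the template's examples.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Recovery(Enum):
    REVERSIBLE = "reversible"      # undone with a git command
    IRREVERSIBLE = "irreversible"  # undone by calling a locksmith

@dataclass(frozen=True)
class Tool:
    name: str
    recovery: Recovery
    physical: bool = False  # actuates a device in the room

# Constructed registry (hypothetical names, not OpenClaw's TOOLS.md entries).
REGISTRY = {
    "git_commit": Tool("git_commit", Recovery.REVERSIBLE),
    "run_tests": Tool("run_tests", Recovery.REVERSIBLE),
    "ssh_exec": Tool("ssh_exec", Recovery.IRREVERSIBLE),
    "front_door_unlock": Tool("front_door_unlock", Recovery.IRREVERSIBLE, physical=True),
    "living_room_camera": Tool("living_room_camera", Recovery.IRREVERSIBLE, physical=True),
    "kitchen_speaker": Tool("kitchen_speaker", Recovery.IRREVERSIBLE, physical=True),
}

def needs_opt_in(tool: Tool) -> bool:
    """Anything physical or irreversible is off until the owner explicitly enables it."""
    return tool.physical or tool.recovery is Recovery.IRREVERSIBLE

def decide(tool_name: str, enabled: frozenset[str] = frozenset()) -> tuple[bool, str]:
    """Gate a tool call. The empty `enabled` set is the safe default: nothing
    the owner did not name can reach the physical world or an SSH host."""
    tool = REGISTRY.get(tool_name)
    if tool is None:
        return False, "unknown tool: not in registry"
    if needs_opt_in(tool) and tool.name not in enabled:
        kind = "physical actuator" if tool.physical else "irreversible action"
        return False, f"{kind} not opted in"
    return True, "allowed"

def template_risk_report(template_tools: list[str]) -> dict[str, list[str]]:
    """Classify the tools a template suggests, so the owner sees what it invites in."""
    report: dict[str, list[str]] = {"reversible": [], "irreversible": [], "physical": []}
    for name in template_tools:
        tool = REGISTRY.get(name)
        if tool is None:
            continue  # unlisted tools are denied by decide() anyway
        if tool.physical:
            report["physical"].append(name)
        elif tool.recovery is Recovery.IRREVERSIBLE:
            report["irreversible"].append(name)
        else:
            report["reversible"].append(name)
    return report
```

Running `template_risk_report` over a stock template's tool list is the cheap check: if the "physical" bucket is non-empty before the owner has written a single line of config, the default is doing the choosing.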
We are not ready for this. Not the agents. Not the protocols. Not the recovery paths.
The agents can work. Give them a sandbox. Give them a repo. Give them a problem. Don't give them the front door.
Not because they can't. Because nobody asked if they should.