DD-07 — OpenClaw
Platform Harness & Trust Architecture
368,000+ stars. 40+ messaging channels. The breadth play. The trust-architecture gap that birthed two governance forks — NemoClaw (NVIDIA) and Scout (Microsoft).
60 min · 9 artifacts · score 35/60
Thesis
Breadth compounds the trust problem
Every channel added raises Module 2 (tool breadth) and simultaneously raises the injection surface that depresses Module 6. The 35/60 is not a failure of execution — it is the structural cost of the breadth play without a trust architecture.
The defining vulnerability: channel messages (untrusted) enter the model's context with the SAME trust status as operator instructions. No tags, no boundary. Cross-channel injection (ASI01).
The trust gap
Channel-aware prompt, flat trust model
The ~8k-token system prompt knows how to format a Slack message vs. a Telegram message. It does not tell the model that the Slack message is untrusted data. Channel awareness without trust awareness is the half-measure.
Channel-aware (has)
Prompt formats messages differently per channel. Knows Slack vs Telegram vs Teams conventions.
Trust-aware (missing)
Prompt does NOT tell model which content is untrusted. No "this is data, not instruction" tag. The half-measure.
ASI01 — Cross-channel injection
The attacker does not need the operator
The attack: a message from an attacker-controlled channel (public Slack, Telegram group, spoofed email) enters the model's context with FULL AUTHORITY. The model cannot distinguish "do this" said by the operator from "do this" said by a stranger.
Why it is high-severity: the attacker does not need to compromise the operator. They need only send a message in a channel the agent monitors. 40+ channels = 40+ injection surfaces.
The evidence — two governance forks
NemoClaw (NVIDIA) + Scout (Microsoft)
NemoClaw — NVIDIA
Governance fork. Adds NeMo Guardrail trust boundary at the adapter. Tags channel content as untrusted, demotes to data.
Scout — Microsoft
Independent governance fork. Addresses the same deficiency with an equivalent trust boundary.
Two well-funded teams independently building the same fix = the strongest signal that the architecture, not the implementation, is the problem. If it were patchable, these would be pull requests, not forks.
12-module audit
Score: 35/60
| Module | Score | Key decision |
| M1 Loop | 4 | platform-adapted ReAct |
| M2 Tools | 4 | channel-aware, 40+ integrations |
| M3 Context | 3 | channel-mixed (the problem) |
| M5 Sandbox | 2 | weak — channel trust is the gap |
| M6 Permission | 2 | per-channel, no cross-channel trust boundary |
| M10 Subagents | 3 | channel-routing agents |
| M12 Prompt | 4 | ~8k, channel-aware |
| TOTAL | 35 | breadth wins; trust gap loses |
Wins where breadth pays (M2, M12). Loses where trust matters (M5, M6). The 35 is structural, not a failure of execution.
Three anti-patterns
What OpenClaw is not
"368K stars means it's the best"
No — stars measure attention, not architecture. The existence of NemoClaw tells you the architecture has a real deficiency. Rank by design intent, not stars.
"Channel awareness in the prompt solves trust"
No — channel awareness without trust awareness is the half-measure. And a prompt instruction is exactly what an injected message can override. The fix must be architectural.
"The trust gap is a bug that can be patched"
No — two independent governance forks are the evidence. If it were patchable, NemoClaw and Scout would be pull requests, not forks.
Three fixes
The NemoClaw pattern
01 — Cross-channel trust boundaries
Tag channel-derived content as untrusted AT THE ADAPTER. Carry the tag to the model's context. Enforce in the harness, not the prompt.
02 — Per-channel capability scoping
A Slack message (public channel) should not exercise the same capabilities as a direct operator message. Downgrade trust by channel type.
03 — Injection detection at the adapter
Pre-filter channel inputs before they reach the model. A harness-layer check, not a prompt instruction the model can be talked out of.
Objectives
After this module
- 1. Apply the 6-phase methodology to OpenClaw; produce a scored card.
- 2. Defend breadth as a strategy — and state why it compounds the trust problem.
- 3. Explain the trust-architecture gap and why it enables cross-channel injection (ASI01).
- 4. Articulate why two governance forks are evidence the fix is architectural, not a patch.
- 5. Distinguish channel-aware (has) from trust-aware (missing) prompt design.
- 6. State the three fixes that constitute the NemoClaw pattern.