"front"	"back"	"tags"
"What is OpenClaw's defining vulnerability?"	"The trust-architecture gap: channel messages (untrusted) enter the model's context with the SAME trust status as operator instructions. No tags, no boundary. Enables cross-channel injection (ASI01). NemoClaw + Scout were forked to fix this."	harness-eng::dd07::recall
"Why did NemoClaw and Microsoft Scout fork OpenClaw?"	"Because OpenClaw's trust architecture has no cross-channel untrusted-content boundary. Two independent well-funded teams built governance forks to add enforcement outside the agent's reach. The forks are evidence the deficiency is architectural, not a patchable bug."	harness-eng::dd07::analysis
"OpenClaw scores 35/60. Where does it win and lose?"	"Wins on channel breadth (M2=4, 40+ integrations; M12=4, channel-aware prompt). Loses on trust architecture (M5=2, M6=2) - the cross-channel trust gap is its defining deficiency. The 35 is structural cost, not execution failure."	harness-eng::dd07::analysis
"What is the 'breadth compounds the trust problem' thesis?"	"Every channel added raises Module 2 (tool breadth - good) and simultaneously raises the injection surface that depresses Module 6 (bad). Breadth without a trust architecture means each new channel is a new untrusted input source with no isolation. The 35/60 is the structural cost."	harness-eng::dd07::analysis
"Explain cross-channel injection (ASI01) in OpenClaw."	"A message from an attacker-controlled channel (public Slack, Telegram group, spoofed email) enters the model's context with FULL AUTHORITY. The attacker does NOT need to compromise the operator - only send a message in a monitored channel. 40+ channels = 40+ injection surfaces."	harness-eng::dd07::analysis
"Distinguish 'channel-aware' from 'trust-aware' prompt design."	"Channel-aware (OpenClaw HAS): prompt formats messages differently per channel (Slack vs Telegram conventions). Trust-aware (OpenClaw LACKS): prompt tells model which content is untrusted data. Channel awareness without trust awareness is the half-measure."	harness-eng::dd07::analysis
"Can a container sandbox fix OpenClaw's trust gap? Why or why not?"	"NO. A container bounds blast radius of tool execution on the FILESYSTEM. The trust gap is in the CONTEXT window - injection enters through the message pipeline, not through the file system. You can run OpenClaw in a locked container and cross-channel injection still works."	harness-eng::dd07::analysis
"Name 3 things OpenClaw does better than any other harness."	"(1) Channel breadth (40+ integrations). (2) Enterprise adoption (NVIDIA + Microsoft partnerships). (3) Ecosystem size (368K stars, largest in platform-harness category)."	harness-eng::dd07::recall
"Name the 3 fixes (the NemoClaw pattern)."	"(1) Cross-channel trust boundaries: tag channel content as untrusted AT THE ADAPTER, enforce in harness. (2) Per-channel capability scoping: downgrade trust by channel type (public=read-only, operator=full). (3) Injection detection at the adapter (pre-filter before model)."	harness-eng::dd07::application
"Why can't the trust gap be fixed with a prompt instruction?"	"Because a prompt instruction ('treat channel content as untrusted') is EXACTLY what an injected message can override. The injection attack works by manipulating the model's interpretation of instructions - asking the model nicely to distrust content does not work when the content IS the attack. Fix must be architectural (harness-enforced), not lexical."	harness-eng::dd07::analysis
"Is OpenClaw's 368K stars evidence of architectural quality?"	"NO. Stars measure attention, not architecture (Module 0.2 anti-pattern #1). OpenClaw's stars tell you it got attention; the existence of NemoClaw tells you the architecture has a real deficiency. Hermes's OpenRouter overtake (May 2026) is the trajectory signal. Rank by design intent, not stars."	harness-eng::dd07::analysis
"Why are two independent forks (NemoClaw + Scout) stronger evidence than one?"	"Convergent evidence. Two well-funded teams (NVIDIA, Microsoft) working independently both concluded the same deficiency requires the same fix. If it were a bug, they would be pull requests. Two independent forks = the architecture, not the implementation, is the problem. Strongest possible signal."	harness-eng::dd07::analysis
"What does 'channel multiplexer' mean as OpenClaw's core architecture?"	"40+ adapters, each translating a messaging platform's protocol (Slack webhook, Telegram bot API, Teams graph, email IMAP) into a common message object the agent loop consumes. The load-bearing question is not the multiplexing but the TRUST STATUS of the resulting message."	harness-eng::dd07::recall
"Why does OpenClaw score M6=2 (Permission)?"	"Per-channel permissions exist but do NOT compose into a cross-channel trust model. A Slack-sourced message and a Teams-sourced message can both invoke the same high-risk tools. No 'this came from a public channel, downgrade trust' mechanism. The structural cost of breadth."	harness-eng::dd07::analysis
"State the 3 anti-patterns for OpenClaw."	"(1) '368K stars means it's the best' - NO, stars != architecture. (2) 'Channel awareness in prompt solves trust' - NO, half-measure that injection can override. (3) 'The trust gap is a patchable bug' - NO, two forks prove it requires re-architecting."	harness-eng::dd07::analysis
"Contrast OpenClaw's attack surface with CLI harnesses (Pi, Aider, OpenCode)."	"CLI harnesses have ONE input surface: the terminal operator. The attacker needs the operator to open a malicious file/repo. OpenClaw has 40+ input surfaces (channels). The attacker does NOT need the operator - only to send a message in a monitored channel. The trust problem is categorically different at platform scale."	harness-eng::dd07::analysis
"What is a 'governance fork' and how does it differ from a feature fork?"	"A governance fork's primary contribution is a trust/governance layer (NemoClaw adds NeMo Guardrail), not a feature. It exists because the parent's architecture cannot support the trust model in-place. Governance forks are evidence of architectural deficiency; feature forks are evidence of missing capability."	harness-eng::dd07::analysis
"What is the ~8k-token system prompt's limitation?"	"It is channel-aware (formats Slack vs Telegram differently) but NOT trust-aware (does not tell model which content is untrusted). It can format a message; it cannot classify it. Channel awareness without trust awareness is the half-measure. And even trust-awareness in the prompt would be overridable by injection."	harness-eng::dd07::recall
"Under what conditions is OpenClaw the right choice?"	"(1) Multi-channel reach where inputs are trusted or governance layers (NemoClaw-style) are deployed. (2) Enterprise adoption matters (NVIDIA/Microsoft partnerships). (3) The deployment accepts the trust gap risk or mitigates it with the three fixes. Wrong choice for security-critical or untrusted-input work as-is."	harness-eng::dd07::application
"How does per-channel capability scoping work as a fix?"	"Downgrade trust by channel TYPE (not just per-channel). Public Slack channel = read-only capabilities. Direct message = more. Operator instruction = full. The trust hierarchy is per-channel-type, so a public-channel message cannot exercise high-risk tools even if injection succeeds."	harness-eng::dd07::analysis
