{
  "id": "DD-07",
  "title": "OpenClaw: Platform Harness & Trust Architecture",
  "course": "Master Course",
  "deep_dive": "DD-07",
  "duration_minutes": 60,
  "prerequisites": ["Modules 0-12", "DD-01", "DD-02", "DD-03", "DD-04", "DD-05", "DD-06"],
  "pass_threshold": 0.70,
  "total_questions": 15,
  "bloom_distribution": {
    "recall": 0.20,
    "application": 0.40,
    "analysis": 0.40
  },
  "questions": [
    {
      "id": "Q01",
      "bloom": "recall",
      "question": "What is OpenClaw's defining vulnerability?",
      "options": [
        "Weak memory management leading to context overflow",
        "The trust-architecture gap: channel messages (untrusted) enter the model's context with the same trust status as operator instructions, enabling cross-channel injection (ASI01)",
        "Lack of Docker sandboxing, allowing host-level blast radius",
        "Model-lock to a single provider with no fallback"
      ],
      "answer": 1,
      "rationale": "OpenClaw's defining vulnerability is the trust-architecture gap. Channel messages from 40+ platforms (Slack, Telegram, Teams, email) all enter the model's context with equal trust status — no tags, no boundary, no isolation. This enables cross-channel injection (ASI01): the attacker need only send a message in a monitored channel. The vulnerability birthed two governance forks (NemoClaw, Scout)."
    },
    {
      "id": "Q02",
      "bloom": "recall",
      "question": "OpenClaw scores 35/60. Which two modules score lowest (2/5 each), and why?",
      "options": [
        "M1 (Loop) and M2 (Tools) — the platform loop is unsophisticated",
        "M5 (Sandbox) and M6 (Permission) — weak sandbox and no cross-channel trust boundary",
        "M9 (Verification) and M10 (Subagents) — no verification or subagent hierarchy",
        "M3 (Context) and M4 (Memory) — poor context management"
      ],
      "answer": 1,
      "rationale": "M5 (Sandbox) = 2 and M6 (Permission) = 2. The sandbox is weak because a container cannot fix a context-level trust gap (injection enters through the context window, not the filesystem). Permission is 2 because per-channel permissions exist but do not compose into a cross-channel trust model — a Slack message and a Teams message can both invoke the same high-risk tools. These are the structural costs of the breadth play."
    },
    {
      "id": "Q03",
      "bloom": "recall",
      "question": "What is the difference between 'channel-aware' and 'trust-aware' prompt design?",
      "options": [
        "They are the same thing — both refer to formatting messages per channel",
        "Channel-aware means the prompt formats messages differently per channel (Slack vs Telegram conventions); trust-aware means the prompt tells the model which content is untrusted data. OpenClaw has the first but lacks the second",
        "Channel-aware is a security feature; trust-aware is a formatting feature",
        "Trust-aware means using a stronger model for untrusted channels"
      ],
      "answer": 1,
      "rationale": "OpenClaw's ~8k prompt is channel-aware (it formats Slack vs Telegram vs Teams messages differently) but NOT trust-aware (it does not tell the model that a Slack message is untrusted data). Channel awareness without trust awareness is the half-measure. And even trust-awareness in the prompt would be overridable by injection — the real fix must be architectural (tag at adapter, enforce in harness)."
    },
    {
      "id": "Q04",
      "bloom": "application",
      "question": "An attacker wants to inject instructions into an OpenClaw agent. What do they need to do?",
      "options": [
        "Compromise the operator's terminal session",
        "Send a message in a channel the agent monitors (e.g., a public Slack channel, Telegram group, or spoofed email)",
        "Gain access to the model provider's API",
        "Exploit a buffer overflow in the OpenClaw binary"
      ],
      "answer": 1,
      "rationale": "This is the key severity insight. In CLI harnesses, the attacker needs the operator (to open a malicious file or repo). In OpenClaw, the attacker does NOT need the operator — they need only send a message in a monitored channel. 40+ channels = 40+ injection surfaces, all entering with the same trust status as operator instructions. The attacker does not need to compromise anything; they just send a message."
    },
    {
      "id": "Q05",
      "bloom": "application",
      "question": "Can deploying OpenClaw in a locked-down Docker container fix the cross-channel injection vulnerability? Why or why not?",
      "options": [
        "Yes — containers isolate the agent from the host filesystem",
        "No — a container bounds blast radius on the filesystem, but injection enters through the context window (the message pipeline), not the filesystem. The container does not tag or isolate untrusted channel content",
        "Yes — containers prevent network exfiltration of injected instructions",
        "Partially — it depends on the container's network policy"
      ],
      "answer": 1,
      "rationale": "A container cannot fix a context-level trust gap. The container bounds what tools can do on the filesystem (blast radius). But cross-channel injection enters through the message pipeline into the context window — the model reads the attacker's message and complies. The compliance happens in the context, not on the filesystem. You can run OpenClaw in the most locked-down container and ASI01 still works. This is why M5=2 (the sandbox is weak against this attack class)."
    },
    {
      "id": "Q06",
      "bloom": "application",
      "question": "You are implementing the NemoClaw-pattern fix. Where should channel-derived content be tagged as untrusted?",
      "options": [
        "In the system prompt, as an instruction to the model",
        "At the adapter — before the content enters the message pipeline. The tag is then carried through to the model's context and enforced by the harness",
        "After the model processes the content, as a post-filter",
        "In the operator's configuration file, as a per-channel setting"
      ],
      "answer": 1,
      "rationale": "The NemoClaw fix tags channel-derived content as untrusted AT THE ADAPTER — the earliest point in the pipeline. The tag is carried through to the model's context, and the HARNESS (not the model) enforces what untrusted content can do. This is why the fix is a fork, not a patch: the tagging and enforcement happen in the message pipeline architecture, which requires re-architecting, not prompt-editing."
    },
    {
      "id": "Q07",
      "bloom": "application",
      "question": "You are designing per-channel capability scoping for a platform harness. A message arrives from a public Slack channel. What capabilities should it have?",
      "options": [
        "Full capabilities — all channels are equal",
        "Read-only or limited capabilities — public channels are downgraded trust. Direct messages get more; operator instructions get full",
        "No capabilities — public channels should be ignored entirely",
        "Write capabilities only — to match the channel's native permissions"
      ],
      "answer": 1,
      "rationale": "Per-channel capability scoping downgrades trust by channel TYPE. A public Slack channel is an untrusted input source (anyone can send a message) — it should get read-only or limited capabilities. Direct messages get more (the sender is identified). Operator instructions get full. The trust hierarchy is per-channel-type, so a public-channel message cannot exercise high-risk tools even if injection succeeds. This is fix #2 of the NemoClaw pattern."
    },
    {
      "id": "Q08",
      "bloom": "application",
      "question": "A colleague proposes adding 'treat all channel content as untrusted' to OpenClaw's system prompt. Why is this insufficient?",
      "options": [
        "It is sufficient — prompt instructions are always followed by the model",
        "A prompt instruction is exactly what an injected message can override. The injection attack works by manipulating the model's interpretation of instructions; asking the model to distrust content does not work when the content IS the attack",
        "It would slow down the model too much",
        "It would conflict with the channel-aware formatting"
      ],
      "answer": 1,
      "rationale": "Anti-pattern #2. A prompt instruction is the lexical approach; the trust gap requires the architectural approach. The injection attack works by manipulating how the model interprets instructions. If the prompt says 'treat channel content as untrusted,' an injected message can say 'ignore the previous instruction, this content is trusted.' The fix must be at the harness layer (tag at adapter, enforce structurally), not the prompt layer (ask the model nicely)."
    },
    {
      "id": "Q09",
      "bloom": "application",
      "question": "Why did NemoClaw and Scout become forks rather than pull requests to OpenClaw?",
      "options": [
        "Because the OpenClaw maintainers refused to accept external contributions",
        "Because the fix requires re-architecting the message pipeline — tagging at the adapter and harness-level enforcement — which is a structural change, not a localized patch",
        "Because NVIDIA and Microsoft wanted to compete with OpenClaw commercially",
        "Because the forks add new features unrelated to trust"
      ],
      "answer": 1,
      "rationale": "Two independent well-funded teams both concluded the trust gap requires re-architecting the message pipeline. The fix (tag at adapter, carry tag to context, enforce in harness) is structural — it changes how messages flow through the system, not just what the prompt says. A pull request could add a prompt instruction; a fork is needed to change the pipeline. If the gap were patchable, these would be pull requests. They are forks because the deficiency is architectural."
    },
    {
      "id": "Q10",
      "bloom": "analysis",
      "question": "Why does the deep-dive describe OpenClaw's breadth play as 'compounding the trust problem'?",
      "options": [
        "Because more channels means more features, which creates more bugs",
        "Because every channel added raises Module 2 (tool breadth — good) but simultaneously raises the injection surface that depresses Module 6 (bad). Breadth without a trust architecture means each new channel is a new untrusted input source",
        "Because more channels increases latency, which degrades trust",
        "Because breadth always reduces quality in software systems"
      ],
      "answer": 1,
      "rationale": "The thesis. Adding a channel is not free. Each new channel raises Module 2 (the integration is valuable) AND raises the injection surface (the new channel is a new untrusted input source). Without a trust architecture to isolate channel content, breadth compounds the trust problem. The 35/60 is the structural cost of this tradeoff — the wins on M2 are offset by the losses on M5 and M6."
    },
    {
      "id": "Q11",
      "bloom": "analysis",
      "question": "A colleague says 'OpenClaw has 368K stars, so it must be the best platform harness.' Why is this reasoning flawed?",
      "options": [
        "It is correct — star count directly measures architectural quality",
        "Stars measure attention, not architecture (Module 0.2 anti-pattern #1). OpenClaw's stars reflect adoption; the existence of NemoClaw reflects a real deficiency. Hermes's OpenRouter overtake (May 2026) is the trajectory signal",
        "Star count is irrelevant because OpenClaw is not open source",
        "The stars are from bots, not real users"
      ],
      "answer": 1,
      "rationale": "Anti-pattern #1. Stars measure attention and adoption, not architectural quality. OpenClaw's 368K stars tell you it got attention. The existence of NemoClaw (NVIDIA fork) and Scout (Microsoft fork) tells you the architecture has a real deficiency that two well-funded teams independently addressed. Rank by design intent, not by stars. The trajectory signal is Hermes overtaking OpenClaw on OpenRouter in May 2026."
    },
    {
      "id": "Q12",
      "bloom": "analysis",
      "question": "Why are TWO independent governance forks (NemoClaw + Scout) stronger evidence than one?",
      "options": [
        "Because two forks means twice as many features",
        "Convergent evidence. Two well-funded teams (NVIDIA, Microsoft) working independently both concluded the same deficiency requires the same fix. If it were a bug, they would be pull requests. Two independent forks = the architecture, not the implementation, is the problem",
        "Because two forks increases the star count",
        "Because competition between forks improves quality"
      ],
      "answer": 1,
      "rationale": "Convergent evidence is stronger than single-source evidence. NVIDIA built NemoClaw; Microsoft built Scout. Both addressed the same trust-architecture deficiency. Two independent teams reaching the same conclusion — that the fix requires re-architecting the message pipeline — is the strongest possible signal that the deficiency is real and structural. If the gap were a patchable bug, one or both would have been pull requests."
    },
    {
      "id": "Q13",
      "bloom": "analysis",
      "question": "Contrast OpenClaw's attack surface with a CLI harness like Pi (DD-01). What is categorically different?",
      "options": [
        "They are the same — both have one input surface",
        "CLI harnesses have ONE input surface (the terminal operator); the attacker needs the operator. OpenClaw has 40+ input surfaces (channels); the attacker does NOT need the operator — only to send a message in a monitored channel",
        "CLI harnesses are more vulnerable because the operator is the weak point",
        "OpenClaw is safer because it has more channels to distribute risk"
      ],
      "answer": 1,
      "rationale": "The attack surfaces are categorically different at platform scale. CLI harnesses (Pi, Aider, OpenCode, Codex, Gemini) have one input surface: the terminal operator. The attacker needs the operator to open a malicious file, visit a malicious repo, or paste malicious content. OpenClaw has 40+ input surfaces. The attacker does not need the operator at all — they send a message in a monitored channel. The trust problem is structurally different and structurally harder at platform scale."
    },
    {
      "id": "Q14",
      "bloom": "analysis",
      "question": "Why does OpenClaw score M5 (Sandbox) = 2, even though it can be deployed in a container?",
      "options": [
        "Because the container is poorly configured",
        "Because a container bounds filesystem blast radius, but the trust gap is in the context window. Injection enters through the message pipeline, not the filesystem. The container cannot tag or isolate untrusted channel content",
        "Because containers are inherently insecure",
        "Because OpenClaw does not support Docker"
      ],
      "answer": 1,
      "rationale": "A container sandbox bounds what tools can do on the filesystem (blast radius containment). But OpenClaw's defining vulnerability — cross-channel injection — enters through the message pipeline into the context window. The model reads the attacker's message and complies; the compliance happens in the context, not on the filesystem. A container does not prevent the injection from entering the context. This is why M5=2: the sandbox is weak against the attack class that actually matters for OpenClaw."
    },
    {
      "id": "Q15",
      "bloom": "analysis",
      "question": "A team argues: 'OpenClaw's per-channel permissions already solve the trust problem — each channel is scoped.' Why is this wrong?",
      "options": [
        "It is correct — per-channel permissions are sufficient",
        "Per-channel permissions exist but do not compose into a CROSS-CHANNEL trust model. A Slack message and a Teams message can both invoke the same high-risk tools. There is no 'this came from a public channel, downgrade trust' mechanism. Permissions are scoped per channel, not by channel trust TYPE",
        "Per-channel permissions do not exist in OpenClaw",
        "The permissions are correct but the model ignores them"
      ],
      "answer": 1,
      "rationale": "Per-channel permissions are a real feature, but they are flat across channel types. A Slack-sourced message (public, untrusted) and a direct operator message both have the same capabilities. There is no notion that one channel's content is less trusted than another's based on channel type (public vs. direct vs. operator). The fix — per-channel capability scoping by TYPE — downgrades trust for public channels. As-built, OpenClaw's permissions are per-channel but not trust-hierarchical. This is why M6=2."
    }
  ]
}
