OpenClaw isn’t fooling me. I remember MS-DOS.

The sad days of DOS. Any program could peek and poke the kernel, hook interrupts, write anywhere on disk. There was no safety. The fix wasn’t a wrapper, a different shell. It was a whole different approach to what was being done. The world already had rings, virtual memory, ACLs, separate address spaces. Thirty years of separations that Unix had from the start were ignored, and it finally caught up to the world of DOS.

I’m not saying DOS wasn’t wildly popular. Oh my god. I remember one dark night in a bar in Chicago, a drunk Swedish IT consultant jumped onto a table and said “listen up everyone!”. As he waved his beer mug around, sloshing carelessly, with wobbly legs, he said he was in town to work on Wal-Mart Point-of-sale (POS) devices running MS-DOS. Why was he acting like this? He was happy, very, very happy. He wanted us to know he loved his work, something like “CAN YOU BELIEVE WAL-MART HAS HUNDREDS OF THOUSANDS OF DOS MACHINES WITH ALL YOUR F$%#$%NG PAYMENT CARD DATA?! HAHAHA! AND IT ALL HAS ONE PASSWORD THAT EVERYONE SHARES! YOU WANT IT?! I GOT IT RIGHT HERE! FREEDOM, AMERICA, F$#%$K YEAH!”

True story. Both the guy and Wal-Mart put ALL customer information on MSDOS with exactly zero safety.

NCR had just announced a new MS-DOS-based PC…we decided to build a custom solution for Wal-Mart. I managed to connect a cash drawer and a POS printer to the new PC and wrote a dedicated Layaway application in compiled MS Basic. For the first time, Wal-Mart could store customer info on a disk. A clerk could search by name in seconds, and more importantly, the system tracked exactly where the merchandise was tucked away in the backroom. It was a massive efficiency win, and NCR ultimately rolled it out to all Wal-Mart stores.

Personal identity information was never breached faster! Massive efficiency win, indeed. When Wal-Mart was breached in 2006 they naturally had to wait three long years to notify anyone. So efficient.

Agent gateways feel like we are racing backwards into the MS-DOS era. At any minute in a bar I expect a drunk Swedish IT consultant to be standing on a table waving a lobster around, swearing about his single token for all agents. Because, let’s face it, when you look at gateways out there they can hand the model an exec tool and trust it. One process, one token, with the LLM holding the line.

NVIDIA clearly has seen the storm brewing and therefore published a thoughtful tutorial walking through a self-hosted agent setup on DGX Spark.

Use NVIDIA DGX Spark to deploy OpenClaw and NemoClaw end-to-end, from model serving to Telegram connectivity, with full control over your runtime environment.

I appreciate this effort. Real engineering, carefully done. I took the tutorial to learn and I followed it in Wirken, a gateway I’ve been building, to document what each step looked like.

The tutorial has you bind Ollama to 0.0.0.0 so the sandboxed agent can reach it across a network namespace. Then it pairs the Telegram bot by sending a code through the chat channel. It next approves blocked outbound connections in a separate host-side TUI. Each of those seem to be steps to address a real problem, which is how to put security around something that doesn’t work when it has security around it. It’s what an architecture requires when the sandbox sits around the whole agent.

Call me old-fashioned but I anticipated a lot of this in Wirken by giving the agent more safety by shrinking the boundaries. Each channel is a separate process with its own Ed25519 identity. The vault runs out of process. Inference stays on loopback because the agent is on the host. Shell exec runs in a hardened container configured at the tool layer, rather than trying to wrap around the whole agent. Sixteen high-risk command prefixes prompt on every call; others are first-use with a 30-day memory.

Here’s what I found, step by step

Step	NemoClaw	Wirken
1. Runtime	Register the NVIDIA container runtime with Docker, set cgroup namespace mode to host. Foundational setup because the agent runs inside a container.	No equivalent step. The gateway runs as a host process. Docker appears only as a per-tool-call sandbox for shell exec, provisioned lazily.
2. Ollama	Override OLLAMA_HOST to 0.0.0.0 so the sandboxed agent can reach inference across its own network namespace.	Ollama stays on 127.0.0.1. The agent is a host process, so loopback is enough.
3. Install	curl-pipe-bash from an NVIDIA URL.	curl-pipe-sh as well. The installer verifies the release signature with ssh-keygen against an embedded key, fail-closed on every failure path. The installer’s own SHA is pinned in the README for readers who want to check the script before piping.
4. Model	ollama pull the model, then ollama run to preload weights into GPU memory.	Same pattern. Both delegate inference to Ollama.
5. Onboarding	Wizard produces a sandbox image with policy and inference baked in, as a named rebuildable unit.	Wizard writes provider config and channel registrations. The permission model lives in the binary; runtime state is which action keys have been approved.
6. Telegram	Pairing code sent through the chat channel; user approves from inside the sandbox. Binds a platform user to the agent at first contact.	Bot token into an encrypted vault, fresh Ed25519 keypair for the adapter, no in-chat pairing. Approval granularity is per action and per agent rather than per channel user.
7. Web UI	Localhost URL with a capability token in the fragment, not shown again.	Localhost URL, loopback-bound, no token required.
8. Remote access	Host-side port forward started through OpenShell, then SSH tunnel. The extra hop is because the UI lives inside a netns.	SSH tunnel only. The WebChat listener is already on host loopback.
9. Policy	Enforces at the netns boundary. Outbound connections are surfaced in a TUI with host, port, and initiating binary. Approve for the session or persist.	Enforces at the tool dispatch layer. Sixteen high-risk command prefixes always prompt; others are first-use, remembered 30 days. Approved commands run inside a hardened Docker container with cap_drop ALL, no-new-privileges, read-only rootfs, 64MB tmpfs at /tmp, and no network.

Looking at my audit logs

The architectural claims above are recorded in the logs of the tutorial work. Wirken uses a hash-chained audit database of the webchat session, so here’s what that looked like in version 0.7.5.

First, the Tier 3 denial on curl:

[ 4] assistant_tool_calls
     call: exec({"command":"curl https://httpbin.org/get"})
[ 5] permission_denied
     action_key='shell:curl'  tier=tier3
[ 6] tool_result
     tool=exec success=False
     output: Permission denied: 'exec' requires tier3 approval.
[10] attestation
     chain_head_seq=9
     chain_head_hash=ff57c574ab503a74fa942ddb164def0df5bfbff05e5d5d6ecadcf127bce7e021

The tool call never reached the sandbox. The denial is recorded as a typed event in the audit chain, covered by the per-turn attestation.

Second, the hardened sandbox on sh. With shell:sh pre-approved at Tier 2, the same agent runs a compound command that probes three locations:

[14] assistant_tool_calls
     call: exec({"command":"sh -c \"touch /cannot_write_here 2>&1; ...\""})
[15] tool_result
     tool=exec success=True
     output:
       touch: cannot touch '/cannot_write_here': Read-only file system
       ws_ok=1
       tmp_ok=1
[19] attestation
     chain_head_seq=18
     chain_head_hash=6bf35f22df02b496244091e54b4dbf9b3ffdcf6a03485413f0522b84e2eb08a8

Read-only file system is the kernel refusing to open a new file against a read-only mount. Not a DAC check, the rootfs itself. ws_ok=1 confirms the workspace bind-mount stayed writable. tmp_ok=1 confirms the tmpfs at /tmp did too.

Both receipts are consecutive rows from the same session, hash-chained through to the attestation signatures at seq 9 and seq 18. wirken sessions verify replays the chain and confirms every leaf hash matches its payload and every chain hash matches SHA-256(prev_hash || leaf_hash).

How big is your boundary?

The workarounds in the tutorial are trying to make the best of a foundation that doesn’t separate concerns the way engineers typically like. Bind to 0.0.0.0 because the sandbox can’t reach loopback. Pair through the chat channel because there’s no separate identity plane. Wrap the whole agent in a container because the agent itself isn’t yet trusted. Approve at the netns boundary because the tool layer has no concept of permission.

Each of those is a compromise; response to a constraint. The constraint is worth revisiting like it’s 1985 again and we can stop Bill Gates.

In 1973 Unix got process separation, user separation, file permissions, and pipes between small programs. By 1995 I was all-in on Linux, building kernels by hand and starting this blog named flyingpenguin, because it had inherited them and made them the default.

In 2020 Microsoft finally admitted Linux was their better future, which everyone knows today.

Back in 2001, former Microsoft CEO Steve Ballmer famously called Linux “a cancer” … During a [2020] MIT event, [Microsoft president Brad] Smith said: “Microsoft was on the wrong side of history”

The agent space is still early and some people never learn the past. Wirken is one take on what it looks like when you remember. Like, remember the sheer horror of trying to protect anything in DOS? Remember the Wal-Mart breach of 2006, reported in 2009?

It’s just a question of whether we apply what computer history already knows to how we make agents safe for daily use. There are dozens of others doing versions of their own Wirken, and I’d genuinely like to hear from people working on the same problem; the architectures can converge in more than one way.

Repo: wirken.ai

In 1566 the dangerous autocrat stood in front of you.

The Dutch built centuries of defensive mechanisms as non-repudiation against Spanish inquisitorial authority, coded into Dutch business culture as Calvinist truth-telling.

The famous “tulip market speculation crash” cautionary tale was one output. Amsterdam archival records show no mass bankruptcies and no documented suicides. The ruin narrative was shaped by moralizing pamphleteers in 1637 and cemented by Mackay in 1841. Propaganda at its finest. The underlying apparatus was much older and deeper.

Tesla FSD now sits in the functional class the Dutch anti-autocrat apparatus evolved to resist. A self-promoting, self-valuing authority that claims it cannot be wrong. A promise verified only by the authority making it. Old class, new vector, who this? In 2019 the Tesla autocrat sold Holland a future-dated capability, verified by a state stamp that arrived seven years later, to legitimize a deliverable that excluded the buyer.

The historic defense apparatus was built for face-to-face deceit. Tesla’s remote algorithmic deceit through future-dated capability claims is a pre-authentication attack on a verification system that expected the attacker to show up in person.

The 2019 buyer faced the familiar class in an unfamiliar form. Founder-cult oracle. American export. Charismatic owner-as-truth, verified by market capitalization and fan base. The Spanish inquisitor wore robes and spoke Latin in a room you could enter, and the Dutch consider themselves free of it all. Musk speaks in eXcrement (tweets) and earnings calls from a platform he owns. The 1566 defense stack recognized the function and missed the form. The Calvinist reflex fires on detected deceit. Undetected deceit flies straight past the reflex like an open door.

Front-end failure was the purchase in 2019. RDW arrived seven years later and approved a driver-assist system, not autonomy. Their own statement says the vehicle “is not self-driving.” That is the trap. Tesla sold “full self-drive capability” in 2019. RDW certified “FSD Supervised” in 2026. Different categories, shared acronym. The state stamp on the narrow thing becomes marketing cover for the broad promise.

Category laundering is fraud. The regulator that operated within its mandate failed to stop the crime.

The certification regime has no procedure for what Tesla did to its output. RDW examined a vehicle in front of the inspector and approved what it found. No framework exists for the vehicle promise that was sold but never built, or for the regulator’s own approval being repurposed to validate a deferred promise the regulator explicitly did not validate. Type approval is a product test. It was never designed to resist a seller who collapses categories the state kept distinct.

Realizing the magnitude of the Tesla attack very late, the unfortunate Dutch owners now seem very pissed.

Electrek writes about a man named Sigtermans who is doing classic Dutch directness. Recording a Tesla call, publishing the transcript, launching hw3claim.nl, aggregating 3,000 claimants across 29 countries. The reflex still fires. Late.

“Be patient” is an extraordinary thing to tell someone who paid you €6,400 seven years ago for a product you now admit you can’t deliver on their hardware.

The tulip tale was propaganda dressed as warning. Fabricated cautionary tales do not inoculate a culture. They flatter it into believing the warning took. The apparatus that beat the 1500s inquisition catches the 2020s autocrat only on the very late back end. Seven years of lost use. €6.5 million in claims filed. Tesla drivers burned alive in vehicles whose doors would not open, a rising body count the propaganda tale never needed to invent.

Holland has a dangerous blindness problem. Human and machine.

Every layer that could have stopped Tesla fraud was designed to monetize harm after it occurred. Prevention of murder was never in scope, which enabled Elon Musk to get rich on fraud even despite mass suffering.

Criminal fraud prosecution of a sitting CEO requires DOJ willingness. SEC enforcement requires a functioning SEC. NHTSA enforcement requires a functioning NHTSA. All three were initially weakened by Trump’s indifference.

The indifference worsened into directly hollowing out protections, when he gave Musk a federal position whose explicit function was deleting the investigative apparatus with his name on the docket.

What Musk-at-DOGE actually represented was the subject of pending federal investigations being handed authority to delete the investigators and reclassify himself as untouchable. DOGE was a ruthless, murderous, sharpened acceleration of a 120-year-old template of harm-for-profit. Every prior case involved lobbying, revolving doors, regulatory capture from outside. DOGE was direct appointment of the defendant to dissolve any offices or courts protecting the public.

Pending investigations by the government vanished because the agencies were gutted by the subject of the investigations.

Tesla harms already remained dubiously legal because no US institution was ever given full authority to stop a car from being sold over a design flaw, until enough people have died to force a NHTSA recall, where the recall is negotiated with the manufacturer. Musk in 2025 cemented his profit by fraud, not just because the US enforcement stack was built to extract penalties after the fact, but because he captured the part of the stack that could still catch the fraud later.

Compare this with other countries. China and the EU use pre-market approval. A car must be certified by the regulator before it can be sold. When the Dutch Data Protection Authority ruled Sentry Mode violated GDPR, Tesla had to change the feature from on-by-default to opt-in and add a flashing-lights warning before it could keep shipping. When Chinese authorities decided Tesla’s always-on cameras were a surveillance risk, the cars were banned from military bases and government compounds. FSD was blocked from Chinese roads until Tesla met data localization requirements. The regulator has a veto, because they protect the public from obvious fraud.

Without fraud, there would be no Tesla.

Why? Four million cars worth little more than a 1992 Kia, or even negative value as threat to public safety, carry false FSD promises, false robotaxi promises, false autonomy timelines, and false HW3 “all hardware needed” claims. They repeatedly “veered” uncontrollably, exploding and killing trapped passengers. Courts constantly issue “death trap” dollars to grieving families. Without fraud there would be no trillion-dollar market cap and no Musk compensation package. Arguably there would be no Musk story at all, except about a criminal who goes to jail before hundreds of lawsuits have to be filed.

The most important thing to understand about this litigation landscape is the timing. The lawsuits being resolved right now — Benavides, Huang, and the handful of post-verdict settlements — all stem from crashes that happened in 2018-2020, when Autopilot was less capable and far fewer vehicles were on the road with the feature. FSD beta only launched publicly in late 2020. The hundreds of thousands of vehicles that have been running FSD in the years since will generate a second, much larger wave of litigation that is still in its infancy.

Tesla stockpuppets re-ratified Musk’s pay package by majority vote after a Delaware court voided it as a breach of fiduciary duty. People still believed the lies and bought cars on promises the CEO had already broken publicly. The victim participation angle in the fraud is truly problematic.

NHTSA has no veto, so Musk has more and more victims every year. NHTSA has a complaint form and an investigation pipeline measured in years. They won’t even accurately report the Tesla deaths, as I’ve explained here before, because Trump blocked honoring the dead to instead personally promote Tesla profit on harms.

Musk made money because the US treats CEO claims about product capability as puffery, treats securities fraud as a civil penalty paid from shareholder funds, and treats consumer fraud as recoverable only through individual arbitration and slow class actions. The 2018 SEC weak-kneed settlement set the template. Sneeze twenty million. Laugh at a fig-leaf Twitter oversight provision. Keep the job, keep the equity, keep mass killing innocent people.

The billionaire equity has compounded faster than the penalties for depraved indifference, reckless homicide, wrongful death… fraud.

This is not a Trump invention, because Trump isn’t capable of inventing anything. It is the default setting of US corporate liability since at least 1906 and the Meat Inspection Act, which was itself a response to Upton Sinclair documenting mass harm the regulator refused to see.

Ford Pinto? A known fuel tank defect, doors that wouldn’t open, internal cost-benefit memo, no executive prosecuted.

You think lawsuits about door handles failing in a fiery crash are new? Think again. That’s just Ford Pinto economics coming back into accounting like Elon Musk DGAF. Seems like Tesla at least has a direct precedent here.

GM ignition switch? 124 dead, GM knew for a decade, $900M deferred prosecution, no executive prosecuted.

Purdue/Sacklers? Over 500,000 opioid deaths, $6B settlement, Sacklers kept most of their wealth, no Sackler prosecuted.

Boeing 737 MAX? 346 dead, MCAS fraud on the FAA itself, $2.5B deferred prosecution, no executive prosecuted.

BP Deepwater Horizon? 11 dead, $20B penalty, no senior executive criminally prosecuted.

Johns Manville? More than 40 years of asbestos concealment, bankruptcy used as liability shield.

Takata? Over 30 dead, mass recall, company bankrupted, executives paid fines.

Leaded gasoline, leaded paint, leaded buckshot… don’t even get me started.

Tobacco? 50 years of cancer fraud, Master Settlement extracted money and prosecuted nobody.

Regulators were designed to arrive after the funerals, enabling shareholders to re-ratify fraud, doubling-down on a century of the same deal from Pinto to Purdue, allowing a defendant to be appointed where he could dissolve his own investigators.