Since I started using OpenClaw earlier this week, I had a really hard time wrapping my head around interactions between sandboxed agents and how it relates to the Lethal Trifecta. To make them useful, you need to be able to transfer data between them. At the same time you have to be very careful to not mend any broken legs of the trifecta by whatever mechanism you choose for data transfer between the agents — I wrote about this in my previous post. So I built BreakLeg, a tool that attempts to visualize just that.
The Lethal Trifecta: A refresher
If you haven’t yet, you should definitely read Simon Willison’s post on the Lethal Trifecta. To summarize:
If an AI agent or a pipeline of AI agents have
- Access to private data
- The ability to make outward connections to the open internet (from now on called “Exfiltration”)
- Consume untrusted content
then it can NEVER be secure. Because of the LLM’s probabilistic nature it can’t be trusted. Unlike deterministic systems (which were and are the norm in computing), a well crafted malicious website might coerce the AI agent to send all your passwords to your unfriendly neighborhood hacker.
To make it secure, you have to take one of the capabilities above out of the system: You have to break one leg of the trifecta.
Thinking is hard, remembering is harder
In the beginning, there was only one agent on my server: All capabilities, root access to my server and full access to all communication channels. It is pretty easy to understand that this is not safe. So I decided to break its legs. Remove all outbound network access. With the exfiltration leg gone, gone is also the danger proposed by the Lethal Trifecta. But gone also is a big chunk of the agent’s autonomy, since it can’t search the web anymore. So I added another agent in its own sandbox, my Researcher. It can search the web but has no access to any private data, making it safe as well. Since I only directly communicate with my Main agent I need it to have access to the research results of Researcher. Just copying the files over from Researcher to Main is done easily enough — but is it then still safe? Or did we mend their broken legs and in turn are exposed to the full trifecta again? Add a third or fourth agent into the mix, and now you can only hope that nothing goes wrong.
To make reasoning about this easier, I took some time to develop a tool that visualizes connections between agents and what implications for security these connections might have.
What BreakLeg does
BreakLeg lets you design your agentic setups via drag and drop, giving you instant color feedback if the algorithm thinks you are exposed to danger by the Lethal Trifecta. You can save created pipelines to your browser. None of the data you input ever leaves your machine other than exporting it in JSON.
Every time you change the pipeline, the analysis runs on it and informs you of the result immediately.
The analysis runs three passes over your pipeline:
- P-scope propagates from nodes with private data access
- U-scope propagates from nodes with untrusted content exposure
- E-scope propagates backward from nodes with exfiltration capability
Any node at the intersection of all three is a violation, even if no single node has all three capabilities directly.
A simple way to make it safe is to add a human sign-off process at critical places. This of course takes autonomy away from the agent, which is not necessarily desired. After all, we want it to do work for us. This is precisely why this tool exists: Design pipelines of agents that have as many autonomous capabilities as possible, while still being as secure as possible.
Try it
Load one of the examples to see a violation and a fixed version side by side.
A note on what this is (and isn’t)
BreakLeg is a design-time thinking aid, not a security certificate. It cannot account for implementation details, misconfiguration or unknown attack vectors. It might classify your pipeline as safe when it isn’t. Use it to think through your setup while you are building, not to certify that your current setup is safe.
What’s next
I will improve BreakLeg while I use it, so expect things to change. Making the code open source will happen in the coming days as well. Until then you can catch me on socials: