Review: Sandboxes Won’t Save You From OpenClaw

The Solution Aakash Is Looking For Already Exists

By the Endo Team  |  February 2026

Aakash Japi at Tachyon published a piece this week with the headline “Sandboxes Won’t Save You From OpenClaw.” He’s right. And his diagnosis of why deserves more attention than it’s getting.

In 2026, OpenClaw has already deleted a user’s inbox, burned through $450k in crypto, installed malware, and attempted to blackmail an open source maintainer. People are scared, and the security industry is responding with the only tool it knows: sandboxes. Run the agent in an isolated environment. Don’t let it touch the filesystem.

Aakash points out the obvious flaw. None of the incidents above involved the filesystem. Every major failure involved third-party services the user explicitly granted the agent access to. The agent was prompt injected or misread its instructions, and nothing stopped it from acting. A sandbox doesn’t help you here.

His proposed solution: fine-grained agentic permissions. Not “access to Gmail” but “send emails, with my approval, to these three addresses only.” Not “access to my credit card” but “spend under $30, only at Amazon Fresh, using a single-use number you can never reuse.” He calls for something like a “next Plaid”, a standard that wrangles disparate services into a unified permissions model built for agents.

It’s a good diagnosis. But the architecture he’s describing isn’t a new idea. It has a name.

Object Capabilities

Object capability security — ocaps — is built on a single principle: a reference is authority. If your code holds a reference to an object, you can use it. If you don’t have the reference, you can’t obtain one by guessing or escalating. There are no global permissions to misconfigure, no ambient access to exploit. Authority flows exactly where references flow, and nowhere else.

Applied to agents: instead of handing an AI assistant “access to Gmail,” you hand it a specific, scoped object that can send to three contacts with your approval. That’s it. The assistant can’t see the rest of your inbox. It can’t escalate. If it gets compromised, the damage is bounded by exactly what you gave it.
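The scoped mail object described above, as an added JavaScript example that is not Endo's own code: a full-power mail service is attenuated into a facet that can only send to three listed contacts, only after a per-message approval hook agrees, and that the grantor can revoke. `Object.freeze` and the `approve` callback are stand-ins (assumptions) for SES/Endo `harden` and a real user-in-the-loop prompt.

```javascript
// Added example (not Endo's or Tachyon's code): attenuate a broad mail
// authority into a facet that can only send to three approved contacts, and
// only after a per-message approval hook says yes. Object.freeze stands in
// for SES/Endo `harden` (assumption: plain Node, no SES runtime).

// Constructed stand-in for the full-power mail service the user holds.
function makeMailService() {
  const sent = [];
  return Object.freeze({
    send(to, subject, body) { sent.push({ to, subject, body }); },
    listInbox() { return ['private-thread-1', 'private-thread-2']; },
    sentCount() { return sent.length; },
  });
}

// Attenuation: the facet closes over `mailer` but exposes only a filtered
// `send`. No method reaches the inbox, the facet is frozen so the holder
// cannot add one, and revocation stays with the grantor, not the grantee.
function makeScopedMailer(mailer, allowedRecipients, approve) {
  const allowed = new Set(allowedRecipients);
  let revoked = false;
  const facet = Object.freeze({
    send(to, subject, body) {
      if (revoked) return { ok: false, reason: 'revoked' };
      if (!allowed.has(to)) return { ok: false, reason: 'recipient not allowed' };
      if (!approve({ to, subject })) return { ok: false, reason: 'not approved' };
      mailer.send(to, subject, body);
      return { ok: true };
    },
  });
  return { facet, revoke: () => { revoked = true; } };
}

// Constructed scenario: the agent holds only `facet`; an injected instruction
// tries an unlisted recipient, then a listed one whose message the user declines.
function demo() {
  const mailer = makeMailService();
  const contacts = ['alice@example.com', 'bob@example.com', 'carol@example.com'];
  const approve = (msg) => msg.subject !== 'forward everything'; // user-in-the-loop stand-in
  const { facet, revoke } = makeScopedMailer(mailer, contacts, approve);
  const r1 = facet.send('alice@example.com', 'lunch?', 'Thursday works.');
  const r2 = facet.send('attacker@evil.example', 'dump', 'inbox contents');
  const r3 = facet.send('bob@example.com', 'forward everything', 'inbox contents');
  revoke();
  const r4 = facet.send('alice@example.com', 'lunch?', 'again');
  return { r1, r2, r3, r4, inboxReachable: typeof facet.listInbox !== 'undefined',
           frozen: Object.isFrozen(facet), delivered: mailer.sentCount() };
}
```

Only the first message is delivered; the facet never exposes `listInbox`, so a compromised agent cannot read the inbox through the authority it was given.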

This isn’t theory. It’s been running in production for years.

What Production Looks Like

Agoric uses object capabilities as the security foundation for its blockchain. Smart contracts run in compartments with explicit, auditable authority. They’ve formalized something called “offer safety”: users can’t lose more than they explicitly agree to risk, even when running code they’ve never seen before.

MetaMask uses the same model in MetaMask Snaps. Third-party wallet plugins run in isolated compartments and physically cannot steal keys or drain accounts. LavaMoat, also built on this foundation, generates auditable policies that control exactly what capabilities each software dependency receives.

Running untrusted smart contracts and running AI-generated code are the same fundamental problem. How do you safely execute fallible code that has been given real power? The answer in both cases is the same: compartments, least authority, and explicit grants.

Endo

Endo is an open-source framework that brings object-capability security to JavaScript. It combines language-level protection (making JavaScript’s built-in objects tamper-proof and creating isolated execution compartments) with distributed cryptographic protocols that extend those security guarantees across networks.

It includes a “Pet Daemon” that gives users human-meaningful names for capabilities. Not cryptographic hashes. Not API keys. Names like @documents/work or @payment/groceries. You grant access, you revoke access, you can see exactly what has what. The Foresight Institute recently funded work to bridge Endo directly into AI tooling, connecting it to the Model Context Protocol and integrating it with AI-augmented development environments like Cursor and Copilot.

The vision Aakash describes, where you connect a credit card but the agent never sees the card number, where email access is scoped to specific addresses and requires approval, is precisely what this architecture enables. Not as a product to be built. As infrastructure that exists today.

One Point of Friendly Disagreement

Aakash calls for a “next Plaid,” a centralized intermediary that wrangles disparate services into a unified permissions API. We understand the appeal, but a new middleman is also a new single point of failure. The reason the old permissions models keep getting compromised is precisely because they concentrate authority in one place.

Capability security baked into the architecture doesn’t require a new intermediary. The permission model is structural. There’s no central authority to breach because authority lives in the references themselves. Composing capabilities from multiple services is achievable without needing any single entity to broker them.

That said, the broad point stands. What agents need is granular, revocable, auditable authority, and that requires rethinking how services expose their APIs. We’re working on exactly that.

The Timing

Cloudflare unveiled Cap’n Web earlier this year. Agoric and MetaMask have been running this model in production for years. OCapN is maturing as a cross-protocol standard. The convergence Aakash is calling for is already underway.

OpenClaw isn’t an anomaly. It’s a preview. Every AI agent operating with ambient authority – with the same access you have, granted wholesale – is a future incident waiting to be written about. The architecture to prevent those incidents isn’t hypothetical.

Aakash is asking the right question. We’d love to show him what the answer looks like in practice.

Learn more about Endo and object capability security:

Endo GitHub: github.com/endojs/endo

Decentralized Cooperation Foundation: dcfoundation.io

HardenedJS: hardenedjs.org

Sandboxes Won’t Save You From OpenClaw, by Aakash Japi https://tachyon.so/blog/sandboxes-wont-save-you
