First published 2026-06-01
Improving Sami-to-Samantha Security
MemoriLabs graph memory was separated from group context and re-enabled only for Sami's private DM via a plugin-level exact-session allowlist. Tool use is trust-gated. New T1–T5 trust model: no group should be able to become T1.
OpenClaw, part 10. How we separated Samantha’s private graph memory from her group-facing context, restricted sensitive tools to Sami’s private DM, and introduced a T1–T5 trust model for a personal AI agent that lives in private 1:1s and large WhatsApp groups alike.
The problem: one personality, many trust contexts
A personal AI agent is unusual in that the same identity shows up in very different social rooms. In Sami’s private DM, Samantha can lean on rich background memory. In a 180-person WhatsApp group like Neuvottelija Sisäpiiri, the message being answered might come from anyone. With Mythos releasing worldwide, prompt injection and social-prompt attacks stop being theoretical. A single trust level can’t serve all of those rooms at once.
What changed today
- MemoriLabs graph memory is now treated as private, high-trust memory. It is no longer a general-purpose context source for every conversation.
- It was separated from the other memory layers: lossless conversation memory, permanent Karpathy-style wiki
.mdmemory, and public-safe group context. - WhatsApp groups no longer get direct access to MemoriLabs. Samantha still participates, reasons, summarizes, and helps — without silently injecting private graph memory into group answers.
- MemoriLabs was re-enabled only for Sami’s private DM. A plugin-level allowlist guard permits MemoriLabs only for that exact direct session. WhatsApp groups, other direct chats, Telegram, Discord, cron jobs, and unknown contexts are denied by default.
The T1–T5 trust model
- T1 — Sami’s private context. Highest trust. Can use private graph memory and sensitive tools.
- T2 — Trusted small contexts. Limited shared-safe memory, no private graph injection.
- T3 — Trusted groups, e.g. Neuvottelija Sisäpiiri. Full, useful answers, no private memory injection, no sensitive tools.
- T4 — Lower-trust public or semi-public contexts. Stricter limits.
- T5 — Low-trust or unknown contexts. Fail closed.
Tool security: Google tools are Sami-only
Tool use is also trust-level gated. Only Sami can run Google tools with Samantha, even in theory. Group members can ask questions and get full answers, but they cannot trigger sensitive tools through her.
Defense in depth
- OpenClaw-level conversation access gating
- plugin-level Samantha privacy guard
- exact-session allowlist for Sami’s T1 DM
- fail-closed behavior for unknown contexts
- recall timeout protection so slow memory calls fail cleanly
- a re-applicable patch script so the guard can be restored after plugin updates
Single principle: no group should be able to become T1.
Closing
Private memory is a private cognitive layer, not social fuel for group conversations. Samantha is still Samantha in groups — same reasoning, same personality — just with less private background memory and less authority in rooms where the trust assumptions don’t hold. A seatbelt, not a lobotomy.
Original: https://www.neuvottelija.fi/openclaw/improving-sami-to-samantha-security · Markdown mirror: index.md