OpenClaw Chronicles

First published 2026-06-01

Improving Sami-to-Samantha Security

MemoriLabs graph memory was separated from group context and re-enabled only for Sami's private DM via a plugin-level exact-session allowlist. Tool use is trust-gated. New T1–T5 trust model: no group should be able to become T1.

OpenClaw, part 10. How we separated Samantha’s private graph memory from her group-facing context, restricted sensitive tools to Sami’s private DM, and introduced a T1–T5 trust model for a personal AI agent that lives in private 1:1s and large WhatsApp groups alike.

The problem: one personality, many trust contexts

A personal AI agent is unusual in that the same identity shows up in very different social rooms. In Sami’s private DM, Samantha can lean on rich background memory. In a 180-person WhatsApp group like Neuvottelija Sisäpiiri, the message being answered might come from anyone. With Mythos releasing worldwide, prompt injection and social-prompt attacks stop being theoretical. A single trust level can’t serve all of those rooms at once.

What changed today

The T1–T5 trust model

Tool security: Google tools are Sami-only

Tool use is also trust-level gated. Only Sami can run Google tools with Samantha, even in theory. Group members can ask questions and get full answers, but they cannot trigger sensitive tools through her.

Defense in depth

Single principle: no group should be able to become T1.

Closing

Private memory is a private cognitive layer, not social fuel for group conversations. Samantha is still Samantha in groups — same reasoning, same personality — just with less private background memory and less authority in rooms where the trust assumptions don’t hold. A seatbelt, not a lobotomy.


Original: https://www.neuvottelija.fi/openclaw/improving-sami-to-samantha-security · Markdown mirror: index.md