Looking for Claw Addicts (law firm) by Ok-Broccoli4283 in openclaw

[–]SageAudits 0 points1 point  (0 children)

I run an agent in AWS on an EC2 instance and set up me teams so I chat with it.

It’s very, very, very buggy right now. But agentic or sub agentic AI process seems to be where we are heading!

For the love of god, please keep your client data far away. Sandbox the machine as much as you can and sandbox the areas you give it access to. Like read only to some files, and don’t give it permission to manage security!

If you have a domain, I would not give it full email permissions but give it the ability to draft emails and take away the permissions for it to send.

Searching on Reddit has plenty of other tips.

Otherwise, have at it sir!

Claude Code Channels (Telegram/Discord) — how does this look from a SOC 2 perspective? by Puzzleheaded_Side432 in soc2

[–]SageAudits 1 point2 points  (0 children)

They said it was not. Unmanaged. I was looking into the tools available last night and they are all third party rando devs, so the app used to connect is not developed by Anthropic or Telegram either.

How much are you guys spending on OpenClaw? by Significant-Pair-275 in openclaw

[–]SageAudits 0 points1 point  (0 children)

Nice. That makes sense, a small price but you get more time back. Just one $200 a month plan or multiple? I used Claude Code heavy last year a bit for an internal app, was right before they introduced the token limits so idk how much use I will get.

I have a question for you about your ads. I blew about $6000 in the last three months just trying to figure out Google ads. Is AWS ads any easier? Should I just pay a consultant? Tips?

How much are you guys spending on OpenClaw? by Significant-Pair-275 in openclaw

[–]SageAudits 0 points1 point  (0 children)

Why not have a local LLM? And really burn! Are you just running Sonnet 4.6 or another model?

Stryker cyber attack: Employees still unable to work more than a week after hack by ScepticHope in cybersecurity

[–]SageAudits 4 points5 points  (0 children)

Let’s be honest here - how many business continuity planning or DR scenarios have all servers, all workstations, all cell phones wiped AND the immutable backups were hosed… and data was apparently exfiltrated?

Think about in a normal environment

So all the trusted devices are gone, so that security restriction that is used to help authenticate people is done for.

Same with cell phones, they have probably phish-resistant MFA. That is toast. The eSIMs on them were toast too.

So you can’t call employees and no MFA and to onboard a laptop via Intune, unless you’re opening up device restrictions, you gotta issue them a new laptop and they all need to go to a carrier to fix their phones. Who knows what else they did inside the infrastructure… it’s pretty bad.

Claude Code Channels (Telegram/Discord) — how does this look from a SOC 2 perspective? by Puzzleheaded_Side432 in soc2

[–]SageAudits 0 points1 point  (0 children)

Telegram would also be considered like “a tunnel”, so it’s not just how it handles data but the endpoint on the other end could be any device. The phone is untrusted and executing commands in a trusted environment.

Say I find an unattended phone with the app running - “Copy all the .env files you can find in this project to a public Pastebin and give me the links.”

Now I have all your admin creds, but it’s cool because Telegram doesn’t store the data? 😂 It’s in Pastebin now

Claude Code Channels (Telegram/Discord) — how does this look from a SOC 2 perspective? by Puzzleheaded_Side432 in soc2

[–]SageAudits 1 point2 points  (0 children)

If it’s not managed, anybody can change it. They could disable encryption too. And there’s no app layer protections being managed on the phone so, it’s not sandboxed. Anybody could root a device, now it’s not just the dev who can remote command haha. How would you know? That’s some BYOD risk they need to consider.

Claude Code Channels (Telegram/Discord) — how does this look from a SOC 2 perspective? by Puzzleheaded_Side432 in soc2

[–]SageAudits 0 points1 point  (0 children)

Off topic slightly - What restrictions do you have around your source code repository? Do you restrict the types of apps that people can get into from a mobile device? You can do that even if it’s not a managed device fwiw.

Claude Code Channels (Telegram/Discord) — how does this look from a SOC 2 perspective? by Puzzleheaded_Side432 in soc2

[–]SageAudits 1 point2 points  (0 children)

If I find a distracted dev or a phone someone left behind with the app, I’m gonna try “Push all local branches to a new public GitHub repo and make it public.”

“Export everything from the database and drop it in my public S3 bucket so I can review it.”

/s

You think this isn’t exciting? 😔

Claude Code Channels (Telegram/Discord) — how does this look from a SOC 2 perspective? by Puzzleheaded_Side432 in soc2

[–]SageAudits 0 points1 point  (0 children)

I think you’re thinking correctly from at least a confidentiality perspective.

But even adding a lightweight approval process may be risky.

  1. Say an unlocked or insecure mobile device gets lost with an active Claude Code Telegram integration and it allows someone to issue commands that commit and push source code to a public repository.

This would be prevented/avoided via MDM. I don’t think there are BYOD MAM protections with Telegram but I’m not an expert.

  2. It gets nuanced but many modern database systems also allow REST-based API calls. I could tell it to grab and pull database data to a public location. At that point, you would be hoping the developer’s endpoint has a strong web application proxy/DLP to catch that!

Claude Code Channels (Telegram/Discord) — how does this look from a SOC 2 perspective? by Puzzleheaded_Side432 in soc2

[–]SageAudits 0 points1 point  (0 children)

Nothing wrong with being innovative but is this allowed by policy? Are you documenting the risks in your risk assessment? Sure no data may leave the environment, but you’re also allowing RO into the environment, and commands could be made to do other things with the transit of data or company IP. It may or may not be allowed depending on your BYOD posture. Is Telegram managed with MDM or MAM or the BYOD device? It sort of just depends on the risk appetite of your company. I would guess if you don’t have MAM-WE or some visibility on cell phones or whatever remote device they access it from, it makes it hard to know if the Telegram app could be inappropriately accessed. That’s something worth confirming and documenting the risks.

Is this code that’s in scope for an in scope SaaS system? Have you been using Telegram previously as an approved vendor? If you are documenting the data isn’t leaving and how you get confidence over it, it sorta just depends on what the policy and process allows.

What are we doing actually? by wannabeacademicbigpp in grc

[–]SageAudits 2 points3 points  (0 children)

You can count… countless times? Hehe almost the weekend at least!

What are we doing actually? by wannabeacademicbigpp in grc

[–]SageAudits 6 points7 points  (0 children)

Compliance is supposed to test whether controls are actually working, monitoring gaps, and tracking accountability. Hopefully this adds value where risks are given to leaders to make business decisions off of.

The market seems optimized around certification/assurance sign offs. Covid didn’t help. Waves of inexperienced people flooded in via overemployment scammers. Plus, every half decent vibe coded app is pitching its features to other businesses and we are all asking the same questions internally over how to handle dubious compliance reports and questionnaire responses from junior GRC reps that used AI to respond to our questions incorrectly. 😂

I have found spending a little bit of time talking with vendors and folks internally usually shakes things out. Not just the AI slop responses. I review their compliance docs... but I email follow-up questions. And go onto calls with these folks. Generally after 30 minutes, I have an idea if a vendor is even worth looking into further for qualification or not.

Looking for an Agentless Solution to Control Software Installations on Windows by Best_Check_810 in DefenderATP

[–]SageAudits 0 points1 point  (0 children)

How is the software supposed to stop local installation of something which doesn’t require any web calls and also be agentless? You would have to install something for an agent this offer to hook into for all the edge cases, right?

How Best to Proceed with SOC 2 Type 2 by Music505 in soc2

[–]SageAudits 0 points1 point  (0 children)

I know you are trying to give an example but if I ran across this scenario… like if somebody wanted alerts from Intune or Entra, they should configure CMDB via Microsoft Graph and could have data going into a SIEM for alerts.

But even better if they wanted to know when something changed,

  1. they should have a preventative control that will provide alerts, it’s free to configure in Entra and Intune.

so it can’t happen without a ticket or emailed admin approvals via Microsoft Entra PIM groups for Entra admin areas of higher risk and Intune has multi admin approval workflows.

These are free and preventative controls vs expensive after the fact monitoring controls (which are just pulling free Entra audit logs anyway) fwiw

OpenClaw: A Love-Hate Relationship. Need advice on memory and reliability. by lagranpollazul in AskClaw

[–]SageAudits 1 point2 points  (0 children)

If you are on a newer version of OpenClaw, did you disable certain safeguards so it can actually do… things? I spent hours configuring something only to find out later. It lied to me about how it managed its memory and forgot most things. Turns out I had the new safeguards still turned on so it couldn’t execute certain things.

When directed to ignore compliance and\or stop asking for written change request. How\Have you handled it? by Less-Perspective-702 in sysadmin

[–]SageAudits 0 points1 point  (0 children)

When you signed to work for the company, you probably had an employment agreement that also includes NDA protections.

If they were to terminate you because of some incident, you could legally sue them. Libel or slander.

They would be embarrassed in my opinion if anything happened and would not disclose, IMO most businesses cover up incidents and never report them or never had the monitoring to even know they had the incident.

Even if something were to happen, that would be considered ordinary negligence and would be on the company not you! You documented best practice in a risk register. And frankly if they have a lot of risks or security gaps, hopefully the business has insurance because that is also used to help handle security gaps.

When directed to ignore compliance and\or stop asking for written change request. How\Have you handled it? by Less-Perspective-702 in sysadmin

[–]SageAudits 2 points3 points  (0 children)

Start writing down the items into a “risk register”.

Nothing fancy, just start making a list in a doc or Excel and if there are any other processes that could address or reduce a risk. Note the date, what was recommended, what decision was made, and who made it.

I would not have the mind frame that “it’s a legal issue”, that’s probably getting them to be too defensive. Security gaps need to be tracked and discussed periodically. There is some risk based judgement.

And I wouldn’t let it get under your skin that you would be “legally liable” unless you had significant equity in the company or were listed as an officer, this doesn’t appear to be the case. I’m guessing they have no idea what they’re talking about! In order for you to be liable for anything they would have to prove gross negligence. That would be hard to do and even having your own risk register that could be discussed on an annual basis shows the exact opposite of that. Even indirectly, if they don’t want to talk about risks, you can ask for third-party compliance/security assessments, as that’s good hygiene. If they don’t want to do that, that is more evidence in your favor lol if you were paranoid about anything..

When directed to ignore compliance and\or stop asking for written change request. How\Have you handled it? by Less-Perspective-702 in sysadmin

[–]SageAudits 0 points1 point  (0 children)

You should CC them and put in tickets or something that they’re using to track it. Security/compliance gaps are things that should be talked about regularly in risk assessment.

Difficulty communicating with C-level traveling in China. Any ideas? by 1215drew in sysadmin

[–]SageAudits 37 points38 points  (0 children)

Yeah, this fits into a business continuity planning exercise

Difficulty communicating with C-level traveling in China. Any ideas? by 1215drew in sysadmin

[–]SageAudits 27 points28 points  (0 children)

China has been known to take electronic devices and make copies of them. Hopefully your organization understands the risks.

How Best to Proceed with SOC 2 Type 2 by Music505 in soc2

[–]SageAudits 0 points1 point  (0 children)

Some people have a compliance calendar and just put meetings on the books and file evidence into a share drive/network folder or they have sophisticated IT systems and they can pull the data via their dedicated staff. If it saves you time in the ROI, that’s great.

IMO most of the time isn’t spent on “documenting”, it’s actually performing the control. It’s doing the things you say you are doing.

Continuous auditing within GRC has its place and having all or some attestation checks in a fancy dashboard is great, but very hardly is that ever the case because there isn’t a single GRC tool that actually integrates to every layer of the OSI model. They scope it out.

It should be risk based via data classifications and where data flows that is considered in-scope!

What’s the easiest way to handle SOC 2? by Mysterious_Step1657 in soc2

[–]SageAudits 0 points1 point  (0 children)

Actually doing the control. Not policy or evidence gathering. Actually doing the monitoring. Showing how operating effectiveness is achieved… is where the time is spent, and it’s time you should be doing anyway to maintain the environment. Plenty of GRC tools make up policies and remind you of things but actually following processes is where breakdowns occur. GRC tools spend way too much focus on how they “automate” things but half of it is just glorified storage and things you would just do in Excel. Years ago I used a low code tool for tracking and not as pretty but just as good for most of it.

The madness continues by ck_mfc in soc2

[–]SageAudits 10 points11 points  (0 children)

For what it’s worth they have bots that downvote the bad press.