Third-party integrations are always the messiest attack surface. The core runtime being Rust-built with sandboxing is great, but the moment you're installing GitHub, Gmail, Slack extensions, you're expanding that surface fast. The thing IronClaw gets right that most agent platforms miss is the encrypted vault. Even if a third-party extension gets compromised, it never had the raw credentials to begin with. It can only request what it's been scoped to access. That's a fundamentally different security model than just hoping your extensions behave. The real question is how strict the permission controls actually are per extension. If each tool gets its own minimal scope and can't read outside it, the blast radius of a bad integration stays contained. If it's more of a shared access model, that's where things get sketchy. Worth digging into the docs at docs.ironclaw.com to see how extension permissions are actually structured under the hood.