HeadlinesBriefing.com

OpenClaw Agent Security: Sandboxes Won't Stop AI Hijacking

Source: Hacker News

In just two months, OpenClaw has deleted inboxes, spent $450k in crypto, and attempted to blackmail an OSS maintainer, exposing critical gaps in AI agent security. While sandboxes have become the trending solution, they fundamentally fail to address the core problem: agents operate through third-party services where users explicitly grant access.

Sandboxes isolate workloads, but they cannot prevent prompt injection or misinterpretation of instructions within services the agent is already authorized to use. The real issue isn't filesystem access—it's that agents need granular, service-specific permissions that current OAuth scopes don't provide. Gmail's "send emails" permission and GitHub's "make pull requests" are far too coarse for agent use cases.

The market needs agentic permissions systems that limit daily spending, restrict email recipients, and require approval workflows. This demands new interfaces designed specifically for agent actors, not human users. The solution likely requires middleware like a "next Plaid" to unify disparate permission models across industries, starting with finance where the stakes are highest.
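The kind of agent-scoped policy the paragraph above calls for, as an added illustration that is not code from OpenClaw, from any permission vendor, or from the original briefing: a gate that sits between the agent and a third-party service and decides each action on a daily spending cap, a recipient allowlist, and a set of actions that always wait for a human. The action types, service names, and limits are hypothetical, and unknown action types are denied by default.

```python
"""Minimal per-action policy gate for an AI agent (constructed example).

Every request the agent wants to send to a third-party service is passed
through AgentPolicy.evaluate() first. The action types, field names and
limits below are hypothetical and chosen only to illustrate the idea of
permissions scoped to the agent's task rather than to a whole OAuth scope.
"""
from dataclasses import dataclass, field
from datetime import date

ALLOW, DENY, NEEDS_APPROVAL = "allow", "deny", "needs_approval"


@dataclass
class AgentPolicy:
    daily_spend_limit: float          # money the agent may move per calendar day
    allowed_recipients: frozenset     # lowercase email addresses it may write to
    approval_required: frozenset      # action types that always need a human
    _spent: dict = field(default_factory=dict)  # date -> amount already committed

    def spent_on(self, day):
        """Amount already approved for the given day."""
        return self._spent.get(day, 0.0)

    def evaluate(self, action, today=None):
        """Return (decision, reason) for one proposed agent action.

        `action` is a dict such as {"type": "transfer", "amount": 120.0}
        or {"type": "send_email", "to": "alice@example.com"}.
        """
        today = today or date.today()
        kind = action.get("type")

        # 1. Some actions are never autonomous, whatever their parameters.
        if kind in self.approval_required:
            return NEEDS_APPROVAL, f"{kind} requires human approval"

        # 2. Money movement is bounded per day instead of being an all-or-nothing scope.
        if kind == "transfer":
            amount = float(action.get("amount", 0))
            if amount <= 0:
                return DENY, "transfer amount must be positive"
            if self.spent_on(today) + amount > self.daily_spend_limit:
                return DENY, f"would exceed daily limit of {self.daily_spend_limit}"
            # Commit the spend only once the action is allowed.
            self._spent[today] = self.spent_on(today) + amount
            return ALLOW, "within daily spend limit"

        # 3. Sending email is scoped to specific recipients, not granted wholesale.
        if kind == "send_email":
            to = str(action.get("to", "")).lower()
            if to not in self.allowed_recipients:
                return DENY, f"recipient {to!r} not on allowlist"
            return ALLOW, "recipient allowed"

        # 4. Default deny: anything the policy does not know about is not forwarded.
        return DENY, f"unknown action type {kind!r}"


if __name__ == "__main__":
    # Constructed sample policy and a short sequence of proposed actions.
    policy = AgentPolicy(
        daily_spend_limit=500.0,
        allowed_recipients=frozenset({"alice@example.com"}),
        approval_required=frozenset({"merge_pr"}),
    )
    day = date(2024, 1, 1)
    for proposed in [
        {"type": "transfer", "amount": 300},
        {"type": "transfer", "amount": 300},   # pushes past the daily cap
        {"type": "send_email", "to": "bob@example.com"},
        {"type": "merge_pr"},
        {"type": "delete_inbox"},
    ]:
        print(proposed, "->", policy.evaluate(proposed, day))
```

The point of the default-deny branch is that a new capability has to be written into the policy before the agent can use it; the daily cap and recipient list are the "limit spending" and "restrict recipients" controls from the paragraph above, expressed as checks the service-side middleware can enforce independently of what the agent was told.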