This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
Can you speak a little bit more to the stats in the OP?
* 135k+ OpenClaw instances are publicly exposed
* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
Is this accurate? This is definitely a very different picture then the one you paint
That’s surprising, as the OpenClaw installation makes it pretty difficult to run without auth and explicit device pairing (I don’t even know if that’s possible).
The problem is that a lot of users of OpenClaw use a chatbot to set it up for them so it has a habit of killing safety features if it runs into roadblocks due to user requests. This makes installations super heterogeneous.
I agree—it looks like the OP didn't provide any sources for these numbers either. That's why I would have hoped that the original maintainer had a better set of metrics to dispute them. It doesn't seem like he does though :(
Those numbers aren't in the CVE. You introduced them, attributed them to a source that doesn't contain them, and now you're disclaiming them. Where did they come from, and what was the goal of sharing them?
The numbers were in the post when I clicked through and when I made the comment. It looks like the HN moderators have since changed the link for the post to go to the CVE entry. However, my comment was about the reddit thread, not the CVE entry.
Steinberger has a vested interest in protecting his, and OpenAIs reputation from the ramifications of serious in-the-wild exploits like this.
Or inviting any legal or regulatory scrutiny.
They don’t even read the code in any serious capacity so excuse me for not taking any assessment of the situation from him too seriously. Might as well just ask Claude Code to assess it yourself.
Welcome to the world vibe coding created. The fun is only just beginning.
Hard disagree. Vibe coding isn't responsible for people not doing the slightest due diligence when running this (pardon my French) shit. You can vibe code stuff and keep it at a much higher quality. And you can check who did the vibecoding and how they approached it, so the burden also falls on the person running the stuff to understand what they're running. This isn't an enterprise level application that has a full team behind it that had an issue. This is a pandora's box vibecoded overnight for fun, full of stuff we don't even know about, that was opened the moment you touched it with a stick.
Vibe coding means you don’t (or can’t) read the code. It does not mean anything an agent writes is vibe coded.. If you’re reviewing the code after the agent writes it, you aren’t vibe coding.
Steinberger has said he doesn’t look at (most) the code.
In my experience, most garden variety security problems stem from a) the developer not understanding the implications of something (maybe because they’re new, or operating outside of their usual domain,) or b) the developer not paying close enough attention to realize they did something they know is stupid. We’re only human.
Vibe coding obviously doesn’t make something insecure, per se, but saying it doesn’t reduce the attention paid to any given line of code, or encourage less knowledgeable people to write code, seems pretty dubious to me.
The Claude Code team is clearly competent and professional, yet they accidentally published the proprietary source code for one of the world’s hottest products. That’s like a Bank manager walking away with the keys in the door and alarm disarmed. When’s the last time you heard of a human team of developers doing that?
Again, I’m not saying that vibe coding necessarily creates unsafe code, but I don’t see how anyone could say vibe coding was devoid of security implications. I think this is an organizational/logistical problem that we’ll figure out at some point, but in think it’s going to be more of a C buffer overflow ‘figured out’ that never really goes away.
Very reasonable take, I agree 100%. But I don't you're putting any responsibility with users of the such very vibe coded apps. OpenClaw was primarily marketed towards devs and people in touch with IT. They should know better.
Honestly that seems like total guesswork. There's a lot of FUD going around, or people running portscans and assuming just because they detect a gateway on a port, that they can connect to it. That’s not the case.
> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
What exactly does this mean? You have contracts with these companies? People who work for them contributed sometimes in the past to openclaw repository?
Jensen mentioned on a podcast (sorry I don’t have a link on me, it was either the all in podcast or Lex Friedman) that they are helping support and harden on the security side, and that he considers it like the “iPhone moment”
Most of these larger players are interested in supporting anything that helps grow the ecosystem so broadly.
My reply which was not an attack was detached from this sub thread as an attack. All I did was ask a clarifying question about why Telegram and Discord were specifically called out in this reply despite not being mentioned by the OP at all. I'd still like an answer to this question.
Just a heads up that everyone can still see the comment you made on your profile because it wasn't removed by moderator action. It was downvoted to oblivion because it was an attack on another user for using AI.
That user said that they use OpenClaw to scrape city meetings for context so that they can more efficiently participate in local politics. You then attacked them, accusing them of "leaving AI slop comments on public city meetings", which isn't what they said they were doing at all.
I see absolutely no problem in using AI to summarize large quantities of information (such as a collection of city meeting notes). Summarization is one of the places that AI really shines right now, and if it helps people wrap their head around what is happening in their communities, good!
I understand a healthy skepticm of AI. Everyone should have some degree of that. But maybe avoid the urge to publicly shame people for their use of AI, especially on a site like this where that won't be received well. Or, if you're going to offer criticism, show some tact.
You're referring to a different comment. This is the comment I left which was removed, word for word,
> What does Telegram/Discord have to do with anything? The OP never mentioned either of these software suites. In fact the only mention of Telegram anywhere in the entire thread is you copy-pasting this exact message.
That is genuinely horrifying. I wonder what the stats are for an average "artisan, hand-typed" project would be if it got as much attention as OpenClaw has. But 1.8 CVEs a day should scare any rational people away from the software... right? Surely?
I’m not an openclaw user or a vibe coder but - the use case of OpenClaw is “give me access to all of your data, programs and information, and I will make decisions and do stuff without asking you permission”. It’s the MO of the project. Even if it was perfectly designed, I think it would have more RCEs by the fact that the Venn diagram of use of the app and high risk areas are a perfect circle
I'm OpenClaw user and I never would do that. You can do with OpenClaw that, but it is definitely not the only use case, and I would argue that not even the one that makes sense overall. Most people want to be careful which decisions you want to outsource and which not, and you can direct the AI to work however you prefer. Personally I have developed some projects with OpenClaw, and it does have very limited permissions.
I don't use OpenClaw, but I still run my Claude Code and Codex as limited macOS user accounts and just have a script `become-agent <name> [cmd ...]` that does some sudo stuff to run as the limited user so they don't have any of my environment or directory access, or really any system-level admin access at all. They can use and write to their home directories as usual, which makes things easier to configure since those CLI harnesses really like when $HOME is configured and works as expected.
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
This is why kernel-level sandboxing matters. I use a sandbox name greywall that enforce filesystem/network isolation at the syscall level (Landlock + Seccomp + eBPF on linux, sandbox-exec on mac).
I do disagree about unix system were designed for this kind of stuff. Unix was not designed for an agent to act like you and take decision for you...
The entire Von Neumann architecture is not suitable for agents.
Putting data and instructions in the same memory was always a bad idea - LLMs just took this to the extreme by making data and instructions the same thing.
I think it depends on your philosophical approach to agency or personas. Unix groups allowed individuals to share directories with various levels of access. The assumption was those were people. Agents are philosophically people in so far as they exercise agency. They can do things via the file system. They are just non organic agents. The basic Unix permission system can still work with them.
> Yes, if/since that user have no access to your apple id and keychain...
Right, these are system accounts. They don't have access to anything except their own home folder and whatever I put in their .bashrc. `sudo` is a pretty easy sandbox by itself and lets me manage their home folders, shell, and environment easily just with the typical Unix-isms. No need for mounting VM disks, persisting disk images, etc.
I don't need virtualization to let Claude Code run. I just let it run as a "claude" user.
Well, such things were to be expected.
It's easy to bash on all the people who haven't gotten the necessary IT understanding of securing such things. Of course, it's uber-dumb to run an unprotected instance.
But at the same time, it's also quite cool that so many people can do interesting IT stuff now.
I'm thinking basically it's a trade-off. Be able to do great stuff, live with the consequences of doing that without proper training.
Like repairing your car yourself. You might have fun doing it, it might get you somewhere, but you have to accept that if you have no idea about cars, you just introduced a pretty big risk into your life (say if you replaced the brakes or something).
But yea, security, privacy, fighting climate change, all very much on the decline - humans doing cool things, ignoring important things - we'll have to live with the consequences.
The biggest problem is the people who don’t have the necessary IT understanding to secure such things are probably completely unaware this is even happening.
Yeah... The bill is already being paid. I wonder how the life quality of my nephew (and other children) of 5 years old today will be in the near future..
With your car example, you also assume the risk unto others. If your "chopper" of a car hits and kills someone else, and you survive, you're paying for the consequences of that. I don't think it's cool that untrained people can do interesting IT stuff now. I see it as a huge liability where some unsecured instance pwns the internet, then it's some 12 year old that gets marched in front of congress and everyone goes: "wtf?" There's essentially no accountability and the damage is still done.
Title is a bit misleading, no? You have to have openclaw running on an open box. And the post even says "135k open instances" out of 500k running instances? so a bit clickbait-y
The 135k number appears to be pulled out of thin air? No idea where the 65% comes from. The command the post gives to list paired devices isn't correct. These are red flags.
It's pretty reasonable though, a lot of OpenClaw instances are hosted on a VPS, this is not unsafe.
My interpretation is that 135k instances are vulnerable, but of those there's more conditions that need to be met, specifically:
These need to be multi-user systems where there are users with 'basic pairing' privileges. Which I don't think is very common, most instances are single-user.
So way less than the 135k number. I think a more accurate title would have been "If you're running OpenClaw, you are probably vulnerable" but not "you probably got hacked", that's just outright false and there's no evidence that the exposed users were ALL hacked.
You know you’re getting into zealot territory when people are arguing semantics over the headline pointing to a zero authentication admin access vulnerability CVE that affects a double-digit percentage of users.
Thank you for the reality check. I like to assume people are coming from a certain baseline on HN, but I sometimes forget that certain topics have a passionate user base represented.
Does it really? Digging up the data from example the 135k instances in the open reeks like bullshit, I would suspect several other claims are exaggerated as well.
> Digging up the data from example the 135k instances in the open reeks like bullshit, I would suspect several other claims are exaggerated as well.
Do you so stringently examine most CVEs? I’ll bet you don’t. Are you a big fan of this project? I’ll bet you are. Do you have any actual data to counter what they said or do you just sort of generally not vibe with it? If so, now would be a great time to break it out while this is still fresh. If not…
They are pointing out the data provided does not appear to be real. There is no credible link to this 135k number. They do not need to provide a number, as one does not appear to exist.
It’s also only 65% of those that have zero authentication configured, according to that post (which I have done nothing to confirm or challenge at all… Frankly I wouldn’t touch OpenClaw with a ten foot… cable?) That said, I think it’s far more important to get people’s attention who might otherwise not realize how closely they need to pay attention to CVEs than it is to avoid hyperbole in headlines.
Because 20% is not “probably got hacked” and overstates the problem for most users.
That doesn’t mean this isn’t a critical vulnerability, and I think it’s insane to run OpenClaw in its current state. But the current headline will burn your credibility, because 80% of users will be fine with no action, and they’ll take future security issues less seriously as a result.
All the numbers you are using appear to be made up by the reddit poster. I say that as they provided no citation to them (for all I know they got them from an AI). I attempted to verify any of the numbers he used and could not. By exaggerating the numbers he is crying wolf.
Open Claw cannot be made "secure" by any normal definition of the word. Unless I'm very much mistaken, fundamentally it's a tool that lets LLMs do stuff.
So you take the output of an LLM, which is obviously impossibly to guarantee correct, and use that to choose a tool and execute it. Like, send an email or whatever. And you take the input for that LLM not only from prompts, and various files, but also your system and random stuff you download from the internet.
I am telling you people, this is lunacy. No good can come of this.
Edit: Default binding was to 0.0.0.0, and if you were not aware of this and assumed your router was keeping you safe, you probably should not be using OpenClaw. In fact some services may still default to 0.0.0.0: https://github.com/openclaw/openclaw/issues/5263
Since pretty much the beginning it wasn't and the documentation explicitly warned not to make it public, exposing it to the internet. It included information on how you can properly forward the gateway port to your machine without opening it up to the internet.
I’m surprised people are still using OpenClaw. I assumed they’d have switched to Nanoclaw or Nemoclaw. Is OpenClaw just that much better, or is it all inertia?
None of them, but prefer ones written with engineering rigor and security in mind. Having an unvetted plugin ecosystem with code that runs unsandboxed is laughably naive
OpenClaw has over 400+ security issues and vulnerabilities. [0]
Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
Most of the people using it probably don't even know what SSH is, let alone using a VPS to maintain a personal bot for them for years with no maintenance. They know Vercel and Supabase. They will run it on their local machine and just keep clicking yes to everything until they get the result they want.
That is not how the software works.. I take it you have no first hand knowledge with this stack? This isn't a double click the exe and you are off the races. The hostinger vps is actually the easiest way for a normie to get this running.
This is not true. It is useful without having access to a single account of mine. My setup runs on its own accounts and hardware. Obviously it is not sending out emails from my inbox, but that is not a usecase of any value to me. And if it was, there are actually plenty of ways to do that safely as well.
If you think you need to give it the keys to your kingdoom to be useful, you are not actually experimenting with this stack but regurgitating the words of others. I really don't understand the mindset of comments like this.
> Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
I'd say that it's a given that we live in a world when your LAN is infested with compromised and hostile devices: from phones (spying devices) to home automation (spying chinese webcams) to TVs (with the TV's microphone listening 24/7 to everything people are saying) to chinese routers (which, yup, have backdoors for the chinese state) to that corean soundbar to really whatever enshittied device the world of enshittified turds we live in can come up with.
It is a fact of life that compromised, insecure, backdoored and at times all three of these shall find their way to our homes and appartments...
And it shouldn't be an issue.
What I mean by this: machines could be scanning my local networks and even maybe determine that this box at this IP is running Linux and... It still should be able to do exactly jack fucking shit with that information.
We must all learn to secure our devices for the Internet of Insecure and Enshittified Things is moving forward at godspeed. And if you think OpenClaw on its own device on your LAN is bad, wait until all the companies that were already selling enshittifed devices since years realize they'll now be able to enshittify those even more by slapping OpenClaw (or the equivalent) on their devices.
These insecure turds are all going to get a big boost of insecuredness, this time AI powered.
I'd say: bring it on. I'm ready. We all should be.
> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
But coding is solved? Why do you need those guys if all they do is use claude code? Just have it solve it overnight. You forgot to prompt "make it secure pls"?
They didn't say the "folks" from those companies were engineers! Maybe it's a group of PMs from Nvidia, ByteDance, Tencent and OpenAI that are working to harden the codebase.
With respect...Security through obscurity is dead. We are approaching the point where only formally verified (for security) systems can be trusted. Every possible attack will be attempted. Every opening will be exploited, and every useful combination of those exploits will be done.
LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.
Think of all the people that are too ignorant to even understand the basics of any of this that are running OpenClaw. They will be completely unaware and attackers can easily hide their tracks by changing system prompts (among plenty of other things).
Honest question: What do people actually USE OpenClaw for? The most common usage seems to be "it reads your emails!", that's the exact opposite of "exciting"...
I've only been playing with it recently ... I have mine scraping for SF city meetings that I can attend and public comment to advocate for more housing etc (https://github.com/sgillen/sf-civic-digest).
It also have mine automatically grabs a spot at my gym when spots are released because I always forget.
I'm just playing with it, it's been fun! It's all on a VM in the cloud and I assume it could get pwned at any time but the blast radius would be small.
But he already did this. With a bonus of it will continue to work in the future if something breaks or changes. Human time is more precious than computing resources nowadays.
I use it for a side project. I just put it on VPS, and then it edits the code and tests it. The nice thing is that I can use it on the go whenever I have spare moment. It is addictive, but way better addiction than social media IMO.
The thing where you give it access to all your personal data and whatever I haven't done and wouldn't do.
I use it to manage a media server. And use natural language to download movies and series. Also I use to for homeassistant so I csn use natural language for vacuuming the house and things like that. I do use it for a number of other tasks but those are the most partical.
I don't use this one, but a simpler one, also running on a vps. I communicate via telegram.
I say to it: check my pending tasks on Todoist and see if you can tackle on of those by yourself.
It then finds some bugs in a webapp that I took note. I tell it to go for it, but use a new branch and deploy it on a new url. So it clones the repo, fix it, commit, push, deploy, and test. It just messages me afterwards.
This is possible because it has access to my todoist and github and several other services.
I use it mostly for the crons, it runs a personal productivity system that tracks my tasks, provides nudges, talks through stuff etc. It's all stored in an Obsidian vault that syncs to my desktop. I don't use it to control email/calendars or other agents.
I was asked by someone recently to try to set up an OpenClaw that would search for ordinances and other land registry information for all 3000+ counties/parishes in the USA to obtain and distill specific details on their support for building tiny homes.
Claude Desktop and Code are built for synchronous, human-in-the-loop interactions. Scraping 3000 janky municipal websites, you need a "fire-and-forget" background worker. Claw lets you kick off a massive job and just get a ping when it's done.
I'd also instantly hit Claude Desktop's rate limits with this I reckon. Since Claw uses APIs, you bypass those limits and can route the messy scraping to cheap models, saving expensive ones for the actual analysis. It also handles Playwright integration and state persistence out of the box so a crash doesn't wipe your progress.
If I'm wrong, I'm open to learning. I'm as new to this as everyone :)
My main takeaway message is: models (even opus4.6) do not follow security "instructions" reliably. In OpenClaw, they added security warnings, tags, random IDs... None of these countermeasures work reliably. Even sandboxing can be escaped (not in the classical sense using vulnerabilities, but using multi-layered prompt injection payload with natural language only)[0].
As soon as untrusted content is injected in the context, do not trust any actions downstream.
Agent based chron jobs mostly that work with other agents. It’s really nice if you want to tell your computer to do something repeatedly or in confluence with many other agents in a very simple way. Like check my email for messages from Nadia and send me a notification and turn on all the lights in my driveway when she gets there without having to actually get into the nuts and bolts of implementing it. It’s actually really powerful and probably what Siri should be.
I think this is close to the head of the nail. It kinda unlocks handling novelish asks that previous siri/alexa just couldnt handle. As long as a thing has well documented api spec then it instantly is usable. This makes the clawbot flow extraordinarily more useful.
I think devs are too focused on the technical what did u build with it.
For example. My brother runs a small recruiting agency. Super nontechnical. Out of nowhere he asks me about openclaw. Then with no help, he sets it up and uses it. Still no help, he has all kinds of nonsense hooked up and running blowing through tokens. He is blown away by it and wants to get it for all of his employees. He thinks about it in terms of cost per min running and not in tokens.
This is the sticky gooey value to whatever openclaw is doing.
so far, I've used it to kill a bunch of time trying to get it to respond to "Hi @Kirk" in a private Slack channel.
...and to laugh a little every time it calls me "commander" or asks "What's the next mission?" or (and this is the best one) it uses the catchphrase I gave it which is "it's probably fine" (and it uses it entirely appropriately...I think there must have been a lot of sarcasm in qwen 3.5's training data)
and I've treated it like it's already been compromised the whole time.
I give it monumental tasks. For example, I will write massive markdown files describing all the features I want to see in an application, and I will use a standard AI chatbot to check my work and consider additional details. Finally, when I have everything written down, I upload it to OpenClaw and tell the agent to make it happen.
Sometimes it toils away for 2+ hours, spawning Claude Code instances, checking its work, testing the code, even using browser automation to make sure everything works the way it is supposed to if it's writing a webapp.
In the end, it consumes like $10-20 worth of tokens and spits out a functional application with everything I asked for.
Claude Code can do this on its own, to an extent, but there's something about getting OpenClaw to iterate through multiple sessions and testing everything to make sure it works the way I described that I really like. It completely offloads the process to the AI, and keeps me mostly out of the loop.
Is the code any good? Probably not. Am I at risk of being exploited by malware? Probably. But I have automated quite a lot of things with the software that OpenClaw builds for me, and I am careful to review the libraries it imports before running the code on any machine with actual access to anything I actually care about.
Personally, anyone using OpenClaw for the "it reads your emails" use case is crazy, because prompt injection is real, and you're basically inviting anyone who knows your email address to take a stab at pwning you, with full access to your personal life. I keep my instances on a VPS, behind a restrictive security group, and only accessible via Tailscale where it has zero access to anything on my tailnet. I only recently gave it its own email account (not mine!), but even then I am skeptical of doing so, and take efforts to prevent it from taking action on any email it receives (e.g., disabling the Heartbeat) because who knows what it'll end up doing. I mostly like that it can email me if I ask it to.
Assuming you're asking in good faith, IMHO the deeper story around OpenClaw is that it's the core piece of a larger pattern.
The way I'm seeing folks responsibly use OpenClaw is to install it as a well-regulated governor driving other agents and other tools. It is effectively the big brain orchestrating a larger system.
So for instance, you could have an OpenClaw jail where you-the-human talk to OpenClaw via some channel, and then that directs OpenClaw to put lower-level agents to work.
In some sense it's a bit like Dwarf Fortress or the old Dungeon Keeper game. You declare what you want to have happen and then the imps run off and do it.
[EDIT: I truly down understand sometimes why people downvote things. If you don't like what I'm saying, at least reply with some kind of argument.]
So I neither downvoted nor upvoted you, but I think people may be downvoting, in addition to the fact that they just don't like the thing, based on the fact that you didn't directly answer the question. Specifically, what are you using it for, not what hypothetically it would be used for.
You're probably being downvoted because you didn't answer the question. The questioner specifically asked what people are using it for and you answered by describing your technical setup. What we want to know is, what are you actually achieving with this tool?
First words out of your mouth are to accuse OP of not seriously asking the question. Then you write paragraphs saying nothing much at all. You could have simply answered the question in a simple straightforward manner.
You have yet to answer the original question - what do you actually do with OpenClaw? A concrete example of something that actually happens, not a system architecture description.
The comment is a generic vent about the project’s codebase and development approach, not an effort to engage in curious conversation about this vulnerability. Also, I consider it to be in breach of the guidelines about fulmination, swipes/sneers, and curmudgeonliness.
The current OpenClaw GitHub repo [1] contains 2.1 million lines of code, according to cloc, with 1.6M being typescript. It also has almost 26K commits.
Please make your substantive points without crossing into personal attack. Your comment would be fine but for the paragraph in the middle where it does that.
Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.
Please don't fulminate. Please don't sneer.
Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.
The guidelines still apply, even if you feel negatively towards a project and its creator. Indeed it's even more important to make the effort to heed the guidelines for topics you feel negatively towards (after all, it's easy to be respectful about things we feel positively towards).
Thanks for explaining, is this mostly about replying directly to the person involved in the project? Compared to e.g. a comment in a thread about OpenClaw without replying directly to the creator? Just trying to figure out where the line is, I do think snark is a valid form of criticism sometimes but it's your house after all.
I'm critical of OpenClaw and even the author to some extent, but I prefer to have nuanced and compartmentalized conversations, on a thread about a specific vulnerability, it's much more productive to talk about the specific vulnerability rather than OpenClaw as a whole. Otherwise we would only have generic OpenClaw conversations and we would only be saying the same thing.
The comment could have been more substantive but it isn't generic or tangential. Discussing a vulnerability ultimately means discussing the failures of process that allowed it to be shipped. Especially with these application-level logic bugs that static analyzers can't generally find, the most productive outcome (after the vulnerability is fixed) is to discuss what process changes we can make to avoid shipping the next vulnerability. I'm sure there's hardening that can be done in OpenClaw but the premise of OpenClaw is to integrate many different services - it has a really large attack surface, only so much can be done to mitigate that, so it's critical to create code review processes that catch these issues.
OpenClaw is probably entering a phase of it's life where prototype-grade YOLO processes (like what the tweet describes) aren't going to cut it anymore. That's not really a criticism, the product's success has over vaulted it's maturity, which is a fortunate problem to have.
If you're running OpenClaw, you already threw security and reliability out the window by running LLMs on the command line. It's a bit late to start worrying now.
Setting it up that way is a choice a user would have to make. Just set it up on an oauth or budgeted api and not be an idiot. Setup additional guardrails in OC if you think are necessary.
OpenClaw creator here.
This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
Can you speak a little bit more to the stats in the OP?
* 135k+ OpenClaw instances are publicly exposed
* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
Is this accurate? This is definitely a very different picture then the one you paint
That’s surprising, as the OpenClaw installation makes it pretty difficult to run without auth and explicit device pairing (I don’t even know if that’s possible).
The problem is that a lot of users of OpenClaw use a chatbot to set it up for them so it has a habit of killing safety features if it runs into roadblocks due to user requests. This makes installations super heterogeneous.
I agree—it looks like the OP didn't provide any sources for these numbers either. That's why I would have hoped that the original maintainer had a better set of metrics to dispute them. It doesn't seem like he does though :(
Those numbers aren't in the CVE. You introduced them, attributed them to a source that doesn't contain them, and now you're disclaiming them. Where did they come from, and what was the goal of sharing them?
The numbers were in the post when I clicked through and when I made the comment. It looks like the HN moderators have since changed the link for the post to go to the CVE entry. However, my comment was about the reddit thread, not the CVE entry.
I’m not the person you’re talking to but the stats are copied from the second link in the post, the web archive one.
Steinberger has a vested interest in protecting his, and OpenAIs reputation from the ramifications of serious in-the-wild exploits like this.
Or inviting any legal or regulatory scrutiny.
They don’t even read the code in any serious capacity so excuse me for not taking any assessment of the situation from him too seriously. Might as well just ask Claude Code to assess it yourself.
Welcome to the world vibe coding created. The fun is only just beginning.
> Welcome to the world vibe coding created.
Hard disagree. Vibe coding isn't responsible for people not doing the slightest due diligence when running this (pardon my French) shit. You can vibe code stuff and keep it at a much higher quality. And you can check who did the vibecoding and how they approached it, so the burden also falls on the person running the stuff to understand what they're running. This isn't an enterprise level application that has a full team behind it that had an issue. This is a pandora's box vibecoded overnight for fun, full of stuff we don't even know about, that was opened the moment you touched it with a stick.
Vibe coding means you don’t (or can’t) read the code. It does not mean anything an agent writes is vibe coded.. If you’re reviewing the code after the agent writes it, you aren’t vibe coding.
Steinberger has said he doesn’t look at (most) the code.
In my experience, most garden variety security problems stem from a) the developer not understanding the implications of something (maybe because they’re new, or operating outside of their usual domain,) or b) the developer not paying close enough attention to realize they did something they know is stupid. We’re only human.
Vibe coding obviously doesn’t make something insecure, per se, but saying it doesn’t reduce the attention paid to any given line of code, or encourage less knowledgeable people to write code, seems pretty dubious to me.
The Claude Code team is clearly competent and professional, yet they accidentally published the proprietary source code for one of the world’s hottest products. That’s like a Bank manager walking away with the keys in the door and alarm disarmed. When’s the last time you heard of a human team of developers doing that?
Again, I’m not saying that vibe coding necessarily creates unsafe code, but I don’t see how anyone could say vibe coding was devoid of security implications. I think this is an organizational/logistical problem that we’ll figure out at some point, but in think it’s going to be more of a C buffer overflow ‘figured out’ that never really goes away.
Very reasonable take, I agree 100%. But I don't you're putting any responsibility with users of the such very vibe coded apps. OpenClaw was primarily marketed towards devs and people in touch with IT. They should know better.
“It’s not the cars! It’s not the guns! It’s not social media! It’s not vibe coding!”
Right. It’s always the people. They just tend to bodge things. All the time. So when there’s new foot guns, the inevitable will happen.
Honestly that seems like total guesswork. There's a lot of FUD going around, or people running portscans and assuming just because they detect a gateway on a port, that they can connect to it. That’s not the case.
Definitely agree—that's why I hoped the openclaw maintainer would have been able to speak to those numbers and whether or not they were accurate.
> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
What exactly does this mean? You have contracts with these companies? People who work for them contributed sometimes in the past to openclaw repository?
If I am not mistaken steipete works for OpenAI now as part of OpenClaw being acquired by them back in February.
NVIDIA is contributing to the security of OpenClaw via NemoClaw.[0]
Not sure about ByteDance and Tencent.
0. https://www.nvidia.com/en-us/ai/nemoclaw/
They both sponsor the OpenClaw Foundation and provide engineers to improve OpenClaw.
Jensen mentioned on a podcast (sorry I don’t have a link on me, it was either the all in podcast or Lex Friedman) that they are helping support and harden on the security side, and that he considers it like the “iPhone moment”
Most of these larger players are interested in supporting anything that helps grow the ecosystem so broadly.
Nvidia is willing to do anything to keep the hype going - there's a desperation to find a 'killer app'.
Nvidia, ByteDance, Tencent and OpenAI?! Wow!
Good, hearty group right there. But how about Palantir, NSO Group, Flock and Axon? Aren't they lending a hand too?
Always good to name drop a near universally hated group.
Which one? NVIDIA? OpenAI? Bytedance?
yes
My reply which was not an attack was detached from this sub thread as an attack. All I did was ask a clarifying question about why Telegram and Discord were specifically called out in this reply despite not being mentioned by the OP at all. I'd still like an answer to this question.
Just a heads up that everyone can still see the comment you made on your profile because it wasn't removed by moderator action. It was downvoted to oblivion because it was an attack on another user for using AI.
That user said that they use OpenClaw to scrape city meetings for context so that they can more efficiently participate in local politics. You then attacked them, accusing them of "leaving AI slop comments on public city meetings", which isn't what they said they were doing at all.
I see absolutely no problem in using AI to summarize large quantities of information (such as a collection of city meeting notes). Summarization is one of the places that AI really shines right now, and if it helps people wrap their head around what is happening in their communities, good!
I understand a healthy skepticm of AI. Everyone should have some degree of that. But maybe avoid the urge to publicly shame people for their use of AI, especially on a site like this where that won't be received well. Or, if you're going to offer criticism, show some tact.
You're referring to a different comment. This is the comment I left which was removed, word for word,
> What does Telegram/Discord have to do with anything? The OP never mentioned either of these software suites. In fact the only mention of Telegram anywhere in the entire thread is you copy-pasting this exact message.
I could not stop myself from looking at this user's submission history, looking for a ShowHN about Clawdbot. No such submission exists.
I can understand why, but given that OpenClaw has taken over the world, I find the lack of a ShowHN somewhat interesting.
The hype was entirely manufactured from day 1.
[flagged]
Relevant: https://days-since-openclaw-cve.com/
Currently we're at 1.8 CVEs per day since OpenClaw launched!
That is genuinely horrifying. I wonder what the stats are for an average "artisan, hand-typed" project would be if it got as much attention as OpenClaw has. But 1.8 CVEs a day should scare any rational people away from the software... right? Surely?
I’m not an openclaw user or a vibe coder but - the use case of OpenClaw is “give me access to all of your data, programs and information, and I will make decisions and do stuff without asking you permission”. It’s the MO of the project. Even if it was perfectly designed, I think it would have more RCEs by the fact that the Venn diagram of use of the app and high risk areas are a perfect circle
I'm OpenClaw user and I never would do that. You can do with OpenClaw that, but it is definitely not the only use case, and I would argue that not even the one that makes sense overall. Most people want to be careful which decisions you want to outsource and which not, and you can direct the AI to work however you prefer. Personally I have developed some projects with OpenClaw, and it does have very limited permissions.
Text of the post has been [removed]. Original saved here: https://web.archive.org/web/20260403163241/https://old.reddi...
Maybe the moderators removed it for being AI spam. The user’s entire post history besides this post are generated ads for their AI projects.
Thanks, we'll put that link in the toptext as well.
I don't use OpenClaw, but I still run my Claude Code and Codex as limited macOS user accounts and just have a script `become-agent <name> [cmd ...]` that does some sudo stuff to run as the limited user so they don't have any of my environment or directory access, or really any system-level admin access at all. They can use and write to their home directories as usual, which makes things easier to configure since those CLI harnesses really like when $HOME is configured and works as expected.
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
This is why kernel-level sandboxing matters. I use a sandbox name greywall that enforce filesystem/network isolation at the syscall level (Landlock + Seccomp + eBPF on linux, sandbox-exec on mac).
I do disagree about unix system were designed for this kind of stuff. Unix was not designed for an agent to act like you and take decision for you...
The entire Von Neumann architecture is not suitable for agents.
Putting data and instructions in the same memory was always a bad idea - LLMs just took this to the extreme by making data and instructions the same thing.
I think it depends on your philosophical approach to agency or personas. Unix groups allowed individuals to share directories with various levels of access. The assumption was those were people. Agents are philosophically people in so far as they exercise agency. They can do things via the file system. They are just non organic agents. The basic Unix permission system can still work with them.
Yes, if/since that user have no access to your apple id and keychain...
Not too much harder is using a VM:
With Apple's open-source container tool, you can spin up a linux container vm in ~100ms. (No docker root)
With Apple virtualization framework, you can run macOS in a VM (with a separate apple id).
> Yes, if/since that user have no access to your apple id and keychain...
Right, these are system accounts. They don't have access to anything except their own home folder and whatever I put in their .bashrc. `sudo` is a pretty easy sandbox by itself and lets me manage their home folders, shell, and environment easily just with the typical Unix-isms. No need for mounting VM disks, persisting disk images, etc.
I don't need virtualization to let Claude Code run. I just let it run as a "claude" user.
Well, such things were to be expected. It's easy to bash on all the people who haven't gotten the necessary IT understanding of securing such things. Of course, it's uber-dumb to run an unprotected instance. But at the same time, it's also quite cool that so many people can do interesting IT stuff now. I'm thinking basically it's a trade-off. Be able to do great stuff, live with the consequences of doing that without proper training. Like repairing your car yourself. You might have fun doing it, it might get you somewhere, but you have to accept that if you have no idea about cars, you just introduced a pretty big risk into your life (say if you replaced the brakes or something). But yea, security, privacy, fighting climate change, all very much on the decline - humans doing cool things, ignoring important things - we'll have to live with the consequences.
The biggest problem is the people who don’t have the necessary IT understanding to secure such things are probably completely unaware this is even happening.
Gonna be honest. I'd rather fight climate change than have people run LLMs unsecured
Yeah... The bill is already being paid. I wonder how the life quality of my nephew (and other children) of 5 years old today will be in the near future..
With your car example, you also assume the risk unto others. If your "chopper" of a car hits and kills someone else, and you survive, you're paying for the consequences of that. I don't think it's cool that untrained people can do interesting IT stuff now. I see it as a huge liability where some unsecured instance pwns the internet, then it's some 12 year old that gets marched in front of congress and everyone goes: "wtf?" There's essentially no accountability and the damage is still done.
The threads on that /r/sysadmin post sound exactly like every sysadmin I've ever worked with in my career.
Title is a bit misleading, no? You have to have openclaw running on an open box. And the post even says "135k open instances" out of 500k running instances? so a bit clickbait-y
1/5 rounds to “probably” when discussing security.
The 135k number appears to be pulled out of thin air? No idea where the 65% comes from. The command the post gives to list paired devices isn't correct. These are red flags.
It's pretty reasonable though, a lot of OpenClaw instances are hosted on a VPS, this is not unsafe.
My interpretation is that 135k instances are vulnerable, but of those there's more conditions that need to be met, specifically:
These need to be multi-user systems where there are users with 'basic pairing' privileges. Which I don't think is very common, most instances are single-user.
So way less than the 135k number. I think a more accurate title would have been "If you're running OpenClaw, you are probably vulnerable" but not "you probably got hacked", that's just outright false and there's no evidence that the exposed users were ALL hacked.
More than 25% of users seems like a pretty accurate "probably".
You know you’re getting into zealot territory when people are arguing semantics over the headline pointing to a zero authentication admin access vulnerability CVE that affects a double-digit percentage of users.
Thank you for the reality check. I like to assume people are coming from a certain baseline on HN, but I sometimes forget that certain topics have a passionate user base represented.
I mean... the reddit OP's comments are obviously AI-generated. It's quite obvious who is being 'zealot" here.
Does it really? Digging up the data from example the 135k instances in the open reeks like bullshit, I would suspect several other claims are exaggerated as well.
> Digging up the data from example the 135k instances in the open reeks like bullshit, I would suspect several other claims are exaggerated as well.
Do you so stringently examine most CVEs? I’ll bet you don’t. Are you a big fan of this project? I’ll bet you are. Do you have any actual data to counter what they said or do you just sort of generally not vibe with it? If so, now would be a great time to break it out while this is still fresh. If not…
They are pointing out the data provided does not appear to be real. There is no credible link to this 135k number. They do not need to provide a number, as one does not appear to exist.
Well the post was removed so that’s not very promising on their part.
Today I learned nobody agrees on what the word "probably" means.
Ya I thought it meant “more probable than not” ie 50+%.
Otherwise I would say “you may have been hacked” not “you probably have been hacked”.
That is what it means. Unless you're losing an argument on the internet and you need a word to hide behind. ;)
You're probably right.
Here's a statement that's about 3x as true then:
If you're running OpenClaw, you probably didn't get hacked in the last week.
The 135k instances is likely not true at all.
This sounds like a classic case of "35% of statistics are made up"
Over 50% of people have a below average understanding of statistics.
That's funny. In my study it was 70%. Nah, make that 85%.
It’s also only 65% of those that have zero authentication configured, according to that post (which I have done nothing to confirm or challenge at all… Frankly I wouldn’t touch OpenClaw with a ten foot… cable?) That said, I think it’s far more important to get people’s attention who might otherwise not realize how closely they need to pay attention to CVEs than it is to avoid hyperbole in headlines.
Not if this is crying wolf and causing those same people to ignore the very real security risks with using OpenClaw.
How is 20% of users getting pwned ”crying wolf” by any reasonable measure? This is a zero authentication admin access vulnerability.
Because 20% is not “probably got hacked” and overstates the problem for most users.
That doesn’t mean this isn’t a critical vulnerability, and I think it’s insane to run OpenClaw in its current state. But the current headline will burn your credibility, because 80% of users will be fine with no action, and they’ll take future security issues less seriously as a result.
All the numbers you are using appear to be made up by the reddit poster. I say that as they provided no citation to them (for all I know they got them from an AI). I attempted to verify any of the numbers he used and could not. By exaggerating the numbers he is crying wolf.
Well the post was removed so it doesn’t lend a lot of support to their claims.
Open Claw cannot be made "secure" by any normal definition of the word. Unless I'm very much mistaken, fundamentally it's a tool that lets LLMs do stuff.
So you take the output of an LLM, which is obviously impossibly to guarantee correct, and use that to choose a tool and execute it. Like, send an email or whatever. And you take the input for that LLM not only from prompts, and various files, but also your system and random stuff you download from the internet.
I am telling you people, this is lunacy. No good can come of this.
Only if your openclaw instance is publicly exposed on the internet... which is not the case for most people
Until recently, this was default configuration
Edit: Default binding was to 0.0.0.0, and if you were not aware of this and assumed your router was keeping you safe, you probably should not be using OpenClaw. In fact some services may still default to 0.0.0.0: https://github.com/openclaw/openclaw/issues/5263
https://github.com/openclaw/openclaw/commit/5643a934799dc523...
Not true. So many people love to come out of the woodwork on these openclaw posts who have no first hand knowledge of the software. It is stunning.
I have used openclaw pretty long but at no point it has proposed doing anything like that.
Since pretty much the beginning it wasn't and the documentation explicitly warned not to make it public, exposing it to the internet. It included information on how you can properly forward the gateway port to your machine without opening it up to the internet.
I’m surprised people are still using OpenClaw. I assumed they’d have switched to Nanoclaw or Nemoclaw. Is OpenClaw just that much better, or is it all inertia?
(I’ve never used any of them.)
I'm using Hermes. The same applies to all agents, don't give it free reign over all your stuff. Run it within a sandbox.
https://github.com/nousresearch/hermes-agent
which one is recommended? (on machine - oss)
NemoClaw is an OpenClaw security wrapper, not a replacement
It's shit, but most people don't know better
Which "claw" so you recommended?
The one attached to your arm.
None of them, but prefer ones written with engineering rigor and security in mind. Having an unvetted plugin ecosystem with code that runs unsandboxed is laughably naive
OpenClaw has over 400+ security issues and vulnerabilities. [0]
Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
[0] https://github.com/openclaw/openclaw/security
Wow. The advisories page is worthy of a post in itself.
It does not need access to your full machine. It can literally run in a vps.
Most of the people using it probably don't even know what SSH is, let alone using a VPS to maintain a personal bot for them for years with no maintenance. They know Vercel and Supabase. They will run it on their local machine and just keep clicking yes to everything until they get the result they want.
That is not how the software works.. I take it you have no first hand knowledge with this stack? This isn't a double click the exe and you are off the races. The hostinger vps is actually the easiest way for a normie to get this running.
The thing is that if you want it to do useful things, you kinda have to give it access to some of your accounts.
This is not true. It is useful without having access to a single account of mine. My setup runs on its own accounts and hardware. Obviously it is not sending out emails from my inbox, but that is not a usecase of any value to me. And if it was, there are actually plenty of ways to do that safely as well.
If you think you need to give it the keys to your kingdoom to be useful, you are not actually experimenting with this stack but regurgitating the words of others. I really don't understand the mindset of comments like this.
What do you use it for
How do you think the vibe-coding layman audience is using OpenClaw?
Hostinger vps if youtube is any indication. Also its actually hard for a layman to run this software.
Based on the hype, a Mac mini.
"All you have to do is run the command `/yolo` to start your instance of OpenClaw."
/s
Upvoted because, yup, it's insanity.
However:
> Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
I'd say that it's a given that we live in a world when your LAN is infested with compromised and hostile devices: from phones (spying devices) to home automation (spying chinese webcams) to TVs (with the TV's microphone listening 24/7 to everything people are saying) to chinese routers (which, yup, have backdoors for the chinese state) to that corean soundbar to really whatever enshittied device the world of enshittified turds we live in can come up with.
It is a fact of life that compromised, insecure, backdoored and at times all three of these shall find their way to our homes and appartments...
And it shouldn't be an issue.
What I mean by this: machines could be scanning my local networks and even maybe determine that this box at this IP is running Linux and... It still should be able to do exactly jack fucking shit with that information.
We must all learn to secure our devices for the Internet of Insecure and Enshittified Things is moving forward at godspeed. And if you think OpenClaw on its own device on your LAN is bad, wait until all the companies that were already selling enshittifed devices since years realize they'll now be able to enshittify those even more by slapping OpenClaw (or the equivalent) on their devices.
These insecure turds are all going to get a big boost of insecuredness, this time AI powered.
I'd say: bring it on. I'm ready. We all should be.
I don't think enabling admin on open internet is a default behaviour by any means?
Isn't OpenClaw itself a privilege escalation?
How could it be? Everything it does it does with its caller's privilege. It's not hacking your machine.
Run it as root it will have root caps, run it as ritcgab it will have ritcgab's caps. Same as every other program.
If someone could forward the SSH port from my VPS to access my instance, I already had bigger problems.
> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
But coding is solved? Why do you need those guys if all they do is use claude code? Just have it solve it overnight. You forgot to prompt "make it secure pls"?
They didn't say the "folks" from those companies were engineers! Maybe it's a group of PMs from Nvidia, ByteDance, Tencent and OpenAI that are working to harden the codebase.
nearly spit out my coffee, thank you!
ofc it's software engineers.
Coding is solved, but problems with code is not yet solved.
I think I'm pretty good at cooking, but still working on the part where it tastes like food and doesn't make you violently ill.
Surely you must realise the absurdity of that statement
I am pretty sure they were being sarcastic.
The Rubik’s cube is solved but the problem with some sides being multiple colors is not solved
> But coding is solved?
My belief, is the people who post this quote thinking it's some big win are the same people who are upset they can't post "stochastic parrot" anymore.
And we all saw how that went.
> 4. System grants admin because it never checks if you are authorized to grant admin
Shipping at the speed of inference for real.
With respect...Security through obscurity is dead. We are approaching the point where only formally verified (for security) systems can be trusted. Every possible attack will be attempted. Every opening will be exploited, and every useful combination of those exploits will be done.
LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.
Think of all the people that are too ignorant to even understand the basics of any of this that are running OpenClaw. They will be completely unaware and attackers can easily hide their tracks by changing system prompts (among plenty of other things).
This is bad.
Who cares man, the sloppiest and shittiest software ever written has yet another CVE. This is not worth discussing.
the f is openclaw??
Honest question: What do people actually USE OpenClaw for? The most common usage seems to be "it reads your emails!", that's the exact opposite of "exciting"...
I've only been playing with it recently ... I have mine scraping for SF city meetings that I can attend and public comment to advocate for more housing etc (https://github.com/sgillen/sf-civic-digest).
It also have mine automatically grabs a spot at my gym when spots are released because I always forget.
I'm just playing with it, it's been fun! It's all on a VM in the cloud and I assume it could get pwned at any time but the blast radius would be small.
>It also have mine automatically grabs a spot at my gym when spots are released because I always forget.
seems far more efficient/reliable to get codex/claude code to write and set up a bot that does this.
>set up a bot that does this
But he already did this. With a bonus of it will continue to work in the future if something breaks or changes. Human time is more precious than computing resources nowadays.
I use it for a side project. I just put it on VPS, and then it edits the code and tests it. The nice thing is that I can use it on the go whenever I have spare moment. It is addictive, but way better addiction than social media IMO.
The thing where you give it access to all your personal data and whatever I haven't done and wouldn't do.
I can do this with Claude Code from my phone. What’s the difference?
I use it to manage a media server. And use natural language to download movies and series. Also I use to for homeassistant so I csn use natural language for vacuuming the house and things like that. I do use it for a number of other tasks but those are the most partical.
Good use cases, but I do want to point out that you can do all of that with HA itself. Are you using skills to talk to *arr services?
I don't use this one, but a simpler one, also running on a vps. I communicate via telegram.
I say to it: check my pending tasks on Todoist and see if you can tackle on of those by yourself.
It then finds some bugs in a webapp that I took note. I tell it to go for it, but use a new branch and deploy it on a new url. So it clones the repo, fix it, commit, push, deploy, and test. It just messages me afterwards.
This is possible because it has access to my todoist and github and several other services.
I use it mostly for the crons, it runs a personal productivity system that tracks my tasks, provides nudges, talks through stuff etc. It's all stored in an Obsidian vault that syncs to my desktop. I don't use it to control email/calendars or other agents.
I was asked by someone recently to try to set up an OpenClaw that would search for ordinances and other land registry information for all 3000+ counties/parishes in the USA to obtain and distill specific details on their support for building tiny homes.
What is OpenClaw doing here that Claude Desktop or Claude Code couldn't do?
Claude Desktop and Code are built for synchronous, human-in-the-loop interactions. Scraping 3000 janky municipal websites, you need a "fire-and-forget" background worker. Claw lets you kick off a massive job and just get a ping when it's done.
I'd also instantly hit Claude Desktop's rate limits with this I reckon. Since Claw uses APIs, you bypass those limits and can route the messy scraping to cheap models, saving expensive ones for the actual analysis. It also handles Playwright integration and state persistence out of the box so a crash doesn't wipe your progress.
If I'm wrong, I'm open to learning. I'm as new to this as everyone :)
I would first automate everything with scripts, and only use an agent for the parts that require it.
For example you mentioned playwright? That can be automated. It doesn’t need to be a free form tool that the agent uses at will.
If that means the scripts need to be adopted to changes, then that’s a separate, controlled workflow.
This approach can save you a ton of tokens, increasee reliability and observability, and it saves compute as well.
Sometimes it‘s useful to let the agent do things fully agentic, so you can then iteratively extract the deterministic parts.
I am experimenting prompt injection on OpenClaw [0][1], quite exciting.
[0] https://itmeetsot.eu/posts/2026-03-27-openclaw_webfetch/
[1] https://itmeetsot.eu/posts/2026-03-03-openclaw3/
Awesome and very interesting posts, thanks for sharing! Always reminds me of the "lethal trifecta": https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
You're welcome!
My main takeaway message is: models (even opus4.6) do not follow security "instructions" reliably. In OpenClaw, they added security warnings, tags, random IDs... None of these countermeasures work reliably. Even sandboxing can be escaped (not in the classical sense using vulnerabilities, but using multi-layered prompt injection payload with natural language only)[0]. As soon as untrusted content is injected in the context, do not trust any actions downstream.
[0] https://itmeetsot.eu/posts/2026-02-15-openclaw_sandbox/
What do you think about CaMeL and similar approaches?
https://simonwillison.net/2025/Apr/11/camel/
Agent based chron jobs mostly that work with other agents. It’s really nice if you want to tell your computer to do something repeatedly or in confluence with many other agents in a very simple way. Like check my email for messages from Nadia and send me a notification and turn on all the lights in my driveway when she gets there without having to actually get into the nuts and bolts of implementing it. It’s actually really powerful and probably what Siri should be.
I think this is close to the head of the nail. It kinda unlocks handling novelish asks that previous siri/alexa just couldnt handle. As long as a thing has well documented api spec then it instantly is usable. This makes the clawbot flow extraordinarily more useful.
I think devs are too focused on the technical what did u build with it.
For example. My brother runs a small recruiting agency. Super nontechnical. Out of nowhere he asks me about openclaw. Then with no help, he sets it up and uses it. Still no help, he has all kinds of nonsense hooked up and running blowing through tokens. He is blown away by it and wants to get it for all of his employees. He thinks about it in terms of cost per min running and not in tokens.
This is the sticky gooey value to whatever openclaw is doing.
so far, I've used it to kill a bunch of time trying to get it to respond to "Hi @Kirk" in a private Slack channel.
...and to laugh a little every time it calls me "commander" or asks "What's the next mission?" or (and this is the best one) it uses the catchphrase I gave it which is "it's probably fine" (and it uses it entirely appropriately...I think there must have been a lot of sarcasm in qwen 3.5's training data)
and I've treated it like it's already been compromised the whole time.
So basically an eggdrop like we had in the 90s except, by the sounds of it, less useful and considerably less fun.
Having this in a discord is actually like having an eggdrop on steroids. I would of lost my mind having this on efnet in the late 90s.
I give it monumental tasks. For example, I will write massive markdown files describing all the features I want to see in an application, and I will use a standard AI chatbot to check my work and consider additional details. Finally, when I have everything written down, I upload it to OpenClaw and tell the agent to make it happen.
Sometimes it toils away for 2+ hours, spawning Claude Code instances, checking its work, testing the code, even using browser automation to make sure everything works the way it is supposed to if it's writing a webapp.
In the end, it consumes like $10-20 worth of tokens and spits out a functional application with everything I asked for.
Claude Code can do this on its own, to an extent, but there's something about getting OpenClaw to iterate through multiple sessions and testing everything to make sure it works the way I described that I really like. It completely offloads the process to the AI, and keeps me mostly out of the loop.
Is the code any good? Probably not. Am I at risk of being exploited by malware? Probably. But I have automated quite a lot of things with the software that OpenClaw builds for me, and I am careful to review the libraries it imports before running the code on any machine with actual access to anything I actually care about.
Personally, anyone using OpenClaw for the "it reads your emails" use case is crazy, because prompt injection is real, and you're basically inviting anyone who knows your email address to take a stab at pwning you, with full access to your personal life. I keep my instances on a VPS, behind a restrictive security group, and only accessible via Tailscale where it has zero access to anything on my tailnet. I only recently gave it its own email account (not mine!), but even then I am skeptical of doing so, and take efforts to prevent it from taking action on any email it receives (e.g., disabling the Heartbeat) because who knows what it'll end up doing. I mostly like that it can email me if I ask it to.
my claw controls my old M2 mac, mostly my claw uses Claude code to code
So you're using a different llm to control claude code to get around the Anthropic TOS about openclaw usage?
At this point I'm personally lost, unless GP's comment wasn't some sort of satire (which would be valid, this being a topic about AI).
Assuming you're asking in good faith, IMHO the deeper story around OpenClaw is that it's the core piece of a larger pattern.
The way I'm seeing folks responsibly use OpenClaw is to install it as a well-regulated governor driving other agents and other tools. It is effectively the big brain orchestrating a larger system.
So for instance, you could have an OpenClaw jail where you-the-human talk to OpenClaw via some channel, and then that directs OpenClaw to put lower-level agents to work.
In some sense it's a bit like Dwarf Fortress or the old Dungeon Keeper game. You declare what you want to have happen and then the imps run off and do it.
[EDIT: I truly down understand sometimes why people downvote things. If you don't like what I'm saying, at least reply with some kind of argument.]
So I neither downvoted nor upvoted you, but I think people may be downvoting, in addition to the fact that they just don't like the thing, based on the fact that you didn't directly answer the question. Specifically, what are you using it for, not what hypothetically it would be used for.
You're probably being downvoted because you didn't answer the question. The questioner specifically asked what people are using it for and you answered by describing your technical setup. What we want to know is, what are you actually achieving with this tool?
First words out of your mouth are to accuse OP of not seriously asking the question. Then you write paragraphs saying nothing much at all. You could have simply answered the question in a simple straightforward manner.
Man, all the replies to my comment. Do you guys know how to fucking read?
You have yet to answer the original question - what do you actually do with OpenClaw? A concrete example of something that actually happens, not a system architecture description.
Name 2 things you actually do with OpenClaw. And don't swear in your response.
The root issue is that OpenClaw is 500K+ lines of vibe coded bloat that's impossible to reason about or understand.
Too much focus on shipping features, not enough attention to stability and security.
As the code base grows exponentially, so does the security vulnerability surface.
We detached this subthread from https://news.ycombinator.com/item?id=47629849 and marked it off-topic.
I can't really think of a more on topic comment. The thread is about a security issue and the comment is about the quality of the codebase.
The comment is a generic vent about the project’s codebase and development approach, not an effort to engage in curious conversation about this vulnerability. Also, I consider it to be in breach of the guidelines about fulmination, swipes/sneers, and curmudgeonliness.
The current OpenClaw GitHub repo [1] contains 2.1 million lines of code, according to cloc, with 1.6M being typescript. It also has almost 26K commits.
[1] https://github.com/openclaw/openclaw
wow, this repo seems to get something like 100 commits an hour based on just scrolling through the recent ones.
There are like 10 openclaw clones out there. If you prefer security over features, just pick up another one.
Or you can just make your own. The core pattern is not difficult to clone.
They exist; are any of them secure?
[stub for offtopicness and general piling-on behavior, which we don't want on this site]
[[attacking project creators when they show up to discuss their work is particularly harmful; please don't ever do that here]]
[[[if you posted any of these, we'd appreciate it if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules from now on]]]
[flagged]
Please make your substantive points without crossing into personal attack. Your comment would be fine but for the paragraph in the middle where it does that.
https://news.ycombinator.com/newsguidelines.html
Understood, thanks.
Appreciated!
[flagged]
We detached this subthread from https://news.ycombinator.com/item?id=47629849 and marked it off-topic.
Why?
It breaks several guidelines:
Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.
Please don't fulminate. Please don't sneer.
Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.
The guidelines still apply, even if you feel negatively towards a project and its creator. Indeed it's even more important to make the effort to heed the guidelines for topics you feel negatively towards (after all, it's easy to be respectful about things we feel positively towards).
https://news.ycombinator.com/newsguidelines.html
Thanks for explaining, is this mostly about replying directly to the person involved in the project? Compared to e.g. a comment in a thread about OpenClaw without replying directly to the creator? Just trying to figure out where the line is, I do think snark is a valid form of criticism sometimes but it's your house after all.
> There used to be a time where people who shipped CVEs took accountability.
I see you haven't heard of Microsoft...
[flagged]
What time was that and who do we get to blame for Log4j?
Have you met these AI companies yet?
[flagged]
- "OpenClaw, read the code"
- "You're absolutely right. One should read and understand their own code. I did, and it looks great"
I'm critical of OpenClaw and even the author to some extent, but I prefer to have nuanced and compartmentalized conversations, on a thread about a specific vulnerability, it's much more productive to talk about the specific vulnerability rather than OpenClaw as a whole. Otherwise we would only have generic OpenClaw conversations and we would only be saying the same thing.
The comment could have been more substantive but it isn't generic or tangential. Discussing a vulnerability ultimately means discussing the failures of process that allowed it to be shipped. Especially with these application-level logic bugs that static analyzers can't generally find, the most productive outcome (after the vulnerability is fixed) is to discuss what process changes we can make to avoid shipping the next vulnerability. I'm sure there's hardening that can be done in OpenClaw but the premise of OpenClaw is to integrate many different services - it has a really large attack surface, only so much can be done to mitigate that, so it's critical to create code review processes that catch these issues.
OpenClaw is probably entering a phase of it's life where prototype-grade YOLO processes (like what the tweet describes) aren't going to cut it anymore. That's not really a criticism, the product's success has over vaulted it's maturity, which is a fortunate problem to have.
If you're running OpenClaw, you already threw security and reliability out the window by running LLMs on the command line. It's a bit late to start worrying now.
[flagged]
Please don't cross into personal attack. It destroys what this site is for, and you can always make your substantive points without it.
https://news.ycombinator.com/newsguidelines.html
Didn‘t know that pointing out a lack of accountability is seen as personal attack.
Who wants the fame must also take the blame.
Especially if they create a dangerous tool.
We don't want mobs on HN. There was very clearly a mob dynamic happening in the replies.
Edit: there was another case of this recently:
https://news.ycombinator.com/item?id=47576107
https://news.ycombinator.com/item?id=47576084
The point is that mob dynamics do more damage to the community than the threads add value, and protecting the community has to be the high-order bit.
Guys, OpenClaw is a toy, that's it!
Really? Posting AI generated Reddit post with no sources or anything?
The link mentions the CVE, here's the link https://nvd.nist.gov/vuln/detail/CVE-2026-33579
Thanks! We've changed the top URL to that from https://old.reddit.com/r/sysadmin/comments/1sbdw29/if_youre_..., but I'll put the latter in the toptext.
if would be good if we could have the submission including this link at the top
The CVE seems to be real.
[flagged]
Flag then move to the next one
As if the non-Reddit links aren’t majority AI slop already.
The Ludditism in this thread, and the linked thread, is shocking.
We need a new word for people who use the word ‘Luddite’ to refer to ‘reasonable concern over the reckless use of new technology’.
Yolos?
Is it Ludditism to not want to get PWNed spending $3k a month?
Setting it up that way is a choice a user would have to make. Just set it up on an oauth or budgeted api and not be an idiot. Setup additional guardrails in OC if you think are necessary.
Yes.
All new technology has issues. Figure it out.
Especially if you're spending $3k per month on inference, have the model fix the agent.
I suppose the idea is to wait for someone else to productize it.
Lazy.