OpenClaw privilege escalation vulnerability

4/3/2026 at 5:58:21 PM

OpenClaw creator here.

This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."

The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.

So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.

This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.

The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.

by steipete

4/3/2026 at 6:25:45 PM

Can you speak a little bit more to the stats in the OP?

* 135k+ OpenClaw instances are publicly exposed

* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain

Is this accurate? This is definitely a very different picture then the one you paint

by nightpool

4/4/2026 at 4:28:36 AM

That’s surprising, as the OpenClaw installation makes it pretty difficult to run without auth and explicit device pairing (I don’t even know if that’s possible).

by stingraycharles

4/4/2026 at 8:38:43 AM

The problem is that a lot of users of OpenClaw use a chatbot to set it up for them so it has a habit of killing safety features if it runs into roadblocks due to user requests. This makes installations super heterogeneous.

by bootsmann

4/4/2026 at 3:48:04 PM

I agree—it looks like the OP didn't provide any sources for these numbers either. That's why I would have hoped that the original maintainer had a better set of metrics to dispute them. It doesn't seem like he does though :(

by nightpool

4/4/2026 at 6:36:43 PM

Those numbers aren't in the CVE. You introduced them, attributed them to a source that doesn't contain them, and now you're disclaiming them. Where did they come from, and what was the goal of sharing them?

by ctoth

4/4/2026 at 10:14:01 PM

The numbers were in the post when I clicked through and when I made the comment. It looks like the HN moderators have since changed the link for the post to go to the CVE entry. However, my comment was about the reddit thread, not the CVE entry.

by nightpool

4/4/2026 at 6:44:22 PM

I’m not the person you’re talking to but the stats are copied from the second link in the post, the web archive one.

by pacificpendant

4/4/2026 at 1:55:29 PM

Honestly that seems like total guesswork. There's a lot of FUD going around, or people running portscans and assuming just because they detect a gateway on a port, that they can connect to it. That’s not the case.

by steipete

4/4/2026 at 3:48:31 PM

Definitely agree—that's why I hoped the openclaw maintainer would have been able to speak to those numbers and whether or not they were accurate.

by nightpool

4/4/2026 at 11:07:47 AM

[dead]

by jeremie_strand

4/3/2026 at 10:31:25 PM

> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.

What exactly does this mean? You have contracts with these companies? People who work for them contributed sometimes in the past to openclaw repository?

by blks

4/4/2026 at 2:23:48 AM

If I am not mistaken steipete works for OpenAI now as part of OpenClaw being acquired by them back in February.

NVIDIA is contributing to the security of OpenClaw via NemoClaw.[0]

Not sure about ByteDance and Tencent.

0. https://www.nvidia.com/en-us/ai/nemoclaw/

by marscopter

4/4/2026 at 7:22:17 AM

[flagged]

by j16sdiz

4/4/2026 at 9:55:28 AM

And all American companies plant American malware in all software they work on.

by victorbjorklund

4/4/2026 at 9:25:41 AM

Can you point to any reputable reports or specific commits that suggest that these companies are trying to plant malware in OpenClaw?

Or did you just see "China" and decide it must be malicous?

(This is a rhetorical question, I already know it's the latter)

by RIMR

4/4/2026 at 1:54:37 PM

They both sponsor the OpenClaw Foundation and provide engineers to improve OpenClaw.

by steipete

4/4/2026 at 1:33:41 AM

Jensen mentioned on a podcast (sorry I don’t have a link on me, it was either the all in podcast or Lex Friedman) that they are helping support and harden on the security side, and that he considers it like the “iPhone moment”

Most of these larger players are interested in supporting anything that helps grow the ecosystem so broadly.

by thejarren

4/4/2026 at 1:55:16 AM

Nvidia is willing to do anything to keep the hype going - there's a desperation to find a 'killer app'.

by fg3fgq

4/3/2026 at 7:31:17 PM

Nvidia, ByteDance, Tencent and OpenAI?! Wow!

by just_once

4/4/2026 at 1:29:09 AM

Good, hearty group right there. But how about Palantir, NSO Group, Flock and Axon? Aren't they lending a hand too?

by gigel82

4/4/2026 at 2:15:13 PM

Always good to name drop a near universally hated group.

by just_once

4/4/2026 at 2:40:54 PM

Which one? NVIDIA? OpenAI? Bytedance?

by shaky-carrousel

4/4/2026 at 3:48:59 PM

yes

by bitdiffusion

4/4/2026 at 4:04:21 AM

My reply which was not an attack was detached from this sub thread as an attack. All I did was ask a clarifying question about why Telegram and Discord were specifically called out in this reply despite not being mentioned by the OP at all. I'd still like an answer to this question.

by mvdtnz

4/4/2026 at 9:35:39 AM

Just a heads up that everyone can still see the comment you made on your profile because it wasn't removed by moderator action. It was downvoted to oblivion because it was an attack on another user for using AI.

That user said that they use OpenClaw to scrape city meetings for context so that they can more efficiently participate in local politics. You then attacked them, accusing them of "leaving AI slop comments on public city meetings", which isn't what they said they were doing at all.

I see absolutely no problem in using AI to summarize large quantities of information (such as a collection of city meeting notes). Summarization is one of the places that AI really shines right now, and if it helps people wrap their head around what is happening in their communities, good!

I understand a healthy skepticm of AI. Everyone should have some degree of that. But maybe avoid the urge to publicly shame people for their use of AI, especially on a site like this where that won't be received well. Or, if you're going to offer criticism, show some tact.

by RIMR

4/4/2026 at 7:02:08 PM

You're referring to a different comment. This is the comment I left which was removed, word for word,

> What does Telegram/Discord have to do with anything? The OP never mentioned either of these software suites. In fact the only mention of Telegram anywhere in the entire thread is you copy-pasting this exact message.

by mvdtnz

4/4/2026 at 4:25:52 PM

[dead]

by turadg

4/4/2026 at 3:14:22 AM

[flagged]

by doctorpangloss

4/4/2026 at 3:19:42 AM

I point to the rules: https://news.ycombinator.com/newsguidelines.html

>Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.

>Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.

by delish

4/4/2026 at 3:58:03 AM

I could not stop myself from looking at this user's submission history, looking for a ShowHN about Clawdbot. No such submission exists.

I can understand why, but given that OpenClaw has taken over the world, I find the lack of a ShowHN somewhat interesting.

by consumer451

4/4/2026 at 7:44:45 AM

The hype was entirely manufactured from day 1.

by ekianjo

4/4/2026 at 7:14:53 AM

[flagged]

by SeriousM

4/4/2026 at 9:08:42 AM

Relevant: https://days-since-openclaw-cve.com/

Currently we're at 1.8 CVEs per day since OpenClaw launched!

by tao_oat

4/4/2026 at 12:32:57 PM

That is genuinely horrifying. I wonder what the stats are for an average "artisan, hand-typed" project would be if it got as much attention as OpenClaw has. But 1.8 CVEs a day should scare any rational people away from the software... right? Surely?

by mattstir

4/4/2026 at 2:10:22 PM

I’m not an openclaw user or a vibe coder but - the use case of OpenClaw is “give me access to all of your data, programs and information, and I will make decisions and do stuff without asking you permission”. It’s the MO of the project. Even if it was perfectly designed, I think it would have more RCEs by the fact that the Venn diagram of use of the app and high risk areas are a perfect circle

by maccard

4/5/2026 at 3:47:53 AM

> the use case of OpenClaw is “give me access to all of your data, programs and information, and I will make decisions and do stuff without asking you permission”. It’s the MO of the project.

You say that, but you also say

> I’m not an openclaw user

Your first statement makes the second one rather obvious.

As I said some weeks ago, I've given up pointing out on HN: "Well, you could just not give it your data" only to be repeatedly told (by non-users) that the whole point is to give it all your data.

And the myth continues...

by BeetleB

4/5/2026 at 9:23:28 AM

The openclaw website[0] 's headline paragraph is:

> Clears your inbox, sends emails, manages your calendar, checks you in for flights. > All from WhatsApp, Telegram, or any chat app you already use.

The _entire point_ is "give me access to email, calendar, whatsapp, telegram, and I'll do your admin".

> "Well, you could just not give it your data"

This is the "you're holding it wrong"[1] argument

[0] https://openclaw.ai/.

[1] https://www.engadget.com/2010-06-24-apple-responds-over-ipho...

by maccard

4/5/2026 at 7:14:14 PM

> This is the "you're holding it wrong"[1] argument

But isn't that what you're doing?

Every single submission on HN has threads where people point out how it's useful to them without giving it access to much/any data. What is the benefit of pointing out what the homepage is saying other than to imply that we are holding it wrong?

And what does it say about you that you're going off based on marketing on a website rather than actual, competent tech users who actually weild the tool?

Until recently Gentoo boasted performance as a reason to use it. Yet as someone who's been in the community for over 20 years, I can assure you the majority of users didn't care about the performance and aren't optimizing their builds for it. Who cares what the site says?

by BeetleB

4/4/2026 at 7:09:48 PM

I'm OpenClaw user and I never would do that. You can do with OpenClaw that, but it is definitely not the only use case, and I would argue that not even the one that makes sense overall. Most people want to be careful which decisions you want to outsource and which not, and you can direct the AI to work however you prefer. Personally I have developed some projects with OpenClaw, and it does have very limited permissions.

by earnesti

4/3/2026 at 5:20:14 PM

OpenClaw has over 400+ security issues and vulnerabilities. [0]

Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?

Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.

[0] https://github.com/openclaw/openclaw/security

by rvz

4/4/2026 at 1:35:58 PM

Upvoted because, yup, it's insanity.

However:

> Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?

I'd say that it's a given that we live in a world when your LAN is infested with compromised and hostile devices: from phones (spying devices) to home automation (spying chinese webcams) to TVs (with the TV's microphone listening 24/7 to everything people are saying) to chinese routers (which, yup, have backdoors for the chinese state) to that corean soundbar to really whatever enshittied device the world of enshittified turds we live in can come up with.

It is a fact of life that compromised, insecure, backdoored and at times all three of these shall find their way to our homes and appartments...

And it shouldn't be an issue.

What I mean by this: machines could be scanning my local networks and even maybe determine that this box at this IP is running Linux and... It still should be able to do exactly jack fucking shit with that information.

We must all learn to secure our devices for the Internet of Insecure and Enshittified Things is moving forward at godspeed. And if you think OpenClaw on its own device on your LAN is bad, wait until all the companies that were already selling enshittifed devices since years realize they'll now be able to enshittify those even more by slapping OpenClaw (or the equivalent) on their devices.

These insecure turds are all going to get a big boost of insecuredness, this time AI powered.

I'd say: bring it on. I'm ready. We all should be.

by TacticalCoder

4/4/2026 at 5:22:40 AM

Wow. The advisories page is worthy of a post in itself.

by da_grift_shift

4/3/2026 at 5:23:12 PM

It does not need access to your full machine. It can literally run in a vps.

by nickthegreek

4/3/2026 at 6:33:27 PM

Most of the people using it probably don't even know what SSH is, let alone using a VPS to maintain a personal bot for them for years with no maintenance. They know Vercel and Supabase. They will run it on their local machine and just keep clicking yes to everything until they get the result they want.

by rob

4/3/2026 at 7:59:50 PM

That is not how the software works.. I take it you have no first hand knowledge with this stack? This isn't a double click the exe and you are off the races. The hostinger vps is actually the easiest way for a normie to get this running.

by nickthegreek

4/3/2026 at 7:25:47 PM

The thing is that if you want it to do useful things, you kinda have to give it access to some of your accounts.

by eloisant

4/3/2026 at 7:57:47 PM

This is not true. It is useful without having access to a single account of mine. My setup runs on its own accounts and hardware. Obviously it is not sending out emails from my inbox, but that is not a usecase of any value to me. And if it was, there are actually plenty of ways to do that safely as well.

If you think you need to give it the keys to your kingdoom to be useful, you are not actually experimenting with this stack but regurgitating the words of others. I really don't understand the mindset of comments like this.

by nickthegreek

4/4/2026 at 12:08:07 AM

What do you use it for

by johanyc

4/3/2026 at 5:28:43 PM

How do you think the vibe-coding layman audience is using OpenClaw?

by fraywing

4/3/2026 at 5:33:53 PM

Hostinger vps if youtube is any indication. Also its actually hard for a layman to run this software.

by nickthegreek

4/4/2026 at 5:31:27 AM

Based on the hype, a Mac mini.

by yoyohello13

4/3/2026 at 6:51:02 PM

"All you have to do is run the command `/yolo` to start your instance of OpenClaw."

/s

by butlike

4/3/2026 at 7:43:58 PM

Text of the post has been [removed]. Original saved here: https://web.archive.org/web/20260403163241/https://old.reddi...

by Meneth

4/3/2026 at 8:56:38 PM

Maybe the moderators removed it for being AI spam. The user’s entire post history besides this post are generated ads for their AI projects.

by frenchtoast8

4/3/2026 at 11:57:07 PM

Thanks, we'll put that link in the toptext as well.

by dang

4/3/2026 at 5:31:56 PM

I don't use OpenClaw, but I still run my Claude Code and Codex as limited macOS user accounts and just have a script `become-agent <name> [cmd ...]` that does some sudo stuff to run as the limited user so they don't have any of my environment or directory access, or really any system-level admin access at all. They can use and write to their home directories as usual, which makes things easier to configure since those CLI harnesses really like when $HOME is configured and works as expected.

It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.

by petcat

4/4/2026 at 4:35:31 AM

This is why kernel-level sandboxing matters. I use a sandbox name greywall that enforce filesystem/network isolation at the syscall level (Landlock + Seccomp + eBPF on linux, sandbox-exec on mac).

I do disagree about unix system were designed for this kind of stuff. Unix was not designed for an agent to act like you and take decision for you...

by txprog

4/4/2026 at 12:25:56 PM

I think it depends on your philosophical approach to agency or personas. Unix groups allowed individuals to share directories with various levels of access. The assumption was those were people. Agents are philosophically people in so far as they exercise agency. They can do things via the file system. They are just non organic agents. The basic Unix permission system can still work with them.

by gadflyinyoureye

4/4/2026 at 12:18:06 PM

The entire Von Neumann architecture is not suitable for agents.

Putting data and instructions in the same memory was always a bad idea - LLMs just took this to the extreme by making data and instructions the same thing.

by throwatdem12311

4/3/2026 at 6:55:08 PM

Yes, if/since that user have no access to your apple id and keychain...

Not too much harder is using a VM:

With Apple's open-source container tool, you can spin up a linux container vm in ~100ms. (No docker root)

With Apple virtualization framework, you can run macOS in a VM (with a separate apple id).

by w10-1

4/3/2026 at 7:05:58 PM

> Yes, if/since that user have no access to your apple id and keychain...

Right, these are system accounts. They don't have access to anything except their own home folder and whatever I put in their .bashrc. `sudo` is a pretty easy sandbox by itself and lets me manage their home folders, shell, and environment easily just with the typical Unix-isms. No need for mounting VM disks, persisting disk images, etc.

I don't need virtualization to let Claude Code run. I just let it run as a "claude" user.

by petcat

4/3/2026 at 5:43:09 PM

Well, such things were to be expected. It's easy to bash on all the people who haven't gotten the necessary IT understanding of securing such things. Of course, it's uber-dumb to run an unprotected instance. But at the same time, it's also quite cool that so many people can do interesting IT stuff now. I'm thinking basically it's a trade-off. Be able to do great stuff, live with the consequences of doing that without proper training. Like repairing your car yourself. You might have fun doing it, it might get you somewhere, but you have to accept that if you have no idea about cars, you just introduced a pretty big risk into your life (say if you replaced the brakes or something). But yea, security, privacy, fighting climate change, all very much on the decline - humans doing cool things, ignoring important things - we'll have to live with the consequences.

by Leomuck

4/3/2026 at 5:57:19 PM

Gonna be honest. I'd rather fight climate change than have people run LLMs unsecured

by paulhebert

4/3/2026 at 6:15:25 PM

Yeah... The bill is already being paid. I wonder how the life quality of my nephew (and other children) of 5 years old today will be in the near future..

by Xunjin

4/5/2026 at 8:06:22 AM

Decades, decades, telling us to save energy. Removing screensavers, replacing lightbulbs with ugly CFL first and color distorted LED lamps after. Trying to save energy to save the planet. And now, all of that to the toilet because some morons decided to play with talking robots.

Yesterday I did care. Today? Not so much. Welcome climate change, we fully deserve it.

by shaky-carrousel

4/5/2026 at 10:35:10 AM

You forgot cryptocurrency. At least some of this LLM stuff is genuinely useful.

by tdeck

4/4/2026 at 12:20:42 PM

The biggest problem is the people who don’t have the necessary IT understanding to secure such things are probably completely unaware this is even happening.

by throwatdem12311

4/3/2026 at 6:49:40 PM

With your car example, you also assume the risk unto others. If your "chopper" of a car hits and kills someone else, and you survive, you're paying for the consequences of that. I don't think it's cool that untrained people can do interesting IT stuff now. I see it as a huge liability where some unsecured instance pwns the internet, then it's some 12 year old that gets marched in front of congress and everyone goes: "wtf?" There's essentially no accountability and the damage is still done.

by butlike

4/3/2026 at 5:23:01 PM

Title is a bit misleading, no? You have to have openclaw running on an open box. And the post even says "135k open instances" out of 500k running instances? so a bit clickbait-y

by niwtsol

4/3/2026 at 5:32:46 PM

1/5 rounds to “probably” when discussing security.

by 0cf8612b2e1e

4/3/2026 at 5:37:54 PM

The 135k number appears to be pulled out of thin air? No idea where the 65% comes from. The command the post gives to list paired devices isn't correct. These are red flags.

by nickthegreek

4/3/2026 at 7:43:30 PM

It's pretty reasonable though, a lot of OpenClaw instances are hosted on a VPS, this is not unsafe.

My interpretation is that 135k instances are vulnerable, but of those there's more conditions that need to be met, specifically:

These need to be multi-user systems where there are users with 'basic pairing' privileges. Which I don't think is very common, most instances are single-user.

So way less than the 135k number. I think a more accurate title would have been "If you're running OpenClaw, you are probably vulnerable" but not "you probably got hacked", that's just outright false and there's no evidence that the exposed users were ALL hacked.

by TZubiri

4/3/2026 at 5:32:04 PM

More than 25% of users seems like a pretty accurate "probably".

by mey

4/3/2026 at 5:56:06 PM

You know you’re getting into zealot territory when people are arguing semantics over the headline pointing to a zero authentication admin access vulnerability CVE that affects a double-digit percentage of users.

by DrewADesign

4/4/2026 at 7:41:01 PM

Thank you for the reality check. I like to assume people are coming from a certain baseline on HN, but I sometimes forget that certain topics have a passionate user base represented.

by mey

4/4/2026 at 1:07:50 AM

I mean... the reddit OP's comments are obviously AI-generated. It's quite obvious who is being 'zealot" here.

by raincole

4/5/2026 at 2:32:49 AM

> It's quite obvious who is being 'zealot" here.

Nooope. Reread the thread from my comment up: they were arguing about whether that percentage of users warranted saying ‘probably’ in the headline. Nobody was even questioning the numbers at that point. Just people taking it at face value, getting defensive, and trying to minimize what it said.

by DrewADesign

4/3/2026 at 5:57:57 PM

Does it really? Digging up the data from example the 135k instances in the open reeks like bullshit, I would suspect several other claims are exaggerated as well.

by earnesti

4/3/2026 at 6:02:34 PM

> Digging up the data from example the 135k instances in the open reeks like bullshit, I would suspect several other claims are exaggerated as well.

Do you so stringently examine most CVEs? I’ll bet you don’t. Are you a big fan of this project? I’ll bet you are. Do you have any actual data to counter what they said or do you just sort of generally not vibe with it? If so, now would be a great time to break it out while this is still fresh. If not…

by DrewADesign

4/3/2026 at 6:27:07 PM

They are pointing out the data provided does not appear to be real. There is no credible link to this 135k number. They do not need to provide a number, as one does not appear to exist.

by nickthegreek

4/3/2026 at 8:11:39 PM

Well the post was removed so that’s not very promising on their part.

by DrewADesign

4/3/2026 at 5:40:06 PM

Today I learned nobody agrees on what the word "probably" means.

by peacebeard

4/3/2026 at 5:43:49 PM

Ya I thought it meant “more probable than not” ie 50+%.

Otherwise I would say “you may have been hacked” not “you probably have been hacked”.

by SequoiaHope

4/3/2026 at 5:45:22 PM

That is what it means. Unless you're losing an argument on the internet and you need a word to hide behind. ;)

by lwansbrough

4/3/2026 at 5:50:48 PM

You're probably right.

by zephen

4/3/2026 at 5:41:07 PM

Here's a statement that's about 3x as true then:

If you're running OpenClaw, you probably didn't get hacked in the last week.

by furyofantares

4/3/2026 at 5:35:33 PM

The 135k instances is likely not true at all.

by earnesti

4/3/2026 at 7:21:15 PM

This sounds like a classic case of "35% of statistics are made up"

by yonatan8070

4/4/2026 at 1:10:09 AM

Over 50% of people have a below average understanding of statistics.

by koolba

4/4/2026 at 1:03:15 AM

That's funny. In my study it was 70%. Nah, make that 85%.

by sdenton4

4/3/2026 at 5:40:13 PM

It’s also only 65% of those that have zero authentication configured, according to that post (which I have done nothing to confirm or challenge at all… Frankly I wouldn’t touch OpenClaw with a ten foot… cable?) That said, I think it’s far more important to get people’s attention who might otherwise not realize how closely they need to pay attention to CVEs than it is to avoid hyperbole in headlines.

by DrewADesign

4/3/2026 at 5:47:29 PM

Not if this is crying wolf and causing those same people to ignore the very real security risks with using OpenClaw.

by codechicago277

4/3/2026 at 5:49:29 PM

How is 20% of users getting pwned ”crying wolf” by any reasonable measure? This is a zero authentication admin access vulnerability.

by DrewADesign

4/3/2026 at 7:15:20 PM

Because 20% is not “probably got hacked” and overstates the problem for most users.

That doesn’t mean this isn’t a critical vulnerability, and I think it’s insane to run OpenClaw in its current state. But the current headline will burn your credibility, because 80% of users will be fine with no action, and they’ll take future security issues less seriously as a result.

by codechicago277

4/3/2026 at 7:16:20 PM

All the numbers you are using appear to be made up by the reddit poster. I say that as they provided no citation to them (for all I know they got them from an AI). I attempted to verify any of the numbers he used and could not. By exaggerating the numbers he is crying wolf.

by nickthegreek

4/3/2026 at 8:12:34 PM

Well the post was removed so it doesn’t lend a lot of support to their claims.

by DrewADesign

4/3/2026 at 7:06:48 PM

The threads on that /r/sysadmin post sound exactly like every sysadmin I've ever worked with in my career.

by reenorap

4/3/2026 at 5:21:14 PM

Only if your openclaw instance is publicly exposed on the internet... which is not the case for most people

by Simon321

4/3/2026 at 5:26:41 PM

Until recently, this was default configuration

Edit: Default binding was to 0.0.0.0, and if you were not aware of this and assumed your router was keeping you safe, you probably should not be using OpenClaw. In fact some services may still default to 0.0.0.0: https://github.com/openclaw/openclaw/issues/5263

https://github.com/openclaw/openclaw/commit/5643a934799dc523...

by causal

4/3/2026 at 5:28:56 PM

Since pretty much the beginning it wasn't and the documentation explicitly warned not to make it public, exposing it to the internet. It included information on how you can properly forward the gateway port to your machine without opening it up to the internet.

by charcircuit

4/3/2026 at 5:32:14 PM

Not true. So many people love to come out of the woodwork on these openclaw posts who have no first hand knowledge of the software. It is stunning.

by nickthegreek

4/3/2026 at 5:30:05 PM

I have used openclaw pretty long but at no point it has proposed doing anything like that.

by earnesti

4/5/2026 at 8:36:02 PM

It’s possible, and maybe even trivial, to hit a malicious website that tries to connect to the OpenClaw port on your local machine.

A malicious web page runs JavaScript that makes a fetch() or XMLHttpRequest to http://localhost:CLAWPORT — your browser executes that from your machine, so it bypasses your router/firewall entirely. If OpenClaw is listening on localhost with no auth, the browser just connects to it. Same-origin policy doesn’t save you because the request originates from your own machine.

by quietsegfault

4/3/2026 at 5:19:33 PM

I don't think enabling admin on open internet is a default behaviour by any means?

by earnesti

4/4/2026 at 6:54:43 AM

I’m surprised people are still using OpenClaw. I assumed they’d have switched to Nanoclaw or Nemoclaw. Is OpenClaw just that much better, or is it all inertia?

(I’ve never used any of them.)

by chatmasta

4/4/2026 at 7:37:59 AM

I'm using Hermes. The same applies to all agents, don't give it free reign over all your stuff. Run it within a sandbox.

https://github.com/nousresearch/hermes-agent

by Flere-Imsaho

4/4/2026 at 7:19:47 PM

which one is recommended? (on machine - oss)

by claude_sh_1959

4/4/2026 at 9:09:15 AM

NemoClaw is an OpenClaw security wrapper, not a replacement

by jbergqvist

4/4/2026 at 9:55:34 AM

It's shit, but most people don't know better

by awestroke

4/4/2026 at 10:21:57 AM

Which "claw" so you recommended?

by nkzd

4/4/2026 at 12:12:48 PM

None of them, but prefer ones written with engineering rigor and security in mind. Having an unvetted plugin ecosystem with code that runs unsandboxed is laughably naive

by awestroke

4/4/2026 at 12:19:27 PM

The one attached to your arm.

by throwatdem12311

4/10/2026 at 3:13:38 AM

[dead]

by azmz

4/4/2026 at 7:58:46 AM

[dead]

by huflungdung

4/4/2026 at 9:25:49 PM

Open Claw cannot be made "secure" by any normal definition of the word. Unless I'm very much mistaken, fundamentally it's a tool that lets LLMs do stuff.

So you take the output of an LLM, which is obviously impossibly to guarantee correct, and use that to choose a tool and execute it. Like, send an email or whatever. And you take the input for that LLM not only from prompts, and various files, but also your system and random stuff you download from the internet.

I am telling you people, this is lunacy. No good can come of this.

by plasticeagle

4/4/2026 at 2:29:26 AM

Isn't OpenClaw itself a privilege escalation?

by ritcgab

4/4/2026 at 9:32:33 AM

How could it be? Everything it does it does with its caller's privilege. It's not hacking your machine.

Run it as root it will have root caps, run it as ritcgab it will have ritcgab's caps. Same as every other program.

by vntok

4/3/2026 at 6:37:19 PM

If someone could forward the SSH port from my VPS to access my instance, I already had bigger problems.

by kube-system

4/4/2026 at 11:42:11 AM

Steinberger has a vested interest in protecting his, and OpenAIs reputation from the ramifications of serious in-the-wild exploits like this.

Or inviting any legal or regulatory scrutiny.

They don’t even read the code in any serious capacity so excuse me for not taking any assessment of the situation from him too seriously. Might as well just ask Claude Code to assess it yourself.

Welcome to the world vibe coding created. The fun is only just beginning.

by throwatdem12311

4/4/2026 at 4:46:19 PM

> Welcome to the world vibe coding created.

Hard disagree. Vibe coding isn't responsible for people not doing the slightest due diligence when running this (pardon my French) shit. You can vibe code stuff and keep it at a much higher quality. And you can check who did the vibecoding and how they approached it, so the burden also falls on the person running the stuff to understand what they're running. This isn't an enterprise level application that has a full team behind it that had an issue. This is a pandora's box vibecoded overnight for fun, full of stuff we don't even know about, that was opened the moment you touched it with a stick.

by lnenad

4/4/2026 at 5:10:56 PM

In my experience, most garden variety security problems stem from a) the developer not understanding the implications of something (maybe because they’re new, or operating outside of their usual domain,) or b) the developer not paying close enough attention to realize they did something they know is stupid. We’re only human.

Vibe coding obviously doesn’t make something insecure, per se, but saying it doesn’t reduce the attention paid to any given line of code, or encourage less knowledgeable people to write code, seems pretty dubious to me.

The Claude Code team is clearly competent and professional, yet they accidentally published the proprietary source code for one of the world’s hottest products. That’s like a Bank manager walking away with the keys in the door and alarm disarmed. When’s the last time you heard of a human team of developers doing that?

Again, I’m not saying that vibe coding necessarily creates unsafe code, but I don’t see how anyone could say vibe coding was devoid of security implications. I think this is an organizational/logistical problem that we’ll figure out at some point, but in think it’s going to be more of a C buffer overflow ‘figured out’ that never really goes away.

by DrewADesign

4/4/2026 at 8:24:04 PM

Very reasonable take, I agree 100%. But I don't you're putting any responsibility with users of the such very vibe coded apps. OpenClaw was primarily marketed towards devs and people in touch with IT. They should know better.

by lnenad

4/5/2026 at 2:07:45 AM

Sure. I reckon blaming the system for the intentional actions of a few is a great way to avoid individual accountability. Conversely, blaming many individuals for fundamental systemic or leadership problems is a great way to avoid accountability for leaders and systemic beneficiaries. It’s not rational to exclude either.

I’m also not sure that the distinction of dev makes much of a difference in this space because chatbot marketing works pretty damn hard to imply everybody is a prompt away from being a developer. How are those people going to know that they aren’t even qualified to make any given technical decision, let alone evaluate the output of a confident chatbot that’s magically writing programs for them?

by DrewADesign

4/4/2026 at 10:35:14 PM

Vibe coding means you don’t (or can’t) read the code. It does not mean anything an agent writes is vibe coded.. If you’re reviewing the code after the agent writes it, you aren’t vibe coding.

Steinberger has said he doesn’t look at (most) the code.

by throwatdem12311

4/4/2026 at 8:47:09 PM

“It’s not the cars! It’s not the guns! It’s not social media! It’s not vibe coding!”

Right. It’s always the people. They just tend to bodge things. All the time. So when there’s new foot guns, the inevitable will happen.

by whoamii

4/3/2026 at 5:11:05 PM

> 4. System grants admin because it never checks if you are authorized to grant admin

Shipping at the speed of inference for real.

by sva_

4/4/2026 at 6:43:08 AM

> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.

But coding is solved? Why do you need those guys if all they do is use claude code? Just have it solve it overnight. You forgot to prompt "make it secure pls"?

by vasco

4/4/2026 at 11:05:07 AM

They didn't say the "folks" from those companies were engineers! Maybe it's a group of PMs from Nvidia, ByteDance, Tencent and OpenAI that are working to harden the codebase.

by tdeck

4/4/2026 at 11:10:05 AM

nearly spit out my coffee, thank you!

by greenchair

4/4/2026 at 6:03:03 PM

ofc it's software engineers.

by steipete

4/6/2026 at 5:38:51 PM

[dead]

by yojimbo117

4/4/2026 at 7:03:18 AM

Coding is solved, but problems with code is not yet solved.

by rolisz

4/4/2026 at 11:05:54 AM

I think I'm pretty good at cooking, but still working on the part where it tastes like food and doesn't make you violently ill.

by tdeck

4/4/2026 at 8:47:54 AM

Surely you must realise the absurdity of that statement

by parchley

4/4/2026 at 1:40:52 PM

I am pretty sure they were being sarcastic.

by prerok

4/4/2026 at 2:39:39 PM

The Rubik’s cube is solved but the problem with some sides being multiple colors is not solved

by ex-aws-dude

4/4/2026 at 3:49:13 PM

> But coding is solved?

My belief, is the people who post this quote thinking it's some big win are the same people who are upset they can't post "stochastic parrot" anymore.

And we all saw how that went.

by BoiledCabbage

4/4/2026 at 1:27:53 PM

Who cares man, the sloppiest and shittiest software ever written has yet another CVE. This is not worth discussing.

by acedTrex

4/3/2026 at 7:24:44 PM

With respect...Security through obscurity is dead. We are approaching the point where only formally verified (for security) systems can be trusted. Every possible attack will be attempted. Every opening will be exploited, and every useful combination of those exploits will be done.

LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.

by rossjudson

4/3/2026 at 5:20:43 PM

Think of all the people that are too ignorant to even understand the basics of any of this that are running OpenClaw. They will be completely unaware and attackers can easily hide their tracks by changing system prompts (among plenty of other things).

This is bad.

by throwatdem12311

4/5/2026 at 1:25:30 AM

Why is it bad? I think they deserve what's getting to them. And frankly the AI hype needs an ugly episode to simmer things down.

by fg3fgq

4/3/2026 at 5:55:32 PM

Honest question: What do people actually USE OpenClaw for? The most common usage seems to be "it reads your emails!", that's the exact opposite of "exciting"...

by sunaookami

4/3/2026 at 6:15:46 PM

I've only been playing with it recently ... I have mine scraping for SF city meetings that I can attend and public comment to advocate for more housing etc (https://github.com/sgillen/sf-civic-digest).

It also have mine automatically grabs a spot at my gym when spots are released because I always forget.

I'm just playing with it, it's been fun! It's all on a VM in the cloud and I assume it could get pwned at any time but the blast radius would be small.

by sgillen

4/3/2026 at 6:26:53 PM

>It also have mine automatically grabs a spot at my gym when spots are released because I always forget.

seems far more efficient/reliable to get codex/claude code to write and set up a bot that does this.

by gruez

4/3/2026 at 7:29:06 PM

>set up a bot that does this

But he already did this. With a bonus of it will continue to work in the future if something breaks or changes. Human time is more precious than computing resources nowadays.

by Sargos

4/5/2026 at 3:59:42 AM

> seems far more efficient/reliable to get codex/claude code to write and set up a bot that does this.

I think Simon Willison said it best some weeks ago: He's capable of writing a bot like this - both before and after LLMs came on the scene. However, the reality is he never wrote one, despite wanting to many times.

Yet in just 2-3 weeks of using OpenClaw[1], I did this a few times.

Recall a year or so ago in the early days of vibe coding when people kept saying "I don't need AI to write code. It does a crap job and I can do it myself. Who needs LLMs to do it?" - You'd get lots of people countering with "Oh, in a few weeks I've written lots of automations that I'd been thinking about for months/years - that I likely would never have written without AI coding tools".

The key is the lower barrier to producing something. OpenClaw is to using CC to write that bot as using CC was to writing code by hand. I can be doing work, shopping, etc and when an idea pops into my head, I casually send a note to my Claw instance (voice or text) asking it to look into it or try making it. It doesn't do a great job, but the expectations of success are similarly low. But when it does do precisely what you need it to: Oh boy, you're happy that it saved you time, etc.

[1] I no longer run it, for very boring reasons.

by BeetleB

4/3/2026 at 6:26:48 PM

[flagged]

by mvdtnz

4/3/2026 at 6:28:07 PM

No? The comment was admittedly ambiguous but if you go to repo it's far clearer:

>I use it to give me a weekly digest of what happened in my neighborhood and if there are any public hearings or trash pickups I might want to attend.

by gruez

4/3/2026 at 6:33:34 PM

that does not seem like something you need an 'autonomous' agent for.

by WhrRTheBaboons

4/3/2026 at 6:38:56 PM

What would you propose as an alternative?

Anything not relying on an LLM likely means having to write bespoke scripts. That's not really worth the time, especially when you want summaries and not having to skim things yourself.

Going from doing it manually on a regular basis to an autonomous agent turns a frequent 5-15 minute task into a 30 second one.

by Sohcahtoa82

4/3/2026 at 6:48:55 PM

> Anything not relying on an LLM likely means having to write bespoke scripts.

The very first line in your readme is "CivicClaw is a set of scripts and prompts" though? And almost the entire repo is a bunch of python scripts under a /scripts folder.

I looked at one randomly chosen script (scripts/sf_rec_park.py) and it's 549 lines of Python to fetch and summarise data that is available on an RSS feed ( https://sanfrancisco.granicus.com/ViewPublisher.php?view_id=... )

by mvdtnz

4/3/2026 at 7:03:22 PM

Parent isn't saying that bespoke scripts are bad, just that it's not worth their time to write them. The value of the bot is that it can do that for you.

by Gracana

4/3/2026 at 6:43:30 PM

They've created a public bulletin board for themselves, like a café's blackboard, or a city telephone pole.

by butlike

4/3/2026 at 6:39:24 PM

I use it for a side project. I just put it on VPS, and then it edits the code and tests it. The nice thing is that I can use it on the go whenever I have spare moment. It is addictive, but way better addiction than social media IMO.

The thing where you give it access to all your personal data and whatever I haven't done and wouldn't do.

by earnesti

4/4/2026 at 12:22:51 PM

I can do this with Claude Code from my phone. What’s the difference?

by throwatdem12311

4/3/2026 at 7:25:59 PM

I use it to manage a media server. And use natural language to download movies and series. Also I use to for homeassistant so I csn use natural language for vacuuming the house and things like that. I do use it for a number of other tasks but those are the most partical.

by knights_gambit

4/3/2026 at 8:03:33 PM

Good use cases, but I do want to point out that you can do all of that with HA itself. Are you using skills to talk to *arr services?

by nickthegreek

4/3/2026 at 6:35:55 PM

Agent based chron jobs mostly that work with other agents. It’s really nice if you want to tell your computer to do something repeatedly or in confluence with many other agents in a very simple way. Like check my email for messages from Nadia and send me a notification and turn on all the lights in my driveway when she gets there without having to actually get into the nuts and bolts of implementing it. It’s actually really powerful and probably what Siri should be.

by dyauspitr

4/4/2026 at 3:39:21 AM

I think this is close to the head of the nail. It kinda unlocks handling novelish asks that previous siri/alexa just couldnt handle. As long as a thing has well documented api spec then it instantly is usable. This makes the clawbot flow extraordinarily more useful.

I think devs are too focused on the technical what did u build with it.

For example. My brother runs a small recruiting agency. Super nontechnical. Out of nowhere he asks me about openclaw. Then with no help, he sets it up and uses it. Still no help, he has all kinds of nonsense hooked up and running blowing through tokens. He is blown away by it and wants to get it for all of his employees. He thinks about it in terms of cost per min running and not in tokens.

This is the sticky gooey value to whatever openclaw is doing.

by rustystump

4/3/2026 at 8:11:52 PM

I don't use this one, but a simpler one, also running on a vps. I communicate via telegram.

I say to it: check my pending tasks on Todoist and see if you can tackle on of those by yourself.

It then finds some bugs in a webapp that I took note. I tell it to go for it, but use a new branch and deploy it on a new url. So it clones the repo, fix it, commit, push, deploy, and test. It just messages me afterwards.

This is possible because it has access to my todoist and github and several other services.

by rubslopes

4/3/2026 at 8:22:44 PM

I use it mostly for the crons, it runs a personal productivity system that tracks my tasks, provides nudges, talks through stuff etc. It's all stored in an Obsidian vault that syncs to my desktop. I don't use it to control email/calendars or other agents.

by operatingthetan

4/4/2026 at 9:48:09 AM

I give it monumental tasks. For example, I will write massive markdown files describing all the features I want to see in an application, and I will use a standard AI chatbot to check my work and consider additional details. Finally, when I have everything written down, I upload it to OpenClaw and tell the agent to make it happen.

Sometimes it toils away for 2+ hours, spawning Claude Code instances, checking its work, testing the code, even using browser automation to make sure everything works the way it is supposed to if it's writing a webapp.

In the end, it consumes like $10-20 worth of tokens and spits out a functional application with everything I asked for.

Claude Code can do this on its own, to an extent, but there's something about getting OpenClaw to iterate through multiple sessions and testing everything to make sure it works the way I described that I really like. It completely offloads the process to the AI, and keeps me mostly out of the loop.

Is the code any good? Probably not. Am I at risk of being exploited by malware? Probably. But I have automated quite a lot of things with the software that OpenClaw builds for me, and I am careful to review the libraries it imports before running the code on any machine with actual access to anything I actually care about.

Personally, anyone using OpenClaw for the "it reads your emails" use case is crazy, because prompt injection is real, and you're basically inviting anyone who knows your email address to take a stab at pwning you, with full access to your personal life. I keep my instances on a VPS, behind a restrictive security group, and only accessible via Tailscale where it has zero access to anything on my tailnet. I only recently gave it its own email account (not mine!), but even then I am skeptical of doing so, and take efforts to prevent it from taking action on any email it receives (e.g., disabling the Heartbeat) because who knows what it'll end up doing. I mostly like that it can email me if I ask it to.

by RIMR

4/3/2026 at 8:51:23 PM

I was asked by someone recently to try to set up an OpenClaw that would search for ordinances and other land registry information for all 3000+ counties/parishes in the USA to obtain and distill specific details on their support for building tiny homes.

by qingcharles

4/4/2026 at 4:09:33 AM

What is OpenClaw doing here that Claude Desktop or Claude Code couldn't do?

by mvdtnz

4/4/2026 at 5:42:09 AM

Claude Desktop and Code are built for synchronous, human-in-the-loop interactions. Scraping 3000 janky municipal websites, you need a "fire-and-forget" background worker. Claw lets you kick off a massive job and just get a ping when it's done.

I'd also instantly hit Claude Desktop's rate limits with this I reckon. Since Claw uses APIs, you bypass those limits and can route the messy scraping to cheap models, saving expensive ones for the actual analysis. It also handles Playwright integration and state persistence out of the box so a crash doesn't wipe your progress.

If I'm wrong, I'm open to learning. I'm as new to this as everyone :)

by qingcharles

4/4/2026 at 8:11:35 AM

I would first automate everything with scripts, and only use an agent for the parts that require it.

For example you mentioned playwright? That can be automated. It doesn’t need to be a free form tool that the agent uses at will.

If that means the scripts need to be adopted to changes, then that’s a separate, controlled workflow.

This approach can save you a ton of tokens, increasee reliability and observability, and it saves compute as well.

Sometimes it‘s useful to let the agent do things fully agentic, so you can then iteratively extract the deterministic parts.

by dgb23

4/3/2026 at 8:24:39 PM

I am experimenting prompt injection on OpenClaw [0][1], quite exciting.

[0] https://itmeetsot.eu/posts/2026-03-27-openclaw_webfetch/

[1] https://itmeetsot.eu/posts/2026-03-03-openclaw3/

by veganmosfet

4/3/2026 at 9:55:37 PM

Awesome and very interesting posts, thanks for sharing! Always reminds me of the "lethal trifecta": https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

by sunaookami

4/4/2026 at 9:48:40 AM

You're welcome!

My main takeaway message is: models (even opus4.6) do not follow security "instructions" reliably. In OpenClaw, they added security warnings, tags, random IDs... None of these countermeasures work reliably. Even sandboxing can be escaped (not in the classical sense using vulnerabilities, but using multi-layered prompt injection payload with natural language only)[0]. As soon as untrusted content is injected in the context, do not trust any actions downstream.

[0] https://itmeetsot.eu/posts/2026-02-15-openclaw_sandbox/

by veganmosfet

4/4/2026 at 9:39:49 PM

What do you think about CaMeL and similar approaches?

https://simonwillison.net/2025/Apr/11/camel/

by cornholio

4/5/2026 at 7:20:47 AM

Good question.

CaMeL is imho safer, but hard to implement into modern agents like OpenClaw. Its core idea is that a privileged LLM plans from the (trusted) user request only, while a restricted interpreter executes that plan (and enforces policies). Untrusted content is parsed separately and is not fed back into the privileged LLM.

Modern agents are useful exactly because they run a feedback loop (observe, reason, adapt, use tools, repeat). CaMeL breaks that loop, which improves security but makes it a poor fit for highly general agents like OpenClaw.

by veganmosfet

4/3/2026 at 7:58:00 PM

so far, I've used it to kill a bunch of time trying to get it to respond to "Hi @Kirk" in a private Slack channel.

...and to laugh a little every time it calls me "commander" or asks "What's the next mission?" or (and this is the best one) it uses the catchphrase I gave it which is "it's probably fine" (and it uses it entirely appropriately...I think there must have been a lot of sarcasm in qwen 3.5's training data)

and I've treated it like it's already been compromised the whole time.

by FrameworkFred

4/3/2026 at 8:01:31 PM

So basically an eggdrop like we had in the 90s except, by the sounds of it, less useful and considerably less fun.

by globular-toast

4/3/2026 at 8:04:59 PM

Having this in a discord is actually like having an eggdrop on steroids. I would of lost my mind having this on efnet in the late 90s.

by nickthegreek

4/3/2026 at 6:44:28 PM

my claw controls my old M2 mac, mostly my claw uses Claude code to code

by franze

4/3/2026 at 7:26:16 PM

So you're using a different llm to control claude code to get around the Anthropic TOS about openclaw usage?

by operatingthetan

4/3/2026 at 7:47:10 PM

At this point I'm personally lost, unless GP's comment wasn't some sort of satire (which would be valid, this being a topic about AI).

by paganel

4/3/2026 at 6:05:58 PM

Assuming you're asking in good faith, IMHO the deeper story around OpenClaw is that it's the core piece of a larger pattern.

The way I'm seeing folks responsibly use OpenClaw is to install it as a well-regulated governor driving other agents and other tools. It is effectively the big brain orchestrating a larger system.

So for instance, you could have an OpenClaw jail where you-the-human talk to OpenClaw via some channel, and then that directs OpenClaw to put lower-level agents to work.

In some sense it's a bit like Dwarf Fortress or the old Dungeon Keeper game. You declare what you want to have happen and then the imps run off and do it.

[EDIT: I truly down understand sometimes why people downvote things. If you don't like what I'm saying, at least reply with some kind of argument.]

by _doctor_love

4/3/2026 at 6:28:12 PM

You're probably being downvoted because you didn't answer the question. The questioner specifically asked what people are using it for and you answered by describing your technical setup. What we want to know is, what are you actually achieving with this tool?

by mvdtnz

4/3/2026 at 6:28:04 PM

First words out of your mouth are to accuse OP of not seriously asking the question. Then you write paragraphs saying nothing much at all. You could have simply answered the question in a simple straightforward manner.

by PKop

4/3/2026 at 6:27:26 PM

So I neither downvoted nor upvoted you, but I think people may be downvoting, in addition to the fact that they just don't like the thing, based on the fact that you didn't directly answer the question. Specifically, what are you using it for, not what hypothetically it would be used for.

by j-bos

4/3/2026 at 8:18:59 PM

Man, all the replies to my comment. Do you guys know how to fucking read?

by _doctor_love

4/3/2026 at 8:50:32 PM

You have yet to answer the original question - what do you actually do with OpenClaw? A concrete example of something that actually happens, not a system architecture description.

by the_pwner224

4/3/2026 at 8:58:57 PM

Name 2 things you actually do with OpenClaw. And don't swear in your response.

by PKop

4/4/2026 at 12:48:38 PM

[dead]

by bongripper

4/3/2026 at 7:02:25 PM

[flagged]

by emptysongglass

4/3/2026 at 7:27:47 PM

[flagged]

by equasar

4/3/2026 at 7:29:51 PM

Why don't you try it yourself instead of making uninformed claims

by emptysongglass

4/3/2026 at 9:02:35 PM

Why would I do that? I am entirely good using LLMs like Claude building tools for me. There's no use case for OpenClawthat I am aware of can replace of what I have/need.

I think it makes my point strong, people who uses OpenClaw, might be lazy on how to do things properly with LLMs.

by equasar

4/3/2026 at 7:31:45 PM

[flagged]

by DonHopkins

4/3/2026 at 7:24:00 PM

Before I decide to shoot up smack, I like to ask junkies what the whole heroin experience is like, what they use it for, and how it has affected their lives.

Nina Hagen - Smack Jack

https://www.youtube.com/watch?v=nIDnN34ZZaE

>Smack Ist Dreck, Stop It Oder Verreck!

by DonHopkins

4/3/2026 at 7:31:09 PM

So you're comparing a generic tool you can tailor to your own needs to drugs?

This is exactly why I have zero interest in engaging with people over this topic.

by emptysongglass

4/3/2026 at 7:32:35 PM

[flagged]

by DonHopkins

4/3/2026 at 6:02:06 PM

[flagged]

by browningstreet

4/3/2026 at 6:15:39 PM

Obviously I already searched the web (not specifically HN I must admit) and there were always incredibly generic non-answers that ultimately say nothing (and they assume you have 3000$ per month or 2000 Mac Minis on your desk (hyperbole)).

by sunaookami

4/3/2026 at 6:24:45 PM

Incredibly, one of the responses you got already is exactly one of those replies that says nothing. There's a whole bunch of words that don't actually answer the question.

by ziml77

4/3/2026 at 6:26:43 PM

I think you’ve got your answer, then. If nobody can tell you what it’s really used for, it likely doesn’t have any real use cases.

by emp17344

4/3/2026 at 6:07:49 PM

yeah I don't normally say "read previous HN articles" but it has been asked at least once in every article here.

by freedomben

4/5/2026 at 9:59:15 AM

[dead]

by Serberus

4/3/2026 at 6:26:16 PM

The root issue is that OpenClaw is 500K+ lines of vibe coded bloat that's impossible to reason about or understand.

Too much focus on shipping features, not enough attention to stability and security.

As the code base grows exponentially, so does the security vulnerability surface.

by machinecontrol

4/3/2026 at 8:21:00 PM

We detached this subthread from https://news.ycombinator.com/item?id=47629849 and marked it off-topic.

by tomhow

4/4/2026 at 6:56:36 PM

I can't really think of a more on topic comment. The thread is about a security issue and the comment is about the quality of the codebase.

by globular-toast

4/4/2026 at 11:09:03 PM

The comment is a generic vent about the project’s codebase and development approach, not an effort to engage in curious conversation about this vulnerability. Also, I consider it to be in breach of the guidelines about fulmination, swipes/sneers, and curmudgeonliness.

by tomhow

4/5/2026 at 6:17:22 AM

The comment doesn't even seem to contain opinion. It's simply objectively true. Let's be honest, you just didn't like the way it was directly calling out the author for writing shitty software. Responsibility is a thing and the author is displaying none of it.

by globular-toast

4/5/2026 at 7:30:05 AM

I don’t know or care whether it’s “objectively true”. That style of commenting, i.e., “calling out the author” is not what HN is for, regardless of the truthfulness of the comment. You’ve been around long enough to know that. HN is for curious conversation between hackers, i.e., people who like to build things. Attacking people for building things in some kind of “wrong” way is not cool here. “Responsibility” is not mentioned in the guidelines but kindness is.

by tomhow

4/7/2026 at 12:03:46 PM

Isn't the development approach part of the reason that this exploit occurred? The creator openly admitted that they weren't properly reviewing code when describing the project previously. With no engineers who have domain knowledge of the app (because the developers are AI) that leaves a wide gap for exploits to appear.

I feel like just filtering this comment out is a mistake. I use AI, and I think there is a place for it, but if a colleague said "Here's a PR, I didn't even review it" I'd send it back and say "Well you better review it!"

How AI is used is 100% a topic for debate, ranging from "All AI is bad" to "there will be no coding, just vibes". You agree with this right? That there are a range of developers who believe different things all along this spectrum, and that for some developers un-reviewed code is the CAUSE of bad code.

by jamesjansson

4/3/2026 at 6:44:21 PM

The current OpenClaw GitHub repo [1] contains 2.1 million lines of code, according to cloc, with 1.6M being typescript. It also has almost 26K commits.

[1] https://github.com/openclaw/openclaw

by williamstein

4/4/2026 at 9:00:02 AM

wow, this repo seems to get something like 100 commits an hour based on just scrolling through the recent ones.

by asddubs

4/5/2026 at 1:18:44 PM

and none of them pass the hallucinated CI pipeline. I don't know if I want to drive flying cars if there's no guarantee of it not exploding in midair.

by MarchApril

4/3/2026 at 6:49:42 PM

There are like 10 openclaw clones out there. If you prefer security over features, just pick up another one.

by earnesti

4/3/2026 at 8:10:42 PM

They exist; are any of them secure?

by crustaceansoup

4/4/2026 at 5:34:17 AM

Or you can just make your own. The core pattern is not difficult to clone.

by yoyohello13

4/3/2026 at 6:33:30 PM

[flagged]

by dyauspitr

4/3/2026 at 6:35:40 PM

Aside from "exponentially" being hyperbolic, which part is unsubstantiated?

by Retr0id

4/4/2026 at 9:19:34 PM

That vibe coded automatically means it’s “bad”.

by dyauspitr

4/3/2026 at 6:38:31 PM

This is a vibe based comment. It’s a generic attack with no meat.

by pezo1919

4/4/2026 at 2:09:32 PM

[dead]

by jeremie_strand

4/4/2026 at 3:23:35 AM

[dead]

by redoh

4/3/2026 at 6:16:08 PM

[flagged]

by hyperlambda

4/3/2026 at 8:12:34 PM

[flagged]

by roangeller

4/3/2026 at 8:06:00 PM

[dead]

by RodMiller

4/4/2026 at 4:41:41 PM

[flagged]

by dfir-lab

4/3/2026 at 6:58:38 PM

[flagged]

by n1tro_lab

4/3/2026 at 7:01:50 PM

[dead]

by jeremie_strand

4/4/2026 at 12:03:07 AM

[stub for offtopicness and general piling-on behavior, which we don't want on this site]

[[attacking project creators when they show up to discuss their work is particularly harmful; please don't ever do that here]]

[[[if you posted any of these, we'd appreciate it if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules from now on]]]

by dang

4/3/2026 at 7:50:27 PM

[flagged]

by rybosome

4/3/2026 at 11:53:26 PM

Please make your substantive points without crossing into personal attack. Your comment would be fine but for the paragraph in the middle where it does that.

https://news.ycombinator.com/newsguidelines.html

by dang

4/4/2026 at 12:41:51 AM

Understood, thanks.

by rybosome

4/4/2026 at 4:02:56 AM

Appreciated!

by dang

4/3/2026 at 6:18:34 PM

[flagged]

by plestik

4/3/2026 at 8:22:01 PM

We detached this subthread from https://news.ycombinator.com/item?id=47629849 and marked it off-topic.

by tomhow

4/3/2026 at 10:21:57 PM

Why?

by plestik

4/3/2026 at 10:55:29 PM

It breaks several guidelines:

Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.

Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.

Please don't fulminate. Please don't sneer.

Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.

The guidelines still apply, even if you feel negatively towards a project and its creator. Indeed it's even more important to make the effort to heed the guidelines for topics you feel negatively towards (after all, it's easy to be respectful about things we feel positively towards).

https://news.ycombinator.com/newsguidelines.html

by tomhow

4/4/2026 at 8:17:12 AM

Thanks for explaining, is this mostly about replying directly to the person involved in the project? Compared to e.g. a comment in a thread about OpenClaw without replying directly to the creator? Just trying to figure out where the line is, I do think snark is a valid form of criticism sometimes but it's your house after all.

by plestik

4/5/2026 at 1:15:12 AM

That comment would be a guidelines breach on HN, whether or not it was in reply to the project creator. It gives off just the kind of negativity that HN has always aimed to avoid. Even if we don't always succeed in avoiding it, the guidelines represent an ideal that we work to uphold every day.

> Just trying to figure out where the line is

It's not really about a line, it's about the qualitative style of discussion we’re here for. HN is for people who like to build things and work on interesting new projects, and have curious conversations about what they're building. Projects that are new and built in different ways than what has come before will always be easy to criticise from a position of conformity to historical conventions, but if we all thought that way, nothing new would ever be built.

> I do think snark is a valid form of criticism sometimes

Not on HN. Thoughtful criticism is fine, and the very first two words of the “In Comments” section of the guidelines are “be kind”.

> but it's your house after all

That's not how we think about it. We’re custodians of this place and our role is to keep it a healthy place for discussion among intellectually curious hackers. It takes daily work and effort to uphold the guidelines and keep the standards up so that it doesn’t become the hellscape of negativity that it's often stereotyped as being.

by tomhow

4/5/2026 at 3:37:23 PM

For me I think this veers dangerously close to tone policing. I don't think you have to always be extremely civil in the face of what you consider moral bankruptcy. But I can also understand that it creates a vicious cycle so I can appreciate your position here.

by plestik

4/5/2026 at 11:49:21 PM

Thanks for the discussion and (partially) understanding :)

The use of terms like “moral bankruptcy” is exactly what the guidelines ask us to avoid, indeed explicitly so with the phrase “Assume good faith”.

Part of the challenge of participating on HN is to be able to come into contact with people who see and do things differently (including building software projects in a way that's different from the way we consider proper) and find a way to recognize that they are still acting in good faith and deserving of basic courtesy.

by tomhow

4/3/2026 at 6:38:30 PM

> There used to be a time where people who shipped CVEs took accountability.

I see you haven't heard of Microsoft...

by inetknght

4/3/2026 at 7:44:10 PM

[flagged]

by orsorna

4/3/2026 at 7:03:15 PM

What time was that and who do we get to blame for Log4j?

by ua709

4/3/2026 at 6:24:54 PM

Have you met these AI companies yet?

by lp0_on_fire

4/3/2026 at 6:29:20 PM

[flagged]

by rob

4/3/2026 at 6:58:17 PM

- "OpenClaw, read the code"

- "You're absolutely right. One should read and understand their own code. I did, and it looks great"

by rdtsc

4/3/2026 at 7:48:06 PM

I'm critical of OpenClaw and even the author to some extent, but I prefer to have nuanced and compartmentalized conversations, on a thread about a specific vulnerability, it's much more productive to talk about the specific vulnerability rather than OpenClaw as a whole. Otherwise we would only have generic OpenClaw conversations and we would only be saying the same thing.

by TZubiri

4/3/2026 at 8:15:39 PM

The comment could have been more substantive but it isn't generic or tangential. Discussing a vulnerability ultimately means discussing the failures of process that allowed it to be shipped. Especially with these application-level logic bugs that static analyzers can't generally find, the most productive outcome (after the vulnerability is fixed) is to discuss what process changes we can make to avoid shipping the next vulnerability. I'm sure there's hardening that can be done in OpenClaw but the premise of OpenClaw is to integrate many different services - it has a really large attack surface, only so much can be done to mitigate that, so it's critical to create code review processes that catch these issues.

OpenClaw is probably entering a phase of it's life where prototype-grade YOLO processes (like what the tweet describes) aren't going to cut it anymore. That's not really a criticism, the product's success has over vaulted it's maturity, which is a fortunate problem to have.

by maxbond

4/3/2026 at 5:21:18 PM

[flagged]

by fraywing

4/3/2026 at 5:23:02 PM

But this is nothing to do with the agent being tricked. This is ordinary old-fashioned code being tricked!

by jstanley

4/3/2026 at 5:57:46 PM

But was the code written by an agent? It's agents all the way down

by paulhebert

4/3/2026 at 5:26:39 PM

[dead]

by fraywing

4/3/2026 at 7:15:52 PM

If you're running OpenClaw, you already threw security and reliability out the window by running LLMs on the command line. It's a bit late to start worrying now.

by bigstrat2003

4/3/2026 at 5:03:56 PM

[flagged]

by podgorniy

4/3/2026 at 5:18:36 PM

Your comment is obviously against the rules, but I read it as: Why are people not more careful? This is some unknown, app, with unknown, unvetted depths, and you only like it because other people say it's shiny and AI. It made you giddy, and you forgot that giving a tool permissions is an invitation to hackers. Well, you went ahead and ignored all common sense, and here we are.

by tgv

4/6/2026 at 10:24:48 AM

There are many "right" ways to read my comment. Reading it says more about reader than the writer.

And yes, most probably I violated some spoken/unspoken rules and ready to bear consequences.

--

Common sense abotu security has shifted significantly. You're (me including) with out common sense of security are in minority today. We're uncommon. Wait till people start questioning such stance.

--

I just was reading docs on plugin for toddlywiki which makes gives it multiuser support and lan accessibility. The level of awarness of the risks of opening your tw server (i't like 5-ish years ago) to LAN is almost read like a satire from where we're today.

by podgorniy

4/3/2026 at 6:36:01 PM

[flagged]

by popalchemist

4/3/2026 at 7:15:40 PM

[flagged]

by LucidLynx

4/3/2026 at 9:04:18 PM

[dead]

by ponector

4/3/2026 at 4:56:51 PM

[flagged]

by deadbabe

4/3/2026 at 6:51:54 PM

Hanlon's Razor

https://en.wikipedia.org/wiki/Hanlon%27s_razor

by butlike

4/3/2026 at 10:58:13 PM

That razor is poorly understood. It’s not malice if it can be explained by stupidity. In this case it’s not explained by stupidity, as the guy who made OpenClaw is very smart. Therefore, it can only be malice.

by deadbabe

4/3/2026 at 5:05:54 PM

In this case I'd say that it was made not to enable that, but in total disregard of its realistic uses and risks. In a sense this is less... deliberate poisoning, and more doing a bad job cutting heroin with fentanyl for distribution. Yeah the result is the same, but the cause is negligence to the point of parody rather than outright malice.

by EA-3167

4/3/2026 at 5:25:54 PM

Some people are so stupid it is indistinguishable from evil.

by throwatdem12311

4/3/2026 at 5:05:57 PM

What reason would Steinberger have for doing that? It was his hobby project.

by cactusplant7374

4/3/2026 at 5:19:36 PM

[dead]

by crazy5sheep

4/3/2026 at 5:25:00 PM

You can’t think of a single reason?

Intelligence asset.

Useful idiot.

Plenty of reasons.

by throwatdem12311

4/3/2026 at 5:22:14 PM

He doesn't need a reason. He could have been captured by intelligence after the fact.

by asdff

4/3/2026 at 10:35:53 PM

[dead]

by 8593376393

4/3/2026 at 7:27:32 PM

[flagged]

by hmokiguess

4/3/2026 at 5:47:45 PM

[flagged]

by neya

4/3/2026 at 9:07:10 PM

If you considered using it in the first place, reports of security vulnerabilities wouldn't concern you.

by imiric

4/3/2026 at 6:45:44 PM

“It’s OK to be hacked until everyone is getting hacked.”

by pezo1919

4/3/2026 at 6:23:03 PM

[flagged]

by mvdtnz

4/3/2026 at 7:25:23 PM

[flagged]

by equasar

4/3/2026 at 8:15:26 PM

You can't comment like this on Hacker News. The guidelines make it clear we're trying for better than this. https://news.ycombinator.com/newsguidelines.html

We detached this comment from https://news.ycombinator.com/item?id=47629849 and marked it off topic.

by tomhow

4/3/2026 at 8:16:02 PM

[flagged]

by sbochins

4/3/2026 at 11:49:54 PM

Please don't cross into personal attack. It destroys what this site is for, and you can always make your substantive points without it.

https://news.ycombinator.com/newsguidelines.html

by dang

4/4/2026 at 12:04:47 AM

Didn‘t know that pointing out a lack of accountability is seen as personal attack.

Who wants the fame must also take the blame.

Especially if they create a dangerous tool.

by croes

4/4/2026 at 12:08:27 AM

We don't want mobs on HN. There was very clearly a mob dynamic happening in the replies.

Edit: there was another case of this recently:

https://news.ycombinator.com/item?id=47576107

https://news.ycombinator.com/item?id=47576084

The point is that mob dynamics do more damage to the community than the threads add value, and protecting the community has to be the high-order bit.

by dang

4/3/2026 at 6:36:48 PM

Guys, OpenClaw is a toy, that's it!

by pym4n

4/4/2026 at 3:06:58 AM

[dead]

by jeremie_strand

4/3/2026 at 8:26:32 PM

[flagged]

by gloosx

4/4/2026 at 3:22:26 PM

[flagged]

by eager_learner

4/3/2026 at 5:18:20 PM

Really? Posting AI generated Reddit post with no sources or anything?

by gos9

4/3/2026 at 5:22:57 PM

The link mentions the CVE, here's the link https://nvd.nist.gov/vuln/detail/CVE-2026-33579

by hmokiguess

4/4/2026 at 12:01:28 AM

Thanks! We've changed the top URL to that from https://old.reddit.com/r/sysadmin/comments/1sbdw29/if_youre_..., but I'll put the latter in the toptext.

by dang

4/3/2026 at 6:01:03 PM

if would be good if we could have the submission including this link at the top

by dijksterhuis

4/3/2026 at 5:21:02 PM

The CVE seems to be real.

by tgv

4/3/2026 at 5:22:05 PM

[flagged]

by blharr

4/3/2026 at 5:39:18 PM

Flag then move to the next one

by dgellow

4/3/2026 at 5:26:43 PM

As if the non-Reddit links aren’t majority AI slop already.

by throwatdem12311

4/3/2026 at 8:23:57 PM

The Ludditism in this thread, and the linked thread, is shocking.

by throwpoaster

4/4/2026 at 5:45:27 AM

We need a new word for people who use the word ‘Luddite’ to refer to ‘reasonable concern over the reckless use of new technology’.

by yoyohello13

4/4/2026 at 7:02:57 AM

Yolos?

by mememememememo

4/3/2026 at 10:12:14 PM

Is it Ludditism to not want to get PWNed spending $3k a month?

by weakfish

4/4/2026 at 2:43:02 AM

Setting it up that way is a choice a user would have to make. Just set it up on an oauth or budgeted api and not be an idiot. Setup additional guardrails in OC if you think are necessary.

by nickthegreek

4/3/2026 at 11:05:34 PM

Yes.

All new technology has issues. Figure it out.

Especially if you're spending $3k per month on inference, have the model fix the agent.

I suppose the idea is to wait for someone else to productize it.

Lazy.

by throwpoaster

4/3/2026 at 10:56:21 PM

[dead]

by 8593376393