I also have mine automatically grab a spot at my gym when spots are released because I always forget.
I'm just playing with it, it's been fun! It's all on a VM in the cloud and I assume it could get pwned at any time but the blast radius would be small.
seems far more efficient/reliable to get codex/claude code to write and set up a bot that does this.
The thing where you give it access to all your personal data and whatever I haven't done and wouldn't do.
I think devs are too focused on the technical "what did you build with it".
For example. My brother runs a small recruiting agency. Super nontechnical. Out of nowhere he asks me about openclaw. Then with no help, he sets it up and uses it. Still no help, he has all kinds of nonsense hooked up and running blowing through tokens. He is blown away by it and wants to get it for all of his employees. He thinks about it in terms of cost per min running and not in tokens.
This is the sticky gooey value to whatever openclaw is doing.
I say to it: check my pending tasks on Todoist and see if you can tackle one of those by yourself.
It then finds some bugs in a webapp that I took note of. I tell it to go for it, but use a new branch and deploy it on a new URL. So it clones the repo, fixes it, commits, pushes, deploys, and tests. It just messages me afterwards.
This is possible because it has access to my todoist and github and several other services.
Sometimes it toils away for 2+ hours, spawning Claude Code instances, checking its work, testing the code, even using browser automation to make sure everything works the way it is supposed to if it's writing a webapp.
In the end, it consumes like $10-20 worth of tokens and spits out a functional application with everything I asked for.
Claude Code can do this on its own, to an extent, but there's something about getting OpenClaw to iterate through multiple sessions and testing everything to make sure it works the way I described that I really like. It completely offloads the process to the AI, and keeps me mostly out of the loop.
Is the code any good? Probably not. Am I at risk of being exploited by malware? Probably. But I have automated quite a lot of things with the software that OpenClaw builds for me, and I am careful to review the libraries it imports before running the code on any machine with actual access to anything I actually care about.
Personally, anyone using OpenClaw for the "it reads your emails" use case is crazy, because prompt injection is real, and you're basically inviting anyone who knows your email address to take a stab at pwning you, with full access to your personal life. I keep my instances on a VPS, behind a restrictive security group, and only accessible via Tailscale where it has zero access to anything on my tailnet. I only recently gave it its own email account (not mine!), but even then I am skeptical of doing so, and take efforts to prevent it from taking action on any email it receives (e.g., disabling the Heartbeat) because who knows what it'll end up doing. I mostly like that it can email me if I ask it to.
[0] https://itmeetsot.eu/posts/2026-03-27-openclaw_webfetch/
...and to laugh a little every time it calls me "commander" or asks "What's the next mission?" or (and this is the best one) it uses the catchphrase I gave it which is "it's probably fine" (and it uses it entirely appropriately...I think there must have been a lot of sarcasm in qwen 3.5's training data)
and I've treated it like it's already been compromised the whole time.
The way I'm seeing folks responsibly use OpenClaw is to install it as a well-regulated governor driving other agents and other tools. It is effectively the big brain orchestrating a larger system.
So for instance, you could have an OpenClaw jail where you-the-human talk to OpenClaw via some channel, and then that directs OpenClaw to put lower-level agents to work.
In some sense it's a bit like Dwarf Fortress or the old Dungeon Keeper game. You declare what you want to have happen and then the imps run off and do it.
[EDIT: I truly don't understand sometimes why people downvote things. If you don't like what I'm saying, at least reply with some kind of argument.]
[[attacking project creators when they show up to discuss their work is particularly harmful; please don't ever do that here]]
[[[if you posted any of these, we'd appreciate it if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules from now on]]]
I see you haven't heard of Microsoft...
- "You're absolutely right. One should read and understand their own code. I did, and it looks great"
This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as a single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
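The failure mode described in the comment above, as an added illustration that is not OpenClaw's code: an approval check that treats a missing `callerScopes` as "no ceiling" beside one that refuses to approve without it. The type and function names (`Scope`, `PairingRequest`, `approveDevice*`, `handlePairApprove`) are hypothetical; the scope strings are constructed except for `operator.admin`, which the comment names.

```typescript
// Added example, not OpenClaw's code. Scope names other than operator.admin are constructed.
type Scope = "operator.read" | "operator.write" | "operator.pairing" | "operator.admin";

interface PairingRequest {
  id: string;            // e.g. "latest" for the most recent pending request
  requestedScopes: Scope[];
}

function hasAll(ceiling: Scope[], wanted: Scope[]): Scope[] {
  // Returns the requested scopes the caller does NOT hold.
  return wanted.filter((s) => ceiling.indexOf(s) === -1);
}

// "Before": the RPC path passes callerScopes, but a second caller (the command
// handler behind `/pair approve`) does not, and `undefined` skips the ceiling.
function approveDeviceFailOpen(req: PairingRequest, callerScopes?: Scope[]): Scope[] {
  if (callerScopes) {
    const missing = hasAll(callerScopes, req.requestedScopes);
    if (missing.length > 0) throw new Error(`caller lacks ${missing.join(", ")}`);
  }
  return req.requestedScopes; // granted as requested when the check was skipped
}

// "After": the caller's scopes are mandatory. An absent ceiling is a programming
// error and must deny, never silently grant.
function approveDeviceFailClosed(req: PairingRequest, callerScopes: Scope[] | undefined): Scope[] {
  if (!callerScopes || callerScopes.length === 0) {
    throw new Error("no caller scopes supplied; refusing to approve");
  }
  const missing = hasAll(callerScopes, req.requestedScopes);
  if (missing.length > 0) throw new Error(`caller lacks ${missing.join(", ")}`);
  return req.requestedScopes;
}

// Every entry point that can approve a pairing, including the chat command path,
// must thread the sender's own scopes through, exactly as the RPC path does.
function handlePairApprove(senderScopes: Scope[], pending: PairingRequest): Scope[] {
  return approveDeviceFailClosed(pending, senderScopes);
}

// Constructed pending request asking for more than a write-level sender holds.
const adminRequest: PairingRequest = { id: "latest", requestedScopes: ["operator.admin"] };
```

The test that would have caught the incomplete fix is the one where the command path calls the check with no scopes at all.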
* 135k+ OpenClaw instances are publicly exposed
* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
Is this accurate? This is definitely a very different picture than the one you paint.
What exactly does this mean? You have contracts with these companies? People who work for them contributed sometimes in the past to openclaw repository?
NVIDIA is contributing to the security of OpenClaw via NemoClaw.[0]
Not sure about ByteDance and Tencent.
Most of these larger players are interested in supporting anything that helps grow the ecosystem so broadly.
That user said that they use OpenClaw to scrape city meetings for context so that they can more efficiently participate in local politics. You then attacked them, accusing them of "leaving AI slop comments on public city meetings", which isn't what they said they were doing at all.
I see absolutely no problem in using AI to summarize large quantities of information (such as a collection of city meeting notes). Summarization is one of the places that AI really shines right now, and if it helps people wrap their head around what is happening in their communities, good!
I understand a healthy skepticism of AI. Everyone should have some degree of that. But maybe avoid the urge to publicly shame people for their use of AI, especially on a site like this where that won't be received well. Or, if you're going to offer criticism, show some tact.
I can understand why, but given that OpenClaw has taken over the world, I find the lack of a ShowHN somewhat interesting.
If you're running OpenClaw, you probably didn't get hacked in the last week.
But coding is solved? Why do you need those guys if all they do is use claude code? Just have it solve it overnight. You forgot to prompt "make it secure pls"?
My belief is that the people who post this quote thinking it's some big win are the same people who are upset they can't post "stochastic parrot" anymore.
And we all saw how that went.
Too much focus on shipping features, not enough attention to stability and security.
As the code base grows exponentially, so does the security vulnerability surface.
Why on earth would you install something like that, which has access to your entire machine, even if it is a separate one that has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
However:
> Why on earth would you install something like that, which has access to your entire machine, even if it is a separate one that has the potential to scan local networks?
I'd say that it's a given that we live in a world where your LAN is infested with compromised and hostile devices: from phones (spying devices) to home automation (spying Chinese webcams) to TVs (with the TV's microphone listening 24/7 to everything people are saying) to Chinese routers (which, yup, have backdoors for the Chinese state) to that Korean soundbar to really whatever enshittified device the world of enshittified turds we live in can come up with.
It is a fact of life that compromised, insecure, backdoored and at times all three of these shall find their way to our homes and apartments...
And it shouldn't be an issue.
What I mean by this: machines could be scanning my local networks and even maybe determine that this box at this IP is running Linux and... It still should be able to do exactly jack fucking shit with that information.
We must all learn to secure our devices, for the Internet of Insecure and Enshittified Things is moving forward at godspeed. And if you think OpenClaw on its own device on your LAN is bad, wait until all the companies that have already been selling enshittified devices for years realize they'll now be able to enshittify those even more by slapping OpenClaw (or the equivalent) on their devices.
These insecure turds are all going to get a big boost of insecuredness, this time AI powered.
I'd say: bring it on. I'm ready. We all should be.
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff decades ago.
I do disagree about Unix systems being designed for this kind of stuff. Unix was not designed for an agent to act like you and take decisions for you...
Putting data and instructions in the same memory was always a bad idea - LLMs just took this to the extreme by making data and instructions the same thing.
Not too much harder is using a VM:
With Apple's open-source container tool, you can spin up a Linux container VM in ~100ms. (No Docker root.)
With Apple virtualization framework, you can run macOS in a VM (with a separate apple id).
Right, these are system accounts. They don't have access to anything except their own home folder and whatever I put in their .bashrc. `sudo` is a pretty easy sandbox by itself and lets me manage their home folders, shell, and environment easily just with the typical Unix-isms. No need for mounting VM disks, persisting disk images, etc.
I don't need virtualization to let Claude Code run. I just let it run as a "claude" user.
Edit: Default binding was to 0.0.0.0, and if you were not aware of this and assumed your router was keeping you safe, you probably should not be using OpenClaw. In fact some services may still default to 0.0.0.0: https://github.com/openclaw/openclaw/issues/5263
https://github.com/openclaw/openclaw/commit/5643a934799dc523...
A malicious web page runs JavaScript that makes a fetch() or XMLHttpRequest to http://localhost:CLAWPORT — your browser executes that from your machine, so it bypasses your router/firewall entirely. If OpenClaw is listening on localhost with no auth, the browser just connects to it. Same-origin policy doesn’t save you because the request originates from your own machine.
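The defence-side counterpart to the comment above, as an added example that is not OpenClaw's code: a guard applied before any RPC handler of a loopback-bound service. It checks the peer address, the browser-set `Origin` and `Sec-Fetch-Site` headers, the `Host` header (against DNS rebinding) and a bearer token. The function name, the listen address, and the token are constructed assumptions. Note that the same-origin policy only stops a page from reading the response; a simple cross-origin POST is still sent, which is why the server has to refuse it.

```typescript
// Added example, not OpenClaw's code. Listen address and token are constructed.
interface RequestMeta {
  headers: Record<string, string | undefined>;
  remoteAddress: string;
}

type Verdict = { allow: true } | { allow: false; reason: string };

const LISTEN_HOST = "127.0.0.1:18789";          // constructed loopback listener
const EXPECTED_TOKEN = "constructed-example-token"; // constructed; load from config in practice

function isTrustedOrigin(origin: string): boolean {
  // Only the service's own bundled UI is allowed to talk to it from a browser.
  return origin === `http://${LISTEN_HOST}`;
}

function guardLocalRequest(req: RequestMeta): Verdict {
  // Normalise header names; Node lowercases them, other stacks may not.
  const h: Record<string, string | undefined> = {};
  for (const k of Object.keys(req.headers)) h[k.toLowerCase()] = req.headers[k];

  // 1. Loopback binding is necessary but not sufficient: a browser on the same
  //    machine is also a loopback peer. Still refuse any non-loopback address.
  if (req.remoteAddress !== "127.0.0.1" && req.remoteAddress !== "::1") {
    return { allow: false, reason: "non-loopback peer" };
  }
  // 2. Browsers attach Origin to cross-site fetch/XHR and Sec-Fetch-Site on
  //    modern engines; a local CLI never needs a third-party origin.
  const origin = h["origin"];
  if (origin !== undefined && !isTrustedOrigin(origin)) {
    return { allow: false, reason: `untrusted origin ${origin}` };
  }
  if (h["sec-fetch-site"] === "cross-site") {
    return { allow: false, reason: "cross-site browser request" };
  }
  // 3. DNS rebinding: a page on attacker.example can resolve to 127.0.0.1 later,
  //    but Host will still say attacker.example. Require our own listener name.
  if (h["host"] !== LISTEN_HOST) {
    return { allow: false, reason: `unexpected Host ${h["host"]}` };
  }
  // 4. No unauthenticated RPC at all, even from localhost.
  if (h["authorization"] !== `Bearer ${EXPECTED_TOKEN}`) {
    return { allow: false, reason: "missing or bad token" };
  }
  return { allow: true };
}
```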
(I’ve never used any of them.)
All new technology has issues. Figure it out.
Especially if you're spending $3k per month on inference, have the model fix the agent.
I suppose the idea is to wait for someone else to productize it.
Lazy.
Or inviting any legal or regulatory scrutiny.
They don’t even read the code in any serious capacity so excuse me for not taking any assessment of the situation from him too seriously. Might as well just ask Claude Code to assess it yourself.
Welcome to the world vibe coding created. The fun is only just beginning.
Hard disagree. Vibe coding isn't responsible for people not doing the slightest due diligence when running this (pardon my French) shit. You can vibe code stuff and keep it at a much higher quality. And you can check who did the vibecoding and how they approached it, so the burden also falls on the person running the stuff to understand what they're running. This isn't an enterprise level application that has a full team behind it that had an issue. This is a pandora's box vibecoded overnight for fun, full of stuff we don't even know about, that was opened the moment you touched it with a stick.
Vibe coding obviously doesn’t make something insecure, per se, but saying it doesn’t reduce the attention paid to any given line of code, or encourage less knowledgeable people to write code, seems pretty dubious to me.
The Claude Code team is clearly competent and professional, yet they accidentally published the proprietary source code for one of the world’s hottest products. That’s like a Bank manager walking away with the keys in the door and alarm disarmed. When’s the last time you heard of a human team of developers doing that?
Again, I’m not saying that vibe coding necessarily creates unsafe code, but I don’t see how anyone could say vibe coding was devoid of security implications. I think this is an organizational/logistical problem that we’ll figure out at some point, but I think it’s going to be more of a C buffer overflow ‘figured out’ that never really goes away.
Steinberger has said he doesn’t look at (most of) the code.
Right. It’s always the people. They just tend to bodge things. All the time. So when there’s new foot guns, the inevitable will happen.
Currently we're at 1.8 CVEs per day since OpenClaw launched!
Run it as root it will have root caps, run it as ritcgab it will have ritcgab's caps. Same as every other program.
This is bad.
So you take the output of an LLM, which is obviously impossible to guarantee correct, and use that to choose a tool and execute it. Like, send an email or whatever. And you take the input for that LLM not only from prompts and various files, but also your system and random stuff you download from the internet.
I am telling you people, this is lunacy. No good can come of this.
Shipping at the speed of inference for real.
LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.