I don't think enabling admin on open internet is a default behaviour by any means?
rvz
OpenClaw has over 400+ security issues and vulnerabilities. [0]
Why on earth would you install something like that, which has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
It does not need access to your full machine. It can literally run in a vps.
da_grift_shift
Wow. The advisories page is worthy of a post in itself.
throwatdem12311
Think of all the people that are too ignorant to even understand the basics of any of this that are running OpenClaw. They will be completely unaware and attackers can easily hide their tracks by changing system prompts (among plenty of other things).
This is bad.
Simon321
Only if your openclaw instance is publicly exposed on the internet... which is not the case for most people
causal
Until recently, this was default configuration
Edit: Default binding was to 0.0.0.0, and if you were not aware of this and assumed your router was keeping you safe, you probably should not be using OpenClaw. In fact some services may still default to 0.0.0.0: https://github.com/openclaw/openclaw/issues/5263
As if the non-Reddit links aren’t majority AI slop already.
dgellow
Flag then move to the next one
niwtsol
Title is a bit misleading, no? You have to have openclaw running on an open box. And the post even says "135k open instances" out of 500k running instances? so a bit clickbait-y
mey
More than 25% of users seems like a pretty accurate "probably".
0cf8612b2e1e
1/5 rounds to “probably” when discussing security.
earnesti
The 135k instances is likely not true at all.
DrewADesign
It’s also only 65% of those that have zero authentication configured, according to that post (which I have done nothing to confirm or challenge at all… Frankly I wouldn’t touch OpenClaw with a ten foot… cable?) That said, I think it’s far more important to get people’s attention who might otherwise not realize how closely they need to pay attention to CVEs than it is to avoid hyperbole in headlines.
yonatan8070
This sounds like a classic case of "35% of statistics are made up"
petcat
I don't use OpenClaw, but I still run my Claude Code and Codex as limited macOS user accounts and just have a script `become-agent <name> [cmd ...]` that does some sudo stuff to run as the limited user so they don't have any of my environment or directory access, or really any system-level admin access at all. They can use and write to their home directories as usual, which makes things easier to configure since those CLI harnesses really like when $HOME is configured and works as expected.
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
w10-1
Yes, if/since that user has no access to your Apple ID and keychain...
Not too much harder is using a VM:
With Apple's open-source container tool, you can spin up a linux container vm in ~100ms. (No docker root)
With Apple virtualization framework, you can run macOS in a VM (with a separate apple id).
txprog
This is why kernel-level sandboxing matters. I use a sandbox named greywall that enforces filesystem/network isolation at the syscall level (Landlock + Seccomp + eBPF on Linux, sandbox-exec on Mac).
I do disagree that Unix systems were designed for this kind of stuff. Unix was not designed for an agent to act like you and take decisions for you...
Leomuck
Well, such things were to be expected.
It's easy to bash on all the people who haven't gotten the necessary IT understanding of securing such things. Of course, it's uber-dumb to run an unprotected instance.
But at the same time, it's also quite cool that so many people can do interesting IT stuff now.
I'm thinking basically it's a trade-off. Be able to do great stuff, live with the consequences of doing that without proper training.
Like repairing your car yourself. You might have fun doing it, it might get you somewhere, but you have to accept that if you have no idea about cars, you just introduced a pretty big risk into your life (say if you replaced the brakes or something).
But yea, security, privacy, fighting climate change, all very much on the decline - humans doing cool things, ignoring important things - we'll have to live with the consequences.
paulhebert
Gonna be honest. I'd rather fight climate change than have people run LLMs unsecured
butlike
With your car example, you also assume the risk unto others. If your "chopper" of a car hits and kills someone else, and you survive, you're paying for the consequences of that. I don't think it's cool that untrained people can do interesting IT stuff now. I see it as a huge liability where some unsecured instance pwns the internet, then it's some 12 year old that gets marched in front of congress and everyone goes: "wtf?" There's essentially no accountability and the damage is still done.
sunaookami
Honest question: What do people actually USE OpenClaw for? The most common usage seems to be "it reads your emails!", that's the exact opposite of "exciting"...
browningstreet
[flagged]
_doctor_love
Assuming you're asking in good faith, IMHO the deeper story around OpenClaw is that it's the core piece of a larger pattern.
The way I'm seeing folks responsibly use OpenClaw is to install it as a well-regulated governor driving other agents and other tools. It is effectively the big brain orchestrating a larger system.
So for instance, you could have an OpenClaw jail where you-the-human talk to OpenClaw via some channel, and then that directs OpenClaw to put lower-level agents to work.
In some sense it's a bit like Dwarf Fortress or the old Dungeon Keeper game. You declare what you want to have happen and then the imps run off and do it.
[EDIT: I truly don't understand sometimes why people downvote things. If you don't like what I'm saying, at least reply with some kind of argument.]
sgillen
I've only been playing with it recently ... I have mine scraping for SF city meetings that I can attend and public comment to advocate for more housing etc (https://github.com/sgillen/sf-civic-digest).
I also have mine automatically grab a spot at my gym when spots are released because I always forget.
I'm just playing with it, it's been fun! It's all on a VM in the cloud and I assume it could get pwned at any time but the blast radius would be small.
dyauspitr
Agent based cron jobs mostly that work with other agents. It’s really nice if you want to tell your computer to do something repeatedly or in confluence with many other agents in a very simple way. Like check my email for messages from Nadia and send me a notification and turn on all the lights in my driveway when she gets there without having to actually get into the nuts and bolts of implementing it. It’s actually really powerful and probably what Siri should be.
earnesti
I use it for a side project. I just put it on VPS, and then it edits the code and tests it. The nice thing is that I can use it on the go whenever I have spare moment. It is addictive, but way better addiction than social media IMO.
The thing where you give it access to all your personal data and whatever I haven't done and wouldn't do.
franze
my claw controls my old M2 mac, mostly my claw uses Claude code to code
emptysongglass
I'm so tired of answering this question so I simply won't.
Your best way of finding if it's useful for you is to install it and explore, just like you would with any other software tool.
knights_gambit
I use it to manage a media server. And use natural language to download movies and series. Also I use it for homeassistant so I can use natural language for vacuuming the house and things like that. I do use it for a number of other tasks but those are the most practical.
FrameworkFred
so far, I've used it to kill a bunch of time trying to get it to respond to "Hi @Kirk" in a private Slack channel.
...and to laugh a little every time it calls me "commander" or asks "What's the next mission?" or (and this is the best one) it uses the catchphrase I gave it which is "it's probably fine" (and it uses it entirely appropriately...I think there must have been a lot of sarcasm in qwen 3.5's training data)
and I've treated it like it's already been compromised the whole time.
rubslopes
I don't use this one, but a simpler one, also running on a vps. I communicate via telegram.
I say to it: check my pending tasks on Todoist and see if you can tackle one of those by yourself.
It then finds some bugs in a webapp that I took note of. I tell it to go for it, but use a new branch and deploy it on a new url. So it clones the repo, fixes it, commits, pushes, deploys, and tests. It just messages me afterwards.
This is possible because it has access to my todoist and github and several other services.
operatingthetan
I use it mostly for the crons, it runs a personal productivity system that tracks my tasks, provides nudges, talks through stuff etc. It's all stored in an Obsidian vault that syncs to my desktop. I don't use it to control email/calendars or other agents.
veganmosfet
I am experimenting with prompt injection on OpenClaw [0][1], quite exciting.
I was asked by someone recently to try to set up an OpenClaw that would search for ordinances and other land registry information for all 3000+ counties/parishes in the USA to obtain and distill specific details on their support for building tiny homes.
steipete
OpenClaw creator here.
This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
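The fail-open pattern described in the comment above, as an added TypeScript sketch that is not OpenClaw's code and not part of the original post: two call paths reach one approval function, and only one passes the caller's scopes. Only `callerScopes`, `operator.admin` and `/pair approve` come from the thread; every type, function and the `example.write` scope are hypothetical.

```typescript
// Added illustration, not OpenClaw source. Only `callerScopes`,
// `operator.admin` and `/pair approve` come from the thread; all other
// names (types, functions, the `example.write` scope) are hypothetical.

type ScopeName = string;

interface Caller { id: string; scopes: ScopeName[]; }
interface PendingRequest { deviceId: string; requestedScopes: ScopeName[]; }
interface Decision { approved: boolean; reason: string; }
type ApproveFn = (req: PendingRequest, callerScopes?: ScopeName[]) => Decision;

// Scopes the request asks for that the approver does not hold.
function missingScopes(requested: ScopeName[], held: ScopeName[]): ScopeName[] {
  return requested.filter((s) => held.indexOf(s) === -1);
}

// Fail-open shape: the ceiling check only runs when callerScopes is present,
// so a call site that forgets the argument silently skips authorization.
function approveFailOpen(req: PendingRequest, callerScopes?: ScopeName[]): Decision {
  if (callerScopes !== undefined) {
    const missing = missingScopes(req.requestedScopes, callerScopes);
    if (missing.length > 0) {
      return { approved: false, reason: "caller lacks " + missing.join(",") };
    }
  }
  return { approved: true, reason: "approved" };
}

// Fail-closed shape: absent caller context is a denial, not a bypass.
// Declaring the parameter as required would also turn a forgetful call
// site into a compile error; it stays optional here so both variants
// fit ApproveFn and can be driven through the same two paths.
function approveFailClosed(req: PendingRequest, callerScopes?: ScopeName[]): Decision {
  if (callerScopes === undefined) {
    return { approved: false, reason: "no caller scopes supplied" };
  }
  const missing = missingScopes(req.requestedScopes, callerScopes);
  if (missing.length > 0) {
    return { approved: false, reason: "caller lacks " + missing.join(",") };
  }
  return { approved: true, reason: "approved" };
}

// Path 1: models the gateway RPC path, which passes the caller's scopes.
function viaGatewayRpc(approve: ApproveFn, caller: Caller, req: PendingRequest): Decision {
  return approve(req, caller.scopes);
}

// Path 2: models a command handler (such as `/pair approve`) that reaches
// the same core function but omits callerScopes.
function viaCommandHandler(approve: ApproveFn, _caller: Caller, req: PendingRequest): Decision {
  return approve(req);
}

// Constructed sample data.
const writer: Caller = { id: "paired-client", scopes: ["example.write"] };
const owner: Caller = { id: "owner", scopes: ["example.write", "operator.admin"] };
const adminRequest: PendingRequest = {
  deviceId: "device-1",
  requestedScopes: ["operator.admin"],
};

interface Row { variant: string; path: string; caller: string; approved: boolean; }

// Every combination of core variant, call path and caller for one request.
function runMatrix(): Row[] {
  const variants: [string, ApproveFn][] = [
    ["fail-open", approveFailOpen],
    ["fail-closed", approveFailClosed],
  ];
  const rows: Row[] = [];
  for (const [variant, approve] of variants) {
    for (const caller of [writer, owner]) {
      rows.push({ variant, path: "rpc", caller: caller.id,
        approved: viaGatewayRpc(approve, caller, adminRequest).approved });
      rows.push({ variant, path: "command", caller: caller.id,
        approved: viaCommandHandler(approve, caller, adminRequest).approved });
    }
  }
  return rows;
}

console.log(runMatrix());
```

With the fail-closed core, the command path denies even the owner until that call site is changed to pass scopes, which is the visible signal that a path was missed.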
nightpool
Can you speak a little bit more to the stats in the OP?
> 135k+ OpenClaw instances are publicly exposed
> 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
Is this accurate? This is definitely a very different picture than the one you paint
just_once
Nvidia, ByteDance, Tencent and OpenAI?! Wow!
blks
> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
What exactly does this mean? You have contracts with these companies? People who work for them contributed sometimes in the past to openclaw repository?
doctorpangloss
Listen to yourself.
consumer451
I could not stop myself from looking at this user's submissions history, looking for a ShowHN about Clawdbot. No such submission exists.
I think I can understand why, but given that OpenClaw has taken over the world, I find the lack of a ShowHN somewhat interesting.
mvdtnz
My reply which was not an attack was detached from this sub thread as an attack. All I did was ask a clarifying question about why Telegram and Discord were specifically called out in this reply despite not being mentioned by the OP at all. I'd still like an answer to this question.
vasco
> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
But coding is solved? Why do you need those guys if all they do is use claude code? Just have it solve it overnight. You forgot to prompt "make it secure pls"?
SeriousM
[flagged]
hyperlambda
[flagged]
machinecontrol
The root issue is that OpenClaw is 500K+ lines of vibe coded bloat that's impossible to reason about or understand.
Too much focus on shipping features, not enough attention to stability and security.
As the code base grows exponentially, so does the security vulnerability surface.
dyauspitr
[flagged]
williamstein
The current OpenClaw GitHub repo [1] contains 2.1 million lines of code, according to cloc, with 1.6M being typescript. It also has almost 26K commits.
If someone could forward the SSH port from my VPS to access my instance, I already had bigger problems.
n1tro_lab
[flagged]
jeremie_strand
[dead]
reenorap
The threads on that /r/sysadmin post sound exactly like every sysadmin I've ever worked with in my career.
rossjudson
With respect...Security through obscurity is dead. We are approaching the point where only formally verified (for security) systems can be trusted. Every possible attack will be attempted. Every opening will be exploited, and every useful combination of those exploits will be done.
LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.
If you're running OpenClaw, you already threw security and reliability out the window by running LLMs on the command line. It's a bit late to start worrying now.
equasar
[flagged]
hmokiguess
[flagged]
rybosome
[flagged]
sbochins
[flagged]
8593376393
[dead]
gigel82
Good, hearty group right there. But how about Palantir, NSO Group, Flock and Axon? Aren't they lending a hand too?
ritcgab
Isn't OpenClaw itself a privilege escalation?
jeremie_strand
[dead]
redoh
[dead]
chatmasta
I’m surprised people are still using OpenClaw. I assumed they’d have switched to Nanoclaw or Nemoclaw. Is OpenClaw just that much better, or is it all inertia?
(I’ve never used any of them.)
Flere-Imsaho
I'm using Hermes. The same applies to all agents, don't give it free rein over all your stuff. Run it within a sandbox.
> 4. System grants admin because it never checks if you are authorized to grant admin
Shipping at the speed of inference for real.
Really? Posting AI generated Reddit post with no sources or anything?
The CVE seems to be real.
The link mentions the CVE, here's the link https://nvd.nist.gov/vuln/detail/CVE-2026-33579
[0] https://github.com/openclaw/openclaw/security
https://github.com/openclaw/openclaw/commit/5643a934799dc523...
[flagged]
As if the non-Reddit links aren’t majority AI slop already.
Flag then move to the next one
Title is a bit misleading, no? You have to have openclaw running on an open box. And the post even says "135k open instances" out of 500k running instances? so a bit clickbait-y
More than 25% of users seems like a pretty accurate "probably".
1/5 rounds to “probably” when discussing security.
The 135k instances is likely not true at all.
It’s also only 65% of those that have zero authentication configured, according to that post (which I have done nothing to confirm or challenge at all… Frankly I wouldn’t touch OpenClaw with a ten foot… cable?) That said, I think it’s far more important to get people’s attention who might otherwise not realize how closely they need to pay attention to CVEs than it is to avoid hyperbole in headlines.
This sounds like a classic case of "35% of statistics are made up"
I don't use OpenClaw, but I still run my Claude Code and Codex as limited macOS user accounts and just have a script `become-agent <name> [cmd ...]` that does some sudo stuff to run as the limited user so they don't have any of my environment or directory access, or really any system-level admin access at all. They can use and write to their home directories as usual, which makes things easier to configure since those CLI harnesses really like when $HOME is configured and works as expected.
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
Yes, if/since that user has no access to your apple id and keychain...
Not too much harder is using a VM:
With Apple's open-source container tool, you can spin up a linux container vm in ~100ms. (No docker root)
With Apple virtualization framework, you can run macOS in a VM (with a separate apple id).
This is why kernel-level sandboxing matters. I use a sandbox named greywall that enforces filesystem/network isolation at the syscall level (Landlock + Seccomp + eBPF on linux, sandbox-exec on mac).
I do disagree that unix systems were designed for this kind of stuff. Unix was not designed for an agent to act like you and take decisions for you...
Well, such things were to be expected. It's easy to bash on all the people who haven't gotten the necessary IT understanding of securing such things. Of course, it's uber-dumb to run an unprotected instance. But at the same time, it's also quite cool that so many people can do interesting IT stuff now. I'm thinking basically it's a trade-off. Be able to do great stuff, live with the consequences of doing that without proper training. Like repairing your car yourself. You might have fun doing it, it might get you somewhere, but you have to accept that if you have no idea about cars, you just introduced a pretty big risk into your life (say if you replaced the brakes or something). But yea, security, privacy, fighting climate change, all very much on the decline - humans doing cool things, ignoring important things - we'll have to live with the consequences.
Gonna be honest. I'd rather fight climate change than have people run LLMs unsecured
With your car example, you also assume the risk unto others. If your "chopper" of a car hits and kills someone else, and you survive, you're paying for the consequences of that. I don't think it's cool that untrained people can do interesting IT stuff now. I see it as a huge liability where some unsecured instance pwns the internet, then it's some 12 year old that gets marched in front of congress and everyone goes: "wtf?" There's essentially no accountability and the damage is still done.
Honest question: What do people actually USE OpenClaw for? The most common usage seems to be "it reads your emails!", that's the exact opposite of "exciting"...
Assuming you're asking in good faith, IMHO the deeper story around OpenClaw is that it's the core piece of a larger pattern.
The way I'm seeing folks responsibly use OpenClaw is to install it as a well-regulated governor driving other agents and other tools. It is effectively the big brain orchestrating a larger system.
So for instance, you could have an OpenClaw jail where you-the-human talk to OpenClaw via some channel, and then that directs OpenClaw to put lower-level agents to work.
In some sense it's a bit like Dwarf Fortress or the old Dungeon Keeper game. You declare what you want to have happen and then the imps run off and do it.
[EDIT: I truly don't understand sometimes why people downvote things. If you don't like what I'm saying, at least reply with some kind of argument.]
I've only been playing with it recently ... I have mine scraping for SF city meetings that I can attend and public comment to advocate for more housing etc (https://github.com/sgillen/sf-civic-digest).
I also have mine automatically grab a spot at my gym when spots are released because I always forget.
I'm just playing with it, it's been fun! It's all on a VM in the cloud and I assume it could get pwned at any time but the blast radius would be small.
Agent based cron jobs mostly that work with other agents. It’s really nice if you want to tell your computer to do something repeatedly or in confluence with many other agents in a very simple way. Like check my email for messages from Nadia and send me a notification and turn on all the lights in my driveway when she gets there without having to actually get into the nuts and bolts of implementing it. It’s actually really powerful and probably what Siri should be.
I use it for a side project. I just put it on VPS, and then it edits the code and tests it. The nice thing is that I can use it on the go whenever I have a spare moment. It is addictive, but way better addiction than social media IMO.
The thing where you give it access to all your personal data and whatever I haven't done and wouldn't do.
my claw controls my old M2 mac, mostly my claw uses Claude code to code
I'm so tired of answering this question so I simply won't.
Your best way of finding if it's useful for you is to install it and explore, just like you would with any other software tool.
I use it to manage a media server. And use natural language to download movies and series. Also I use it for homeassistant so I can use natural language for vacuuming the house and things like that. I do use it for a number of other tasks but those are the most practical.
so far, I've used it to kill a bunch of time trying to get it to respond to "Hi @Kirk" in a private Slack channel.
...and to laugh a little every time it calls me "commander" or asks "What's the next mission?" or (and this is the best one) it uses the catchphrase I gave it which is "it's probably fine" (and it uses it entirely appropriately...I think there must have been a lot of sarcasm in qwen 3.5's training data)
and I've treated it like it's already been compromised the whole time.
I don't use this one, but a simpler one, also running on a vps. I communicate via telegram.
I say to it: check my pending tasks on Todoist and see if you can tackle one of those by yourself.
It then finds some bugs in a webapp that I took note of. I tell it to go for it, but use a new branch and deploy it on a new url. So it clones the repo, fixes it, commits, pushes, deploys, and tests. It just messages me afterwards.
This is possible because it has access to my todoist and github and several other services.
I use it mostly for the crons, it runs a personal productivity system that tracks my tasks, provides nudges, talks through stuff etc. It's all stored in an Obsidian vault that syncs to my desktop. I don't use it to control email/calendars or other agents.
I am experimenting with prompt injection on OpenClaw [0][1], quite exciting.
[0] https://itmeetsot.eu/posts/2026-03-27-openclaw_webfetch/
[1] https://itmeetsot.eu/posts/2026-03-03-openclaw3/
I was asked by someone recently to try to set up an OpenClaw that would search for ordinances and other land registry information for all 3000+ counties/parishes in the USA to obtain and distill specific details on their support for building tiny homes.
OpenClaw creator here.
This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as a single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
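The fail-open pattern described in the comment above, next to a fail-closed version, as an added TypeScript sketch that is not OpenClaw's code. Only `callerScopes` and the `operator.admin` scope string come from the thread; every type, function name and the `pairing`/`write` scope names are hypothetical.

```typescript
// Added illustration, not OpenClaw source. Names other than `callerScopes`
// and "operator.admin" are hypothetical.
type Scope = string;

interface PendingDeviceRequest {
  deviceId: string;
  requestedScopes: Scope[];
}

interface ApprovalResult {
  approved: boolean;
  grantedScopes: Scope[];
  reason: string;
}

type ApproveFn = (req: PendingDeviceRequest, callerScopes?: Scope[]) => ApprovalResult;

// Requested scopes that the approving caller does not hold itself.
function scopesExceedingCaller(requested: Scope[], callerScopes: Scope[]): Scope[] {
  return requested.filter((s) => callerScopes.indexOf(s) === -1);
}

function deny(reason: string): ApprovalResult {
  return { approved: false, grantedScopes: [], reason };
}

// Fail-open shape: the scope ceiling is enforced only when the caller's
// scopes happen to be supplied. A call site that omits them skips the check.
const approveFailOpen: ApproveFn = (req, callerScopes) => {
  if (callerScopes !== undefined) {
    const excess = scopesExceedingCaller(req.requestedScopes, callerScopes);
    if (excess.length > 0) return deny(`caller lacks: ${excess.join(", ")}`);
  }
  return { approved: true, grantedScopes: req.requestedScopes.slice(), reason: "ok" };
};

// Fail-closed shape: missing caller scopes are treated as "no scopes", so the
// request is denied. The parameter stays optional here only so both call paths
// below can be run against it; making it required turns the omission into a
// compile-time error as well.
const approveFailClosed: ApproveFn = (req, callerScopes) => {
  if (!Array.isArray(callerScopes)) return deny("caller scopes not supplied");
  const excess = scopesExceedingCaller(req.requestedScopes, callerScopes);
  if (excess.length > 0) return deny(`caller lacks: ${excess.join(", ")}`);
  return { approved: true, grantedScopes: req.requestedScopes.slice(), reason: "ok" };
};

// Call path 1: an RPC-style entry point that forwards the caller's scopes.
function approveViaRpc(core: ApproveFn, req: PendingDeviceRequest, caller: Scope[]): ApprovalResult {
  return core(req, caller);
}

// Call path 2: a command-style entry point that reaches the same core
// function but never forwards the caller's scopes (the gap the comment describes).
function approveViaCommand(core: ApproveFn, req: PendingDeviceRequest, _caller: Scope[]): ApprovalResult {
  return core(req);
}

// Constructed sample data: a low-privilege caller and a pending request
// asking for a broader scope than that caller holds.
function demo() {
  const lowPrivCaller: Scope[] = ["pairing", "write"];
  const adminCaller: Scope[] = ["pairing", "write", "operator.admin"];
  const req: PendingDeviceRequest = { deviceId: "device-1", requestedScopes: ["operator.admin"] };
  return {
    openViaRpc: approveViaRpc(approveFailOpen, req, lowPrivCaller),
    openViaCommand: approveViaCommand(approveFailOpen, req, lowPrivCaller),
    closedViaRpc: approveViaRpc(approveFailClosed, req, lowPrivCaller),
    closedViaCommand: approveViaCommand(approveFailClosed, req, lowPrivCaller),
    closedAdminViaRpc: approveViaRpc(approveFailClosed, req, adminCaller),
  };
}
```

With the fail-closed core, the command path that forgets the scopes is denied rather than approved, so a second unhardened call site cannot reintroduce the bypass.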
Can you speak a little bit more to the stats in the OP?
> 135k+ OpenClaw instances are publicly exposed
> 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
Is this accurate? This is definitely a very different picture than the one you paint
Nvidia, ByteDance, Tencent and OpenAI?! Wow!
> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
What exactly does this mean? You have contracts with these companies? People who work for them contributed sometimes in the past to openclaw repository?
Listen to yourself.
I could not stop myself from looking at this user's submissions history, looking for a ShowHN about Clawdbot. No such submission exists.
I think I can understand why, but given that OpenClaw has taken over the world, I find the lack of a ShowHN somewhat interesting.
My reply which was not an attack was detached from this sub thread as an attack. All I did was ask a clarifying question about why Telegram and Discord were specifically called out in this reply despite not being mentioned by the OP at all. I'd still like an answer to this question.
> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
But coding is solved? Why do you need those guys if all they do is use claude code? Just have it solve it overnight. You forgot to prompt "make it secure pls"?
The root issue is that OpenClaw is 500K+ lines of vibe coded bloat that's impossible to reason about or understand.
Too much focus on shipping features, not enough attention to stability and security.
As the code base grows exponentially, so does the security vulnerability surface.
The current OpenClaw GitHub repo [1] contains 2.1 million lines of code, according to cloc, with 1.6M being typescript. It also has almost 26K commits.
[1] https://github.com/openclaw/openclaw
There are like 10 openclaw clones out there. If you prefer security over features, just pick up another one.
We detached this subthread from https://news.ycombinator.com/item?id=47629849 and marked it off-topic.
If someone could forward the SSH port from my VPS to access my instance, I already had bigger problems.
The threads on that /r/sysadmin post sound exactly like every sysadmin I've ever worked with in my career.
With respect...Security through obscurity is dead. We are approaching the point where only formally verified (for security) systems can be trusted. Every possible attack will be attempted. Every opening will be exploited, and every useful combination of those exploits will be done.
LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.
Text of the post has been [removed]. Original saved here: https://web.archive.org/web/20260403163241/https://old.reddi...
Maybe the moderators removed it for being AI spam. The user’s entire post history besides this post are generated ads for their AI projects.
Thanks, we'll put that link in the toptext as well.
The Ludditism in this thread, and the linked thread, is shocking.
Is it Ludditism to not want to get PWNed spending $3k a month?
We need a new word for people who use the word ‘Luddite’ to refer to ‘reasonable concern over the reckless use of new technology’.
[stub for offtopicness and general piling-on behavior, which we don't want on this site]
[[attacking project creators when they show up to discuss their work is particularly harmful; please don't ever do that here]]
[[[if you posted any of these, we'd appreciate it if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules from now on]]]
Guys, OpenClaw is a toy, that's it!
If you're running OpenClaw, you already threw security and reliability out the window by running LLMs on the command line. It's a bit late to start worrying now.
Good, hearty group right there. But how about Palantir, NSO Group, Flock and Axon? Aren't they lending a hand too?
Isn't OpenClaw itself a privilege escalation?
I’m surprised people are still using OpenClaw. I assumed they’d have switched to Nanoclaw or Nemoclaw. Is OpenClaw just that much better, or is it all inertia?
(I’ve never used any of them.)
I'm using Hermes. The same applies to all agents, don't give it free rein over all your stuff. Run it within a sandbox.
https://github.com/nousresearch/hermes-agent
> 4. System grants admin because it never checks if you are authorized to grant admin
Shipping at the speed of inference for real.
Really? Posting AI generated Reddit post with no sources or anything?
The CVE seems to be real.
The link mentions the CVE, here's the link https://nvd.nist.gov/vuln/detail/CVE-2026-33579
I don't think enabling admin on open internet is a default behaviour by any means?
OpenClaw has over 400+ security issues and vulnerabilities. [0]
Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
[0] https://github.com/openclaw/openclaw/security
It does not need access to your full machine. It can literally run in a vps.
Wow. The advisories page is worthy of a post in itself.