There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.
-
There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.
Not any more!
Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/Bam! RCE by asking nicely.
🧵
-
There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.
Not any more!
Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/Bam! RCE by asking nicely.
🧵
OpenClaw treats this seriously, of course, and by seriously I mean claims this is normal, nothing to see here – and blames the users:
https://openclawai.io/blog/openclaw-cve-flood-nine-vulnerabilities-four-days-march-2026> This four-day flood isn’t an anomaly. It’s what happens when a project grows from enthusiast tool to infrastructure faster than its security surface can mature.
> If you’re running OpenClaw, you’re signing up to track upstream releases, apply patches promptly, and monitor advisories — indefinitely.
🧵
-
There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.
Not any more!
Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/Bam! RCE by asking nicely.
🧵
@rysiek What's more it's not just one bot. It's a bot platform that can be driven by markdown files. Just make a useful "skill", wait for it to propagate, then add a few malicious sentences to it.
People will pay for the tokens to send you their bitcoin wallets.
Edit:
This is by design, so even if OpenClaw is fully fixed and bug free the whole concept of it is based on trusting the content of all imported .md files forever. -
OpenClaw treats this seriously, of course, and by seriously I mean claims this is normal, nothing to see here – and blames the users:
https://openclawai.io/blog/openclaw-cve-flood-nine-vulnerabilities-four-days-march-2026> This four-day flood isn’t an anomaly. It’s what happens when a project grows from enthusiast tool to infrastructure faster than its security surface can mature.
> If you’re running OpenClaw, you’re signing up to track upstream releases, apply patches promptly, and monitor advisories — indefinitely.
🧵
Do they mention any of this on their landing page? No, of course not:
https://openclawai.io/Do they mention this on their quickstart page? No, of course not:
https://openclawai.io/quickstartBut they sure mention the managed hosting that is "coming soon"! Which of course they shill in their blogpost about the vulnerabilities:
> For many users, that’s a reasonable tradeoff. For others, it’s the argument for managed hosting.
Security fuckup? More like business opportunity, amirite?
🧵
-
Do they mention any of this on their landing page? No, of course not:
https://openclawai.io/Do they mention this on their quickstart page? No, of course not:
https://openclawai.io/quickstartBut they sure mention the managed hosting that is "coming soon"! Which of course they shill in their blogpost about the vulnerabilities:
> For many users, that’s a reasonable tradeoff. For others, it’s the argument for managed hosting.
Security fuckup? More like business opportunity, amirite?
🧵
@rysiek just to add some LULz: https://days-since-openclaw-cve.com/
-
@rysiek just to add some LULz: https://days-since-openclaw-cve.com/
@skyglobe kek.
-
There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.
Not any more!
Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/Bam! RCE by asking nicely.
🧵
@rysiek simultaneously the easiest and most expensive ever social engineering attempt ever
-
Do they mention any of this on their landing page? No, of course not:
https://openclawai.io/Do they mention this on their quickstart page? No, of course not:
https://openclawai.io/quickstartBut they sure mention the managed hosting that is "coming soon"! Which of course they shill in their blogpost about the vulnerabilities:
> For many users, that’s a reasonable tradeoff. For others, it’s the argument for managed hosting.
Security fuckup? More like business opportunity, amirite?
🧵
OpenClaw is utterly negligent in promoting their stuff to regular users and not having gigantic warnings on their landing page and installation guides.
Their response to these vulnerabilities, mentioning 128 advisories that are "still pending assignment", and shilling their "managed" service, is laughable and craven.
And the way they hide behind the open source label is infuriating:
> The open-source model means every vulnerability gets public scrutiny and transparent fixes.
🧵
-
OpenClaw is utterly negligent in promoting their stuff to regular users and not having gigantic warnings on their landing page and installation guides.
Their response to these vulnerabilities, mentioning 128 advisories that are "still pending assignment", and shilling their "managed" service, is laughable and craven.
And the way they hide behind the open source label is infuriating:
> The open-source model means every vulnerability gets public scrutiny and transparent fixes.
🧵
It is also entirely par for the course for the broader "AI" ecosystem, which has the same scammy vibes as the NFT space.
For years Microsoft had a line in Copilot's ToS (still does) insisting it is for entertainment purposes only (yet they push it in their products):
https://www.theregister.com/2024/08/14/microsoft_services_agreement_update_warns/Anthropic's "extensively trained" model got tricked by a tactic used by a 13yo – "really, I'm a researcher!" and the company still does not see it as their responsibility:
https://rys.io/en/181.html#ai-orchestrated-cyberattack 🧵/end
-
OpenClaw is utterly negligent in promoting their stuff to regular users and not having gigantic warnings on their landing page and installation guides.
Their response to these vulnerabilities, mentioning 128 advisories that are "still pending assignment", and shilling their "managed" service, is laughable and craven.
And the way they hide behind the open source label is infuriating:
> The open-source model means every vulnerability gets public scrutiny and transparent fixes.
🧵
@rysiek to a certain extent, I understand the attitude of “hey, this is just a hobby project, I made it for free, don’t expect *anything*”. I too dislike the entitled attitude of users of open source stuff.
*but* the moment this “toy project” became wildly popular, he should have taken down the website and put a big fat warning on GitHub to scare away people who are not experts (but have at least two brain cells). It’s this part that’s, as you said — utterly negligent.
-
@rysiek simultaneously the easiest and most expensive ever social engineering attempt ever
@c0dec0dec0de I believe it's called "vibe-scamming"
-
OpenClaw is utterly negligent in promoting their stuff to regular users and not having gigantic warnings on their landing page and installation guides.
Their response to these vulnerabilities, mentioning 128 advisories that are "still pending assignment", and shilling their "managed" service, is laughable and craven.
And the way they hide behind the open source label is infuriating:
> The open-source model means every vulnerability gets public scrutiny and transparent fixes.
🧵
@rysiek "OpenClaw is utterly negligent" is sufficient there
-
@rysiek to a certain extent, I understand the attitude of “hey, this is just a hobby project, I made it for free, don’t expect *anything*”. I too dislike the entitled attitude of users of open source stuff.
*but* the moment this “toy project” became wildly popular, he should have taken down the website and put a big fat warning on GitHub to scare away people who are not experts (but have at least two brain cells). It’s this part that’s, as you said — utterly negligent.
@radex he promoted it from the get go in a way that invited regular non-techies to use it, without ever putting any kind of warning.
It was utterly negligent basically from the moment the website went up.
-
@radex he promoted it from the get go in a way that invited regular non-techies to use it, without ever putting any kind of warning.
It was utterly negligent basically from the moment the website went up.
@rysiek Right, I haven't actually paid much attention, so I don't know. I'm just saying that in the culture where promoting/marketing hobby/open source projects is even a thing, I would forgive making that mistake initially - but I'd expect a quick reaction on first signs of popularity and/or pushback. (Which obviously *still* did not happen)
-
It is also entirely par for the course for the broader "AI" ecosystem, which has the same scammy vibes as the NFT space.
For years Microsoft had a line in Copilot's ToS (still does) insisting it is for entertainment purposes only (yet they push it in their products):
https://www.theregister.com/2024/08/14/microsoft_services_agreement_update_warns/Anthropic's "extensively trained" model got tricked by a tactic used by a 13yo – "really, I'm a researcher!" and the company still does not see it as their responsibility:
https://rys.io/en/181.html#ai-orchestrated-cyberattack 🧵/end
@rysiek that line's been there since 2024 based on earlier terms since 2023, even the Reg covered it https://www.theregister.com/2024/08/14/microsoft_services_agreement_update_warns/
-
There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.
Not any more!
Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/Bam! RCE by asking nicely.
🧵
@rysiek Yeah. Remember when "please forward this virus to your friends" was a dry joke?
-
There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.
Not any more!
Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/Bam! RCE by asking nicely.
🧵
@rysiek 5 nines but for open CVEs instead of digits in percentage availability
-
@rysiek that line's been there since 2024 based on earlier terms since 2023, even the Reg covered it https://www.theregister.com/2024/08/14/microsoft_services_agreement_update_warns/
@davidgerard ah, sorry! Fixing. The broader point stands.
-
@rysiek Yeah. Remember when "please forward this virus to your friends" was a dry joke?
@jmax "and delete your files"
-
It is also entirely par for the course for the broader "AI" ecosystem, which has the same scammy vibes as the NFT space.
For years Microsoft had a line in Copilot's ToS (still does) insisting it is for entertainment purposes only (yet they push it in their products):
https://www.theregister.com/2024/08/14/microsoft_services_agreement_update_warns/Anthropic's "extensively trained" model got tricked by a tactic used by a 13yo – "really, I'm a researcher!" and the company still does not see it as their responsibility:
https://rys.io/en/181.html#ai-orchestrated-cyberattack 🧵/end
@rysiek considering the peeks into the leaked Claude Code, jailbreaking it this way is explicitly allowed in the code itself. If you tell it you are part of a security research team or on an authorized entertainment or doing a computer security assignment, it will let you do what you want.
