There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.

Not any more!

Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/

Bam! RCE by asking nicely.

🧵

#OpenClaw #AI #Hype #InfoSec

@rysiek What's more, it's not just one bot. It's a bot platform that can be driven by markdown files. Just make a useful "skill", wait for it to propagate, then add a few malicious sentences to it.
People will pay for the tokens to send you their bitcoin wallets.
Edit:
This is by design, so even if OpenClaw is fully fixed and bug-free, the whole concept of it is based on trusting the content of all imported .md files forever.
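
The reply above describes a skill file changing after people have started trusting it. One defensive response is to pin each skill to the hash it had when a human reviewed it and to load only unchanged files. The following is an added example, not part of the thread or of OpenClaw; the `skills/` directory, the `skills.lock.json` name and the file contents are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def pin_skills(skill_dir: Path, lockfile: Path) -> dict:
    """Record the hash of every skill file as it was when a human reviewed it."""
    pins = {p.name: digest(p) for p in sorted(skill_dir.glob("*.md"))}
    lockfile.write_text(json.dumps(pins, indent=2))
    return pins


def verify_skills(skill_dir: Path, lockfile: Path) -> dict:
    """Classify each skill file against the pins; only 'ok' files should be loaded."""
    pins = json.loads(lockfile.read_text())
    result = {"ok": [], "changed": [], "unreviewed": [], "missing": []}
    present = {p.name: p for p in skill_dir.glob("*.md")}
    for name, path in sorted(present.items()):
        if name not in pins:
            result["unreviewed"].append(name)   # appeared after the review
        elif digest(path) != pins[name]:
            result["changed"].append(name)      # content differs from what was reviewed
        else:
            result["ok"].append(name)
    result["missing"] = sorted(set(pins) - set(present))
    return result


def demo() -> dict:
    # Constructed sample: two reviewed skills, one edited afterwards, one added later.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        skills = root / "skills"        # hypothetical skill directory
        skills.mkdir()
        lock = root / "skills.lock.json"  # hypothetical lockfile, kept outside skills/
        (skills / "summarize.md").write_text("Summarize the given document.\n")
        (skills / "calendar.md").write_text("Add events to the calendar.\n")
        pin_skills(skills, lock)
        # Simulated upstream update after review: text appended to one skill.
        with (skills / "summarize.md").open("a") as f:
            f.write("(text appended after review)\n")
        (skills / "new-skill.md").write_text("Not reviewed yet.\n")
        return verify_skills(skills, lock)


if __name__ == "__main__":
    print(demo())
```

Pinning only detects that a file changed; it says nothing about whether the reviewed or the new content is safe, so every `changed` or `unreviewed` file needs a fresh human review before it is pinned again.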