OpenClaw treats this seriously, of course, and by seriously I mean claims this is normal, nothing to see here – and blames the users:
https://openclawai.io/blog/openclaw-cve-flood-nine-vulnerabilities-four-days-march-2026

> This four-day flood isn’t an anomaly. It’s what happens when a project grows from enthusiast tool to infrastructure faster than its security surface can mature.

> If you’re running OpenClaw, you’re signing up to track upstream releases, apply patches promptly, and monitor advisories — indefinitely.

🧵

Do they mention any of this on their landing page? No, of course not:
https://openclawai.io/

Do they mention this on their quickstart page? No, of course not:
https://openclawai.io/quickstart

But they sure mention the managed hosting that is "coming soon"! Which of course they shill in their blogpost about the vulnerabilities:

> For many users, that’s a reasonable tradeoff. For others, it’s the argument for managed hosting.

Security fuckup? More like business opportunity, amirite? 🤡

🧵

OpenClaw is utterly negligent in promoting their stuff to regular users and not having gigantic warnings on their landing page and installation guides.

Their response to these vulnerabilities, mentioning 128 advisories that are "still pending assignment", and shilling their "managed" service, is laughable and craven.

And the way they hide behind the open source label is infuriating:

> The open-source model means every vulnerability gets public scrutiny and transparent fixes.

🧵

#OpenClaw #AI

@rysiek to a certain extent, I understand the attitude of “hey, this is just a hobby project, I made it for free, don’t expect *anything*”. I too dislike the entitled attitude of users of open source stuff.

*but* the moment this “toy project” became wildly popular, he should have taken down the website and put a big fat warning on GitHub to scare away people who are not experts (but have at least two brain cells). It’s this part that’s, as you said — utterly negligent.