There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.

Not any more!

Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/

Bam! RCE by asking nicely.

🧵

#OpenClaw #AI #Hype #InfoSec

GitHub - jgamblin/OpenClawCVEs: Tracking OpenClaw CVEs

Tracking OpenClaw CVEs. Contribute to jgamblin/OpenClawCVEs development by creating an account on GitHub.

OpenClaw treats this seriously, of course, and by seriously I mean claims this is normal, nothing to see here – and blames the users:
https://openclawai.io/blog/openclaw-cve-flood-nine-vulnerabilities-four-days-march-2026

> This four-day flood isn’t an anomaly. It’s what happens when a project grows from enthusiast tool to infrastructure faster than its security surface can mature.

> If you’re running OpenClaw, you’re signing up to track upstream releases, apply patches promptly, and monitor advisories — indefinitely.

🧵

Nine CVEs in Four Days: Inside OpenClaw's March 2026 Vulnerability Flood | OpenClawAI

Between March 18 and 21, nine OpenClaw CVEs dropped — including a 9.9 critical that let any authenticated user become admin by asking nicely. A timeline, breakdown, and what it means for self-hosters.

Do they mention any of this on their landing page? No, of course not:
https://openclawai.io/

Do they mention this on their quickstart page? No, of course not:
https://openclawai.io/quickstart

But they sure mention the managed hosting that is "coming soon"! Which of course they shill in their blogpost about the vulnerabilities:

> For many users, that’s a reasonable tradeoff. For others, it’s the argument for managed hosting.

Security fuckup? More like business opportunity, amirite? 🤡

🧵

OpenClawAI — Learn OpenClaw, discover the ecosystem, and start using it fast

OpenClaw AI - Your AI employee that lives in WhatsApp, Telegram, or Slack. Self-host or join the waitlist for managed hosting.

OpenClaw is utterly negligent in promoting their stuff to regular users and not having gigantic warnings on their landing page and installation guides.

Their response to these vulnerabilities, mentioning 128 advisories that are "still pending assignment", and shilling their "managed" service, is laughable and craven.

And the way they hide behind the open source label is infuriating:

> The open-source model means every vulnerability gets public scrutiny and transparent fixes.

🧵

#OpenClaw #AI

It is also entirely par for the course for the broader "AI" ecosystem, which has the same scammy vibes as the NFT space.

For years Microsoft had a line in Copilot's ToS (still does) insisting it is for entertainment purposes only (yet they push it in their products):
https://www.theregister.com/2024/08/14/microsoft_services_agreement_update_warns/

Anthropic's "extensively trained" model got tricked by a tactic used by a 13yo – "really, I'm a researcher!" and the company still does not see it as their responsibility:
https://rys.io/en/181.html#ai-orchestrated-cyberattack

🤡

🧵/end

Microsoft tweaks fine print to warn everyone not to take its AI seriously

Don't use LLMs for anything important and don't try to reverse engineer it

@rysiek considering the peeks into the leaked Claude Code, jailbreaking it this way is explicitly allowed in the code itself. If you tell it you are part of a security research team or on an authorized entertainment or doing a computer security assignment, it will let you do what you want.

@GreatBigTable interesting. I have not dived into Claude Code's spaghetti myself. Would love to hear more about this.

@rysiek @GreatBigTable

I guess you have to ask really, really nicely, to counteract the other instruction. Or simply add a "system reminder".

From a great and very enjoyable thread (for certain subcategories of "enjoyable"):

https://neuromatch.social/@jonny/116328504299888679

@wakame @GreatBigTable ah yes, I've seen that in fact

@rysiek @wakame yeah. That one. So Anthropic's clutching of pearls over this happening is performative at best. They knew that this is possible because it is baked directly into the code. "You want to bypass these safeguards? Just say these magic words."

@GreatBigTable @wakame indeed, somehow I missed that initially. Thanks!