"OpenClaw gives users yet another reason to be freaked out about security"

"The viral AI agentic tool let attackers silently gain admin unauthenticated access."

"For more than a month, security practitioners have been warning about the perils of OpenClaw, the viral AI agentic tool that's taken the development community by storm.

OpenClaw ... now boasts 347,000 stars on Github, by design takes control of a user’s computer..."

https://arstechnica.com/security/2026/04/heres-why-its-prudent-for-openclaw-users-to-assume-compromise/

#ai #threat #openclaw

Ars Technica
@kevinrns to be honest, this is wildly overblown. Most openclaw users are single users. This is a privilege escalation issue. Who gives limited openclaw access to somebody? I can't imagine the use case

@normis

In the miasma of stolen data, stolen credentials, and ethical pygmies stealing, manipulating and spying, overblown is over used.

"rated from 8.1 to 9.8 out of a possible 10 depending on the metric . . . "

“The practical impact is severe,” researchers from AI app-builder Blink wrote. “An attacker who already holds operator.pairing scope—the lowest meaningful permission in an OpenClaw deployment—can silently approve device pairing requests that ask for operator.admin scope.
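The Blink quote above describes a privilege-amplification flaw: a pairing approval that only checks whether the approver may approve at all, not whether the approver holds the scopes being handed out. The following is an added illustration, hypothetical code that is not OpenClaw's implementation and only borrows the two scope names from the quote (operator.pairing, operator.admin); the audit-log record format is constructed for the example. It shows the weak check beside the hardened one and a simple detection pass over approval records.

```python
from dataclasses import dataclass

# Hypothetical scope model, not OpenClaw's own code. Only the two scope names
# quoted in the article are used; nothing else about OpenClaw is assumed.
PAIRING = "operator.pairing"
ADMIN = "operator.admin"


@dataclass(frozen=True)
class Operator:
    name: str
    scopes: frozenset


@dataclass(frozen=True)
class PairingRequest:
    device_id: str
    requested_scopes: frozenset


def approve_vulnerable(approver: Operator, req: PairingRequest, granted: dict) -> frozenset:
    """Weak check: anyone holding pairing scope may approve any request, so a
    pairing-only operator can hand a device full admin scope."""
    if PAIRING not in approver.scopes:
        raise PermissionError(f"{approver.name} lacks {PAIRING}")
    granted[req.device_id] = req.requested_scopes
    return req.requested_scopes


def approve_hardened(approver: Operator, req: PairingRequest, granted: dict) -> frozenset:
    """Hardened check: the approver must itself hold every scope it grants,
    so an approval can never raise a device above the approver's own level."""
    if PAIRING not in approver.scopes:
        raise PermissionError(f"{approver.name} lacks {PAIRING}")
    excess = req.requested_scopes - approver.scopes
    if excess:
        raise PermissionError(
            f"{approver.name} cannot grant {sorted(excess)}: scope not held by approver")
    granted[req.device_id] = req.requested_scopes
    return req.requested_scopes


def find_amplified_approvals(audit_log):
    """Detection over approval records (constructed format with
    'approver_scopes' and 'granted_scopes'): flag every approval where the
    granted scopes exceed what the approver held at approval time."""
    return [
        rec["device_id"]
        for rec in audit_log
        if set(rec["granted_scopes"]) - set(rec["approver_scopes"])
    ]


def run_scenario():
    """Pairing-only operator approves a request asking for admin scope."""
    low = Operator("pairing-only", frozenset({PAIRING}))
    req = PairingRequest("device-A", frozenset({ADMIN}))
    result = {}

    # Weak check lets the admin grant through.
    result["vulnerable"] = approve_vulnerable(low, req, {})

    # Hardened check refuses it.
    try:
        approve_hardened(low, req, {})
        result["hardened_blocked"] = False
    except PermissionError:
        result["hardened_blocked"] = True

    # Constructed audit records: device-A was amplified, device-B was not.
    audit_log = [
        {"device_id": "device-A", "approver_scopes": [PAIRING], "granted_scopes": [ADMIN]},
        {"device_id": "device-B", "approver_scopes": [PAIRING, ADMIN], "granted_scopes": [ADMIN]},
    ]
    result["flagged"] = find_amplified_approvals(audit_log)
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The hardened rule is the general one for any approval workflow: whoever signs off on a grant must already hold what is being granted, otherwise the approval step itself becomes the escalation path. The detection pass is the retrospective version of the same rule, useful for finding approvals that happened before a fix was applied.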

@kevinrns I'm not talking about the broader picture, but this specific CVE. Yes, what you quote is nothing that anyone does. Giving somebody limited access to his openclaw system.