There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.
-
@rysiek I love how this landed right after the trive/litellm/axios thing where the take out is the exact opposite of “upgrade as soon as there is a new version”.
@marcink right?
Don't worry, as soon as OpenClaw gets hit by supply-chain attack, which they inevitably are going to, this will flip.
-
@GreatBigTable interesting. I have not dove into Claude Code's spaghetti myself. Would love to hear more about this.
I guess you have to ask really, really nicely, to counteract the other instruction. Or simply add a "system reminder".
From a great and very enjoyable thread (for certain subcategories of "enjoyable"):
jonny (good kind) (@jonny@neuromatch.social)
Attached: 3 images i love this. there's a mechanism to slip secret messages to the LLM that it is told to interpret as system messages. there is no validation around these of any kind on the client, and there doesn't seem to be any differentiation about location or where these things happen, so that seems like a nice prompt injection vector. this is how claude code reminds the LLM to not do a malware, and it's applied by just string concatenation. i can't find any place that gets stripped aside from when displaying output. it actually looks like all the system reminders get catted together before being send to the API. neat!
neurospace.live (neuromatch.social)
-
I guess you have to ask really, really nicely, to counteract the other instruction. Or simply add a "system reminder".
From a great and very enjoyable thread (for certain subcategories of "enjoyable"):
jonny (good kind) (@jonny@neuromatch.social)
Attached: 3 images i love this. there's a mechanism to slip secret messages to the LLM that it is told to interpret as system messages. there is no validation around these of any kind on the client, and there doesn't seem to be any differentiation about location or where these things happen, so that seems like a nice prompt injection vector. this is how claude code reminds the LLM to not do a malware, and it's applied by just string concatenation. i can't find any place that gets stripped aside from when displaying output. it actually looks like all the system reminders get catted together before being send to the API. neat!
neurospace.live (neuromatch.social)
@wakame @GreatBigTable ah yes, I've seen that in fact
-
@wakame @GreatBigTable ah yes, I've seen that in fact
-
@GreatBigTable @wakame indeed, somehow I missed that initially. Thanks!
-
There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.
Not any more!
Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/Bam! RCE by asking nicely.
🧵
@rysiek
If I were ever interested in experimenting with that kind of thing (I'm not), I would only do it in a virtual machine. To do otherwise is foolish. -
OpenClaw treats this seriously, of course, and by seriously I mean claims this is normal, nothing to see here – and blames the users:
https://openclawai.io/blog/openclaw-cve-flood-nine-vulnerabilities-four-days-march-2026> This four-day flood isn’t an anomaly. It’s what happens when a project grows from enthusiast tool to infrastructure faster than its security surface can mature.
> If you’re running OpenClaw, you’re signing up to track upstream releases, apply patches promptly, and monitor advisories — indefinitely.
🧵
@rysiek wow, they are so casual about authentication just not existing, I mean wow
-
@rysiek
If I were ever interested in experimenting with that kind of thing (I'm not), I would only do it in a virtual machine. To do otherwise is foolish.@sloanlance I really want to center OpenClaw's irresponsibility and negligence here though. They are actively promoting this to regular, non-techie people. And then when shit happens they blame the victim.
-
@marcink right?
Don't worry, as soon as OpenClaw gets hit by supply-chain attack, which they inevitably are going to, this will flip.
@rysiek But between this being openclaw and the insufferably LLM-ish tone of the blog post (pictured below) we can at least rest assured that there is a chance that no human being had to be involved in writing, editing, or reviewing these.
-
@rysiek But between this being openclaw and the insufferably LLM-ish tone of the blog post (pictured below) we can at least rest assured that there is a chance that no human being had to be involved in writing, editing, or reviewing these.
@marcink what a fantastic scene in that film.
-
@marcink what a fantastic scene in that film.
@rysiek If there is any silver lining to this LLM bubble is that it will provide way more than enough material for a sequel.
-
There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.
Not any more!
Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/Bam! RCE by asking nicely.
🧵
@rysiek it’s a shame we still act like people are doing great things when they publish stuff like this.
-
@rysiek it’s a shame we still act like people are doing great things when they publish stuff like this.
(assuming "stuff like this" is OpenClaw, not the openClawCVEs repo)
-
R relay@relay.infosec.exchange shared this topic
