
Peter here from OpenClaw. For context, here’s why our post reads the way it does:

Boris from Claude Code said publicly on Twitter that CLI-style usage is allowed. We took that seriously and invested time building around that guidance. I even changed the defaults, so when using the cli we're automatically disabling features that use excessive tokens like the heartbeat feature. But in practice, Anthropic still blocks parts of our system prompt, so the actual behavior today does not match what was communicated publicly.

https://x.com/bcherny/status/2041035127430754686

They since seem to have changed their classifier as people hack around it, as it is trivial to do so with a few renames. I'm not playing that game so it's in a weird limbo where it should work in theory but doesn't in practice.


A lot of people have spent a considerable amount of time building out "claude -p" workflows trusting Anthropic because of those same Tweet assurances outside of OpenClaw.

It seems with the new "--bare" flag they are introducing, a huge rug pull is coming as they plan to deprecate -p for unlimited users.

The docs now read:

> "Bare mode skips OAuth and keychain reads. Anthropic authentication must come from ANTHROPIC_API_KEY or an apiKeyHelper in the JSON passed to --settings. Bedrock, Vertex, and Foundry use their usual provider credentials. --bare is the recommended mode for scripted and SDK calls, and will become the default for -p in a future release."

Hope I am reading this wrong or this is clarified.

https://code.claude.com/docs/en/headless


It seems clear that Anthropic wants users to pay API rates for tokens when used in a programmatic way, and not subscriber rates for tokens when used from code. As a user, I want to pay the subscription rates with -p, but it seems they want to block that.

I've commented elsewhere about just having simple rate limits tied to oauth tokens. This should not be that hard.

There is one simple policy: Subscriptions are for use on human scale of comprehension. API Keys are for everything else.

Anthropic can have a machine/bot get rate limited and people can build workflows using `claude -p` or something even better (like an SDK), all the while using their OAuth tokens for max/pro.


Peter, while we are on the subject of clarifying what is and isn't allowed I have a question: has OpenAI clearly communicated about precisely where one is supposed to be able to use their Codex quota? For instance, as far as I understand, it is allowed to use it with OpenClaw, but does it extend to any other coding harness? Say I have an app (potentially a paid one) and want my users to use their Codex quota in it, is it permitted to do? As you can probably imagine that would unlock a lot of use cases given smaller actors can't subsidize as much token costs, but unfortunately, and maybe expectedly due to the nature of subscriptions, I have not been able to find any answer regarding this.

I'm not sure they have "officially" said anything but they do allow Codex OAuth login for 3rd party coding agents: pi, opencode, etc. Employees on twitter have explicitly approved this.

That matches what I have seen, but I think I remember reading a tweet that had mentioned those "developing in the open" (not an exact citation, just based on what I remember), which made me wonder if it meant they considered this allowed only for open source software, or if they were intending to be much more permissive, essentially considering users can use their quotas wherever they want, or maybe even completely different rules, again I feel there could be more transparency regarding all of that.

Looks like they are trying to correct course now, but they’ve already lost the trust, and with the new lower limits, it’s probably not worth using it in OpenClaw

Claude CLI has a server mode - am I missing something here, or could we all just claude --server and let openclaw use claude via a2a?

thank you for your commitment to open source.

I mean surely you can understand the difficulty of their position, right? It's as if Waymo offered a subsidized, subscription based plan that models a certain type of ridership as typical but then people start scheduling rides on a timer with no one in it, far outside the original use case of "Get me from point A to point B". And of course the line between what is acceptable is quite fuzzy. You could imagine it being seen as okay to send a rider-less Waymo to pick up groceries occasionally - but not to schedule one every single day at 4:30PM to pick up a single ice cream cone.

You can argue that this is unfair and they should provide clearer guidance. Well - as soon as they do people find ways to skirt the letter of the rules to once again take advantage of the economics of the subscription model. So should they just scrap the entire plan? Ruin it for people who are using it as it was intended (coding agent, light experimentation/headless use outside of that)? That doesn't seem right either.


I don't think anyone would want the type of user that OpenClaw users are as customers...

There will be a time for OpenClaw, but in the current world with limited compute, that time is not now.


I think HN needs a regular reminder that most things sold are commodities - without limits or re-use. Coal and wheat have no DRMs.

This kind of thing is the exception. Subsidized subscriptions work to distort the power of the market. The more successful they are (in destroying competition), the worse it leaves consumers.

While I get the individual steps that lead them to this "difficult position", I think I'll just keep telling everybody to cancel their sub and make sure to not get locked in.


> Most things are sold as commodities without limits or re-use.

This is somehow doubly wrong. Not only are most economic goods NOT commodities, there are plenty of economic analogs to AI subscriptions (streaming, telecom, gyms, buffets) and none of them operate as "unlimited with no restrictions on re-use". Really just terribly misinformed way of thinking here.


In most parts of the world telecom & gyms are commodities - America is 'further ahead' in letting companies distort markets without regulation.

But I think you misunderstood the scope of my claim. We can argue whether it's 30% or 70% of an average paycheck that is spent on fungible things and per line item how much of it is fungible and not - but I was also including all the B2B sales.

Companies that let themselves become entirely dependent on specific suppliers do worse.


ofc it's software engineers.


OpenClaw creator here.

This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."

The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.

So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.

This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.

The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
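The failure mode described in the comment above (one core approval function, two call sites, a check that is skipped when `callerScopes` is missing), as an added sketch. This is not OpenClaw source and not the commenter's code; apart from `callerScopes` and `operator.admin`, every function, type and scope name is hypothetical.

```typescript
// Added illustration, not OpenClaw source. Only `callerScopes` and
// `operator.admin` come from the comment; every other name is hypothetical.
type Scope = string;
interface PairingRequest { deviceId: string; requestedScopes: Scope[]; }
interface ApprovalResult { approved: boolean; reason: string; }

// Scopes the request asks for that the approver does not hold.
function excessScopes(requested: Scope[], held: Scope[]): Scope[] {
  return requested.filter((s) => held.indexOf(s) === -1);
}

// "Before": the ceiling is enforced only when callerScopes is supplied, so a
// call site that omits the argument skips the check entirely (fails open).
function approveFailOpen(req: PairingRequest, callerScopes?: Scope[]): ApprovalResult {
  if (callerScopes) {
    const excess = excessScopes(req.requestedScopes, callerScopes);
    if (excess.length > 0) {
      return { approved: false, reason: "exceeds caller scopes: " + excess.join(",") };
    }
  }
  return { approved: true, reason: "ok" };
}

// "After": the parameter is required in the type, and a value that is still
// missing at runtime (untyped caller, cast) is a denial, not a bypass.
function approveFailClosed(req: PairingRequest, callerScopes: Scope[] | undefined): ApprovalResult {
  if (!Array.isArray(callerScopes)) {
    return { approved: false, reason: "caller scopes missing" };
  }
  const excess = excessScopes(req.requestedScopes, callerScopes);
  if (excess.length > 0) {
    return { approved: false, reason: "exceeds caller scopes: " + excess.join(",") };
  }
  return { approved: true, reason: "ok" };
}

// Constructed sample: a pending request asking for admin, and an approver
// holding only a lower, made-up scope.
const pending: PairingRequest = { deviceId: "device-constructed-1", requestedScopes: ["operator.admin"] };
const lowPrivCaller: Scope[] = ["example.write"];

// One core function, two call sites, as in the comment above.
function compareCallSites() {
  return {
    rpcPathBefore: approveFailOpen(pending, lowPrivCaller).approved, // scopes passed
    commandPathBefore: approveFailOpen(pending).approved,            // scopes omitted
    commandPathAfter: approveFailClosed(pending, undefined).approved, // omitted, denied
    adminApproverAfter: approveFailClosed(pending, ["operator.admin"]).approved,
  };
}

console.log(compareCallSites());
```

Making the parameter required turns a forgotten argument into a compile error at every typed call site; the runtime check covers callers the type checker never sees.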


Can you speak a little bit more to the stats in the OP?

* 135k+ OpenClaw instances are publicly exposed

* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain

Is this accurate? This is definitely a very different picture than the one you paint


That’s surprising, as the OpenClaw installation makes it pretty difficult to run without auth and explicit device pairing (I don’t even know if that’s possible).


The problem is that a lot of users of OpenClaw use a chatbot to set it up for them so it has a habit of killing safety features if it runs into roadblocks due to user requests. This makes installations super heterogeneous.


I agree—it looks like the OP didn't provide any sources for these numbers either. That's why I would have hoped that the original maintainer had a better set of metrics to dispute them. It doesn't seem like he does though :(


Those numbers aren't in the CVE. You introduced them, attributed them to a source that doesn't contain them, and now you're disclaiming them. Where did they come from, and what was the goal of sharing them?


The numbers were in the post when I clicked through and when I made the comment. It looks like the HN moderators have since changed the link for the post to go to the CVE entry. However, my comment was about the reddit thread, not the CVE entry.


I’m not the person you’re talking to but the stats are copied from the second link in the post, the web archive one.


Honestly that seems like total guesswork. There's a lot of FUD going around, or people running portscans and assuming just because they detect a gateway on a port, that they can connect to it. That’s not the case.


Definitely agree—that's why I hoped the openclaw maintainer would have been able to speak to those numbers and whether or not they were accurate.


> We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.

What exactly does this mean? You have contracts with these companies? People who work for them contributed sometimes in the past to openclaw repository?


If I am not mistaken steipete works for OpenAI now as part of OpenClaw being acquired by them back in February.

NVIDIA is contributing to the security of OpenClaw via NemoClaw.[0]

Not sure about ByteDance and Tencent.

0. https://www.nvidia.com/en-us/ai/nemoclaw/


[flagged]


And all American companies plant American malware in all software they work on.


Can you point to any reputable reports or specific commits that suggest that these companies are trying to plant malware in OpenClaw?

Or did you just see "China" and decide it must be malicious?

(This is a rhetorical question, I already know it's the latter)


They both sponsor the OpenClaw Foundation and provide engineers to improve OpenClaw.


Jensen mentioned on a podcast (sorry I don’t have a link on me, it was either the all in podcast or Lex Fridman) that they are helping support and harden on the security side, and that he considers it like the “iPhone moment”

Most of these larger players are interested in supporting anything that helps grow the ecosystem so broadly.


Nvidia is willing to do anything to keep the hype going - there's a desperation to find a 'killer app'.


Nvidia, ByteDance, Tencent and OpenAI?! Wow!


Good, hearty group right there. But how about Palantir, NSO Group, Flock and Axon? Aren't they lending a hand too?


Always good to name drop a near universally hated group.


Which one? NVIDIA? OpenAI? Bytedance?


yes


My reply which was not an attack was detached from this sub thread as an attack. All I did was ask a clarifying question about why Telegram and Discord were specifically called out in this reply despite not being mentioned by the OP at all. I'd still like an answer to this question.


Just a heads up that everyone can still see the comment you made on your profile because it wasn't removed by moderator action. It was downvoted to oblivion because it was an attack on another user for using AI.

That user said that they use OpenClaw to scrape city meetings for context so that they can more efficiently participate in local politics. You then attacked them, accusing them of "leaving AI slop comments on public city meetings", which isn't what they said they were doing at all.

I see absolutely no problem in using AI to summarize large quantities of information (such as a collection of city meeting notes). Summarization is one of the places that AI really shines right now, and if it helps people wrap their head around what is happening in their communities, good!

I understand a healthy skepticism of AI. Everyone should have some degree of that. But maybe avoid the urge to publicly shame people for their use of AI, especially on a site like this where that won't be received well. Or, if you're going to offer criticism, show some tact.


You're referring to a different comment. This is the comment I left which was removed, word for word,

> What does Telegram/Discord have to do with anything? The OP never mentioned either of these software suites. In fact the only mention of Telegram anywhere in the entire thread is you copy-pasting this exact message.


[flagged]


I point to the rules: https://news.ycombinator.com/newsguidelines.html

> Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.

> Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.


I could not stop myself from looking at this user's submission history, looking for a ShowHN about Clawdbot. No such submission exists.

I can understand why, but given that OpenClaw has taken over the world, I find the lack of a ShowHN somewhat interesting.


The hype was entirely manufactured from day 1.


Hi, creator of OpenClaw. Do you really want to try to explain those bugs every single time? You know that openclaw is a security mess. AI is made to solve problems and a harness is just another one to breach/solve.


Mario has a special place in the Clawtributor list.

https://github.com/openclaw/openclaw#community


Funny timing. Written in 10 days just when this took off. https://clawd.bot/


Marketing for what? I didn't even link to what I'm building because I wanna ship it when it's ready.


(OP) You know if I link to a half-finished project, people would take it apart as many don't understand the nuance between crap and simply not done yet. But if you follow me on twitter it'll take you a few minutes to figure out. I'm two months in, even with AI, shipping good stuff takes time.


Having scrolled through several pages of your complaining about idiots on HN or discussing a yet another AI tool, I guess this is it: https://sweetistics.com/ ? Something you couldn't link in the article for some reason?

I've scrolled a bit more. I think in the past 50-100 tweets you only wrote three talking about this, one of them proudly showing a mistake (invalid tweets containing the same text): https://x.com/steipete/status/1978229441802162548

So, I have to follow you on twitter and sift through garbage indistinguishable from all such "look how great is codex" and "this is my shamanic ritual that works I promise" to maybe see something you work on.

No thank you. I will make my judgement from the long-form article you posted.

And, as I said: depending on actual functionality, after burning $1000 a month on tokens you may actually have a fully functioning app in React + Typescript with little human supervision. I might do the same for anything Twitter-related because I couldn't be arsed to work with Twitter or Twitter APIs.


(OP) 1/3rd of the code is tests.

There's an Expo app, two Tauri apps, a cli, a chrome extension. The admin part to help debug and test features is EXTREMELY detailed and around 40k LOC alone.

To give some perspective to that number.


Yeah, I read the post. Telling me that there's a chrome extension and some apps tells me nothing. Saying that the code is 1/3 tests is...something, but it's not exceptional, by any means.

I've got a code base I've been writing from scratch with LLMs, it's of equivalent LOC and testing ratio, and my experiences trusting the models couldn't be more different. They routinely emit hot garbage.


OP: If you give the llm examples like https://react.dev/learn/you-might-not-need-an-effect, it does a fairly good job at refactoring useEffects.

And yes refactoring sometimes re-introduces these, so it's not a perfect solution.


The irony here is that I did!

Having looked at the code a bit more, all I can say is that it's a lot of code to do little.

There's also a lot of naive error throwing going on.

And he seems to debug using logger stmts.

They're not scalable projects, you couldn't write enterprise software the way those projects are written. You would end up with such a volume of code.


(OP) the current project is closed source. If you look at my cli tools, that's pure slop, all I care is that it works, so reviewing that code for sure will show some weird stuff. Does it matter? It's a tool to fetch logs from a server. I run it locally. As long as it does that reliably, idk about the code.


What does your current project do? Do you make money with it?

