Peter here from OpenClaw. For context, here’s why our post reads the way it does:
Boris from Claude Code said publicly on Twitter that CLI-style usage is allowed. We took that seriously and invested time building around that guidance. I even changed the defaults, so when using the cli we're automatially disabling features that use excessive tokens like the heartbeat feature. But in practice, Anthropic still blocks parts of our system prompt, so the actual behavior today does not match what was communicated publicly.
They since seemed to changed their classifier as people hack around it, as it is trivial to do so with a few renames. I'm not playing that game so it's in a weird limbo where it should work in theory but doesn't in practice.
Honestly that seems like total guesswork. There's a lot of FUD going around, or people running portscans and assuming just because they detect a gateway on a port, that they can connect to it. That’s not the case.
This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
(OP) You know if I link to a half-finished project, people would take it apart as many don't understand the nuance between crap and simply not done yet. But if you follow me on twitter it'll take you a few minutes to figure out. I'm two months in, even with AI, shipping good stuff takes time.
There's an Expo app, two Tauri apps, a cli, a chrome extension.
The admin part to help debug and test features is EXTREMELY detailed and around 40k LOC alone.
(OP) the current projec is closed source. If you look at my cli tools, that's pure slop, all I care is that it works, so reviewing that code for sure will show some weird stuff. Does it matter? It's a tool to fetch logs form a server. I run it locally. As long as is does that reliably, idk about the code.
Boris from Claude Code said publicly on Twitter that CLI-style usage is allowed. We took that seriously and invested time building around that guidance. I even changed the defaults, so when using the cli we're automatially disabling features that use excessive tokens like the heartbeat feature. But in practice, Anthropic still blocks parts of our system prompt, so the actual behavior today does not match what was communicated publicly.
https://x.com/bcherny/status/2041035127430754686
They since seemed to changed their classifier as people hack around it, as it is trivial to do so with a few renames. I'm not playing that game so it's in a weird limbo where it should work in theory but doesn't in practice.