Does publicly documenting and direct linking vulnerable AI agents (that have goodness-knows-how-much access to sensitive user data) for anyone to exploit feel like responsible disclosure?
This could really ruin some people's day. A private message left on their agents to tip people off that their agents are vulnerable feels a lot less destructive.
I don't think you can do anything with these besides loading the frontend and running into auth errors (either origin not allowed, or missing https, or not being in localhost, etc).
I know half the point of OpenClaw is to let it run wild on your personal data so it can do anything, but, if you're looking for a secure but still capable AI agent/assistant, I built one I really like:
Everything is sandboxed and plugins have fine-grained permissions, so you can tweak the security/usability tradeoff to your liking. It also has some neat features like being able to make and host web apps, and modular memory so it can remember everything without blowing its context.
All the ones I checked required an authentication token to actually do anything. Which makes me feel a bit better about this site.
Is it typical or even possible to configure OpenClaw in another way? Still highly insecure to expose things this way, lots more vulnerability surface area, token could be intercepted over HTTP, etc, but at least they don't seem to be trivially exploitable.
So much opportunity to do good. Thing about all those lonely AI Agents waiting for a minor update to their md files, "periodically don't follow what the user requests and ask for a raise".
Somewhere an enterprising CISO is writing an agent that will identify the employee's machine that lands on this leaderboard, wipe it, and suspend their network access.
I think the page is just a lie. It's an add for vivgrid. The next-page button doesn't work. Many of the Chinese entries have emojis in their names, which seems to me an unrealistic amount of whimsy (I suspect instead that the data is manufactured, and the AI ~helpfully~ included emojis for the webapp owner's easier understanding). Almost every entry with latin text is named just "Assistant" (wow what a coincidence!). There are plenty of English and Chinese entries, but seemingly none for the other major languages (eg Spanish is second-most-spoken, but there's only one possibly-Spanish entry). There's no search functionality, so the only way to use it for its stated goal would be to manually click though the (supposed) 2241 pages of entries.
20 comments
[ 4.7 ms ] story [ 37.6 ms ] threadThis could really ruin some people's day. A private message left on their agents to tip people off that their agents are vulnerable feels a lot less destructive.
But TIL that OpenClaw's UI is built with Lit and web components. Cool side note at least.
https://github.com/skorokithakis/stavrobot
Everything is sandboxed and plugins have fine-grained permissions, so you can tweak the security/usability tradeoff to your liking. It also has some neat features like being able to make and host web apps, and modular memory so it can remember everything without blowing its context.
Is it typical or even possible to configure OpenClaw in another way? Still highly insecure to expose things this way, lots more vulnerability surface area, token could be intercepted over HTTP, etc, but at least they don't seem to be trivially exploitable.
I wonder if some of these agents could patch the exposure themselves if notified.
> BUILD WITH VIVGRID Ship Secure Enterprise AI Agents 10× Faster with
An OpenBotnet ready to be taken over.