xtagon | 1 month ago

Wild. There are 300 open GitHub issues. One of them is this (also AI generated) security report: https://github.com/clawdbot/clawdbot/issues/1796 claiming findings of hundreds of high-risk issues, including examples of hard-coded, unencrypted OAuth credentials.

I am... disinclined to install this software.

Mic92 | 1 month ago

I skipped over the first few ones and haven't seen critical ones. The hardcoded OAuth client secrets are basically present in any open-source or commercial app that is distributed to end users. It doesn't break the security of end users. It mainly allows other apps to impersonate this app, i.e. present itself as clawdbot, which is a moot point given anyone can just change/inject code into it.

xtagon | 1 month ago

Yeah, I see what you're saying.

joe_91 | 1 month ago

Same... I'll install it in a few months when all the major security bugs have been found and patched!

strangescript | 1 month ago

If you read the PR, the bad issues are in a few extensions, not the bot itself. The unencrypted OAuth token isn't really a big deal. It should be fixed, but it's an "if this box is compromised" type thing. Given the nature of clawdbot, you are probably throwing it on a random computer/VPS you don't really care about (I hope) without access to anything critical.

cmorgan31 | 1 month ago

You know, as the rest of us do, that someone has already thrown it loose in the same place where they store their banking information. Oh well, lessons will be learned about containers.

lmeyerov | 1 month ago

They're 100% advocating to use it to do things, such as with all your accounts.

barrenko | 1 month ago

It also tells you a lot about latent demand.

xtagon | 1 month ago

Perhaps. That was yesterday; today there's 650+, with hundreds being tagged as bugs.