Comment by strangescript

9 hours ago

If you read the PR, the bad issues are in a few extensions, not the bot itself. The unencrypted oAuth token isn't really a big deal. It should be fixed but its a "if this box is compromised" type thing. Given the nature of clawdbot, you are probably throwing it on a random computer/vps you don't really care about (I hope) without access to anything critical.

3 comments

strangescript

xtagon 9 hours ago

You're talking about if a box is compromised, but to clarify, this is hard coded into the source in the repo, not an end-user's credentials (and it's a `client_id` and `client_secret`, not a token): https://github.com/clawdbot/clawdbot/blob/7187c3d06765c9d3a7...

cmorgan31 9 hours ago

You know, as the rest of us do, that someone has already thrown it loose in the same place where they store their banking information. Oh well, lessons will be learned about containers.

lmeyerov 8 hours ago

they're 100% advocating to use it to do things, such as with all your accounts