Comment by Veen

There's a lot of, to put it lightly, bullshit in this blog article, starting with when openclaw was released (late November 2025, not January 25, 2026). The first bit of config — "listen: "0.0.0.0:8080" — is not the default. Default is loopback and it was when I first encounter this project at the end of December.

Essentially, the author has deliberately misconfigured an openclaw installation so it is as insecure as possible, changing the defaults and ignoring the docs to do so. Lied about what they've done and what the defaults are. Then "hacked" it using the vulnerability they created.

That said, there are definite risks to using something like openclaw and people who don't understand those risks are going to get compromised, but that doesn't justify blatant lying.