by machinecontrol 73 days ago
The root issue is that OpenClaw is 500K+ lines of vibe coded bloat that's impossible to reason about or understand.

Too much focus on shipping features, not enough attention to stability and security.

As the code base grows exponentially, so does the security vulnerability surface.


We detached this subthread from https://news.ycombinator.com/item?id=47629849 and marked it off-topic.
I can't really think of a more on-topic comment. The thread is about a security issue and the comment is about the quality of the codebase.
The comment is a generic vent about the project’s codebase and development approach, not an effort to engage in curious conversation about this vulnerability. Also, I consider it to be in breach of the guidelines about fulmination, swipes/sneers, and curmudgeonliness.
The comment doesn't even seem to contain opinion. It's simply objectively true. Let's be honest, you just didn't like the way it was directly calling out the author for writing shitty software. Responsibility is a thing and the author is displaying none of it.
I don’t know or care whether it’s “objectively true”. That style of commenting, i.e., “calling out the author” is not what HN is for, regardless of the truthfulness of the comment. You’ve been around long enough to know that. HN is for curious conversation between hackers, i.e., people who like to build things. Attacking people for building things in some kind of “wrong” way is not cool here. “Responsibility” is not mentioned in the guidelines but kindness is.
Isn't the development approach part of the reason that this exploit occurred? The creator openly admitted that they weren't properly reviewing code when describing the project previously. With no engineers who have domain knowledge of the app (because the developers are AI) that leaves a wide gap for exploits to appear.

I feel like just filtering this comment out is a mistake. I use AI, and I think there is a place for it, but if a colleague said "Here's a PR, I didn't even review it" I'd send it back and say "Well you better review it!"

How AI is used is 100% a topic for debate, ranging from "All AI is bad" to "there will be no coding, just vibes". You agree with this right? That there are a range of developers who believe different things all along this spectrum, and that for some developers un-reviewed code is the CAUSE of bad code.

The current OpenClaw GitHub repo [1] contains 2.1 million lines of code, according to cloc, with 1.6M being TypeScript. It also has almost 26K commits.

[1] https://github.com/openclaw/openclaw

Wow, this repo seems to get something like 100 commits an hour based on just scrolling through the recent ones.
And none of them pass the hallucinated CI pipeline. I don't know if I want to drive flying cars if there's no guarantee of it not exploding in midair.
There are like 10 OpenClaw clones out there. If you prefer security over features, just pick up another one.
They exist; are any of them secure?
Or you can just make your own. The core pattern is not difficult to clone.