Category Archives: Sailing

OpenClaw is Cooked: 433 CVEs Patched by Agents That Can’t Fix What’s Broken

GitHub has a serious breach problem. Someone pointed me to a repo called ClawCode and immediately I saw the telltale signs of an integrity breach. It has 187k stars against 0 releases, 0 packages, 0 visible contributors, and a deprecated crates.io stub that redirects elsewhere. Inflated social proof on a shell means the repo is nothing more than hot air, an attention-seeking circus act. They used AI to write a Rust CLI that calls the Anthropic API, and branded it to ride Claude Code’s name recognition.

The Star-Belly Sneetches had bellies with stars.
The Plain-Belly Sneetches had none upon thars.
Paper Claw is more like it. It’s the same GitHub “star” fraud pattern I already called out with OpenClaw. And I have to point out Dr. Seuss warned children about exactly this a long time ago. We have no excuses for rewarding “star” systems being simplistically gamed by charlatans. OpenClaw shipped on November 24, 2025 and the measure of what really matters since then is not stars. It has accumulated 433 published CVE records in just five months, which works out to a stunningly high disclosure rate of roughly 2.6402439 security failures per day. Call it three strikes every day, give or take. Has any software ever been this bad?

We’re talking AI “vibe” coding here, so the machines pump out a patch cadence to keep pace with the mistakes reported against what they just made; that is what circular speed metrics measure when a codebase produces vulnerabilities this fast.

More tokens! More code! More spend! Worse software.

Four of the five modes of failure that recur have received targeted fixes. The fifth, route-level authorization, clearly regenerates itself in every new platform integration. The shipping defaults, as bad as they are, also persisted unchanged through the fixes. To put it another way, an unbelievable 63 percent of internet-reachable instances of OpenClaw run with authentication disabled today and I’m not seeing any effort to improve.

Authentication disabled by default on “personal” data management, folks.

In 2026.

The stupid, it burns. OpenClaw looks seriously cooked. Next thing you know, someone will tell me they have authentication disabled on the OpenClaw controlling their Tesla, as if nobody on the Internet is going to inject prompts to drive them off a cliff? Then again, since 2013 on this blog I have said Tesla is cooked and by 2016 I had been warning for years it would kill a lot of people, and look at how that turned out.

Teslas notoriously “veer” uncontrollably and crash. Design defects (e.g. Pinto doors) trap occupants and burn them to death as horrified witnesses and emergency responders watch helplessly. Source: VoCoFM, Korea, 2024

So please don’t take my word for how bad this is, again. Look at the numbers yourself, with all the denominators. Anthropic hasn’t cornered the market on vulnerabilities yet, to turn safety work into a proprietary rate-based secret, so I offer you here an OpenClaw flaw transparency report.

The cvelistV5 directory holds 413 PUBLISHED records that name OpenClaw as of the 2026-05-06 corpus snapshot at jgamblin/OpenClawCVEs. The live counter called days-since-openclaw-cve.com reads 433 accumulated, against a project that first shipped 164 days ago. That’s just wild! It’s perhaps the worst software ever released in history. Of the 413 in the analytical snapshot, 376 sit under VulnCheck as the assigning CNA, 34 under GitHub_M, and 3 under MITRE.

If you know the story of the Vasa, you know what I’m talking about here. It was Sweden’s flagship trying to claim most heavily armed warship in the world at its August 1628 launch, with 64 bronze cannons across two gun decks. King Gustavus Adolphus pushed for a second gun deck, the master shipwright died mid-build, the stability tests failed and were ignored, the ship sailed 1300 meters and capsized on its maiden voyage without even leaving the Stockholm harbor.

Vasa, on the bottom of Stockholm harbor, sunk by ignoring a known architectural failure.

It was the definitive OpenClaw buzz of 1628. Not to get too deep into history here, technically the Vasa was a state propaganda ploy under a monarch who needed a Baltic war splash. Today’s “viral consumer launch” looks to me like NVidia and OpenAI leaders rushing into another Vasa splash… but I digress.

The GitHub Advisory Database holds 113 GHSAs for the project. 39 of those carry CVE IDs and are visible in NVD. 74 remain unassigned. There are six BlueBubbles records, for example, that appear in cvelistV5 without GHSA narrative.

That gives us a working population for category analysis of 119 advisories.

CWE and CVSS metadata is fully populated on the 39 published-with-CVE subset. The 74 unassigned GHSAs carry CWE labels but lack a CVSS string. The cvelistV5-only records carry CWE plus CVSS without GHSA discussion threads. That means my analysis of the CVSS distribution below uses the 39 records, while analysis of the CWE category uses the 119 records. It’s a messy business yet we still see insights.

Since the public counter at days-since-openclaw-cve.com tracks the longest CVE-less streak (12 days, between February 7 and February 18, 2026) I figure I should look at that first. Inside the 39 subset, the gap from the fix release to advisory publication has a range from 0 to 13 days. Sometimes the GHSA goes out the same day the patch ships, sometimes it trails by two weeks. A patch turnaround like this is measuring how the project runs its robots. Far more interesting are the uptake numbers, which unfortunately read very differently, as I’ll explain in a minute.

The GHSA timeline splits into two clear groups. Between February 17 and 18 there were 11 advisories from a small group of researchers. Then on April 17 suddenly 39 GHSAs appeared in just one day, of which 24 received CVE IDs through VulnCheck. The NVD publications followed in waves. April 28 carried 11 CVEs into NVD, using the GHSAs published April 24 and 25. May 5 published another 25, all but one coming from the April 17 batch.

VulnCheck, a CNA broker, has been the assigner on 376 of the 413 cvelistV5 records. The reporter line on 11 of the 24 with-CVE entries from April 17 lists zsxsoft and KeenSecurityLab paired together, with the same pair extending across the broader April 17 batch. Across all the April advisories, I found 21 distinct credit logins. February had just 9, which led me to realize the credit count right now vastly overstates the discovery population. When you factor in qclawer, it collapses into a pattern.

A GitHub user named qclawer (id 274765497) created a profile on 2026-04-09, last updated eight days later. The account holds no commits, no other repository activity, no other public artifacts. Inside the GHSA system, qclawer appears as credit-type tool, which the GHSA pipeline auto-maps to the sponsor credit category. Notably, 20 GHSAs fall under this credit, while 11 of those 20 still have no CVE ID.

It looks to me that KeenSecurityLab was set up as a placeholder organization. The pairing of zsxsoft, a previously published researcher, with KeenSecurityLab on 24 GHSAs is a single human driving an automated tool. The 21 credit logins in April look like the resultant robot output surge. There is one tool, one triager, with a credit field filled in simply to satisfy the GHSA submission schema. That’s why the April 17 batch reads to me like a single dumpster, not 39 independent discoveries.

The Five “Flobster” Failures: An architectural swing and a miss

Over 100 advisories, five types

  1. Trust-boundary collapse (47 advisories). Webhook authenticity, message platform allowlists, and identity validation across direct-message and group context. CVE-2026-25474 covers a missing Telegram webhook secret that allowed unsigned event injection. CVE-2026-22172 records a WebSocket scope elevation in shared-token connections, where the gateway accepted whatever scope the client claimed. CVE-2026-32987 documents a bootstrap pairing replay against the device pairing flow. Webhook signature verification, scope binding to the authentication token, and pairing nonce checks are first-week design decisions for a multi-platform agent gateway. The codebase shipped without them.
  2. Authorization scope (41 advisories). Route-level authorization gaps for already-authenticated callers. CVE-2026-32916 covers synthetic admin scopes through plugin subagent routes. CVE-2026-35639 covers scope validation on the device.pair.approve path. CVE-2026-42434 covers sandboxed agents escaping exec routing through a host=node override. The shared anti-pattern is client-declared authorization. The route accepts a scope label from the caller and treats that label as the policy decision, with no server-side check that the principal is entitled to operate at that scope. This is the one that regenerates with every new platform integration.
  3. Exec-boundary injection (18 advisories). Shell, environment, and file-path injection into command construction. CVE-2026-25157 records OS command injection through the project root path in sshNodeCommand. CVE-2026-32917 records remote command injection through unsanitized iMessage attachment paths in SCP. CVE-2026-27487 records shell injection in the macOS keychain credential write path. argv-mode subprocess invocation is the documented default in both Node and Python and avoids this entire category. The codebase used string concatenation into shell commands.
  4. Control-plane exposure (10 advisories). Unauthenticated network surfaces that assumed loopback-only delivery. CVE-2026-28485 records missing authentication on Browser Control HTTP endpoints. CVE-2026-28458 records the Browser Relay /cdp websocket missing auth, allowing cross-tab cookie access. CVE-2026-26317 records CSRF on loopback browser mutation endpoints. The assumption embedded across this bucket is that localhost binding is itself an authentication boundary. SecurityScorecard’s STRIKE team has identified 42,900 instances where it never was, because the listener defaults extended past loopback to public addresses.
  5. LLM-surface (3 advisories). Prompt-injected execution paths that route model output back into host operations. CVE-2026-24764 records remote code execution through system prompt injection in Slack channel descriptions. CVE-2026-43534 records agent hook events that accept unsanitized external input as if it were a trusted system signal. CVE-2026-43533 records arbitrary local file read through QQBot media tags. This bucket sits inside what Simon Willison calls the lethal trifecta. The architecture consumes model output as a control signal.
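The second bucket above, client-declared authorization, is the one the post says regenerates with every new integration. The added example below is mine, not OpenClaw’s code: a constructed gateway with a server-side token store and a central route policy, showing the vulnerable handler that treats the caller’s scope label as the decision beside a hardened handler that binds scope to the token, fails closed on unregistered routes, and treats an empty grant list as “nothing” rather than “everything”. Route names, tokens and scope labels are invented for illustration.

```python
"""Server-side scope binding vs. client-declared authorization.

Added illustration (not OpenClaw's code or API). Every identifier below is
constructed for the example.
"""
from dataclasses import dataclass

# Constructed token store: what the SERVER knows about each bearer token.
# In a real gateway this is the session / device-pairing record.
TOKEN_STORE = {
    "tok-operator-1": {"principal": "operator", "scopes": frozenset({"admin", "chat"})},
    "tok-chat-bot-7": {"principal": "slack-bridge", "scopes": frozenset({"chat"})},
    "tok-unpaired-3": {"principal": "pending-device", "scopes": frozenset()},
}

# Central route policy. A route that is reachable but not listed here is
# denied, so a new platform integration cannot ship an endpoint that
# silently has no authorization check written for it.
ROUTE_POLICY = {
    "chat.send": "chat",
    "device.pair.approve": "admin",
    "plugin.subagent.spawn": "admin",
}


@dataclass(frozen=True)
class Request:
    token: str
    route: str
    claimed_scope: str  # what the CLIENT says it is operating as


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_client_declared(req: Request) -> Decision:
    """VULNERABLE pattern: the scope label supplied by the caller IS the policy.

    A valid low-privilege token plus a self-asserted "admin" claim reaches
    admin routes, and an unlisted route simply trusts whatever was claimed.
    """
    if req.token not in TOKEN_STORE:
        return Decision(False, "unknown token")
    # Unregistered route: no policy entry, so the claim becomes the requirement.
    required = ROUTE_POLICY.get(req.route, req.claimed_scope)
    if req.claimed_scope == required:
        return Decision(True, f"claimed scope {req.claimed_scope!r} accepted")
    return Decision(False, "claimed scope does not match route")


def authorize_bound(req: Request) -> Decision:
    """HARDENED pattern: the decision uses only server-side state.

    The client's claimed scope is never consulted for the decision; it is
    only useful as an audit signal when it disagrees with what was granted.
    """
    record = TOKEN_STORE.get(req.token)
    if record is None:
        return Decision(False, "unknown token")
    required = ROUTE_POLICY.get(req.route)
    if required is None:
        return Decision(False, f"route {req.route!r} has no policy entry (fail closed)")
    granted = record["scopes"]
    if not granted:
        # An empty allowlist means no rights, never "no restriction".
        return Decision(False, "token carries no scopes")
    if required not in granted:
        return Decision(False, f"{record['principal']} lacks {required!r}")
    return Decision(True, f"{record['principal']} holds {required!r}")


if __name__ == "__main__":
    probe = Request("tok-chat-bot-7", "device.pair.approve", "admin")
    print("client-declared:", authorize_client_declared(probe))
    print("server-bound:   ", authorize_bound(probe))
```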

With these five buckets in hand, now look at the disconnect from the CWE labels.

CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization) carry the largest counts in the published-with-CVE subset, with 10 instances of CWE-863 alone. Each label is spread across multiple distinct surfaces.

The same CWE-862 label covers a webhook with no authentication at all (CVE-2026-43572 on the Microsoft Teams SSO invoke handler), an authorization function that returned the wrong sentinel for empty approver lists (CVE-2026-43574), and a route that included untrusted workspace plugin shadows in catalog lookups (CVE-2026-43571). Three architecturally distinct surfaces collapse into one taxonomic bucket. The CWE label describes how the authorization layer failed, with no purchase on why each surface needed its own handwritten check in the first place.

CWE-770 (Allocation of Resources Without Limits or Throttling) is cleaner. All four CWE-770 cases in the corpus map to trust-boundary collapse: webhook bodies, base64 media decoding, archive extraction, voice-call WebSocket frames. CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) is also clean: workspace .env files, MCP stdio environment loads, plugin shadow loads. The taxonomy works when the underlying flaw is narrow. It collapses when the underlying flaw is “this surface was built to take adversarial inputs as policy decisions”.

There also was a large notable shit, oops, I meant shift from February to April.

The February cluster is dominated by platform-surface bugs. Stored XSS in the control UI. Command injection in shell construction. Missing webhook secrets. CSRF on loopback endpoints. The upstream fixes for these are bounded. The loopback HTTP server got an authentication requirement in 2026.1.29. The shell wrapper moved partway to argv-mode. The webhook handler picked up a required signing secret on the platforms where users complained loudest. Once the upstream patch landed, that specific bug stopped reappearing.

The April cluster, however, is dominated by route-level authorization failures across plugin subagent endpoints, device pairing, scope claim parsing, and channel-specific permission boundaries. New platform integrations ship with route-level authorization checks that have to be written by hand. QQBot, Matrix, Microsoft Teams SSO, Synology Chat, Nostr, voice-call WebSocket, Discord events, BlueBubbles. The integration count is the bug count. Each surface carries its own scope schema and validation logic, written from scratch on the project side, then surfaced months later by automated discovery on the researcher side. The maintainer reads patches and ships fixes. Plugins ship faster than either side can catch up.

That suggests the February-shape bugs were addressable with a targeted fix, while April-shape bugs were reproduced with the next plugin. That’s just patching logic. Far more dangerous is that neither matters to the 63 percent of running instances that never enforced authentication in the first place and probably have no idea in how much danger they are.

The architectural picture so far has described the flaws in a deeply troubled codebase. When we shift our gaze to the deployment ecosystem, it gets much worse. Bitsight’s late-January scan found over 30,000 exposed instances. SecurityScorecard’s STRIKE team raised that to 42,900 by February 9, with 15,200 directly vulnerable to RCE at that snapshot. The Register reported 135,000 plus by February 12, of which 63 percent ran with no authentication layer. Infostealer families now ship with OpenClaw configuration paths in their target lists.

ClawHub, the project’s package registry, within the first six weeks became a malware distribution channel. Koi Security’s early-February audit of 2,857 skills flagged 341 as malicious, with researcher Oren Yomtov tracing 335 of the 341 to a single coordinated campaign tagged ClawHavoc, primarily delivering Atomic macOS Stealer. Kaspersky’s coverage in the same window described an earlier figure of around 230. By mid-February, VirusTotal Code Insight reviews of more than 3,000 skills produced hundreds of flags. By March, the working figures sat near 900 across an expanded registry, per Bitdefender estimates. The publication threshold for any skill at the time was a GitHub account at least one week old.

How such predictable harm to the market and users is still legal, I’ll leave the lawyers to figure out.

Oasis Security documented an attack chain that gives any visited website silent full control over a developer’s running OpenClaw agent, with no plugins, extensions, or user interaction. The chain combines brute-forceable localhost auth, an auto-approving pairing flow, and the gateway’s loopback-trust assumption. SonicWall Capture Labs published a single advisory and detection signatures for CVE-2026-25253, the gatewayUrl auth-token-exfiltration RCE. Microsoft’s Defender Security Research Team has stated OpenClaw should be treated as untrusted code execution with persistent credentials and is unsuited to a standard personal or enterprise workstation.

I guess I could go on, but OpenClaw is so cooked it’s become an embarrassment to engineering, an indictment of the lack of a code of ethics that would prevent slop and taint from collecting “stars” as the only measure of success.

The deployment problem is a real problem. Detecting OpenClaw is becoming like detecting any malware. Focusing on forcing a signed release that fixes the next route-level authorization bug still doesn’t get us out of the doghouse of running instances exposed to exploitation. The malicious skills already installed sit underneath that, having modified the persistent memory files that govern agent behavior across restarts.

Hegseth Says Lynching Noose Campaigner is Head of Navy

Have you seen the toxic campaign by the guy in Virginia who Hegseth just appointed to lead the Navy? It’s a lynching coin.

Source: Virginia Senate

In case that photo is a little too shiny, here’s the raw image; simply a noose, hanging an animal, invoking both Virginia and Navy violent racist history.

Let’s run a thought experiment. A retired Navy Captain named Lynching, running for office in Virginia, hands out a coin reading “I want my senator to be Lynching” with a hanged figure.

Who calls a lynching campaign clever? In Virginia. Does someone really say “but his name is Lynching” or “how funny”? Does someone say “but the figure being hanged is subhuman?”

Let me be clear about the history of the noose on the coin, since we’re talking about lynching here. Thomas Jefferson as Governor of Virginia ordered Charles Lynch to “suppress conspiracy” in 1780. Conspiracy for what? I’ll get to that.

Lynch then tied men to a tree, lashed them and “hung” them by the thumbs. Two years later he called it officially “Lynch’s Law”, presumably as an import of the old English guilty-until-proven-innocent “Lydford Law”.

I oft have heard of Lydford law,
How in the morn they hang and draw,
And sit in judgment after.

A few years after the severe lashings and hangings by Lynch, the town of Lynchburg, Virginia was chartered by his brother. They have remained connected ever since and to this day.

What conspiracy brought the tree-based lashings and hangings? Well, it was really about enslaved Black people who had pursued the freedoms that Dunmore’s November 7, 1775 Proclamation promised them. The British Crown’s military command was at the time the only clear available emancipation pathway for American Blacks. Sir Henry Clinton’s Philipsburg Proclamation of June 30, 1779 expanded it further to include any American Black regardless of whether they took up arms. It’s estimated as many as 100,000 Blacks fled slavery-obsessed American rebels in order to seek freedom under the Crown. The colonies were in a fight to preserve slavery such that Jefferson’s order of 1780 meant American Blacks were to face the grave danger of being Lynched. Notably, the Lynch Law targeting American Blacks was years before the city of Lynchburg had been named.

Jefferson directly called out King George III in both the 1776 Virginia Constitution and the draft Declaration of Independence (later struck out) on charges of “prompting our negroes to rise” instead of remain down as slaves. Yes, the same guy who authored the “all men being created equal” also said he waged war with the British Crown because the King had said Virginian Blacks deserved freedom. Jefferson by 1780 therefore wasn’t just establishing Lynch’s Law generically against “loyalists” but setting up a method by which Black people would remain enslaved in America to him, instead of gaining freedom under rule of the British Crown.

Fast forward and many Virginia Blacks were indeed lynched. There were at least 100 documented between 1880 and 1930. Very few have been properly memorialized. The Equal Justice Initiative still maintains the count.

Almost every documented lynching between the 1830s and 1960s. Source: Smithsonian. Monroe Work Today/Auut Studio

Virginia is without a doubt the state where Cao’s noose imagery would land the hardest. A candidate who campaigns on lynching in Virginia is performing a very specific act. It also happened at a very specific time. Loudoun County, where Cao lives in Purcellville, is known for the Leesburg lynching of Page Wallace in 1880. Del. David Reid, who represents Loudoun, sponsored the 2025-2026 budget line funding new historical markers at Virginia lynching sites such as Wallace. This was the context for Cao to print and circulate a lynching coin in the same county, in the same political season, while his neighbors in the General Assembly were appropriating money to mark the trees.

What’s the matter with Cao? Here is a man whose family fled racial and political violence, and yet he used lynching for his official campaign currency to win the votes of people for whom that image is seen as heritage rather than horror.

He was five years old in 1975 when his family fled Saigon. His father was working with the South Vietnamese government, which is to say already inside the class whose survival depended on alignment with American power. Then they were in West Africa, reportedly on USAID work, which apparently is why Cao sometimes jokes that he is an African-American. Then Virginia. Then Thomas Jefferson High School, onto the Naval Academy, EOD, the Pentagon, Bannon… and MAGA. The lesson absorbed early was empires kill people who fail to make themselves useful. He kept making himself useful.

Within the Navy and its primary shipbuilding base, nooses have been a recurring instrument of racial intimidation in three distinct settings: aboard ship, on shipyard floors, and inside the warships under construction.

Again, the noose symbol is very particular to the person using it in the context they are using it.

Look at the 2017 case on USS Ramage, which came from a shipyard worker in Pascagoula. Or what about the 2021 case on USS Lake Champlain with a sailor who placed the noose on a Black crewmate’s rack, confessed, and was removed. Would it be any different if he left the “Hung” coin? The 2023 case on USS Laboon, a Norfolk-based Arleigh Burke destroyer at General Dynamics NASSCO Norfolk, involved three separate noose placements targeting one sailor in February alone. Two on the rack, one on the floor next to it. What if they were Hung coins? The Navy spokesman confirmed on the record that the targeted sailor was the only one affected and that he declined transfer off the ship. February 2021 also produced the parallel hate-speech graffiti incident on USS Carl Vinson, contemporaneous with the Lake Champlain case, prompting Admiral Aquilino to fly from Hawaii to San Diego for a fleet stand-down.

But the thing I want to raise most is that Cao was born just before a series of incidents in which Marine Detachments selected Black sailors for nightstick beatings. Most famously, the USS Kitty Hawk, October 12, 1972, then the USS Hassayampa, October 16, 1972, and the USS Constellation, November 3-4, 1972. All the white sailors, who we can say today with absolute certainty were the aggressors, were ignored. Twenty-five Black sailors on the Kitty Hawk alone, however, were charged with rioting in their own defense, as Marv Truhe has since documented.

Here’s the proper context that a boy born in 1970s Vietnam, who later joined the Navy, really brings to mind with his lynching symbolism:

The final witness was an airman, Michael Laurie, who said he saw Mallory participate in the attack. Laurie said he recognized Mallory because they’d spent time together a few months earlier in a bar in Hong Kong.

Truhe presented evidence showing Mallory hadn’t been in Hong Kong then, a gotcha moment that seemingly undercut Laurie’s credibility. It didn’t matter. The judge convicted Mallory and gave him a bad conduct discharge.

Stunned, the defense team pondered its next move. The NAACP was providing lawyers and advice, and it agreed to fund a tactic seemingly drawn from a crime novel or Hollywood thriller. They hired a private detective to see if he could befriend Laurie and get him to admit he’d lied in court.

It worked. Laurie bragged, in conversations that were secretly recorded, about hating Black people and committing perjury. He said he’d been part of the riot — “We all went out there and stomped some ass” — and said investigators afterward hadn’t “even asked us if we fought back or anything.”

Mallory’s conviction was reversed and the charges dismissed. Widespread publicity about the tapes put the Navy on the defensive about whether it had selectively prosecuted Black sailors.

Suddenly, the defendants who had been kept in the brig for more than three months were released. Charges against one sailor, then another, got dropped after witnesses backed away from identifying them as assailants.

The lynching coin is not a joke.

It is a white supremacist credential. Cao is using it as an entry token to the Hegseth show. Hegseth, whose own iconography reads as Crusader extremism to every medieval historian asked, has spent fifteen months targeting Black and female officers for removal from the senior ranks of the Navy and the Army.

A man now handing out lynching coins from the top is no more a surprise than if he started wearing white sheets to work.

The Navy that prosecuted twenty-five Black sailors on the Kitty Hawk, repeatedly calling them uneducated and of lesser intelligence, now reports up to the man who grew up learning the exact wrong lessons. He has minted a noose in enamel and joked to Steve Bannon that a Vietnamese man wearing a KKK hood for lynchings would need to have it made with eye-slits instead of round holes.

The Department of the Navy did not acquire this lynching-rhetoric man in spite of it, whether a KKK hood or his KKK coin. It acquired him because of it.

Two and a half centuries after Jefferson sent Lynch to violently deny American Blacks their freedom, the same Commonwealth has sent the same message.

Trump’s New Minesweepers for Hormuz Go MIA, Spotted in Malaysia

Minesweeping Elvis has left the building.

Two-thirds of America’s Persian Gulf “mine countermeasure capability” just got busted by a shipspotter in Penang, Malaysia. Not declared by the Pentagon. Not briefed in Congress. A guy with a camera at a container terminal said, uh, what the hell.

Source: Twitter

USS Tulsa and USS Santa Barbara, two of three Independence-class Littoral Combat Ships known as the entire US Navy mine warfare force in the Middle East, were photographed docked at North Butterworth Container Terminal on March 15.

Their homeport is Bahrain. Bahrain is 3,500 nautical miles away. You know, where the US has been at war with Iran since February 28.

Iran’s mine doctrine is the reason these ships exist in their current “countermine” configuration.

The Gap

Again, as I’ve recently blogged, Trump had his four best minesweepers in January loaded onto a heavy lift ship and sent to Philadelphia for demolition. The Royal Navy decommissioned its last traditional minesweeper in Bahrain this year too.

And the official replacements are the Tulsa, Santa Barbara, and Canberra. These three LCS ships were just fitted with modular MCM mission packages at huge expense. Three large metal ships replacing four small non-metal ones, introducing an untested system, unfit for Gulf waters, against an adversary that has thousands of mines and decades of doctrine for deploying them in exactly the strait where traffic has now slowed to only what the Iranians decide.

Two of those three ships now sitting on the wrong side of the Indian Ocean is curious at least. Canberra’s location is “unknown”.

Finger Pointing

The War Zone reached out to CENTCOM, which directed them to Fifth Fleet. Fifth Fleet directed them back to CENTCOM. The Royal Malaysian Navy, which normally announces foreign warship arrivals on social media, said nothing. USNI News sources described it as a “logistics stop” and declined further comment.

Planet Labs satellite imagery shows no US warships in port in Manama since February 23, five days before strikes began. Clearing the port was prudent. Sending the mine warfare assets 3,500 miles east was… something else.

The Ol’ Switcheroo

Defense officials told reporters on Friday that missiles, definitely not the Iranian sea mines, are currently the largest threat to merchant shipping in the Strait of Hormuz. Read that slowly. Consider how many press conferences we have heard that Iranian missile capability has been “obliterated”. It’s not a reassurance here. The Navy sounds like it’s reframing the threat environment to match a capability it no longer has in theater. Or maybe the Navy realized the three ships have a critical vulnerability, beyond sucking at minesweeping.

At least twenty crude oil tankers and cargo ships have been struck by projectiles since February 28. Trump is failing to convince his former enemies, the NATO allies, to contribute ships for a convoy operation to reopen Hormuz. US officials say American escorts are unprepared, won’t be ready for weeks. So what’s with these new mine clearance ships sneaking off to Malaysia?

Are they being used to chase ships instead? Did someone decide a 40-knot trimaran with anti-ship missiles and boarding capability is more useful chasing Iranian sanctions traffic through the Malacca Strait than hunting mines it probably can’t find anyway?

LCS Can’t Find Itself

The LCS MCM mission package has been a decade late and plagued with reliability problems since inception. The concept envisions laboriously hunting individual mines one by one with unmanned systems, giving an estimated clearance rate of roughly two mines per hour against minefields that are expected to number in the thousands. Tulsa’s unmanned surface vessel, riddled with points of failure, infamously went rogue after its tow bracket quit.

Something Smells Rotten

The US appears to have pre-conceded capabilities it spent decades building. The Avengers were retired by Trump as a bureaucratic fait accompli a month before they were needed. The snowflake LCS MCM system was declared operational abruptly as an institutional checkbox. And when the contingency these systems were specifically designed for actually arrived, given headlines announcing Iran mining the Strait of Hormuz as everyone expected, the LCS fleet pushed off to somewhere else and nobody in the chain of command wants to say why.

The ships arrived in Penang on March 14 and departed March 16. A Russian task group had just left the same berth two weeks earlier. That’s probably just a coincidence. The rest of it isn’t.

Trump Gutted the Minesweepers. Then Trump Started the Mine War.

September 25, 2025 seems like forever ago. The U.S. Navy held a ceremony at Naval Support Activity Bahrain to decommission USS Devastator, the last of four Avenger-class minesweepers that had operated in the Persian Gulf for 35 years. Vice Admiral George Wikoff, then commander of U.S. Naval Forces Central Command, spoke fondly of the defense technological achievement:

They are “true trailblazers” who had defended freedom of navigation and deterred efforts “by adversaries to harm the innocent.”

USN Avenger-class mine countermeasure ship. Source: USN photo by Mass Communication Specialist 1st Class Charlotte C. Oliver.

On January 9, 2026, the four decommissioned hulls — Devastator, Dextrous, Gladiator, and Sentry — were physically loaded onto a contracted heavy-lift vessel, the M/V Seaway Hawk, and removed from Bahrain. They are slated for dismantlement.

A little over a month later, defenses gone, on February 28 the United States and Israel launched Operation Epic Fury against Iran. And it goes without saying that Iran’s primary asymmetric response is mining the Strait of Hormuz.

Mind the Gap

That sequence of self-inflicted weakness is documented. For some reason the connection is not yet headline news.

Stars and Stripes covered the September ceremony. USNI News covered it the same day. The War Zone covered the January physical departure and noted, only in passing:

…the continued critical importance of naval mine-clearing capacity in the Middle East is underscored now by a new surge in geopolitical friction between the United States and Iran.

Naval News ran the best report so far, noting that the replacement Independence-class littoral combat ships:

…have struggled to meet the requirements of operational mine countermeasures missions.

Struggled.

CNBC mentioned the decommissioning in two sentences buried inside a March 11 piece on the mine strikes.

No major outlet has run the timeline as a single story about the administration removing the directly applicable dedicated mine-clearing force, while it started the war where mines are the threat.

Avengers in Brief

The Avengers were purpose-built for this exact mission. Wooden hulls were sheathed in fiberglass, using oak, Douglas fir, and Alaskan cedar chosen specifically to minimize magnetic signature and reduce vulnerability to the magnetic-influence mines Iran stockpiles.

At 68 meters and 1,312 tons, they were small enough to operate close to mined areas. They carried sonar, video systems, cable cutters, and remotely detonated mine-disposal devices.

The Navy built 14 of them between 1987 and 1994. The four at Bahrain had been forward-deployed since 2012. At the decommissioning ceremony, Lt. Commander Alex Turner told his sailors to take home their piece of Douglas fir plank and remember what they carried with it.

Now the best American minesweeper ships in history are well on their way to Philadelphia for disposal, if not already gone.

Independence-variant littoral combat ship escorts four decommissioned Mine Countermeasures Ships, Jan 21, 2026. Source: USN Mass Communication Specialist 2nd Class Iain Page.

What Has Come Since

The Independence-class LCS is an aluminum trimaran built by Austal USA, which I blogged here 16 years ago… time sure flies! It is significantly larger than the Avengers. The War Zone noted at the time of departure a size problem:

…could impose limits on how close they can get to mined or potentially mined areas.

Someone wrote down “networked, agile, stealthy surface combatant capable of defeating anti-access and asymmetric threats in the littorals” and this giant floating soccer field filled with video game monitors popped out.

Aluminum ships are obviously metal-hulled, the exact opposite of the deliberate design choice behind the superior wooden Avengers. As someone who has sailed across an ocean on aluminum, let me be the first to say it’s the worst, the worst, hull material for many reasons, not least of all corrosion.

It rapidly develops electrochemical reactions in saltwater, requires far more maintenance, and has lousy magnetic signature management. Plus it is loud and cold, a condensing drum that diminishes comfort. It’s the worst, most annoying vessel material for open water.

And the late-addition mine countermeasures mission (MCM) package for these ships was not even installed until 2025, which means it is untested. The USS Canberra received it in April 2024 and arrived in Bahrain in May 2025. USS Santa Barbara and USS Tulsa followed. The whole program had been delayed by more than a decade of failed systems, equipment failures, and integration problems.

Naval News documented the specifics at the time of the Avenger retirement: during one test of the MCM package on USS Tulsa, a tow bracket broke, leaving an unmanned surface vehicle unrecoverable. Another ship had to retrieve it. The sensors in the current suite are ineffective in turbid or deep water. Hormuz is turbid. Pre-mission preparation takes approximately six hours. Any single equipment failure renders the entire system inoperable. The platform lift. The tow hook. The crane frame. Any one of them. Whole system down.

PowerPoint procurement process. So much war fighting capability per dollar it can’t even… fight.

The Navy and Pentagon labeled this transition unenthusiastically, as if it were boredom with what works that was driving the mistakes:

…a much needed step towards modernizing the fleet.

Needed. Much needed.

The Current Situation

CNN reported March 10 that Iran has begun laying mines in the strait, already a few dozen. According to U.S. intelligence, Iran still retains 80 to 90 percent of its small boats and mine-layers, and could feasibly deploy hundreds more. CBS News reported that while Iran’s total mine stockpile is not publicly known, estimates over the years have ranged from 2,000 to 6,000 naval mines of Iranian, Chinese, and Russian manufacture.

Reuters reported the same day that the U.S. Navy has refused near-daily requests from the shipping industry for military escorts through the strait since the start of the war, telling industry briefings the risk of attacks is too high.

Three shipping industry sources confirmed the Navy’s position has not changed regardless of Trump propaganda: escorts will only be possible once the risk of attack is reduced. A maritime security source told Reuters that securing the strait could require taking control of Iran’s vast coastline.

There are not enough naval vessels to do that and the risks remain high even with an escort. One or two vessels can be overwhelmed by a swarm.

Trump meanwhile keeps saying that the United States is prepared to escort tankers through the strait whenever needed. How?

Traffic in the Strait of Hormuz on March 10, 2026. Source: USNI / Vessel Finder

On March 10, Energy Secretary Chris Wright posted on X that the Navy had successfully escorted an oil tanker through Hormuz. He deleted the post within 30 minutes. White House Press Secretary Karoline Leavitt told reporters shortly after:

I can confirm that the US Navy has not escorted a tanker or a vessel at this time.

On the same day, Trump posted on Truth Social that if Iran had put mines in the strait — “and we have no reports of them doing so” — he wanted them removed immediately or Iran would face military consequences “at a level never before seen.” U.S. Central Command then announced it had destroyed 16 Iranian mine-laying vessels… laying mines.

Avengers Deactivated

Seasoned, capable minesweepers were ripped out by Trump in January 2026, and then he unilaterally started a mine war in February.

The Avengers were the tool for this specific problem. They existed for exactly this threat environment: Iranian mines in the Persian Gulf, and close-in clearance work. They had 35 years of operational history in the region. The decision to remove them is as if the naval decommissioning and commissioning calendars were never in the same room.

The LCS replacement has abruptly been pressed into service as justification for retiring the Avengers? The “go fast” aluminum boondoggle has spent two decades trying to justify its existence. The MCM package’s first two operational installs happened only in 2025, and the package still offers no demonstrated operational mine countermeasures capability.

Mindless.

Trump is now threatening Iran with real-estate baron language of “never before seen” consequences, as he always does to everyone for everything. But the real calculus is that Iran very, very predictably is mining the strait that Trump just removed his own capacity to clear.