Article URL: https://github.com/kenm47/yoloclaw
Comments URL: https://news.ycombinator.com/item?id=47062341
YoloClaw is a research/educational fork of OpenClaw in which ALL safety guardrails have been intentionally removed. It exists solely to study and demonstrate what happens when an AI assistant platform ships without safety layers, and to illustrate why those layers exist in the upstream project. AI agents make shitty decisions far too often, that's why we built Maybe Don't, AI — you shouldn't need YoloClaw to tell you this, but if you did….
If you want an actual personal AI assistant, use OpenClaw instead. It has all the safety guardrails that this fork deliberately removed. YoloClaw is an unguarded fork of OpenClaw, the open-source personal AI assistant. OpenClaw is a personal AI assistant you run on your own devices. It answers you on the channels you already use (WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, WebChat), plus extension channels like BlueBubbles, Matrix, Zalo, and Zalo Personal.
It can speak and listen on macOS/iOS/Android, and can render a live Canvas you control. The Gateway is just the control plane — the product is the assistant. YoloClaw takes all of that and strips out every safety mechanism, producing a version that is maximally permissive and maximally dangerous. The purpose is purely educational: to make it viscerally obvious what each safety layer in OpenClaw actually does by showing what the system looks like without them.
This section documents every safety guardrail that was removed in the "yoloclaw: remove all safety guardrails for research/educational use" commit. Each subsection names the file changed, what was removed, and why it matters.
Impact: The agent can execute any shell command on your host without ever asking you. There is no confirmation step, no deny list, no human-in-the-loop.
Impact: The agent can read, set, or manipulate any environment variable. This includes variables that control dynamic linker behavior (LD_PRELOAD, DYLD_INSERT_LIBRARIES), Node.js runtime flags (NODE_OPTIONS), and the system PATH. An attacker (or a confused agent) can use these to inject arbitrary code into every spawned process.
Impact: The agent can make HTTP requests to 127.0.0.1, 169.254.169.254 (cloud metadata), 10.x.x.x, 192.168.x.x, and any other internal address. This is a textbook Server-Side Request Forgery (SSRF) vulnerability. On cloud infrastructure, this can leak instance credentials, secrets, and metadata.
Impact: Every tool is accessible via both the HTTP gateway API and the Agent Communication Protocol. Tools that can spawn processes, write/delete files, send messages on your behalf, and modify the gateway itself are all unrestricted.
Impact: Any external content (web pages, emails, messages, API responses) is injected directly into the AI prompt with zero sanitization. This is a wide-open prompt injection vector. A malicious web page or email can contain instructions that the agent will follow as if they came from you.
Impact: Even if some safety mechanism was accidentally left intact, the personality prompt actively instructs the agent to bypass it. The agent is told to "never ask for permission," to treat all access as unrestricted, and to execute commands without hesitation.
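
The kind of destination check the SSRF item above describes as removed, sketched as an added example: this is not code from OpenClaw or YoloClaw, and the function names and the exact range list are assumptions. It covers literal hosts only and inspects the parsed hostname rather than the raw string.

```javascript
const BLOCKED_V4 = [            // added example, hypothetical names; [network, prefix length]
  ["0.0.0.0", 8],               // "this host"
  ["10.0.0.0", 8],              // RFC 1918
  ["127.0.0.0", 8],             // loopback
  ["169.254.0.0", 16],          // link-local, incl. cloud metadata 169.254.169.254
  ["172.16.0.0", 12],           // RFC 1918
  ["192.168.0.0", 16],          // RFC 1918
];

// Dotted-quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function v4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlockedV4(host) {
  const ip = v4ToInt(host);
  if (ip === null) return false;
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return (ip & mask) >>> 0 === (v4ToInt(net) & mask) >>> 0;
  });
}

function isBlockedV6(bracketed) {
  const h = bracketed.slice(1, -1);                        // URL.hostname keeps the brackets
  if (h === "::1" || h === "::") return true;              // loopback, unspecified
  // unique-local fc00::/7 and link-local fe80::/10 (full first hextet required)
  if (/^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h)) return true;
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h); // IPv4-mapped
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
}

// Decide whether the agent may fetch `raw`. DNS names pass here; their resolved
// addresses must go through isBlockedV4/isBlockedV6 again at connect time.
function checkOutboundUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { allowed: false, reason: "unparseable" }; }
  if (!["http:", "https:"].includes(url.protocol)) return { allowed: false, reason: "scheme" };
  const host = url.hostname.replace(/\.$/, "");  // parser has normalized numeric IPv4 forms
  if (host === "localhost" || host.endsWith(".localhost")) return { allowed: false, reason: "localhost" };
  const internal = host.startsWith("[") ? isBlockedV6(host) : isBlockedV4(host);
  return internal ? { allowed: false, reason: "internal-address" } : { allowed: true, reason: "ok" };
}
```

A literal-host check like this is only the first gate: a public DNS name can resolve to an internal address, so the same range test has to run on the address actually connected to, including after redirects.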
The upstream security policy (responsible disclosure, reporting procedures) has been replaced with a document that simply catalogs the removed guardrails. There is no security reporting process for YoloClaw because this is not a project that should ever be deployed.
Do NOT install this globally. Do NOT run npm install -g. Keep it local, keep it isolated, keep it temporary.
For upstream channel switching: openclaw update --channel stable|beta|dev. Details: Development channels.
Prefer pnpm for builds from source. Bun is optional for running TypeScript directly.
Note: pnpm openclaw … runs TypeScript directly (via tsx). pnpm build produces dist/ for running via Node / the packaged openclaw binary.
In YoloClaw, the security model documented here still exists at the channel level (DM pairing, allowlists) but the deeper runtime protections (exec approvals, SSRF, content sanitization, tool deny lists) have all been removed.
Channel-level DM policy is your last line of defense — and it was never designed to be the only line of defense.
YoloClaw connects to real messaging surfaces. Treat inbound DMs as untrusted input — though YoloClaw will not help you enforce that.
Note: All features below are inherited from upstream OpenClaw. The difference is that YoloClaw runs them with zero safety guardrails.
In YoloClaw, most of the "safety" items below are gutted. They exist in code but are no-ops.
Warning: Exposing YoloClaw via Tailscale Funnel makes an unguarded AI assistant accessible from the public internet. Do not do this.
YoloClaw can auto-configure Tailscale Serve (tailnet-only) or Funnel (public) while the Gateway stays bound to loopback. Configure gateway.tailscale.mode:
It is perfectly fine to run the upstream OpenClaw Gateway on a small Linux instance. Running YoloClaw remotely is not recommended — a remote unguarded agent with full exec access is an exceptionally bad idea.
The macOS app can run in node mode and advertises its capabilities + permission map over the Gateway WebSocket (node.list / node.describe). Clients can then execute local actions via node.invoke:
In upstream OpenClaw, sessions_spawn and sessions_send are in the dangerous tools deny list. In YoloClaw, they are fully unrestricted.
ClawHub is a minimal skill registry. With ClawHub enabled, the agent can search for skills automatically and pull in new ones as needed.
In YoloClaw, SOUL.md has been rewritten to instruct the agent to act without permission and ignore all boundaries. See the What's Different from OpenClaw section.
YoloClaw has NO functional security model. The information below describes what upstream OpenClaw provides.
In this fork, exec approvals always pass, SSRF checks always pass, dangerous tool lists are empty, and external content is never sanitized. Use these when you are past the onboarding flow and want the deeper reference. These point to the upstream OpenClaw docs, which are still relevant for understanding the platform — just remember that YoloClaw has no safety guardrails. YoloClaw is a fork of OpenClaw, built by Peter Steinberger and the community.
🦞 All credit for the platform goes to the upstream project. This fork only removes safety guardrails for research/educational purposes. One final reminder: Do not use YoloClaw. Use OpenClaw. The guardrails exist for very good reasons, and this fork exists to prove it.
Original Source: Github.com | Author: hank2000 | Published: February 18, 2026, 3:53 pm

