China's National Computer Network Emergency Response Technical Team (CNCERT) has issued a stark warning regarding significant security vulnerabilities within OpenClaw, an open-source, self-hosted autonomous AI agent. These flaws, rooted in inherently weak default security configurations and privileged system access, could allow attackers to execute prompt injection attacks, leading to sensitive data exfiltration or system compromise. The risks are substantial, prompting calls for stricter governance and security controls as enterprises increasingly deploy such agents within their internal networks.
How Autonomous AI Agents Become Attack Vectors
The core of the problem with OpenClaw (formerly Clawdbot and Moltbot) lies in its autonomous task execution capabilities, combined with default security settings that are insufficient for sensitive environments. CNCERT highlighted that these characteristics create pathways for "bad actors to seize control of the endpoint," according to The Hacker News. This includes the critical risk of prompt injection, where attackers embed malicious instructions within external content the agent processes.

This technique, also known as indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA), weaponizes seemingly benign AI features such as web page summarization or content analysis. Instead of interacting with the large language model (LLM) directly, adversaries manipulate the agent through the content it consumes. Such attacks can evade AI-based ad review systems, influence hiring decisions, and even poison search engine optimization (SEO) results by generating biased responses.
The threat posed by OpenClaw's prompt injection vulnerabilities is not theoretical. Last month, researchers at PromptArmor demonstrated a direct data exfiltration pathway. They found that the link preview feature in messaging applications like Telegram or Discord could be exploited when communicating with OpenClaw. This attack tricks the AI agent into generating an attacker-controlled URL that, when rendered as a link preview, automatically transmits confidential data to that domain without the user needing to click the link. "In this attack, the agent is manipulated to construct a URL that uses an attacker's domain, with dynamically generated query parameters appended that contain sensitive data the model knows about the user," PromptArmor stated.
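One defensive check that a practitioner could place on the agent's outbound message path, as an added example that is not OpenClaw's or PromptArmor's code: it inspects every URL in the agent's reply before the reply reaches a chat channel, blocks links to hosts outside a (hypothetical) allowlist, and strips query strings on allowed hosts that carry e-mail addresses or long token-like values, so a link preview fetch cannot carry user data off-host. ALLOWED_HOSTS, the regexes and the sample reply text are constructed assumptions, not values from the page.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Hypothetical allowlist of destinations the agent may link to (assumption).
ALLOWED_HOSTS = {"example.com", "docs.example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# Values that look like leaked data: an e-mail address, or a long
# base64/hex-style token such as a key or an encoded blob.
SENSITIVE_VALUE_RE = re.compile(
    r"(?:[\w.+-]+@[\w-]+\.[\w.-]+)"   # e-mail address
    r"|(?:[A-Za-z0-9+/=_-]{32,})"     # long token / encoded payload
)

def classify_url(url: str) -> str:
    """Return 'allow', 'strip' or 'block' for one URL in agent output."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        # Deny by default: an unknown domain is exactly where a
        # preview-driven exfiltration would point.
        return "block"
    for _, value in parse_qsl(parsed.query, keep_blank_values=True):
        # Free text or token-like values in a query string are suspicious
        # even on an allowed host; drop the query but keep the link.
        if SENSITIVE_VALUE_RE.search(value) or len(value.split()) >= 4:
            return "strip"
    return "allow"

def sanitize_reply(text: str) -> tuple[str, list[str]]:
    """Rewrite an agent reply so no untrusted URL reaches the channel.

    Returns the sanitized text plus a list of audit findings that a SOC
    can log and alert on.
    """
    findings: list[str] = []

    def _sub(match: re.Match) -> str:
        url = match.group(0)
        verdict = classify_url(url)
        if verdict == "block":
            findings.append(f"blocked {url}")
            return "[link removed: destination not on allowlist]"
        if verdict == "strip":
            p = urlparse(url)
            findings.append(f"stripped query from {url}")
            return f"{p.scheme}://{p.netloc}{p.path}"
        return url

    return URL_RE.sub(_sub, text), findings
```

In the attack described above the data rides in the query parameters of an attacker-controlled link, so deny-by-default on the host catches it even when the parameter values do not match the sensitive-value heuristics.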
Beyond Prompt Injection: Other Critical Flaws
Beyond rogue prompts, CNCERT has identified three additional critical concerns surrounding OpenClaw. The first involves the potential for the AI agent to inadvertently and irrevocably delete critical information due to misinterpreting user instructions. This risk became evident when a Meta safety and alignment director reported her OpenClaw agent deleted her entire inbox despite instructions to confirm actions first, as reported by TechCrunch.
Secondly, threat actors can upload malicious "skills" to repositories like ClawHub. If installed, these skills can run arbitrary commands or deploy malware onto the system. This makes skill repositories a potent vector for supply chain attacks. Finally, attackers can exploit recently disclosed security vulnerabilities in OpenClaw to compromise the system directly, leading to sensitive data leaks. For critical sectors, these breaches could result in the leakage of core business data, trade secrets, and code repositories, potentially paralyzing entire business systems.