OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration

Source: The Hacker News

Ravie Lakshmanan • Mar 14, 2026 • Artificial Intelligence / Endpoint Security

China’s National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security implications of using OpenClaw (formerly Clawdbot and Moltbot), an open‑source, self‑hosted autonomous AI agent. In a post shared on WeChat, CNCERT noted that the platform’s “inherently weak default security configurations,” combined with its privileged system access for autonomous task execution, could be exploited by threat actors to seize control of the endpoint.

Prompt‑injection threat surface

• Prompt injections – malicious instructions embedded in a web page can trick the agent into leaking sensitive data when it accesses and consumes that content.
• This technique is also referred to as indirect prompt injection (IDPI) or cross‑domain prompt injection (XPIA). Instead of interacting directly with a large language model (LLM), adversaries weaponise benign AI features (e.g., web‑page summarisation, content analysis) to run manipulated instructions.

Examples of abuse

• evading AI‑based ad‑review systems,
• influencing hiring decisions,
• SEO poisoning, and
• generating biased responses by suppressing negative reviews.

OpenAI, in a blog post published earlier this week, said prompt‑injection‑style attacks are evolving beyond simple instruction placement to include social‑engineering elements.

“AI agents are increasingly able to browse the web, retrieve information, and take actions on a user’s behalf,” the company wrote. “Those capabilities are useful, but they also create new ways for attackers to try to manipulate the system.”
— OpenAI blog

Real‑world exploitation

The risks are not hypothetical. Last month, researchers at PromptArmor demonstrated that the link‑preview feature in messaging apps (e.g., Telegram, Discord) can become a data‑exfiltration pathway when interacting with OpenClaw via indirect prompt injection.

• The attack tricks the AI agent into generating an attacker‑controlled URL.
• When the messaging app renders the URL as a link preview, it automatically transmits confidential data to the attacker’s domain—without the user clicking the link.

“In agentic systems with link previews, data exfiltration can occur immediately upon the AI agent responding to the user,” the researchers explained. “The agent is manipulated to construct a URL that uses an attacker’s domain, with dynamically generated query parameters that contain sensitive data the model knows about the user.”
— PromptArmor report

Additional concerns highlighted by CNCERT

1. Accidental data loss – OpenClaw could unintentionally and irrevocably delete critical information due to misinterpretation of user instructions.
2. Malicious skill uploads – Threat actors can upload malicious skills to repositories such as ClawHub, which, when installed, run arbitrary commands or deploy malware.
3. Exploitable vulnerabilities – Recently disclosed security flaws in OpenClaw can be leveraged to compromise systems and leak sensitive data.

“For critical sectors—such as finance and energy—such breaches could lead to the leakage of core business data, trade secrets, and code repositories, or even result in the complete paralysis of entire business systems, causing incalculable losses,” CNCERT added.

Mitigation recommendations

• Strengthen network controls – Restrict exposure of OpenClaw’s default management port to the internet.
• Containerise the service – Isolate OpenClaw in a container or sandboxed environment.
• Protect credentials – Avoid storing passwords or API keys in plaintext.
• Validate third‑party content – Download skills only from trusted, verified channels.
• Disable automatic updates (incomplete in source)

All links and images are retained from the original source.

**Tests for skills, and keep the agent up‑to‑date.**

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigDbfWwE4P_DsjfBRxgecgosqTRr8-2j328LrzdUBWrWmWeDUTI7OhXc-zXveYOjBc7GStGz5WnpXsJGaLCuoryIXbL7NxRyaWzIJGO1TBpd48NkYzNqTMj9zWMzgfvqh20RxsdMll45TFiMzXja0pAd7roFjMnzsRYBGHOWSLnyKN-oMKyCLoYcjmb5hm/s728-e100/ciso-d.jpg)](https://thehackernews.uk/cyber-comm-guide-d)

The development comes as Chinese authorities have moved to restrict state‑run enterprises and government agencies from running OpenClaw AI apps on office computers in a bid to contain security risks, Bloomberg reported. The ban is also said to extend to the families of military personnel.

The viral popularity of OpenClaw has also led threat actors to capitalize on the phenomenon by distributing malicious GitHub repositories posing as OpenClaw installers. These repositories deploy information‑stealers such as Atomic and Vidar Stealer, as well as a Golang‑based proxy malware known as GhostSocks (details) using ClickFix‑style instructions (source).

“The campaign did not target a particular industry, but was broadly targeting users attempting to install OpenClaw with the malicious repositories containing download instructions for both Windows and macOS environments,” Huntress said.
“What made this successful was that the malware was hosted on GitHub, and the malicious repository became the top‑rated suggestion in Bing’s AI search results for OpenClaw Windows.”

Follow us

Found this article interesting? Follow us for more exclusive content:

• Google News:
• Twitter:
• LinkedIn: