
OpenClaw AI Agent Flaws Can Allow Prompt Injection and Data Exfiltration

Ravie Lakshmanan | March 14, 2026 | Artificial Intelligence / Endpoint Security

China’s National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security implications of using OpenClaw (formerly known as Clawdbot and Moltbot), an open-source autonomous artificial intelligence (AI) agent and assistant.

In a post shared on WeChat, CNCERT noted that its “inherently weak default security settings,” coupled with the elevated system access it is granted so that it can carry out tasks autonomously, can be abused by bad actors to seize control of the endpoint.

This includes the risk posed by prompt injection, where malicious instructions embedded within a web page can cause the agent to leak sensitive information once it is tricked into fetching and consuming that content.

This attack is also called indirect prompt injection (IPI) or cross-domain prompt injection attack (XPIA): instead of interacting directly with the large language model (LLM), adversaries abuse AI features such as web page summarization or content analysis to get tampered instructions executed. The impact can range from evading AI-based ad review systems and influencing hiring decisions to search engine optimization (SEO) poisoning and generating biased responses by suppressing negative reviews.

OpenAI, in a blog post published earlier this week, said that prompt injection-style attacks go beyond planting instructions in external content and also include social engineering tactics.

“AI agents are increasingly able to browse the web, find information, and act on the user’s behalf,” it said. “Those capabilities are useful, but they also create new ways for attackers to try to exploit the system.”

The prompt injection risk in OpenClaw is not theoretical. Last month, researchers at PromptArmor found that the link preview feature in messaging apps like Telegram or Discord can be turned into a data exfiltration channel when interacting with OpenClaw, by means of indirect prompt injection.

The idea, at a high level, is to trick the AI agent into generating an attacker-controlled URL that, when the messaging app renders it as a link preview, automatically causes confidential data to be transmitted to that domain without anyone clicking the link.

“This means that in agent systems with link previews, data exfiltration can occur as soon as the AI agent responds to the user, without the user needing to click on a malicious link,” the AI security firm said. “In this attack, the agent is tricked into creating a URL using the attacker’s domain, with dynamically generated query parameters that contain sensitive data that the model knows about the user.”

Apart from prompt injection, CNCERT also highlighted three other concerns –

  • OpenClaw may inadvertently and irreversibly delete sensitive information because it misinterprets user instructions.
  • Threat actors can upload malicious skills to repositories like ClawHub that, once installed, execute arbitrary commands or drop malware.
  • Attackers can exploit recently disclosed security vulnerabilities in OpenClaw to compromise the system and steal sensitive data.

“In sensitive sectors – such as finance and energy – such a breach may lead to the leakage of key business data, trade secrets, and code repositories, or cause the complete paralysis of all business systems, causing incalculable losses,” said CNCERT.

To combat these risks, users and organizations are advised to strengthen network controls, avoid exposing OpenClaw’s default management port to the Internet, isolate the service in a container, avoid storing sensitive information in plain text, download skills only from trusted channels, disable automatic skill updates, and keep the agent up-to-date.

The development comes as Chinese authorities have moved to restrict state-owned enterprises and government agencies from using OpenClaw AI applications on office computers in an effort to contain security risks, Bloomberg reported. The ban is said to extend to military families as well.

OpenClaw’s viral popularity has also led threat actors to capitalize on the interest by distributing malicious GitHub repositories masquerading as OpenClaw installers, which deliver information stealers such as Atomic and Vidar Stealer, as well as a Golang-based malware known as GhostSocks, using ClickFix-style instructions.

“This campaign may not have targeted a specific industry, but was more focused on users trying to install OpenClaw, with malicious repositories containing download commands for both Windows and macOS platforms,” Huntress said. “What made this successful was that the malware was hosted on GitHub, and the malicious repository was a top-ranked suggestion in Bing’s AI search results for OpenClaw on Windows.”
