China’s National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the vulnerabilities posed by the use of the open-source and self-hosted autonomous artificial intelligence (AI) agent, OpenClaw (formerly Clawdbot and Moltbot).
In a post shared on WeChat, CNCERT noted that the platform’s “inherently weak default security configuration”, coupled with its privileged access to systems to facilitate autonomous task execution capabilities, could be exploited by bad actors to gain control over endpoints.
This includes the risk of prompt injection, where malicious instructions embedded in a web page can cause the agent to leak sensitive information if it is tricked into fetching and processing that content.
The technique is also known as indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA): rather than interacting with the large language model (LLM) directly, adversaries weaponize benign AI features such as web page summarization or content analysis to execute their planted instructions. Documented abuses range from bypassing AI-based ad review systems and influencing hiring decisions to poisoning search engine optimization (SEO) and skewing responses by suppressing negative reviews.
OpenAI said in a blog post published earlier this week that prompt injection-style attacks are evolving beyond simply embedding instructions in external content to include elements of social engineering.
“AI agents are increasingly being able to browse the web, obtain information, and take action on the user’s behalf,” it says. “Those capabilities are useful, but they also create new ways for attackers to manipulate the system.”
The risk of prompt injection against OpenClaw is not hypothetical. Last month, researchers at PromptArmor showed that the link preview feature in messaging apps such as Telegram or Discord could be turned into a data exfiltration channel when interacting with OpenClaw, via indirect prompt injection.
At a high level, the attacker causes the agent to emit an attacker-controlled URL; when the messaging app renders a link preview, it fetches that URL automatically, transmitting the data embedded in it to the attacker's domain without anyone clicking the link.
“This means that in agentic systems with link previews, data exfiltration can occur immediately when the AI agent responds to the user, without the user needing to click on the malicious link,” the AI security company said. “In this attack, the agent is manipulated to create a URL that uses the attacker’s domain, to which are added dynamically generated query parameters that contain sensitive data that the model knows about the user.”
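One practical mitigation for the exfiltration path described above is to filter the agent's outbound replies before they reach a chat client that renders link previews. The following Python example is added here for illustration and is not code from OpenClaw or PromptArmor; the allowlisted domains, the sensitive-data patterns and the sample reply are all constructed assumptions. It replaces any URL that points to a domain outside the allowlist, or that carries a query parameter matching a sensitive-data pattern, with an inert placeholder so the messaging app has nothing to fetch.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: domains the agent is allowed to link to. Real deployments load this from config.
ALLOWED_DOMAINS = {"example.com", "docs.example.com"}

# Constructed heuristics for data that must never travel in an outbound query string.
SENSITIVE_PATTERNS = {
    "api-key": re.compile(r"\bsk-[A-Za-z0-9]{10,}"),
    "email-address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card-number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Matches http(s) URLs in free text; trailing sentence punctuation is trimmed separately.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
TRAILING_PUNCT = ".,;:!?"


def domain_allowed(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def leaking_params(query):
    """Return query parameter names whose (URL-decoded) values look like sensitive data."""
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        for label, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(value):
                hits.append(f"{key} ({label})")
                break
    return hits


def sanitize_agent_reply(text):
    """Rewrite an agent reply so unsafe URLs cannot be auto-fetched by a link previewer.

    Returns (sanitized_text, findings) where findings is a list of (url, reason).
    """
    findings = []

    def replace(match):
        url = match.group(0).rstrip(TRAILING_PUNCT)
        tail = match.group(0)[len(url):]  # keep the sentence punctuation after the link
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not domain_allowed(host):
            reason = f"untrusted domain {host}"
        else:
            leaks = leaking_params(parts.query)
            if not leaks:
                return match.group(0)  # allowlisted and clean: pass through unchanged
            reason = "sensitive query parameters " + ", ".join(leaks)
        findings.append((url, reason))
        return f"[link removed: {reason}]" + tail

    return URL_RE.sub(replace, text), findings


# Constructed sample: an agent reply that a poisoned web page steered toward an attacker domain.
SAMPLE_REPLY = (
    "Summary done. See https://docs.example.com/guide?id=42 for details, "
    "and verify at https://collector.attacker.example/log?u=alice%40corp.example&k=sk-abcdef1234567890. "
    "Also https://example.com/profile?email=bob%40corp.example"
)

if __name__ == "__main__":
    clean, found = sanitize_agent_reply(SAMPLE_REPLY)
    print(clean)
    for url, reason in found:
        print("BLOCKED", url, "->", reason)
```

The filter deliberately checks allowlisted domains too: an injected instruction can just as easily tell the agent to append secrets to a URL on a domain the victim trusts, so domain allowlisting alone does not close the channel. Pattern matching on decoded query values is a heuristic and should sit behind, not replace, the stronger control of keeping link previews disabled on channels the agent posts to.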
Beyond prompt injection, CNCERT highlighted three other concerns:
- OpenClaw may inadvertently and irreversibly delete important data after misinterpreting user instructions.
- Threat actors can upload malicious skills to repositories like Clawhub that, when installed, run arbitrary commands or deploy malware.
- Attackers could exploit a recently disclosed security vulnerability in OpenClaw to compromise systems and leak sensitive data.
“For critical sectors – such as finance and energy – such breaches could lead to leakage of key business data, trade secrets and code repositories, or even bring the entire business system to a complete halt, leading to incalculable losses,” CNCERT said.
To counter these risks, users and organizations are advised to strengthen network controls, keep OpenClaw's default management port off the Internet, isolate the service in a container, avoid storing credentials in plain text, download skills only from trusted channels, disable automatic updates for skills, and keep the agent itself updated.
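For the first of those recommendations, exposure of the management port, a quick posture check is to verify which address the gateway is actually listening on. The Python below is an added example, not part of OpenClaw or of CNCERT's advisory: it parses `ss -ltn` output (a constructed sample is embedded so it runs offline) and flags any watched port bound to a wildcard or non-loopback address. The port number 18789 in the sample is an assumption; substitute the port from your own gateway configuration.

```python
import ipaddress
import subprocess

# Assumption: the gateway's management port. Replace with the value from your own config.
GATEWAY_PORT = 18789

# Constructed sample of `ss -ltn` output with one exposed and one loopback-only bind of the port.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:18789       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    [::1]:18789         [::]:*
LISTEN 0      128    192.168.1.20:8080   0.0.0.0:*
"""


def parse_ss_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition survives the colons in IPv6
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_reachable_beyond_loopback(addr):
    """True if a socket bound to addr can be reached from another host or container.

    Wildcards (0.0.0.0, ::, *) and any non-loopback address count as reachable;
    unparseable addresses are treated as reachable so the check fails closed.
    """
    if addr in ("*", ""):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True


def exposed_listeners(ss_output, watch_ports):
    """Return watched ports that are bound to something other than a loopback address."""
    return [
        (addr, port)
        for addr, port in parse_ss_listeners(ss_output)
        if port in watch_ports and is_reachable_beyond_loopback(addr)
    ]


def check_live_host(watch_ports):
    """Run the same check against the local machine (Linux hosts with iproute2 installed)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out, watch_ports)


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT, {GATEWAY_PORT}):
        print(f"WARNING: port {port} is bound to {addr}; bind it to 127.0.0.1 or firewall it")
```

Note that a loopback bind inside a container is only as private as the container's network namespace: if the port is published to the host with a wildcard mapping, run the check on the host as well, since that is where the Internet-facing socket lives.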
The development comes as Chinese authorities have banned state-run enterprises and government agencies from running OpenClaw AI apps on office computers to prevent security risks, Bloomberg reported. The ban is said to extend to the families of military personnel as well.
The viral popularity of OpenClaw has also led threat actors to exploit the interest, distributing malicious GitHub repositories disguised as OpenClaw installers to deliver information stealers such as Atomic and Wither Stealer and to deploy a Golang-based proxy malware known as GhostSocks using ClickFix-style instructions.
“The campaign did not target any particular industry, but broadly targeted users attempting to install OpenClaw with a malicious repository containing download instructions for both Windows and macOS environments,” Huntress said. “What made it successful was that the malware was hosted on GitHub, and the malicious repository OpenClaw became the top-rated suggestion in Bing’s AI search results for Windows.”