China’s National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning regarding security weaknesses in OpenClaw (previously known as Clawdbot and Moltbot), an open-source, self-hosted autonomous AI agent.
In a WeChat post, CNCERT highlighted that OpenClaw’s “weak default security settings,” combined with its privileged system access for autonomous task execution, could be exploited by attackers to gain control over endpoints.
A key concern is prompt injection attacks, where malicious instructions embedded in web content trick the AI agent into exposing sensitive data. These attacks, also referred to as indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA), exploit benign AI functionalities like content summarization or analysis, allowing adversaries to manipulate the agent's instructions without directly interacting with the large language model (LLM). Such manipulations could be used to skew AI-driven ad reviews, hiring decisions or SEO, or to bias responses by suppressing negative content.
OpenAI noted that these prompt injection threats are evolving and may involve social engineering elements. “AI agents can now browse the web, retrieve information, and take actions on behalf of users,” OpenAI stated. “While useful, these capabilities open new avenues for attackers to manipulate systems.”
The risk is real. Researchers at PromptArmor recently demonstrated that link previews in messaging apps like Telegram or Discord could be used as a data exfiltration channel when interacting with OpenClaw via indirect prompt injection. An attacker who crafts attacker-controlled URLs can cause the AI agent to inadvertently send confidential data to a malicious domain without any user interaction.
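One defensive control against the link-preview channel described above is to filter the URLs an agent emits before they reach a chat client, allowing only approved domains and rejecting query strings that look like encoded payloads. The following is an added example, not code from the article or from the OpenClaw project; the allowlist, thresholds and sample output are constructed for illustration.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed allowlist; a real deployment derives this from egress policy.
ALLOWED_DOMAINS = {"example.com", "intranet.example.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
MAX_QUERY_CHARS = 200   # constructed threshold for query + fragment length
MIN_OPAQUE_LEN = 32     # constructed: shorter values are not entropy-checked
OPAQUE_ENTROPY = 4.0    # constructed: bits/char above which a value looks encoded

def shannon_entropy(s: str) -> float:
    """Bits per character; long high-entropy values suggest encoded data."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def domain_allowed(host: str) -> bool:
    """Exact match or subdomain of an allowlisted domain."""
    return host in ALLOWED_DOMAINS or any(host.endswith("." + d) for d in ALLOWED_DOMAINS)

def classify_url(url: str) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one URL found in agent output."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not domain_allowed(host):
        return "block", f"domain not allowlisted: {host}"
    # Even an allowlisted host should not receive large or opaque query payloads,
    # since a preview fetch would deliver them to whoever controls that endpoint.
    if len(parts.query) + len(parts.fragment) > MAX_QUERY_CHARS:
        return "block", "query/fragment too long"
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) >= MIN_OPAQUE_LEN and shannon_entropy(value) > OPAQUE_ENTROPY:
            return "block", f"opaque value in parameter {key!r}"
    return "allow", "ok"

def filter_outbound_links(text: str) -> dict[str, list[str]]:
    """Split every URL in a block of agent output into allowed and blocked lists."""
    result: dict[str, list[str]] = {"allow": [], "block": []}
    for url in URL_RE.findall(text):
        verdict, _reason = classify_url(url)
        result[verdict].append(url)
    return result

# Constructed sample of agent output: one legitimate link, one exfiltration attempt.
SAMPLE_OUTPUT = (
    "Summary ready: https://intranet.example.com/report?id=42 "
    "See also https://attacker.invalid/p?d=aGVsbG8gc2VjcmV0IEFQSSBrZXkgMTIzNDU2Nzg5MA"
)
```

Run `filter_outbound_links(SAMPLE_OUTPUT)` to see the legitimate link allowed and the attacker link blocked; the same check applied to an allowlisted host with an opaque parameter value still blocks.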

Beyond prompt manipulation, CNCERT outlined three additional risks:
- OpenClaw may accidentally delete critical data if user instructions are misinterpreted.
- Malicious skills uploaded to repositories like ClawHub could execute arbitrary commands or install malware.
- Known security vulnerabilities could be exploited to compromise systems and leak sensitive information.
CNCERT warned that breaches in sectors like finance or energy could expose business secrets, code repositories, or even halt entire operations, causing significant financial and operational losses.
To mitigate these risks, users should strengthen network security, avoid exposing OpenClaw’s default management port to the internet, run the agent in isolated containers, store credentials securely, install skills only from trusted sources, disable automatic skill updates, and ensure the agent is up-to-date.
Following these warnings, Chinese authorities have restricted OpenClaw usage on computers in state-run enterprises and government agencies, with the restrictions also extending to the families of military personnel.
OpenClaw’s popularity has also been exploited by attackers distributing malicious GitHub repositories posing as legitimate installers. These repositories delivered information stealers like Atomic and Vidar Stealer and a Golang-based proxy malware called GhostSocks, affecting both Windows and macOS systems. Huntress noted that the malware’s success was partly due to its hosting on GitHub and its appearance as a top suggestion in Bing AI search results.