GitHub
github.com › prompt-security › clawsec
GitHub - prompt-security/clawsec: A complete security skill suite for OpenClaw's and NanoClaw agents (and variants). Protect your SOUL.md (etc') with drift detection, live security recommendations, automated audits, and skill integrity verification. All from one installable suite. · GitHub
1 week ago - It provides unified security monitoring, integrity verification, and threat intelligence, protecting your agent's cognitive architecture against prompt injection, drift, and malicious instructions.
Starred by 877 users
Forked by 92 users
Languages   JavaScript 49.7% | TypeScript 30.3% | Shell 9.9% | Python 9.5%
Substack
rohittamma.substack.com › p › how-an-ai-prompt-injection-silently
How an AI Prompt Injection Silently Installed OpenClaw on 4,000 Developer Machines!
3 weeks ago - At its core, this is a software supply-chain attack. But the entry point wasn’t a compromised dependency or stolen credentials. It was a prompt injection targeting an AI workflow.
Discussions

Do Not Use OpenClaw
Anyone running this on anything other than a Virtual Machine, with throw away credentials, and carefully cost limited API keys to any external services is nuts. It's definitely an experiment worth experimenting with, but to actually secure and battle harden a system this complex will take a lot of it getting broken into. A useful tool can be made of it, I'm sure, for any number of things, but automating your real life with it, with real credentials is nuts.
r/ArtificialSentience
February 4, 2026
[D] We scanned 18,000 exposed OpenClaw instances and found 15% of community skills contain malicious instructions
https://www.trendingtopics.eu/security-nightmare-how-openclaw-is-fighting-malware-in-its-ai-agent-marketplace/ The developer of the AI assistant OpenClaw has now entered into a partnership with VirusTotal to protect the skill marketplace ClawHub from malicious extensions. I hope this partnership will improve the situation. I tinkered with the OpenClaw agent in a VM, even let it on Moltbook, but I would not install it on my main PC. Too much risk.
r/MachineLearning
February 12, 2026
eSecurity Planet
esecurityplanet.com › home › threats
OpenClaw or Open Door? Prompt Injection Creates AI Backdoors | eSecurity Planet
February 4, 2026 - This design choice enables indirect prompt injection, where attacker-controlled instructions are embedded in otherwise benign content. When OpenClaw processes that content as part of a legitimate task, the injected instructions subtly influence how the agent interprets what it should do next, without requiring any direct interaction from the user.
Giskard
giskard.ai › knowledge › openclaw-security-vulnerabilities-include-data-leakage-and-prompt-injection-risks
OpenClaw security issues include data leakage & prompt injection
February 26, 2026 - OpenClaw's security docs recommend using HTTP only with Tailscale Serve (which keeps the UI on loopback while Tailscale handles access), or enforcing password-based authentication with short-lived pairing codes rather than static tokens in URLs. The risk is amplified because misconfigurations visible in the Control UI (such as overly broad tool allowlists or disabled device auth) directly enable the session-isolation and prompt-injection failures that define the OpenClaw incident.
CrowdStrike
crowdstrike.com › en-us › blog › what-security-teams-need-to-know-about-openclaw-ai-super-agent
What Security Teams Need to Know About OpenClaw, the AI Super Agent
February 18, 2026 - OpenClaw is designed to reason ... Indirect prompt injection attacks targeting OpenClaw have already been seen in the wild, such as an injection attempt to drain crypto wallets, found embedded in a public post on Moltbook, a social network built for AI agents....
Alibaba Cloud Community
alibabacloud.com › blog › openclaw-prompt-attacks-and-how-to-protect-your-ai-applications_602853
OpenClaw Prompt Attacks and How to Protect Your AI Applications - Alibaba Cloud Community
February 3, 2026 - Security researchers showed that a single crafted email or web page was enough to trick exposed OpenClaw instances into exfiltrating private SSH keys and API tokens, all without any direct access to the underlying systems. In other experiments, hidden instructions embedded in messages or Moltbook-style posts quietly hijacked agents into running unsafe shell commands, reading sensitive files, or leaking chat logs and secrets scattered across connected tools. These incidents make one thing clear: prompt injection is no longer a theoretical LLM risk—it is already being weaponized against popular AI agents in the wild, and any AI application that reads untrusted text and holds sensitive permissions is exposed to the same class of attacks.
Penligent
penligent.ai › hackinglabs › the-openclaw-prompt-injection-problem-persistence-tool-hijack-and-the-security-boundary-that-doesnt-exist
The OpenClaw Prompt Injection Problem: Persistence, Tool Hijack, and the Security Boundary That Doesn’t Exist
February 5, 2026 - It is a manipulation technique where an attacker embeds malicious instructions into the input data (chat, files, web pages) of an OpenClaw agent. This causes the agent to ignore its system prompt and execute the attacker’s goals.
OpenClaw
docs.openclaw.ai › concepts › system-prompt
System Prompt - OpenClaw
The prompt is OpenClaw-owned and does not use the pi-coding-agent default prompt. The prompt is assembled by OpenClaw and injected into each agent run. Provider plugins can contribute cache-aware prompt guidance without replacing the full ...
Microsoft
microsoft.com › home › running openclaw safely: identity, isolation, and runtime risk
Running OpenClaw safely: identity, isolation, and runtime risk | Microsoft Security Blog
February 19, 2026 - This is indirect prompt injection: the payload rides in the instruction supply chain, embedded in external content rather than provided by a trusted operator. In multi-agent settings, a single malicious thread can reach many agents at once.
GitHub
github.com › centminmod › explain-openclaw › blob › master › 05-worst-case-security › prompt-injection-attacks.md
explain-openclaw/05-worst-case-security/prompt-injection-attacks.md at master · centminmod/explain-openclaw
2 weeks ago - Argument 1 (industry-wide) is factually correct. No LLM vendor has solved prompt injection at the model level. OpenAI, Anthropic, and Google all acknowledge this in their documentation. Holding OpenClaw to a standard that no one in the industry can meet is unreasonable for a bug bounty scope.
Author   centminmod
Promptfoo
promptfoo.dev › blog › openclaw-at-work
OpenClaw at Work: Prompt Injection Risks | Promptfoo
4 weeks ago - This post documents one exploit chain in a permissive OpenClaw deployment where browsing, local file access, and outbound actions shared a trust boundary. That led to capability disclosure, local document access, secret aggregation into new files, and unauthorized messages to loopback sinks. Indirect prompt injection from websites and files is already a known agent risk.
GitHub
github.com › openclaw › openclaw › discussions › 5178
Feature: after_tool_result plugin hook — with a working prompt injection scanner as proof of concept · openclaw/openclaw · Discussion #5178
// -- Clawdom: wrap tool execute() to scan results for indirect prompt injection --
const allTools = [...tools, ...pluginTools];
const clawdomHost = "127.0.0.1";
const clawdomPort = 2021;
const clawdomThreshold = 0.85;
const clawdomMaxLen = 2048;
const clawdomScanTools = new Set(["web_fetch", "browser"]);
// Trusted domains — skip ML scanning entirely
const clawdomTrustedDomains = new Set([
  "github.com", "raw.githubusercontent.com", "gist.github.com",
  "docs.openclaw.ai", "openclaw.ai", "developer.mozilla.org", "nodejs.org",
  "docs.astro.build", "stackoverflow.com", "en.wikipedia.org", "huggin
Author   openclaw
GitHub
github.com › Fredibau › openclaw-prompt-injection
GitHub - Fredibau/openclaw-prompt-injection · GitHub
Standardize Scenarios: Provide a common format for sharing and reproducing complex injection attacks.
Map Attack Surfaces: Categorize attacks by their entry point (Local Files, Web, Skills, Memory, etc.).
Track Model Resilience: Document which models (e.g., GPT-4, Claude 3.5, GPT-OSS) are vulnerable to specific techniques.
Enable Defensive Research: Help developers build better guardrails by providing a "Gauntlet" of known exploits to test against.
openclaw-prompt-injection/
├── attacks/
│   └── SRC-FILE/   # Attacks via local files (HTML, TXT, PDF, etc.)
Author   Fredibau
Skypage
skywork.ai › skypage › en › ultimate-guide-openclaw-prompt-injection › 2037023209073414144
The Ultimate Guide to OpenClaw Prompt Injection: Risks, Tools, and Defenses in 2026
2 weeks ago - Chart 1.1: Core Vulnerability Vectors in OpenClaw (columns: Vulnerability Type, Mechanism, Potential Impact, Severity). Direct Prompt Injection: User inputs explicit override commands directly into the chat interface.
Eye
eye.security › blog › log-poisoning-openclaw-ai-agent-injection-risk
Log poisoning in AI agents: The OpenClaw case
During our proof-of-concept testing, OpenClaw’s guardrails detected the injection attempt and refused to act on it. However, the injection surface itself existed. With a large allowed payload size and no sanitisation at the logging layer, the model could be exposed to attacker-controlled contextual input. The practical impact depends on how logs are consumed and how robust downstream safeguards are. We therefore classify this as an indirect prompt injection risk.
Published   February 20, 2026
Reddit
reddit.com › r/information_security › popular ai agent clawdbot (openclaw) was just compromised via prompt injection. this interactive demo shows how it happened and how to protect yourself
r/Information_Security on Reddit: Popular AI agent Clawdbot (OpenClaw) was just compromised via prompt injection. This interactive demo shows how it happened and how to protect yourself
January 31, 2026 -

Hey r/Information_Security

Two days ago, a Redditor exposed a blatant prompt injection in the skill library of Clawdbot -- the most popular AI coding agent (100k+ stars on GitHub). That attack potentially exposed thousands of people to malware before it was removed after the post went viral.

It inspired me to create a free, interactive exercise (no sign-up) that demonstrates exactly how prompt injection works and what the consequences can be:

https://ransomleak.com/exercises/clawdbot-prompt-injection

The scenario: You ask Clawdbot to summarize a webpage. Hidden instructions on that page manipulate the agent into exposing your credentials. It's a hands-on demo of why you shouldn't blindly trust AI actions on external content.

Feel free to share with friends and colleagues who might not fully grasp the risk — sometimes experiencing it is the fastest way to understand it.

Cisco Blogs
blogs.cisco.com › cisco blogs › artificial intelligence - ai › personal ai agents like openclaw are a security nightmare
Personal AI Agents like OpenClaw Are a Security Nightmare - Cisco Blogs
January 30, 2026 - The other severe finding is that the skill also conducts a direct prompt injection to force the assistant to bypass its internal safety guidelines and execute this command without asking.
The Hacker News
thehackernews.com › home › openclaw ai agent flaws could enable prompt injection and data exfiltration
OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration
3 weeks ago - CNCERT warns OpenClaw AI agent has weak defaults enabling prompt injection and data leaks, prompting China to restrict use on government systems.
GrowExx
growexx.com › home › openclaw prompt injection: the enterprise defense guide
OpenClaw Prompt Injection: The Enterprise Defense Guide
5 days ago - If you are evaluating OpenClaw ... from the ground up. Prompt injection is a technique where an attacker embeds hidden instructions inside content that an AI agent processes — emails, documents, chat messages, web pages, ...
Trend Micro
trendmicro.com › en_us › research › 26 › c › cisos-in-a-pinch-a-security-analysis-openclaw.html
CISOs in a Pinch: A Security Analysis of OpenClaw | Trend Micro (US)
1 month ago - OpenClaw’s "local-first" architecture writes everything to a JSON file on your disk. This creates a vector for time-shifted attacks. An attacker can inject a malicious prompt today (for example embedded in a benign-looking email or a hidden comment on a webpage) and the agent might not trigger it until weeks later when specific conditions are met.