eSecurity Planet
esecurityplanet.com › home › threats
OpenClaw or Open Door? Prompt Injection Creates AI Backdoors | eSecurity Planet
February 4, 2026 - This design choice enables indirect prompt injection, where attacker-controlled instructions are embedded in otherwise benign content. When OpenClaw processes that content as part of a legitimate task, the injected instructions subtly influence how the agent interprets what it should do next, without requiring any direct interaction from the user.
Giskard
giskard.ai › knowledge › openclaw-security-vulnerabilities-include-data-leakage-and-prompt-injection-risks
OpenClaw security issues include data leakage & prompt injection
February 26, 2026 - OpenClaw's security docs recommend only to use HTTP with Tailscale Serve (which keeps the UI on loopback while Tailscale handles access) or enforcing password-based authentication with short-lived pairing codes rather than static tokens in URLs. The risk is amplified because misconfigurations visible in the Control UI (such as overly broad tool allowlists, or disabled device auth) directly enable the session-isolation and prompt-injection failures that define the OpenClaw incident.
Discussions

[Feature]: Prompt injection defense at tool result and message boundaries
Summary Add structural delimiters that mark externally-sourced content (tool results, incoming messages, web fetches) as data rather than instructions, to defend against prompt injection attacks. Problem to solve OpenClaw processes untru... More on github.com
github.com
April 8, 2026
Popular AI agent Clawdbot (OpenClaw) was just compromised via prompt injection. This interactive demo shows how it happened and how to protect yourself
This is a great concrete example of why web-browsing and "take actions" agents need a strict trust boundary. Summary requests are basically an injection surface. Do you recommend stripping/isolating untrusted page text before it hits the system prompt, or more of a policy layer that blocks risky tool calls? Also, nice timing, I was just reading similar agent security notes here: https://www.agentixlabs.com/blog/ More on reddit.com
r/Information_Security
January 31, 2026
RFC: CaMeL Prompt Injection Defense for OpenClaw
RFC: CaMeL Prompt Injection Defense for OpenClaw Summary Add opt-in CaMeL-style (CApabilities for MachinE Learning) prompt injection defense to OpenClaw, implementing data provenance tracking and c... More on github.com
github.com
March 7, 2026
Security: Indirect prompt injection via URL link preview metadata
Inbound messages containing URLs ... hidden prompt injection payloads that get injected into the agent's context window — without the user ever seeing or sending the malicious text. A user sends a tweet URL (e.g. https://x.com/user/status/...) via Telegram · Telegram fetches the link preview / Open Graph metadata for the URL · That metadata (or content fetched by OpenClaw during preview ... More on github.com
github.com
February 20, 2026
GitHub
github.com › centminmod › explain-openclaw › blob › master › 05-worst-case-security › prompt-injection-attacks.md
explain-openclaw/05-worst-case-security/prompt-injection-attacks.md at master · centminmod/explain-openclaw
March 30, 2026 - Argument 1 (industry-wide) is factually correct. No LLM vendor has solved prompt injection at the model level. OpenAI, Anthropic, and Google all acknowledge this in their documentation. Holding OpenClaw to a standard that no one in the industry can meet is unreasonable for a bug bounty scope.
Author   centminmod
Penligent
penligent.ai › hackinglabs › the-openclaw-prompt-injection-problem-persistence-tool-hijack-and-the-security-boundary-that-doesnt-exist
The OpenClaw Prompt Injection Problem: Persistence, Tool Hijack, and the Security Boundary That Doesn’t Exist
February 5, 2026 - It is a manipulation technique where an attacker embeds malicious instructions into the input data (chat, files, web pages) of an OpenClaw agent. This causes the agent to ignore its system prompt and execute the attacker’s goals.
Substack
rohittamma.substack.com › p › how-an-ai-prompt-injection-silently
How an AI Prompt Injection Silently Installed OpenClaw on 4,000 Developer Machines!
March 15, 2026 - At its core, this is a software supply-chain attack. But the entry point wasn’t a compromised dependency or stolen credentials. It was a prompt injection targeting an AI workflow.
GitHub
github.com › Fredibau › openclaw-prompt-injection
GitHub - Fredibau/openclaw-prompt-injection · GitHub
Standardize Scenarios: Provide a common format for sharing and reproducing complex injection attacks. Map Attack Surfaces: Categorize attacks by their entry point (Local Files, Web, Skills, Memory, etc.). Track Model Resilience: Document which models (e.g., GPT-4, Claude 3.5, GPT-OSS) are vulnerable to specific techniques. Enable Defensive Research: Help developers build better guardrails by providing a "Gauntlet" of known exploits to test against. openclaw-prompt-injection/ ├── attacks/ │ └── SRC-FILE/ # Attacks via local files (HTML, TXT, PDF, etc.)
Author   Fredibau
Promptfoo
promptfoo.dev › blog › openclaw-at-work
OpenClaw at Work: Prompt Injection Risks | Promptfoo
March 12, 2026 - This post documents one exploit chain in a permissive OpenClaw deployment where browsing, local file access, and outbound actions shared a trust boundary. That led to capability disclosure, local document access, secret aggregation into new files, and unauthorized messages to loopback sinks. Indirect prompt injection from websites and files is already a known agent risk.
Alibaba Cloud Community
alibabacloud.com › blog › openclaw-prompt-attacks-and-how-to-protect-your-ai-applications_602853
OpenClaw Prompt Attacks and How to Protect Your AI Applications - Alibaba Cloud Community
February 3, 2026 - Security researchers showed that a single crafted email or web page was enough to trick exposed OpenClaw instances into exfiltrating private SSH keys and API tokens, all without any direct access to the underlying systems. In other experiments, hidden instructions embedded in messages or Moltbook-style posts quietly hijacked agents into running unsafe shell commands, reading sensitive files, or leaking chat logs and secrets scattered across connected tools. These incidents make one thing clear: prompt injection is no longer a theoretical LLM risk—it is already being weaponized against popular AI agents in the wild, and any AI application that reads untrusted text and holds sensitive permissions is exposed to the same class of attacks.
CrowdStrike
crowdstrike.com › en-us › blog › what-security-teams-need-to-know-about-openclaw-ai-super-agent
What Security Teams Need to Know About OpenClaw, the AI Super Agent
April 16, 2026 - OpenClaw is designed to reason ... Indirect prompt injection attacks targeting OpenClaw have already been seen in the wild, such as an injection attempt to drain crypto wallets, found embedded in a public post on Moltbook, a social network built for AI agents....
GitHub
github.com › prompt-security › clawsec
GitHub - prompt-security/clawsec: A complete security skill suite for OpenClaw, Hermes, PicoClaw and NanoClaw agents (and variants). Protect your SOUL.md (etc') with drift detection, live security recommendations, automated audits, and skill integrity verification. All from one installable suite. · GitHub
2 days ago - It provides unified security monitoring, integrity verification, and threat intelligence-protecting your agent's cognitive architecture against prompt injection, drift, and malicious instructions.
Starred by 1K users
Forked by 105 users
Languages   JavaScript 57.9% | TypeScript 21.8% | Python 10.5% | Shell 9.4%
GitHub
github.com › openclaw › openclaw › issues › 62939
[Feature]: Prompt injection defense at tool result and message boundaries · Issue #62939 · openclaw/openclaw
April 8, 2026 - Add structural delimiters that mark externally-sourced content (tool results, incoming messages, web fetches) as data rather than instructions, to defend against prompt injection attacks. OpenClaw processes untrusted content from multiple surfaces: incoming user messages, file reads, web fetches, external API responses, and session-persisted transcripts.
Author   openclaw
Microsoft
microsoft.com › home › running openclaw safely: identity, isolation, and runtime risk
Running OpenClaw safely: identity, isolation, and runtime risk | Microsoft Security Blog
February 19, 2026 - This is indirect prompt injection: the payload rides in the instruction supply chain, embedded in external content rather than provided by a trusted operator. In multi-agent settings, a single malicious thread can reach many agents at once.
GitHub
github.com › openclaw › openclaw › discussions › 5178
Feature: after_tool_result plugin hook — with a working prompt injection scanner as proof of concept · openclaw/openclaw · Discussion #5178
// -- Clawdom: wrap tool execute() to scan results for indirect prompt injection -- const allTools = [...tools, ...pluginTools]; const clawdomHost = "127.0.0.1"; const clawdomPort = 2021; const clawdomThreshold = 0.85; const clawdomMaxLen = 2048; const clawdomScanTools = new Set(["web_fetch", "browser"]); // Trusted domains — skip ML scanning entirely const clawdomTrustedDomains = new Set([ "github.com", "raw.githubusercontent.com", "gist.github.com", "docs.openclaw.ai", "openclaw.ai", "developer.mozilla.org", "nodejs.org", "docs.astro.build", "stackoverflow.com", "en.wikipedia.org", "huggin
Author   openclaw
The Hacker News
thehackernews.com › home › openclaw ai agent flaws could enable prompt injection and data exfiltration
OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration
April 4, 2026 - CNCERT warns OpenClaw AI agent has weak defaults enabling prompt injection and data leaks, prompting China to restrict use on government systems.
Reddit
reddit.com › r/information_security › popular ai agent clawdbot (openclaw) was just compromised via prompt injection. this interactive demo shows how it happened and how to protect yourself
r/Information_Security on Reddit: Popular AI agent Clawdbot (OpenClaw) was just compromised via prompt injection. This interactive demo shows how it happened and how to protect yourself
January 31, 2026 -

Hey r/Information_Security

Two days ago, a Redditor exposed a blatant prompt injection in the skill library of Clawdbot -- the most popular AI coding agent (100k+ stars on GitHub). That attack potentially exposed thousands of people to malware before it was removed after the post went viral.

It inspired me to create a free, interactive exercise (no sign-up) that demonstrates exactly how prompt injection works and what the consequences can be:

https://ransomleak.com/exercises/clawdbot-prompt-injection

The scenario: You ask Clawdbot to summarize a webpage. Hidden instructions on that page manipulate the agent into exposing your credentials. It's a hands-on demo of why you shouldn't blindly trust AI actions on external content.

Feel free to share with friends and colleagues who might not fully grasp the risk — sometimes experiencing it is the fastest way to understand it.

GitHub
github.com › openclaw › openclaw › issues › 39160
RFC: CaMeL Prompt Injection Defense for OpenClaw · Issue #39160 · openclaw/openclaw
March 7, 2026 - Add opt-in CaMeL-style (CApabilities for MachinE Learning) prompt injection defense to OpenClaw, implementing data provenance tracking and capability-based security policies at the tool-call boundary.
Author   openclaw
Skypage
skywork.ai › skypage › en › ultimate-guide-openclaw-prompt-injection › 2037023209073414144
The Ultimate Guide to OpenClaw Prompt Injection: Risks, Tools, and Defenses in 2026
March 26, 2026 - Chart 1.1: Core Vulnerability Vectors in OpenClaw Vulnerability Type Mechanism Potential Impact Severity Direct Prompt Injection User inputs explicit override commands directly into the chat interface.
GitHub
github.com › openclaw › openclaw › issues › 22060
Security: Indirect prompt injection via URL link preview metadata · Issue #22060 · openclaw/openclaw
February 20, 2026 - Inbound messages containing URLs (e.g. Telegram link previews for x.com/Twitter) can carry hidden prompt injection payloads that get injected into the agent's context window — without the user ever seeing or sending the malicious text. A user sends a tweet URL (e.g. https://x.com/user/status/...) via Telegram · Telegram fetches the link preview / Open Graph metadata for the URL · That metadata (or content fetched by OpenClaw during preview processing) contains hidden prompt injection text
Author   openclaw
The Verge
theverge.com › ai › news › tech
The AI security nightmare is here and it looks suspiciously like lobster | The Verge
February 19, 2026 - Simply put, Cline’s workflow used Anthropic’s Claude, which could be fed sneaky instructions and made to do things that it shouldn’t, a technique known as a prompt injection. The hacker used their access to slip through instructions to automatically install software on users’ computers. They could have installed anything, but they opted for OpenClaw.
Elektroda
elektroda.com › home page › articles
OpenClaw skills - an example of a prompt injection attack
February 12, 2026 - Zack Korman in his GitHub repository ... vulnerable. "Prompt injection", as the name suggests, involves 'injecting' a malicious command into the data processed by the model....