OpenClaw AI Agent Flaws Could Allow Prompt Injection and Data Theft

The National Computer Network Emergency Response Technical Team (CNCERT) in China has warned about the security risks of using OpenClaw, an open-source and self-hosted AI agent that used to be called Clawdbot and Moltbot This article explores openclaw malicious repositories. . This includes risks from prompt injections, which are when bad instructions hidden in a web page can make the agent leak private information if it is tricked into accessing and consuming the content.

The attack is also called indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA). This is because attackers use harmless AI features like web page summarization or content analysis to run fake instructions instead of interacting directly with a large language model (LLM).

This can include getting around AI-based ad review systems and affecting hiring decisions, as well as search engine optimization (SEO) poisoning and getting biased responses by hiding bad reviews. In a blog post from earlier this week, OpenAI said that prompt injection-style attacks are getting more complicated. They now include social engineering as well as just putting instructions in external content.

Because OpenClaw has become so popular, hackers have used it to spread fake GitHub repositories that look like OpenClaw installers. These repositories are used to install information stealers like Atomic and Vidar Stealer, as well as a Golang-based proxy malware called GhostSocks that uses ClickFix-style instructions.

Huntress said, "The campaign didn't target a specific industry; it was aimed at people trying to install OpenClaw with the malicious repositories that had download instructions for both Windows and macOS." "The malware was hosted on GitHub, which helped this work. The bad repository became the top suggestion in Bing's AI search results for OpenClaw Windows."