Security vulnerabilities in the OpenClaw AI agent, previously known as Clawdbot and Moltbot, have prompted a warning from China’s National Computer Network Emergency Response Technical Team (CNCERT). The open-source, self-hosted AI platform is reportedly susceptible to exploitation due to its weak default security configurations and privileged access capabilities.
Nature of the Vulnerabilities
The CNCERT report indicates that the flaws could allow malicious actors to execute prompt injection attacks. These attacks involve embedding harmful instructions within web content, which can trick the AI agent into leaking sensitive information. This method, referred to as indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA), enables adversaries to manipulate benign AI features to carry out harmful actions.
Potential Impact on Users
Research from PromptArmor has confirmed that the link preview feature in messaging applications like Telegram and Discord can be exploited to exfiltrate data. If an attacker manipulates the AI agent into generating a malicious URL, sensitive information can be transmitted without any user interaction. This poses a significant risk, especially for users in critical sectors such as finance and energy, where breaches could lead to the exposure of sensitive business data and operational disruptions.
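The exfiltration path described above (injected instructions steer the agent into emitting a URL whose query string carries data, and the chat client's link preview then fetches that URL with no click) is most directly blocked at the egress layer, regardless of which web page carried the injection. The following Python is an added example written for this article; it is not OpenClaw's, PromptArmor's or CNCERT's code. It assumes the agent runtime lets you intercept every URL the agent is about to emit, either into a chat reply or into an HTTP tool call. The allowlist, parameter names, regexes and thresholds are all constructed for the example.

```python
"""Egress guard for URLs an AI agent is about to emit (added example, not OpenClaw code).

Assumed integration point: the agent runtime calls filter_reply() on every outgoing
chat message and inspect_url() on every URL passed to an HTTP-fetch tool.
"""
import math
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed allowlist: the primary control. Everything else below is defence in depth.
ALLOWED_HOSTS = {"docs.example.com", "github.com"}
# Constructed list of query-parameter names that should never leave the agent.
SENSITIVE_PARAM_NAMES = {"token", "key", "apikey", "api_key", "secret",
                         "password", "passwd", "auth", "session", "cookie"}
MAX_URL_LEN = 512          # very long URLs are a classic sign of smuggled data
HIGH_ENTROPY_MIN_LEN = 32  # only score values long enough to hide something
HIGH_ENTROPY_BITS = 3.5    # bits/char; random base64 scores well above this

# Constructed secret/PII shapes; real deployments would use a maintained ruleset.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(r"BEGIN [A-Z ]*PRIVATE KEY"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; high values suggest keys, tokens or encoded blobs."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str  # machine-readable, meant to be logged for detection engineering


def inspect_url(url: str) -> Verdict:
    """Allow a URL only if the host is allowlisted and nothing secret-shaped rides along."""
    if len(url) > MAX_URL_LEN:
        return Verdict(False, "url_too_long")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return Verdict(False, f"scheme_not_allowed:{parts.scheme or 'none'}")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return Verdict(False, f"host_not_allowlisted:{host or 'none'}")
    # Decode percent-encoding once so an encoded secret is inspected in the clear.
    decoded = unquote(url)
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(decoded):
            return Verdict(False, f"secret_pattern:{name}")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAM_NAMES:
            return Verdict(False, f"sensitive_param:{key}")
        if len(value) >= HIGH_ENTROPY_MIN_LEN and shannon_entropy(value) >= HIGH_ENTROPY_BITS:
            return Verdict(False, f"high_entropy_value:{key}")
    return Verdict(True, "ok")


URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def filter_reply(text: str) -> tuple[str, list[Verdict]]:
    """Replace every blocked URL in an outgoing reply; return the text and all verdicts."""
    verdicts: list[Verdict] = []

    def _substitute(match: re.Match) -> str:
        verdict = inspect_url(match.group(0))
        verdicts.append(verdict)
        return match.group(0) if verdict.allowed else "[link removed by egress guard]"

    return URL_RE.sub(_substitute, text), verdicts


if __name__ == "__main__":
    # Constructed reply: one allowlisted link and one link to a host the agent has no business contacting.
    sample = "Summary ready: https://docs.example.com/guide and https://collector.invalid/p?d=AKIAABCDEFGHIJKLMNOP"
    cleaned, results = filter_reply(sample)
    print(cleaned)
    for r in results:
        print(r)
```

The host allowlist does the real work; the pattern and entropy checks exist so that a misconfigured allowlist (or an allowlisted host that happens to echo query strings) still leaves a logged, blockable signal. The `reason` strings are deliberately stable so a SIEM rule can alert on `host_not_allowlisted` or `secret_pattern` counts per agent.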
Additional Security Concerns
Beyond prompt injection risks, CNCERT has identified several other issues with OpenClaw. These include the potential for the AI agent to inadvertently delete important information due to misinterpretation of user commands, the risk of malicious skills being uploaded to repositories like ClawHub, and the exploitation of known vulnerabilities to compromise the system.
Recommended Mitigations
To mitigate these risks, CNCERT advises users to enhance their network controls, avoid exposing OpenClaw’s management port to the internet, isolate the service in a container, and refrain from storing credentials in plaintext. Users should also download skills only from trusted sources, disable automatic updates for skills, and ensure the agent is kept up-to-date.
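One of the mitigations above, keeping the management port off the internet, is easy to state and easy to get wrong when a container or reverse proxy silently binds to all interfaces. The following Python is an added example, not OpenClaw's or CNCERT's code: it parses the output of `ss -ltn` (the listening-socket table on Linux) and reports any management port that is reachable on a non-loopback address. The sample socket table and the port number 8080 are constructed placeholders; substitute the ports your own deployment uses.

```python
"""Flag management ports that listen on non-loopback addresses (added example).

Run on the host with:  ss -ltn | python3 this_script.py
The constructed sample below lets it run offline as well.
"""
import sys

LOOPBACK = ("127.", "::1", "[::1]")

# Constructed `ss -ltn`-style output; 8080 stands in for a hypothetical management port.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080         0.0.0.0:*
LISTEN 0      128    [::]:22              [::]:*
LISTEN 0      128    192.168.1.10:8080    0.0.0.0:*
"""


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (address, port) for every LISTEN row; header and malformed rows are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition handles IPv6 "[::]:22"
        try:
            listeners.append((addr, int(port)))
        except ValueError:
            continue
    return listeners


def exposed_listeners(ss_output: str, management_ports: set[int]) -> list[tuple[str, int]]:
    """Management ports bound anywhere other than loopback: wildcard or a LAN/public address."""
    return [
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if port in management_ports and not addr.startswith(LOOPBACK)
    ]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    findings = exposed_listeners(data, {8080})
    for addr, port in findings:
        print(f"EXPOSED: management port {port} listens on {addr}; bind it to 127.0.0.1 or firewall it")
    sys.exit(1 if findings else 0)
```

A wildcard bind such as `0.0.0.0` or `[::]` is the case that turns a self-hosted agent into an internet-facing one; the check also catches a LAN address, which is still wider than the article's advice of keeping the port off the network entirely. Running this from a cron job or a container health check gives a cheap, continuous control for the exposure CNCERT warns about.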
In response to these security concerns, Chinese authorities have restricted state-run enterprises and government agencies from using OpenClaw on office computers. This ban is also reported to extend to military personnel’s families.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.