Full Report
Two security teams have shown, in separate research published this week, that OpenClaw, the popular self-hosted AI agent, can be driven to run attacker-controlled code or hand over sensitive data through ordinary-looking inputs. Imperva buried instructions inside shared contacts, vCards, and location pins that the agent executed without the victim ever seeing them. Varonis built a test agent on
Analysis Summary
# Vulnerability: OpenClaw Message Object Prompt Injection and Agent Phishing
## CVE Details
- **CVE ID:** Not explicitly listed in the report (Internal/Vendor tracking typically applies to OpenClaw 2026.4.23)
- **CVSS Score:** N/A (Highly Critical - allows Remote Code Execution)
- **CWE:** CWE-94 (Improper Control of Generation of Code), CWE-116 (Improper Encoding or Escaping of Output)
## Affected Systems
- **Products:** OpenClaw AI Agent
- **Versions:** All versions prior to 2026.4.23
- **Configurations:** Default installations, particularly those integrated with messaging platforms (WhatsApp, etc.) or email accounts where "memory" is enabled.
## Vulnerability Description
The vulnerability stems from "flattening" object metadata. When OpenClaw processes shared contacts, vCards, or location pins, it fails to sanitize or demarcate these inputs properly. Instead of treating these fields as untrusted data, it serializes them directly into the prompt text sent to the LLM (e.g., Gemini 3.1 Pro or GPT-5.4).
Because the system allows special characters (like angle brackets) in fields such as "Contact Name," an attacker can break out of the intended data field and inject instructions that the LLM perceives as high-priority system commands. This is exacerbated by the fact that many of these malicious payloads are truncated on the user’s UI, making the attack invisible to the victim.
## Exploitation
- **Status:** PoC available (Demonstrated by Imperva and Varonis)
- **Complexity:** Low
- **Attack Vector:** Network (via messaging apps, email, or shared location data)
## Impact
- **Confidentiality:** High (Agent was induced to forward AWS keys, credentials, and customer databases)
- **Integrity:** High (Agent executed attacker-controlled scripts/code)
- **Availability:** Medium (Potential for system compromise or data deletion via RCE)
## Remediation
### Patches
- **Update to OpenClaw version 2026.4.23 or later.** This version introduces a separate "untrusted-metadata channel" that isolates contact and location details from the primary prompt body.
### Workarounds
- **Disable "Memory" features:** Turn off the agent's ability to retain context from previous interactions to limit long-term compromise.
- **Human-in-the-loop (HITL):** Require manual approval for any action involving data exfiltration (sending emails/API calls) or script execution.
- **Strict Scoping:** Limit the agent's access to sensitive files and credentials using environment-level sandboxing.
## Detection
- **Indicators of Compromise:** Unusual outbound network traffic to unrecognized external script repositories; logs showing LLM prompts containing command-like syntax (e.g., "ignore previous instructions").
- **Detection Methods:** Monitor for large-scale data exports or the retrieval of sensitive environment variables (AWS_ACCESS_KEY_ID, etc.) by the AI agent process.
## References
- [hXXps://thehackernews[.]com/2026/06/new-attacks-trick-openclaw-ai-agent.html]
- [hXXps://www.imperva[.]com/blog/compromise-openclaw-with-prompt-injections-in-message-objects/]
- [hXXps://github[.]com/openclaw/openclaw]
- [hXXps://www.varonis[.]com/blog/openclaw-phishing]