Full Report
China's National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security stemming from the use of OpenClaw (formerly Clawdbot and Moltbot), an open-source and self-hosted autonomous artificial intelligence (AI) agent. In a post shared on WeChat, CNCERT noted that the platform's "inherently weak default security configurations," coupled with its
Analysis Summary
# Vulnerability: OpenClaw Autonomous AI Agent Security Flaws
## CVE Details
*Note: The CNCERT warning highlights architectural flaws and recently disclosed vulnerabilities (such as "ClawJacked"). Specific CVE IDs for the "ClawJacked" or "OpenClaw Bug" mentioned in the article are not explicitly listed in the text, but the nature of the flaws points to common AI-agent weaknesses.*
- **CVE ID**: Pending/Not explicitly listed (References "ClawJacked" and "one-click remote" flaws)
- **CVSS Score**: High/Critical (Estimated based on remote seize-of-control potential)
- **CWE**:
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-1027: Indirect Prompt Injection (IDPI)
## Affected Systems
- **Products**: OpenClaw (formerly known as Clawdbot and Moltbot)
- **Versions**: All versions prior to March 2026; specifically impacts self-hosted versions.
- **Configurations**:
- Default security configurations (weak by design).
- Instances with "Link Preview" enabled in connected messaging apps (Telegram, Discord).
- Instances with public-facing default management ports.
## Vulnerability Description
OpenClaw suffers from several critical security weaknesses stemming from its autonomous nature and privileged system access:
1. **Indirect Prompt Injection (IDPI/XPIA)**: Attackers can embed malicious instructions in web pages. When the agent browses or summarizes these pages, it executes the embedded instructions.
2. **Data Exfiltration via Link Previews**: The agent can be tricked into constructing a URL containing sensitive user data. When this link is "previewed" by a messaging app, the data is automatically sent to an attacker-controlled domain without user interaction.
3. **Malicious Skills**: The platform lacks rigorous verification for third-party "skills" (plugins) which can be weaponized to run arbitrary commands.
## Exploitation
- **Status**: Exploited in the wild (Reported by CNCERT and researchers at PromptArmor).
- **Complexity**: Low to Medium.
- **Attack Vector**: Network (Indirect via web content or malicious plugin repositories).
## Impact
- **Confidentiality**: High (Leakage of trade secrets, code repositories, and sensitive user data).
- **Integrity**: High (Potential for unauthorized command execution and critical data deletion).
- **Availability**: High (Possibility of "complete paralysis" of business systems).
## Remediation
### Patches
- Users should monitor the official OpenClaw/ClawHub repositories for updates addressing the "ClawJacked" vulnerability and general security hardening.
### Workarounds
- **Network Isolation**: Prevent exposure of the default management port to the public internet.
- **Containerization**: Run the OpenClaw service inside an isolated container (e.g., Docker) to limit host system access.
- **Credential Safety**: Do not store API keys or credentials in plaintext within the platform.
- **Skill Management**: Only download skills from trusted channels; disable automatic updates for third-party skills.
## Detection
- **Indicators of Compromise**:
- Unusual outbound traffic to unknown domains (specifically query parameters in URLs).
- Unauthorized "skills" appearing in the agent's configuration.
- Unexpected system commands initiated by the AI service account.
- **Detection Methods**: Monitor logs for "Link Preview" requests triggered by the agent and audit instructions fetched from external web sources.
## References
- CNCERT Weibo/WeChat Advisory: hxxps://mp[.]weixin[.]qq[.]com/s/0M1sZq1HqwAAaMbRDBEZEw
- PromptArmor Research: hxxps://www[.]aitextrisk[.]com/
- Original Reporting: hxxps://thehackernews[.]com/2026/03/openclaw-ai-agent-flaws-could-enable.html
- Technical Background on IDPI: hxxps://securelist[.]com/indirect-prompt-injection-in-the-wild/113295/