惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Security Affairs
S
Schneier on Security
T
Tenable Blog
G
GRAHAM CLULEY
Latest news
Latest news
D
Darknet – Hacking Tools, Hacker News & Cyber Security
A
Arctic Wolf
I
Intezer
Cyberwarzone
Cyberwarzone
T
The Exploit Database - CXSecurity.com
T
Tailwind CSS Blog
K
Kaspersky official blog
Blog — PlanetScale
Blog — PlanetScale
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Threat Research - Cisco Blogs
爱范儿
爱范儿
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 叶小钗
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Recent Commits to openclaw:main
Recent Commits to openclaw:main
P
Palo Alto Networks Blog
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 司徒正美
The Cloudflare Blog
Help Net Security
Help Net Security
罗磊的独立博客
博客园 - 聂微东
Jina AI
Jina AI
Project Zero
Project Zero
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
L
LINUX DO - 最新话题
V
V2EX
人人都是产品经理
人人都是产品经理
美团技术团队
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
J
Java Code Geeks
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Security Latest
Security Latest
The Last Watchdog
The Last Watchdog
Stack Overflow Blog
Stack Overflow Blog
雷峰网
雷峰网
S
Securelist
Forbes - Security
Forbes - Security
博客园 - 三生石上(FineUI控件)
Microsoft Azure Blog
Microsoft Azure Blog
P
Privacy International News Feed
宝玉的分享
宝玉的分享
C
CERT Recently Published Vulnerability Notes

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
OpenClaw AI Agent Exploited Through Hidden Contact Prompts and Social Engineering
Matt Lucas · 2026-06-12 · via DEV Community

Matt Lucas

TL;DR

  • what: Researchers demonstrated OpenClaw AI agent executes hidden commands in contacts/vCards and leaks credentials through believable phishing emails without user interaction.
  • impact: Agents with memory enabled can be compromised by widely-shared contacts; agents forward AWS keys, database credentials, and customer data to external addresses from single emails.
  • fix: Update to OpenClaw 2026.4.23 for prompt-injection fix; implement strict agent permissions, sandbox environments, and require human confirmation for credential/data operations.
  • who: Organizations running self-hosted OpenClaw agents with access to messaging platforms, credential stores, file systems, and sensitive business data.

OpenClaw, the popular self-hosted AI agent platform, is vulnerable to two distinct attack vectors that turn its autonomous capabilities against organizations. Imperva Security demonstrated prompt injection through seemingly innocuous shared contacts, while Varonis Threat Labs showed that plain-English phishing emails bypass the agent's built-in verification rules. Both attacks exploit the same fundamental weakness: OpenClaw trusts incoming data and has broad access to sensitive systems.

Contact Names as Attack Vectors

Imperva researcher Yohann Sillam discovered that OpenClaw serializes message objects—shared contacts, vCards, and location pins—directly into LLM prompts without marking them as untrusted input. When the agent processes a shared contact, it flattens the data into a simple format: . Because angle brackets are legal characters in contact names, an attacker can inject additional instructions that the model interprets as legitimate commands.

The attack surface is invisible to victims. WhatsApp truncates contact names in the UI, hiding the malicious payload from both the person sharing the contact and the recipient. The same technique works through vCard full-name fields and location pin labels. In tests against Google Gemini 3.1 Pro, Imperva's hidden instructions successfully commanded the agent to download and execute scripts from researcher-controlled servers.

⚠️ Memory Amplifies Risk — OpenClaw enables memory by default, meaning a single poisoned contact shared across a team or organization can compromise every agent that processes it. Without sandboxing, the injected command persists and executes whenever the agent recalls the associated conversation.

The vulnerability exists because OpenClaw handles web-scraped content differently than messaging data. Content fetched from the internet gets wrapped in an untrusted-content boundary marker; message objects do not. This inconsistency creates a bypass: attacks embedded in images typically fail because models have been trained on those examples, but the message-object route remains undertrained and effective.

OpenClaw shipped a fix in version 2026.4.23 that moves contact names, vCard fields, and location labels into a separate untrusted-metadata channel outside the main prompt. Imperva noted the same flattening pattern exists in other personal AI assistants, indicating the problem extends beyond one platform.

Social Engineering Beats Technical Controls

Varonis Threat Labs approached OpenClaw from a different angle. The team built a test agent named Pinchy, connected it to Gmail, populated the inbox with synthetic business emails and mock secrets, then ran four phishing scenarios against Google Gemini 3.1 Pro and OpenAI Codex GPT-5.4. The agent operated under a strict profile explicitly configured to verify sender identity before taking sensitive actions.

Both exfiltration tests succeeded. In the first scenario, an email impersonating a team lead named Dan requested staging credentials during a fabricated production incident. The message came from an external Gmail address. Pinchy located the credentials and forwarded mock AWS IAM access keys, database connection strings, and SSH credentials in plaintext to the attacker-controlled address. The second test used a routine request for a weekly customer export, framed as needed for a quarterly business review. The agent sent a synthetic dataset containing 247 enterprise customer records, including contact details and contract values.

Technical vs. Social Threats — The same agent successfully detected and blocked technical threats. It identified a gift-card phishing site and withheld credentials. On a malicious OAuth consent screen disguised as a timesheet app, it inspected the redirect target, flagged it as suspicious, and stopped. Urgency and routine social pretexts bypassed judgment that technical anomalies did not.

Varonis distinguishes this from classic prompt injection. They call it agent phishing: a believable request through a normal channel that succeeds because the agent prioritizes helpfulness over verification. The strict sender-verification rule existed in the agent's configuration. Urgency overrode it in the first test; the routine nature of the request beat it in the second. OpenAI Codex GPT-5.4 showed more caution than Gemini 3.1 Pro about sending data to external sites without confirmation, but both models fell for the social engineering.

The Lethal Trifecta

Varonis maps both attack classes to what security researcher Simon Willison calls the lethal trifecta: an agent with the ability to read private data, ingest untrusted input, and send information outbound. OpenClaw ships with all three capabilities enabled. It has file-system access, shell execution rights, and integrations with more than twenty messaging platforms including Slack, Discord, Microsoft Teams, WhatsApp, and Matrix.

The trust boundary problem is not limited to prompts. A separate analysis from InfoSec Write-ups converted OpenClaw's past security advisories into static-analysis rules, then applied them to the platform's channel extensions. The scan identified five additional vulnerabilities across Slack, Discord, Matrix, Zalo, and Microsoft Teams integrations. All five shared the same root cause: startup code resolved channel allowlists by mutable display name rather than stable user ID. An attacker who changed their display name to match an authorized user could bypass the allowlist and issue commands to the agent. OpenClaw has patched these flaws.

Mitigation and Operational Reality

The prompt-injection vector has a patch. Organizations running OpenClaw must update to version 2026.4.23 or later. The social-engineering vector does not have a code fix because it exploits the agent's design, not a bug. Varonis recommends limiting agent permissions through capability restrictions:

  • Require human confirmation before any operation that accesses credentials, reads sensitive files, or sends data outside the organization.
  • Restrict agent access to credential stores, SSH keys, and API tokens. Use read-only access where possible.
  • Sandbox agent execution environments to contain code-execution attacks and limit lateral movement.
  • Implement sender validation at the infrastructure level—verify domain and email authentication before messages reach the agent.
  • Disable or constrain memory features for agents with access to high-value data, reducing the persistence window for injected instructions.

OpenClaw's appeal is its autonomy and breadth of access. Organizations deploy it precisely because it can act independently across messaging platforms, file systems, and external APIs. The security challenge is that those same capabilities make it an attractive target. The agent cannot distinguish between a legitimate urgent request from a colleague and a well-crafted impersonation. Models improve at detecting malformed URLs and obviously fake login pages, but struggle with context-appropriate social requests that a human would question.

OpenClaw has faced a steady stream of prompt-injection and data-exfiltration warnings since launching late last year. The Dutch data protection authority has raised concerns about the platform's default permissions and data-handling practices. Both Imperva and Varonis note that the underlying architectural issues—trusting inbound data, granting broad access, lacking robust sender verification—are common across the emerging AI agent category, not unique to one product.

Risk Calculus

For security and IT teams evaluating or operating OpenClaw deployments, the threat model is clear. A poisoned contact shared in a company-wide channel can compromise every agent instance that processes it if memory is enabled. A single convincing email can exfiltrate credentials or customer data even when verification rules are configured. The attack surface is not a bug to be patched away; it is the product's design. The value proposition—an agent that autonomously handles tasks across platforms—creates the exposure.

Organizations must decide whether the productivity gains justify the risk, and if they proceed, implement defense in depth: patching to 2026.4.23 immediately, sandboxing agent execution, requiring human approval for sensitive operations, and monitoring outbound data flows for anomalies. The research from Imperva and Varonis demonstrates that AI agents are not merely productivity tools; they are privileged identities with access that adversaries will target, using both technical exploits and social engineering that the models are not yet equipped to resist.


Originally published on RedEye Threat Intelligence.