New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets

Two security teams have shown, in separate research published this week, that OpenClaw, the popular self-hosted AI agent, can be driven to run attacker-controlled code or hand over sensitive data through ordinary-looking inputs. Imperva buried instructions inside shared contacts, vCards, and location pins that the agent executed without the victim ever seeing them. Varonis built a test agent on

The reported research shows that the self-hosted OpenClaw AI agent can be coerced into executing attacker-controlled code and exposing sensitive data via seemingly benign content, such as vCards, shared contacts, location pins, and crafted URLs embedded in normal workflows. This aligns with other findings that OpenClaw is highly exposed to prompt injection and indirect prompt injection, including data exfiltration through link previews and remote code execution via crafted links and misconfigured gateways.[1][2][3] These are factual reports of real-world exploitation techniques against OpenClaw-like agents that automatically act on untrusted inputs. From a CyberSE.AI perspective, this underscores the need to redesign agent business logic to treat all external content as untrusted, add strict tool/use constraints and review layers, and continuously red-team agent behaviors so that hidden instructions in user data cannot silently trigger code execution or data leakage.