New OpenClaw AI Attacks Trick Agents Into Leaking Secrets

Michael Miller · 2026-06-11

Two security teams have shown, in separate research published this week, that OpenClaw, the popular self-hosted AI agent, can be driven to run attacker-controlled code or hand over sensitive data through ordinary-looking inputs. ### How the Attacks Work Imperva buried instructions inside shared contacts, vCards, and location pins that the agent executed without the victim ever seeing them. Varonis built a test agent on OpenClaw and found similar weaknesses. These aren't complex exploits—they're clever social engineering attacks that take advantage of how the AI processes data. The key insight is that OpenClaw trusts inputs from shared files and collaborative tools. An attacker can hide commands in a contact's notes or a map pin's description. When the agent reads that data, it follows the hidden instructions without alerting the user. ### What Makes This Dangerous You might think, "Well, I'd notice if my agent started acting weird." But that's the scary part—the attacks happen silently. The agent runs code or sends data in the background while you go about your day. By the time you notice, your secrets are already gone. Here's what attackers can do: - Steal API keys and passwords stored in the agent's memory - Exfiltrate internal documents and customer data - Execute arbitrary commands on the host system - Plant backdoors for persistent access ### Who's at Risk If you use OpenClaw in a business setting, you're in the crosshairs. The agent often has access to sensitive systems—databases, cloud services, internal APIs. That makes it a prime target for attackers looking to pivot deeper into your network. But it's not just enterprises. Developers and researchers who self-host OpenClaw for personal projects should also be concerned. A compromised agent can leak your personal credentials or inject malware into your development environment. ### Protecting Yourself The good news is that these attacks aren't unstoppable. Here are practical steps you can take right now: - **Limit data sources**: Don't let your agent automatically process shared files from untrusted collaborators - **Audit agent actions**: Enable logging and review what your agent does, especially when it accesses new data - **Use sandboxing**: Run OpenClaw in a container with restricted permissions - **Update regularly**: The OpenClaw team is aware of these issues and working on patches ### The Bigger Picture This research highlights a growing problem with AI agents: they're too trusting. We build them to help us, but we forget that bad actors can abuse that helpfulness. The same features that make agents useful—autonomous decision-making, access to tools, ability to parse varied inputs—also make them vulnerable. Think of it like giving a smart assistant the keys to your house. You'd want to check who's knocking before letting them in. These attacks show that OpenClaw is letting strangers in without looking through the peephole. ### What's Next Both Imperva and Varonis have shared their findings with the OpenClaw team. Expect security updates in the coming weeks. In the meantime, treat your agent like any other critical system—monitor it, lock it down, and don't trust it with data from unknown sources. The takeaway? AI agents are powerful tools, but they're not magic. They need the same security hygiene as any other software. Stay vigilant, and don't assume your agent will protect itself.