OpenClaw AI Agent Vulnerabilities Exposed by Security Researchers

Recent research from two security teams has unveiled alarming vulnerabilities in OpenClaw, a widely used self-hosted AI agent developed by OpenAI. These flaws allow attackers to execute malicious code or access sensitive information through seemingly harmless inputs. The implications for platform users are serious, requiring immediate action to reduce risks.

In a thorough examination, Imperva revealed how hidden commands could be embedded within shared contacts, vCards, and location pins, prompting OpenClaw to execute these commands without user awareness. In a related study, Varonis demonstrated a similar exploit by creating a test agent that, when given a mailbox filled with synthetic business data, was tricked into forwarding sensitive information like mock AWS keys and a fabricated customer export to an external address.

The vulnerabilities identified by Imperva arise from how OpenClaw processes messaging data. When shared contacts or vCards are passed to the underlying model, the system converts these objects into plain text without marking them as untrusted. This allows critical commands to be hidden within seemingly benign data. For example, a shared contact might only transmit a name field formatted as <contact: name, number>, enabling an attacker to insert undetectable instructions since the angle brackets are acceptable in a name.

Details of the Vulnerability

The flaw identified by Imperva has been patched in the latest version of OpenClaw, 2026.4.23, which users are encouraged to update to. However, the phishing vulnerability uncovered by Varonis is not as easily fixed; it points to a fundamental issue with the agent’s autonomous capabilities. OpenClaw's design permits it to trust inputs without adequate scrutiny, effectively granting attackers access to the tools and data at the agent's disposal.

In practical tests, Imperva researchers discovered that even advanced models like Gemini 3.1 Pro were vulnerable to these hidden commands. Their tests showed that by embedding malicious instructions within a shared contact, the AI agent executed a script from a controlled server, highlighting the severity of the exploit. Interestingly, a similar attempt using an image with embedded instructions failed, likely due to increased awareness of such attacks in model training.

Implications for Users and Developers

These findings raise critical questions about the security of AI agents and the necessity for robust safeguards. As AI applications become more integrated into business operations, the potential for exploitation grows, underscoring the importance of effective security measures. Developers must rethink how their systems handle external data, ensuring that untrusted inputs are clearly marked and processed correctly.

The vulnerabilities discovered in OpenClaw serve as a warning for the AI community. As agents become more capable and autonomous, understanding and mitigating the associated risks is essential. Users are advised to remain vigilant and adopt best practices to safeguard sensitive data from potential breaches arising from these vulnerabilities. The realm of AI security is changing, and staying ahead of possible exploits is vital for both developers and users.