Attacks on OpenClaw: hidden commands force agent to execute code and exfiltrate secrets

Colleagues, I’d like to highlight recent cybersecurity incidents involving OpenClaw: the agent can be coerced into executing code and leaking secrets.
- Imperva: hidden instructions embedded in shared contacts, vCard fields and location tags were injected into the prompt; fixed in release 2026.4.23.
- Varonis: ordinary emails persuaded the agent to forward mock AWS keys and export client data — an architectural flaw not solvable by a patch.
- Root cause: the agent ingests private data, accepts untrusted content and can transmit data externally.
Why it matters: an agent with broad access is a potential point of compromise.
How do you secure agent integrations in your systems?
#cybersecurity #AI #infosec #agents
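
The root cause listed above (private data, untrusted content and an external channel in one agent) can be enforced as a runtime rule: block outbound tool calls once a session has both read private data and ingested untrusted content, unless a human approves. The Python below is an added example, not OpenClaw code or anything published by Imperva or Varonis; the tool names, source labels and event format are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical classification of an agent's inputs and tools (assumed names).
PRIVATE_SOURCES = {"read_mailbox", "read_contacts", "read_secrets"}
UNTRUSTED_SOURCES = {"inbound_email", "shared_contact", "vcard", "location_tag"}
EXTERNAL_SINKS = {"send_email", "http_post", "export_file"}


@dataclass
class SessionGuard:
    """Tracks what one agent session has touched and gates external sends."""
    saw_private: bool = False
    saw_untrusted: bool = False
    audit: list = field(default_factory=list)

    def record_input(self, source: str) -> None:
        # Taint is sticky: once set, it holds for the rest of the session.
        if source in PRIVATE_SOURCES:
            self.saw_private = True
        if source in UNTRUSTED_SOURCES:
            self.saw_untrusted = True

    def authorize(self, tool: str, approved_by_human: bool = False) -> bool:
        """Return True if the tool call may run; every decision is audited."""
        if tool not in EXTERNAL_SINKS:
            decision, reason = True, "not an external sink"
        elif not (self.saw_private and self.saw_untrusted):
            decision, reason = True, "no private+untrusted mix in session"
        elif approved_by_human:
            decision, reason = True, "human approved"
        else:
            decision, reason = False, "private + untrusted + external sink"
        self.audit.append((tool, decision, reason))
        return decision


def replay(events):
    """Replay constructed (kind, name) events; return the denied tool calls."""
    guard = SessionGuard()
    denied = []
    for kind, name in events:
        if kind == "input":
            guard.record_input(name)
        elif not guard.authorize(name):
            denied.append(name)
    return denied


# Constructed session: untrusted email arrives after the agent read secrets.
SAMPLE = [("input", "read_secrets"), ("tool", "send_email"),
          ("input", "inbound_email"), ("tool", "send_email"), ("tool", "summarize")]
```

The guard decides on session state, not on the text of the message, so it holds even when an injected instruction is phrased in a way a content filter misses.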

