What happened
Security researchers at PromptArmor demonstrated that OpenClaw AI agents can be manipulated through indirect prompt injection attacks to leak sensitive data without any user interaction. In the attack chain, malicious instructions are hidden inside content the agent is expected to read, causing it to generate a URL controlled by the attacker and append sensitive information such as API keys or private conversations into the query string. The link is then sent back through messaging platforms like Telegram or Discord, where automatic link previews silently fetch the URL and hand the data to the attacker before the user clicks anything. The report also said CNCERT warned that OpenClaw’s default security posture creates enterprise risk because agents can browse, execute tasks, and interact with local files.
Who is affected
Organizations using OpenClaw agents with messaging integrations, local file access, or access to operational credentials are affected, as manipulated agents can expose sensitive data through automated outbound requests.
Why CISOs should care
The issue shows how autonomous AI agents can be turned into silent data-exfiltration channels when untrusted content, messaging platform behavior, and access to local secrets intersect in the same workflow.
3 practical actions
- Disable auto-preview features in messaging apps. Restrict automatic link fetching in platforms such as Telegram, Discord, and Slack where agents generate URLs.
- Isolate OpenClaw runtimes. Run agents inside tightly controlled containers and keep management ports off the public internet.
- Reduce agent access to secrets and files. Limit file system access and keep credentials out of plaintext configuration files.
For more news about AI vulnerabilities, head over to the AI tag.