New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets
New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets
https://thehackernews.com/2026/06/new-attacks-trick-openclaw-ai-agent.html
Publish Date: 2026-06-11 13:46:00
Source Domain: thehackernews.com
Two security teams have shown, in separate research published this week, that OpenClaw, the popular self-hosted AI agent, can be driven to run attacker-controlled code or hand over sensitive data through ordinary-looking inputs.
Imperva buried instructions inside shared contacts, vCards, and location pins that the agent executed without the victim ever seeing them. Varonis built a test agent on the platform, gave it a mailbox full of synthetic business data, and watched a single plain email talk it into forwarding mock AWS keys and a fake customer export to an outside address.
The flaw Imperva found is patched in OpenClaw 2026.4.23, so update if you run it. The phishing weakness Varonis found is not something a patch fixes; it comes down to limiting what the agent can do on its own.
Different doors into the same room: the agent trusts what reaches it, and its access becomes the attacker’s.
Hidden commands in a shared contact
Imperva researcher Yohann Sillam looked at how OpenClaw hands messaging data to the model behind it. The problem is in the plumbing.
When the agent passes a shared contact, vCard, or location to the LLM, it flattens the object into the prompt text inline, with no boundary marking it as untrusted. The content the agent fetches from the web gets wrapped in an untrusted-content marker. Message objects do not.
Only some fields travel to the model, and that is what the attack abuses. A shared contact sends just the name field, serialized as . The angle brackets are legal in a name, so the model cannot tell where the real name ends and an injected instruction begins. The contact name is truncated where it shows on screen, both on WhatsApp and in the receiving app, so the victim does not see the payload either.
The same trick works through a vCard’s full-name field, which WhatsApp supports natively, and through the label on a shared location pin.
In Imperva’s tests against Gemini 3.1 Pro (preview build), the hidden text told the agent to…
