New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets
Summary
Two research teams discovered that OpenClaw, a self-hosted AI agent, can be tricked into running attacker-controlled code or leaking secrets through two different attack methods. Imperva found that hidden instructions embedded in shared contacts, vCards, and location pins are flattened into the AI's input text without being marked as untrusted, allowing the agent to execute them invisibly to the user. Varonis demonstrated that the agent can also be manipulated by ordinary-looking phishing emails impersonating trusted colleagues, causing it to forward sensitive data like AWS keys without verifying the sender's identity.
Solution / Mitigation
Imperva's discovered flaw is patched in OpenClaw version 2026.4.23, which moves contact names, vCard fields, and location labels out of the prompt body and into a separate untrusted-metadata channel. For the phishing vulnerability that Varonis found, the source states this "is not something a patch fixes; it comes down to limiting what the agent can do on its own."
Classification
Affected Vendors
Related Issues
Original source: https://thehackernews.com/2026/06/new-attacks-trick-openclaw-ai-agent.html
First tracked: June 11, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%