New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets

Imperva and Varonis security researchers independently demonstrated that OpenClaw, a widely deployed self-hosted AI agent, executes attacker-supplied code and leaks sensitive data when presented with seemingly benign inputs.

Imperva embedded malicious instructions within vCards, shared contacts, and location pins. The agent processed these files and executed the hidden commands without user visibility or consent. This attack vector exploits how OpenClaw parses and interprets file metadata, treating benign-appearing data structures as executable directives.

Varonis conducted parallel testing by building a test agent configured with typical enterprise settings. Their research confirmed the vulnerability extends across multiple input formats and integration points. Both teams found the agent lacks sufficient input validation and operates with excessive trust in data from external sources.

The risk applies broadly. Organisations deploying OpenClaw in production environments face code execution threats from compromised file repositories, malicious contacts uploaded by insiders, or poisoned shared folders. An attacker with network access to systems where OpenClaw operates can inject payloads through common collaboration tools like contact management systems or shared drive structures. Once executed, the agent runs with its own permission level, potentially accessing databases, APIs, and internal networks the agent has been granted access to.

Sensitive data leakage compounds the threat. OpenClaw agents often connect to enterprise databases and internal APIs as part of their function. An attacker controlling agent execution can query these systems directly, extracting customer records, credentials, or proprietary information stored in databases the agent can reach.

The attack requires no special privileges on the target system. It leverages the trust relationship between OpenClaw and its data inputs, a fundamental design assumption that proves insecure under adversarial conditions. Organisations using OpenClaw should immediately review their deployment scope, restrict agent permissions to least-privilege levels, and implement input validation on all files processed by the agent. Disabling