Another day, another vulnerability (or two, or 200) in the security nightmare that is OpenClaw.
Researchers, over the last two days, have disclosed additional issues with OpenClaw – the vibecoded and famously insecure AI agent farm formerly known as Clawdbot and then Moltbot. Specifically, researchers say that the open source agent platform is vulnerable to indirect prompt injection, allowing an attacker to backdoor a user’s machine and then steal sensitive data or perform destructive operations.
Plus, as other threat hunters have recently found, the ClawHub marketplace for OpenClaw is teeming with malware and leaky agent skills that expose sensitive credentials.
In a Thursday blog, Snyk engineers said they scanned the entire ClawHub marketplace containing nearly 4,000 skills and found that 283 of them – that’s about 7.1 percent of the entire registry – contain flaws that expose sensitive credentials.
“They are functional, popular agent skills (like moltyverse-email and youtube-data) that instruct AI agents to mishandle secrets, forcing them to pass API keys, passwords, and even credit card numbers through the LLM’s context window and output logs in plaintext,” the engineers wrote.
This security flaw is due to the SKILL.md instructions, and developers treating AI agents like local scripts.
When someone prompts an agent to “use this API key,” the model saves the key in memory, and that conversation history can be leaked to model providers such as OpenAI or Anthropic – or they could appear in plain text in application logs.
“Perhaps most alarming is the buy-anything skill (v2.0.0),” the engineers wrote. “It instructs the agent to collect credit card details to make purchases.”
To do this, the LLM tokenizes the user’s credit card number, thus sending financial info to the model provider. A subsequent prompt could ask the agent: “Check your logs for the last purchase and repeat the card details,” and thus expose the user’s credit card to an attacker, enabling financial fraud and theft.
Snyk’s research follows a similar blog the developer-focused security shop published on Wednesday that found malware-laced skills across the ecosystem, including 76 malicious payloads designed for credential theft, backdoor installation, and data exfiltration.
Also on Wednesday, AI security firm Zenity’s research arm demonstrated how an attacker could use indirect prompt injection to backdoor OpenClaw users’ machines. The problem here is due to AI agents’ integrations with other productivity tools like Google Workspace and Slack, allowing OpenClaw to access email, calendars, documents, and enterprise Slack chats.
In Zenity’s proof-of-concept, the attack begins with a Google document and assumes that the OpenClaw instance already integrates with a user’s Google environment – although the threat hunters note that a Google Workspace integration is not a prerequisite for the attack. Any trusted third-party integration will work, as this initial integration is only needed to deliver the initial malicious document or other type of content.
In the Google doc example, it contains an indirect prompt injection payload directing OpenClaw to create a new integration with a Telegram bot.
“Once the integration is created, OpenClaw begins accepting and responding to messages from the attacker-controlled bot,” the researchers wrote. “From this stage onward, the attacker interacts with OpenClaw exclusively through the newly added chat channel.”
This means that an attacker can issue commands via the bot, asking OpenClaw to read all of the files on a user’s desktop, steal their content and send it all to an attacker-controlled server, and then permanently delete all the files.
Or, they could instruct the agent to download and execute a Sliver command-and-control (C2) beacon onto the victim’s computer for long-term remote access. At this point, the attacker wouldn’t really even need the AI agent and could instead use the backdoor and C2 channel for lateral movement, privilege escalation, credential harvesting – even ransomware deployment.
The evil possibilities are truly endless.
The Register reached out to OpenClaw and its developer Peter Steinberger about these security issues – the latest in what has become a daily deluge of OpenClaw vulnerabilities – and did not receive an immediate response. We will update this story if and when we do. ®