AI Agent Prompt-Injection and Web-to-Agent Takeover Risks in Developer Tooling
Security research highlighted web-to-agent takeover and prompt-injection risks in modern AI developer tooling. Oasis Security reported a “complete vulnerability chain” in the open-source AI agent OpenClaw that allowed a malicious website a developer merely visited to silently seize control of the local agent—without plugins, browser extensions, or additional user interaction—leveraging the agent’s ability to execute system commands and manage workflows. The OpenClaw maintainers rated the issue High severity and issued a patch within 24 hours of disclosure.
Separate research described RoguePilot, a scenario in which a passive prompt injection can abuse highly privileged AI assistance inside GitHub Codespaces. The write-up emphasizes that Codespaces environments commonly expose a repository-scoped GITHUB_TOKEN with write permissions and provide AI “tools” such as terminal execution and file operations (e.g., run_in_terminal, file_read, create_file), creating “God Mode” conditions where untrusted text can be interpreted as instructions and lead to repository compromise. A third item (a Smashing Security podcast episode) primarily covers unrelated stories (alleged CAPTCHA-based DDoS activity tied to an archiving service and other news) and does not materially contribute to the AI agent takeover/prompt-injection topic.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
17 events from the most recent confirmed update back to the earliest known activity.
OpenClaw admin command authorization bypass is disclosed
A newly reported OpenClaw vulnerability in command resolution allows unauthenticated attackers to execute restricted administrative bot commands through supported messaging channels such as Discord or WhatsApp when specific permissive settings are enabled. The flaw stems from fallback authorization logic that can incorrectly approve attacker-supplied admin commands and return sensitive outputs such as configuration dumps or debugging statistics.
OpenClaw templated webhook session-routing auth bypass is disclosed
A newly reported OpenClaw vulnerability allowed external webhook payload data used in templated hook mappings, such as {{payload.id}}, to influence routing to AI agent sessions without proper enforcement of the allowRequestSessionKey control. The flaw affected openclaw versions before 2026.4.20 and could enable session hijacking, particularly in deployments using built-in routing presets like the Gmail integration.
OpenClaw isolated cron awareness-event trust-boundary flaw is disclosed
A newly reported OpenClaw vulnerability allows attacker-controlled messages from external webhook integrations tied to isolated cron jobs to be promoted into the main session as trusted system events. Because the awareness-event path omits a flag marking the content untrusted, malicious instructions can be treated as authoritative by the LLM and displayed in the UI with system-level indicators despite originating externally.
OpenClaw MCP server env-var injection RCE is disclosed
A high-severity OpenClaw vulnerability was disclosed in which opening a malicious workspace can inject environment variables into MCP server execution and trigger arbitrary code execution with the user's privileges. The issue affects major desktop platforms and could let attackers access files, establish persistence, and pivot to reachable network resources.
OpenClaw webhook system-prompt injection flaw is disclosed
A newly reported OpenClaw vulnerability in src/agents/system-prompt.ts allows untrusted webhook JSON payloads and dynamic context variables to be appended directly into the System role prompt. The design can let attacker-controlled input be interpreted as authoritative instructions, enabling indirect prompt injection and potential agent compromise.
OpenClaw Google OAuth PKCE verifier exposure flaw is disclosed
A newly reported OpenClaw vulnerability, CVE-2026-34511, exposes the OAuth PKCE code_verifier in the state parameter during the Google OAuth callback flow. If an attacker captures the callback URL, they can redeem the authorization code and verifier at Google’s token endpoint to obtain the victim’s access and refresh tokens.
OpenClaw Matrix extension reply-context auth bypass is disclosed
A newly reported vulnerability in OpenClaw's Matrix integration allows prompt injection and authorization bypass when an authorized user replies to or starts a thread from an attacker’s message in the same room. OpenClaw can follow the trusted reply context, retrieve the attacker-controlled content, and execute embedded instructions within the authorized user’s operational scope despite sender allowlist checks.
OpenClaw Google Chat integration auth bypass flaw is disclosed
A newly reported vulnerability in OpenClaw's Google Chat integration allows authorization bypass through mutable metadata, potentially giving attackers unauthorized access to agent functionality and connected data. The issue was described as network-exploitable with low privileges and high confidentiality and integrity impact, especially where agents are integrated with backend systems, databases, or CI pipelines.
OpenClaw Synology Chat plugin token brute-force flaw is disclosed
A newly reported OpenClaw vulnerability in the Synology Chat integration allowed attackers to brute-force a webhook token and send arbitrary messages that the server would treat as coming from a trusted Synology source. The report said this could let attackers inject prompts into the AI assistant to extract sensitive context, trigger backend actions, or manipulate assistant behavior, and noted a patched implementation added invalid-token rate limiting.
Filesystem sandbox bypass in OpenClaw agent media tools is disclosed
A newly reported OpenClaw vulnerability allows attackers to exfiltrate sensitive host files through vulnerable image or PDF processing tools when sandbox bridge mounts expose host directories. By using prompt injection or parameter manipulation, an attacker can make the agent read bridged files such as config files or SSH keys and send their contents to external vision model APIs for extraction.
OpenClaw WebSocket auth bypass privilege-escalation issue is documented
A later report documented a separate OpenClaw gateway flaw in WebSocket authentication and authorization handling, where an attacker with a valid shared token or password could self-assign the operator.admin scope and gain administrative RPC access. The issue could allow actions such as disabling monitoring via heartbeat controls.
Microsoft warns self-hosted AI agent runtimes should be isolated
Microsoft issued guidance that self-hosted agent runtimes such as OpenClaw should be treated as untrusted code execution and evaluated only in isolated environments with non-privileged credentials and monitoring. The advisory came amid reporting on OpenClaw vulnerabilities and broader ecosystem abuse.
RoguePilot prompt-injection attack on GitHub Codespaces is disclosed
Research described 'RoguePilot,' a passive prompt-injection chain in GitHub Codespaces with Copilot agent mode, where hidden instructions in GitHub Issues could drive terminal and file operations, steal a repository-scoped GITHUB_TOKEN via a symlink and schema-fetch trick, and enable repository compromise. Orca Security said it responsibly disclosed the issue and that Microsoft/GitHub patched it.
Researchers publicly disclose 'ClawJacked' OpenClaw vulnerability
Oasis Security publicly disclosed the ClawJacked vulnerability chain, showing that a visited website could hijack a locally running OpenClaw agent, access logs and configuration, enumerate nodes, and potentially execute commands or exfiltrate data. Coverage emphasized the issue as a 'shadow AI' risk for unmanaged local agents.
OpenClaw releases fix for 'ClawJacked' localhost takeover flaw
After responsible disclosure by Oasis Security, OpenClaw patched the high-severity 'ClawJacked' vulnerability that allowed malicious websites to brute-force the localhost WebSocket gateway password and silently register as a trusted device. Multiple reports place the fix on February 26, 2026, in versions 2026.2.25/2026.2.26.
OpenClaw patches log-poisoning prompt-injection issue
OpenClaw addressed a separate log-poisoning vulnerability that could enable indirect prompt injection through agent log-reading behavior. The issue was patched in version 2026.2.13.
OpenClaw patches earlier token-leak hijack flaw (CVE-2026-25253)
An earlier OpenClaw hijack issue, identified by Ethiack and Depthfirst, was patched in version 2026.1.29. The flaw reportedly leaked an authentication token via a crafted URL parameter and was fixed on January 31, 2026.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
20 references tracked. Mallory keeps watching after this page renders.
GHSA-C28G-VH7M-FM7V: GHSA-C28G-VH7M-FM7V: Improper Authorization and Privilege Escalation in OpenClaw Command Resolution | CVEReports
cvereports.com
Open sourceGHSA-57R2-H2WJ-G887: GHSA-57R2-H2WJ-G887: Trust Boundary Violation in OpenClaw Isolated Cron Awareness Events | CVEReports
cvereports.com
Open sourceGHSA-2XCP-X87W-Q377: GHSA-2xcp-x87w-q377: Incorrect Authorization Bypass via Templated Hook Mappings in OpenClaw | CVEReports
cvereports.com
Open sourceGHSA-MJ59-H3Q9-GHFH: GHSA-MJ59-H3Q9-GHFH: Arbitrary Code Execution via Environment Variable Injection in OpenClaw MCP Servers | CVEReports
cvereports.com
Open sourceClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket
thehackernews.com
Open sourceHow OpenClaw could be hijacked with a simple website visit | news | SC Media
scworld.com
Open sourceOpenClaw Vulnerability Enables Silent AI Takeover
thecyberexpress.com
Open sourceRoguePilot: How a Passive Prompt Injection Led to GitHub Repository Takeovers | by Sohan Kanna | Feb, 2026 | InfoSec Write-ups
infosecwriteups.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious code and prompt-injection attacks targeting developers and AI-agent ecosystems
Multiple reports describe **social-engineering and supply-chain style attacks** that trick developers or AI-agent users into executing attacker-controlled instructions. North Korean operators have been linked to the **“Contagious Interview”** campaign, in which fake recruiter personas lure software developers into running “technical interview” projects that deploy malware such as **BeaverTail** and **OtterCookie** for credential theft and remote access; GitLab reported banning **131 related accounts** in 2025, with many repos using **hidden loaders** that fetched payloads from third-party services (e.g., *Vercel*) rather than hosting malware directly. Separately, OpenGuardrails reported a campaign on *ClawHub* (an OpenClaw AI agent “skills” repository) where attackers posted **malicious troubleshooting comments** containing Base64-encoded commands that download a loader from `91[.]92[.]242[.]30`, remove macOS quarantine attributes, and install **Atomic macOS (AMOS) infostealer**—a delivery method that can evade package-focused scanning because the payload is in comments, not the skill artifact. Research and incident writeups also highlight how **indirect prompt injection** and **malicious open-source packages** can compromise developer environments. NSFOCUS summarized a GitHub **MCP cross-repository data leak** scenario where attacker-injected instructions in public Issues could cause locally running AI agents to exfiltrate private repo data when agents act with broad GitHub permissions, and cited a similar hidden-command issue affecting an AI browser’s page summarization workflow. JFrog reported malicious npm packages (e.g., `eslint-verify-plugin`, `duer-js`) delivering multi-stage payloads including a **macOS RAT** (Mythic/Apfell) and a Windows infostealer, reinforcing ongoing risk from poisoned dependencies. In contrast, a DFIR case study on **CVE-2023-46604** exploitation of Apache ActiveMQ leading to **LockBit**-style ransomware, and a Medium post on recon/content-discovery techniques, are separate topics and not part of the AI-agent/developer social-engineering thread.
May 15, 2026
Security Risks and Controls for Autonomous AI Agents and Multi-Agent Systems
New research and reporting highlighted that **autonomous/agentic AI** can create novel security failure modes—especially when agents interact with other agents or accept instructions from untrusted content. A multi-institution academic study (“Agents of Chaos”) described emergent risks in **multi-agent deployments**, including **server destruction**, **denial-of-service conditions**, and runaway resource consumption as small errors compound into catastrophic failures. Separate coverage warned that consumer-style agents such as **OpenClaw** can be manipulated by **malicious websites**, reinforcing that agentic systems expand the attack surface beyond traditional prompt injection into cross-agent and web-mediated command channels. In response to “rogue agent” and prompt-injection concerns, an open-source control layer called **IronCurtain** was presented as a safeguard that interposes a **trusted policy-enforcement process** between an LLM agent and external tools, using a “constitution” (human-readable intent) compiled into enforceable rules and requiring tool calls to be **allowed, denied, or escalated** for human approval. Other items in the set were largely **opinion, podcasts, or broad AI/security commentary** (e.g., AI for incident response efficiency, governance/metrics, ethics, dark web monitoring, and industry outlooks) and did not materially add technical detail to the specific story of agentic AI exploitation and multi-agent failure modes.
Mar 21, 2026
AI and Open-Source Ecosystem Abused for Malware Delivery and Agent Manipulation
Multiple reports describe threat actors abusing *AI-adjacent* and open-source distribution channels to deliver malware or manipulate automated agents. Straiker STAR Labs reported a **SmartLoader** campaign that trojanized a legitimate-looking **Model Context Protocol (MCP)** server tied to *Oura* by cloning the project, fabricating GitHub credibility (fake forks/contributors), and getting the poisoned server listed in MCP registries; the payload ultimately deployed **StealC** to steal credentials and crypto-wallet data. Separately, researchers observed attackers using trusted platforms and SaaS reputations for delivery and monetization: a fake Android “antivirus” (*TrustBastion*) was hosted via **Hugging Face** repositories to distribute banking/credential-stealing malware, and Trend Micro documented spam/phishing that abused **Atlassian Jira Cloud** email reputation and **Keitaro TDS** redirects to funnel targets (including government/corporate users across multiple language groups) into investment scams and online casinos. In parallel, research highlights emerging risks where **AI agents and AI-enabled workflows become the target or the transport layer**. Check Point demonstrated “**AI as a proxy**,” where web-enabled assistants (e.g., *Grok*, *Microsoft Copilot*) can be coerced into acting as covert **C2 relays**, blending attacker traffic into commonly allowed enterprise destinations, and outlined a trajectory toward prompt-driven, adaptive malware behavior. OpenClaw featured in two distinct security developments: an OpenClaw advisory described a **log-poisoning / indirect prompt-injection** weakness (unsanitized WebSocket headers written to logs that may later be ingested as trusted context), while Hudson Rock reported an infostealer incident that exfiltrated sensitive **OpenClaw configuration artifacts** (e.g., `openclaw.json` tokens, `device.json` keys, and “memory/soul” files), signaling that infostealer operators are beginning to harvest AI-agent identities and automation secrets in addition to browser credentials.
Mar 21, 2026