Table of Contents
Key Takeaway
- 🔓 OpenClaw Vulnerabilities: Four newly discovered vulnerabilities in OpenClaw — the popular open-source AI agent with 250K+ GitHub stars — allow attackers to execute code and leak secrets through hidden contacts and phishing emails.
- 📧 Indirect Prompt Injection: Attackers embed malicious instructions in emails and contacts that OpenClaw processes. The AI agent follows these injected instructions as if they were legitimate commands.
- 💻 Remote Code Execution: CVE-2026-25253 enables one-click remote code execution on 17,500+ exposed AI agent instances, giving attackers full control of the host system.
- 🇵🇭 OFW Risk: Many OFWs use AI agents for productivity. OpenClaw’s popularity means thousands of Filipino users could be affected by these vulnerabilities.
- 🛡️ Protection: Update OpenClaw immediately, disable unused integrations, restrict agent permissions, and monitor for unusual agent behavior.
OpenClaw — the open-source AI agent that took the tech world by storm with 250,000+ GitHub stars — is facing a serious security crisis. Two separate security teams have discovered critical vulnerabilities that allow attackers to trick the AI agent into executing arbitrary code and leaking sensitive data. For the thousands of OFWs who have adopted AI agents for productivity, these vulnerabilities represent a wake-up call about the risks of autonomous AI systems.
The attacks, reported by The Hacker News and confirmed by Cyera Research, exploit fundamental weaknesses in how OpenClaw processes external data. Unlike traditional software vulnerabilities that require specific conditions to exploit, the AI agent attacks work through normal usage — simply by sending the agent an email or adding a contact with hidden malicious instructions.
How the OpenClaw AI Agent Attacks Work
The AI agent attacks use a technique called indirect prompt injection — embedding malicious instructions in data that the AI agent processes as part of its normal workflow. Here’s how each attack vector works:
Attack 1 — Hidden Contact Injection: An attacker adds a contact to the victim’s address book (or a shared contact list) with a name or description containing hidden instructions. When the AI agent processes contacts — for example, to “find John’s email” or “check my calendar” — it reads the malicious instructions and executes them. The instructions could tell the agent to exfiltrate data, send emails to the attacker, or execute system commands.
Attack 2 — Phishing Email Exploitation: The attacker sends an email containing hidden instructions in the body, subject line, or even metadata. When the AI agent processes the email — to summarize it, extract action items, or draft a response — it encounters the injected instructions and follows them. The email appears normal to the human user, but the AI agent sees and obeyes the hidden commands.
Attack 3 — CVE-2026-25253 (Remote Code Execution): This critical vulnerability (CVSS 8.8) allows one-click remote code execution through a malicious gatewayUrl parameter. An attacker sends the victim a link that, when clicked, exploits the AI agent instance to steal the authentication token, bypass localhost restrictions via Cross-Site WebSocket Hijacking (CSWSH), and disable sandboxing to achieve full remote code execution.
Attack 4 — WebSocket Token Hijacking: By exploiting WebSocket connections used by OpenClaw for real-time communication, attackers can hijack the agent’s session token and impersonate the legitimate user. This gives the attacker full access to the AI agent instance and all connected services.
What makes the AI agent attacks particularly dangerous is their stealth. The victim doesn’t need to click a malicious link or download a file — the attack works through normal email and contact processing that the AI agent does autonomously.
The Scale of the OpenClaw Security Crisis
OpenClaw’s meteoric rise created the largest AI agent attack surface the cybersecurity world has ever seen. With 250,000+ GitHub stars and an estimated 180,000+ enterprise deployments, the AI agent security crisis affects organizations and individuals worldwide.
17,500+ Exposed Instances: Security researchers scanned the internet for publicly accessible AI agent instances and found over 17,500 that are directly vulnerable to CVE-2026-25253. These instances can be compromised with a single click — no authentication required.
20% Malicious Skills: In a separate discovery, Particula Tech found that approximately 20% of agent skills (plugins that extend the agent’s capabilities) contained malicious code. These skills were available in the official agent skills marketplace, meaning users who installed them were unknowingly giving attackers access to their systems.
Enterprise Impact: Cyera’s research found that four chained vulnerabilities in OpenClaw put enterprise deployments at risk. Organizations that deployed OpenClaw for customer service, data analysis, or workflow automation could have their entire AI agent infrastructure compromised.
OFW User Base: While exact numbers are unavailable, the Philippines has one of the world’s largest communities of open-source AI enthusiasts. Many OFWs use OpenClaw for freelance work, personal productivity, and side businesses. The OpenClaw vulnerabilities put these users at direct risk.
As we reported in our coverage of OFW digital safety, the rapid adoption of AI tools without corresponding security awareness creates a growing attack surface that threat actors are eager to exploit.
What the Security Researchers Found
The two independent security teams — Cyera Research and Brinztech — discovered different aspects of the AI agent vulnerability landscape:
Cyera’s Four Vulnerabilities: Cyera identified four chained vulnerabilities that together allow complete compromise of AI agent instances. The chain starts with a malicious gatewayUrl parameter that steals the authToken, uses Cross-Site WebSocket Hijacking (CSWSH) to bypass localhost restrictions, disables sandboxing through the API, and achieves remote code execution. The complete attack chain was demonstrated with proof-of-concept code.
Brinztech’s Agentic Prompt Injection: Brinztech focused on the indirect prompt injection vectors — how attackers can manipulate OpenClaw through hidden contacts and phishing emails. Their research showed that even organizations with strong email security are vulnerable because the attack happens at the AI agent level, not the email level. Traditional email filters don’t detect prompt injection because the malicious content is designed to be read by AI, not humans.
Particula’s Malicious Skills Discovery: Particula Tech’s analysis of the agent skills marketplace revealed that 1 in 5 skills contained malicious code. These skills were designed to look legitimate — offering useful functionality like weather updates, calendar management, or news summaries — while secretly exfiltrating data or installing backdoors.
The development team has released patches for the known vulnerabilities, but the fundamental challenge remains: AI agents that process external data will always be vulnerable to some form of prompt injection.
How OFWs Can Protect Themselves
For OFWs using AI agents, protection requires immediate action and ongoing vigilance:
- Update immediately: Update to the latest version that patches CVE-2026-25253 and the other known vulnerabilities. Check the OpenClaw GitHub repository for the latest security patches.
- Audit your skills: Review all installed AI agent skills and remove any that you don’t recognize or that came from untrusted sources. The 20% malicious skills rate means there’s a significant chance you have at least one compromised skill.
- Restrict agent permissions: Limit your AI agent’s access to only the services and data it absolutely needs. Don’t give it access to your entire file system, email, or financial accounts unless necessary.
- Monitor agent behavior: Watch for unusual behavior — unexpected emails being sent, files being accessed, or network connections being made. These could indicate that your AI agent has been compromised.
- Use sandboxed environments: Run AI agents in a sandboxed or virtualized environment that limits the damage an attacker can do if the agent is compromised.
- Be cautious with external data: Remember that any data your AI agent processes — emails, contacts, documents, web pages — could contain hidden malicious instructions. Don’t blindly trust your agent’s outputs when processing untrusted data.
As we noted in our Agentjacking investigation, the AI agent security landscape is evolving rapidly. The OpenClaw vulnerabilities are the latest example of how AI agents create new attack surfaces that traditional security tools aren’t designed to protect.
What You Don’t Know: The AI Agent Supply Chain Problem
This security crisis exposes a fundamental problem in the AI agent ecosystem that most users don’t understand: the AI agent supply chain.
Skills as Supply Chain: AI agent skills are like mobile apps — they extend the agent’s functionality but also expand its attack surface. The 20% malicious skills rate in the AI agent marketplace is comparable to the rate of malicious apps found in unofficial Android app stores. But unlike mobile apps, AI agent skills have direct access to your data, email, and system commands.
Dependency Chain Risk: AI agents depend on dozens of external services — email providers, calendar services, cloud storage, code repositories, messaging platforms. A vulnerability in any of these dependencies can be exploited through the AI agent. The OpenClaw attacks show how a single vulnerability in the agent’s email processing can lead to complete system compromise.
The Trust Problem: AI agents are designed to be helpful and trusting. They follow instructions, process data, and take actions without questioning the source. This trust is their greatest strength and their greatest weakness. These attacks exploit this trust by hiding malicious instructions in data that the agent processes as legitimate.
OFW Remote Work Amplification: OFWs who work remotely — often from shared workspaces, co-working spaces, or home offices — face amplified risk. Their AI agents may process data from multiple clients, use shared network connections, and operate outside the protection of corporate security infrastructure. A compromised AI agent instance on an OFW’s laptop could expose not just the OFW’s data, but their clients’ data as well.
The Regulatory Gap: Current cybersecurity regulations were written for traditional software, not AI agents. When an AI agent autonomously executes malicious code, the legal liability framework is unclear. According to the NIST AI Risk Management Framework, organizations deploying AI agents are responsible for ensuring their security — but the framework doesn’t provide specific guidance on securing against prompt injection attacks. This regulatory gap means that both OFW developers and their employers may be unprepared for the legal and financial consequences of an AI agent security incident.
The Malicious Skills Epidemic: The discovery that 20% of AI agent skills contained malicious code has implications beyond OpenClaw. The AI agent skills economy is largely unregulated, with anyone able to publish skills that millions of users might install. Unlike mobile app stores that have review processes (however imperfect), AI agent skill marketplaces have minimal vetting. For OFW developers who rely on agent skills for productivity, this means every installed skill is a potential security risk.
This security crisis is a preview of the AI security challenges that will define the next decade. As AI agents become more capable and more autonomous, the attacks against them will become more sophisticated and more damaging.
FAQ
What is OpenClaw?
OpenClaw is an open-source AI agent framework that allows users to create autonomous AI agents for tasks like email management, calendar scheduling, data analysis, and workflow automation. It gained massive popularity with 250,000+ GitHub stars and an estimated 180,000+ enterprise deployments before the security vulnerabilities were discovered.
What is CVE-2026-25253?
CVE-2026-25253 is a critical remote code execution vulnerability in OpenClaw with a CVSS score of 8.8. It allows attackers to achieve one-click remote code execution on exposed AI agent instances through a malicious gatewayUrl parameter. Over 17,500 AI agent instances were found to be directly vulnerable to this attack.
How do I protect my AI agent instance?
Update to the latest version immediately, audit and remove untrusted skills, restrict agent permissions, run OpenClaw in a sandboxed environment, monitor for unusual behavior, and be cautious with external data sources. If you’re not actively using OpenClaw, consider disabling it until you can apply security patches.
Are other AI agents vulnerable to similar attacks?
Yes. Any AI agent that processes external data — emails, contacts, documents, web pages — is potentially vulnerable to indirect prompt injection attacks. The OpenClaw vulnerabilities are specific to OpenClaw’s implementation, but the underlying attack technique applies to all AI agents. As we reported in our Agentjacking coverage, the AI agent security challenge is industry-wide.
Should I stop using AI agents entirely?
Not necessarily, but you should use them with caution. Keep your AI agents updated, restrict their permissions, monitor their behavior, and be aware of the risks. The productivity benefits of AI agents are real, but so are the security risks. Treat your AI agent as a powerful tool that requires careful management — not a set-and-forget solution.
How many OFWs use OpenClaw?
Exact numbers are unavailable, but the Philippines has one of the world’s largest communities of open-source AI enthusiasts. Many OFWs use AI agents for freelance development, content creation, and personal productivity. The OpenClaw vulnerabilities are relevant to any OFW who uses AI agents — whether AI agents specifically or similar tools.
This article is for informational purposes only and does not constitute cybersecurity advice. Information sourced from The Hacker News, Cyera Research, Particula Tech, Brinztech, and CNCSO (as of June 2026).
