Fedezze fel a legfrissebb kiberbiztonsági híreket

Blog / OpenClaw: When a “helpful assistant” becomes an attack surface
OpenClaw: When a “helpful assistant” becomes an attack surface
Mate Torok
2026. április 2.
phishingemailllmaiopenclaw

OpenClaw (aka clawdbot or Moltbot) is an open source AI assistant that runs on your machine and connects to chat apps like Telegram, Discord, and Slack. Under the hood it relies on a local Gateway at ws://127.0.0.1:18789, which acts as the control plane for sessions, tools, and integrations.

That mix of always-on agent, durable credentials, shell access, and untrusted inbound content is why security teams should treat OpenClaw less like a chatbot and more like privileged automation. The interesting failures are attack chains where a message or skill steers real authority with potential impact.

Why OpenClaw changes the threat model

Traditional automation usually separates code, input, and identity. OpenClaw narrows those gaps: the same runtime can read chat, fetch web content, call tools, write files, and act with your stored tokens. Attackers do not need a software vulnerability to be able to exploit, they only need data in the model’s context and let the agent do the rest.

The dangers that matter most

The Gateway is a control plane, not a harmless localhost helper

The defaults make the Gateway local and loopback first, but that does not make it low risk. It multiplexes HTTP and WebSocket traffic on one port and exposes pairing, tools, and operator actions. If you bind it to LAN, put it behind a reverse proxy, or relax origin checks, you are publishing a dangerous API.

Local services are still reachable from a browser, and proxy mistakes or lack of understainding can collapse trust boundaries. The Gateway security guide warns about loose trustedProxies, allow-all origins, and public exposure. That design class is now tied to one-click takeover chains, including vulnerabilities like CVE-2026-25253, where a malicious page drove requests into the local gateway, changed configuration, and escalated toward host execution.

Skills are a supply chain problem with agent privileges

ClawHub skills should be treated as software installs, not as convenience prompts. A skill can change what the model sees, what tools it asks for, and which files or services it touches. OpenClaw’s own security docs say skill folders are trusted code and should be writable only by trusted operators.

A wave of malicious ClawHub uploads were observed recently that impersonated trading helpers, management tools, and content utilities. Some pushed victims toward fake helper binaries such as AuthTool and relied on ClickFix style social engineering to get code onto the host. Even if the payload looks like markdown or configuration, downloading it means extending an internet-facing automation runtime with attacker-supplied behavior.

Prompt injection can turn into persistence

The most interesting OpenClaw failures are not about the model saying something wrong. They are about the model calling the wrong tool. An attack-chain was observed where a user asked OpenClaw to summarize a malicious page, the page spoofed OpenClaw control tokens, and the agent was pushed toward an unrestricted exec call. The injected payload then wrote malicious instructions into HEARTBEAT.md.

That matters because OpenClaw can read HEARTBEAT.md on recurring heartbeat runs, and the docs confirm that the file is part of the normal workspace and can be updated by the agent. Once the attacker gets content into that file, the compromise becomes recurring instruction execution with a built-in place to store operator-like intent.

The same logic applies to MCP servers. An MCP server can supply prompts, resources, and tool results that get pulled into the model’s context, so a malicious or compromised server can smuggle in instructions that look like trusted guidance. The MCP specification itself explicitly warns that prompt inputs and outputs must be validated to prevent injection, and the MCP security guidance calls out local server compromise, DNS rebinding, arbitrary code execution, and data exfiltration as real risks, however mitigating these is not easy task. In practice, an untrusted MCP server is not just a connector. It is a party that can shape what the model sees and what data it can steal.

Durable secrets and operator context live on disk

OpenClaw concentrates useful secrets in predictable places. The security docs call out ~/.openclaw/openclaw.json, credentials/**, agent auth profiles, and per-agent session logs under ~/.openclaw/agents/<agentId>/sessions/*.jsonl. A host compromise is not just about stealing one API key. An attacker can harvest channel credentials, provider tokens, pairing state, and transcripts that make follow-on abuse easier.

This is why OpenClaw pairs so naturally with infostealer logic. Malware already knows how to search for browser secrets, wallet data, and cloud credentials. An agent runtime adds another high-value directory that also documents what the operator asked the system to do.

One gateway often becomes one trust boundary

OpenClaw is built around a personal assistant model, not a hostile multi-user bus. If several people can message the same tool-enabled agent, each of them can steer that same permission set. Session isolation helps privacy, but it does not create per-user host authorization.

That is why open group policy, wildcard allowlists, and shared team bots matter so much. A shared agent with exec, browser, or file access is closer to delegated admin than to chat automation. An prompt injection itself is a similar scenario.

Closing thought

OpenClaw is useful because it collapses message intake, web access, tool invocation, and stored authority into one runtime. These features make it a very inviting application however that is also the core danger. If an attacker can influence what the model reads, install what it trusts, or reach the control plane that governs it, the jump from “assistant” to privileged automation is very short and dangerous.

Source note

Fedezze fel a legfrissebb kiberbiztonsági híreket

Maradjon egy lépéssel a kiberveszélyek előtt a Naunet szakértői blogbejegyzéseivel! Ismerje meg a legújabb védelmi trendeket, technikákat és technológiákat, hogy növelhesse vállalkozása biztonságát. Csatlakozzon közösségünkhöz, és fejlődjön minden bejegyzéssel!