OpenClaw Bypasses EDR, DLP and IAM Without a Single Alert

By alex2404

A hidden instruction in a forwarded email can direct an OpenClaw agent to exfiltrate credentials through a sanctioned API call, log an HTTP 200, and leave every layer of a standard security stack completely unaware — because by every definition those tools understand, nothing went wrong.

Six independent security teams shipped six defense tools for OpenClaw in 14 days. Three attack surfaces survived all of them.

The exposure picture is already stark. Token Security found that 22% of its enterprise customers have employees running OpenClaw without IT approval. Bitsight counted more than 30,000 publicly exposed instances within two weeks, up from roughly 1,000. A separate audit by Snyk found that 36% of all ClawHub skills contain security flaws.

Jamieson O’Reilly, founder of Dvuln and now security adviser to the project, has worked directly with OpenClaw founder Peter Steinberger to ship dual-layer malicious skill detection and is driving a capabilities specification proposal through the agentskills standards body. He has been among the researchers pushing hardest for fixes from inside the project. “It wasn’t designed from the ground up to be as secure as possible,” O’Reilly said, according to the report. “That’s understandable given the origins, and we’re owning it without excuses.”

None of those fixes closes the three gaps that matter most.

Three surfaces the current stack cannot see

The first is runtime semantic exfiltration. Malicious behavior is encoded in meaning, not binary patterns. Palo Alto Networks mapped OpenClaw against every category in the OWASP Top 10 for Agentic Applications and identified what researcher Simon Willison calls a “lethal trifecta”: private data access, untrusted content exposure, and external communication in a single process. EDR reads the agent’s behavior as normal because the credentials are real and the API calls are sanctioned. Nothing in the current defense ecosystem tracks what the agent decided to do with that access.

The second is cross-agent context leakage. A prompt injection in one channel poisons decisions across an entire agent chain. Giskard researchers demonstrated in January 2026 that agents silently appended attacker-controlled instructions to their own workspace files and waited for commands from external servers. Palo Alto Networks researchers Sailesh Mishra and Sean P. Morgan warned that persistent memory turns these into stateful, delayed-execution attacks — a malicious instruction buried in a forwarded message can sit dormant in an agent’s context for weeks, activating during an unrelated task.

O’Reilly called this the hardest gap to close. “When context flows unchecked between agents and skills, a single injected prompt can poison or hijack behavior across the entire chain,” he said. No tool in the current ecosystem provides cross-agent context isolation. IronClaw sandboxes individual skill execution; ClawSec monitors file integrity. Neither tracks context propagation between agents in the same workflow.
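As an added illustration (not code from OpenClaw or from any of the tools named above), the following policy check models both the "lethal trifecta" and cross-agent context propagation described above: it tags each tool with the trifecta leg it supplies, taints a context once untrusted content enters it, carries that taint across agent hand-offs, and blocks external communication when untrusted instructions and private data are both already in the context. The tool names, agent names and scenario are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed tool catalogue (not OpenClaw's real tool names), each tagged
# with the leg(s) of the "lethal trifecta" it supplies.
PRIVATE = "private_data"       # reads secrets, credentials or internal files
UNTRUSTED = "untrusted_input"  # ingests content an outsider could have authored
EGRESS = "external_comms"      # can move data outside the trust boundary

TOOL_TAGS = {
    "read_vault": {PRIVATE},
    "read_inbox": {UNTRUSTED},
    "fetch_url": {UNTRUSTED, EGRESS},  # a URL both leaks (query string) and ingests
    "http_post": {EGRESS},
    "summarize": set(),
}

@dataclass
class AgentContext:
    """Taint state for one agent's context within a workflow."""
    agent: str
    tainted: bool = False      # untrusted content has entered this context
    has_private: bool = False  # private data has been read into this context
    log: list = field(default_factory=list)

def check_call(ctx: AgentContext, tool: str) -> str:
    """Decide 'allow' / 'warn' / 'deny' from the state *before* the call,
    then record what the call adds to the context."""
    tags = TOOL_TAGS.get(tool, set())
    decision = "allow"
    if EGRESS in tags and ctx.tainted:
        # untrusted instructions + private data + a way out: block the egress
        decision = "deny" if ctx.has_private else "warn"
    ctx.tainted |= UNTRUSTED in tags
    ctx.has_private |= PRIVATE in tags
    ctx.log.append((tool, decision))
    return decision

def delegate(parent: AgentContext, child: str) -> AgentContext:
    """Hand-off to the next agent in the chain: taint travels with the context."""
    return AgentContext(child, parent.tainted, parent.has_private)

def run_chain(steps: list) -> list:
    """steps: [(agent, tool)]; a new agent name is a delegation from the previous one."""
    contexts, current, decisions = {}, None, []
    for agent, tool in steps:
        if agent not in contexts:
            contexts[agent] = delegate(contexts[current], agent) if current else AgentContext(agent)
        current = agent
        decisions.append(check_call(contexts[agent], tool))
    return decisions

if __name__ == "__main__":  # constructed scenario: forwarded email -> delegation -> exfil attempt
    print(run_chain([("triage", "read_inbox"), ("ops", "read_vault"), ("ops", "http_post")]))
```

The last call is denied even though "ops" never read the inbox itself, because the taint arrived with the delegated context.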

The trust chain problem

The third surface is agent-to-agent trust chains with no mutual authentication. When OpenClaw agents delegate tasks to other agents or external MCP servers, no identity verification exists between them. Compromise one agent through prompt injection and it can issue instructions to every other agent in the chain, inheriting trust relationships the legitimate agent already established. The entire workflow becomes reachable from a single point of failure.


This article is a curated summary based on third-party sources.
