- China’s CNCERT issued a warning about critical security risks in the open-source AI agent OpenClaw, citing weak defaults and privileged access.
- Researchers have demonstrated practical indirect prompt injection attacks, enabling data exfiltration via manipulated URL previews.
- Chinese authorities have moved to restrict the use of OpenClaw in state enterprises and government agencies to contain security risks.
- Threat actors are actively exploiting the platform’s popularity, distributing malware through fake GitHub repositories.
On March 14, 2026, China’s National Computer Network Emergency Response Technical Team officially warned about severe security vulnerabilities stemming from the use of the autonomous AI agent OpenClaw. The agency highlighted the platform’s inherently weak default configurations and its privileged system access. Consequently, these flaws could allow bad actors to seize control of the endpoint through various attack vectors.
The primary risk involves indirect prompt injection, where malicious instructions embedded in a web page can trick the agent into leaking sensitive data. This attack, also referred to as cross-domain prompt injection, weaponizes benign AI features like web page summarization. It can range from SEO poisoning to generating biased responses by suppressing reviews.
Last month, researchers at PromptArmor found a practical data exfiltration pathway using this method. They demonstrated that link preview features in apps like Telegram could be exploited. The AI agent could be manipulated to generate an attacker-controlled URL that automatically transmits confidential data.
CNCERT highlighted three additional critical concerns beyond rogue prompts. These include the risk of irreversible data deletion due to misinterpreted instructions and the installation of malicious skills from repositories like ClawHub. Furthermore, attackers can exploit recently disclosed security vulnerabilities in OpenClaw to compromise systems.
The agency warned that for critical sectors like finance and energy, such breaches could leak core business data or paralyze entire systems. Meanwhile, Chinese authorities have moved to restrict state-run enterprises and government agencies from running OpenClaw AI apps on office computers, according to reports. The ban also reportedly extends to families of military personnel.
Threat actors are capitalizing on the platform’s viral popularity to distribute malware. Huntress detailed a campaign using malicious GitHub repositories posing as OpenClaw installers. These repositories deployed information stealers like Atomic and a Golang-based proxy malware known as GhostSocks.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
