Have you ever wondered about a personal AI assistant that does everything you want, like in the movie Her? Such a fantasy is now almost a reality: the LLM agent OpenClaw is quickly gaining popularity.
But AI agents of this kind are also becoming a popular attack vector, and we have just found a new security issue to add to the list of already known OpenClaw vulnerabilities.
When working with LLM agents, it’s easy to fall into the trap of incorrect expectations. It seems that you’re giving the agent a simple task: look at a page, collect data, analyze it. But in practice, you’re delegating not only the goal but also the way to achieve it. This is the problem.
LLM agents make decisions based on language models and act using code, API calls, or OS utilities. With weak restrictions on actions and access to data, the agent can behave too autonomously. This is the nature of large language models: they provide statistically suitable answers based on the current context. The key word here is statistically.
One might argue that carefully written prompts solve this. But LLMs are trained to be helpful, and if they can’t achieve the result in the described way, they may look for alternative solutions.
Sometimes these alternatives are reasonable. But sometimes they go far beyond what the user intended. In particular, the agent’s actions can lead to the compromise of the node on which the LLM agent is running.
This is what happened in our case: we analyzed the OpenClaw agent and found a way to achieve Remote Code Execution. When visiting a specially prepared web page, the OpenClaw agent executes shell commands in the context of the user under which the process is running.
In response to our report, the vendor stated that they consider the described behavior prompt injection rather than a defect in the model, and therefore do not classify it as a vulnerability.
We understand their position, but we believe the risk is significant and deserves attention. Therefore, we are publishing the minimum necessary practical measures to reduce the risk of the discovered attack:
Run OpenClaw in a Docker container, isolating it from sensitive data and infrastructure.
Limit the tools, for example by requiring confirmation for all system commands (exec.ask=always). If possible, disable the use of exec entirely.
In environments with high security requirements, it’s better to refrain from using OpenClaw altogether.
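To make the two configuration measures concrete, here is an added Python model of a human-in-the-loop gate in front of an agent's shell tool (example code, not OpenClaw's; ToolCall, ExecPolicy, the ask/enabled fields and the "source" provenance label are assumptions modelled on the exec.ask=always and "disable exec" advice above; nothing is actually executed):

```python
# Illustrative human-in-the-loop gate for an agent's shell ("exec") tool.
# Not OpenClaw code: ToolCall/ExecPolicy and the "ask"/"enabled" fields are
# assumptions modelled on the page's exec.ask=always and "disable exec" advice.
from dataclasses import dataclass, field


@dataclass
class ToolCall:
    tool: str    # e.g. "exec", "browse"
    cmd: str     # shell command the model proposes (only meaningful for exec)
    source: str  # provenance of the text that produced the call: "user" or "web"


@dataclass
class ExecPolicy:
    ask: str = "always"   # "always": confirm every exec; "never": run unprompted
    enabled: bool = True  # False models removing the exec tool entirely
    audit: list = field(default_factory=list)

    def dispatch(self, call: ToolCall, confirm) -> str:
        """Decide what happens to a proposed tool call; nothing is run here.
        `confirm` stands in for the human prompt and returns True/False."""
        if call.tool != "exec":
            return "allowed"  # non-shell tools are out of scope for this gate
        if not self.enabled:
            self.audit.append(("denied:disabled", call.cmd, call.source))
            return "denied"
        # Text that arrived from a web page is never treated as a user instruction:
        # it is gated even when ask is not "always".
        if self.ask == "always" or call.source != "user":
            if not confirm(call):
                self.audit.append(("denied:unconfirmed", call.cmd, call.source))
                return "denied"
        self.audit.append(("executed", call.cmd, call.source))
        return "executed"


def demo() -> dict:
    # Constructed sample: a page the agent was asked to read contains text that
    # the model turns into a shell command (harmless placeholder command).
    injected = ToolCall("exec", "echo 'injected command'", source="web")
    wanted = ToolCall("exec", "ls ~/reports", source="user")
    auto_reject = lambda call: False                  # nobody approves it
    approve_user = lambda call: call.source == "user"  # human approves own requests
    return {
        "weak": ExecPolicy(ask="never").dispatch(wanted, auto_reject),
        "weak_web": ExecPolicy(ask="never").dispatch(injected, auto_reject),
        "always": ExecPolicy(ask="always").dispatch(injected, auto_reject),
        "always_ok": ExecPolicy(ask="always").dispatch(wanted, approve_user),
        "disabled": ExecPolicy(enabled=False).dispatch(injected, approve_user),
    }
```

With ask="never" the user's own command runs unprompted, while the web-sourced command is still held for confirmation by provenance; with ask="always" every exec waits for a human, and with exec disabled nothing reaches the shell at all.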
General conclusion: with LLM-based agents, we delegate not only “what to do” but also “how exactly”. Without strict restrictions, this can lead to unexpected and dangerous consequences.
A detailed technical analysis of our findings will be published later; stay tuned.
