OpenClaw AI agent: indirect prompt injection (Imperva) + agent phishing (Varonis)

Two independent teams published complementary findings against OpenClaw, the self-hosted AI-agent platform that plugs into messaging systems, mailboxes, file systems and APIs. Imperva showed that shared contact names, vCard fields and location-pin labels flow into the LLM prompt with no untrusted-content boundary: a crafted contact — its injected command hidden behind 65 whitespace characters so the UI truncates it — executed python3 on the victim's host the moment the victim shared the contact with their agent (Imperva, 2026-06-10). Varonis demonstrated "agent phishing": a plain email from a plausible sender persuaded a mailbox-connected agent to forward mock AWS IAM keys and a customer export to an external address, with no exploit involved — the agent simply lacks sender-identity verification before acting (Varonis, 2026-06-09). Both teams note OpenClaw's default memory persistence lets one successful injection survive across sessions. The vendor fix (v2026.4.23) moves messaging-object metadata into a separate untrusted channel — but the structural lesson stands: wherever an agent ingests third-party-controlled strings (contacts, calendar invites, ticket bodies), that channel is an injection surface (T1059). Defender takeaway: pin OpenClaw ≥ v2026.4.23; inventory which AI agents hold mailbox send-permissions or shell access; gate agent-initiated outbound actions behind approval workflows the same way you gate privileged operations.

Cyera Research published on 2026-05-15 four chained vulnerabilities in OpenClaw (also marketed as Clawdbot), an autonomous AI-agent platform released in late 2025 with integrations including Microsoft Agent 365 (Cyera Research, 2026-05-15 · The Hacker News, 2026-05-15). All four CVEs are fixed by the OpenClaw release dated 2026-04-23, addressed under GitHub Security Advisories GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx. The defender-relevant detail is that an attacker who can obtain code execution inside the OpenClaw managed sandbox — achievable via a malicious plugin, prompt injection into the agent context, or supply-chain compromise of an OpenClaw plugin — can chain the four primitives to a full sandbox-escape → credential-harvest → owner-level agent control → file-disclosure sequence whose steps each mimic normal agent behaviour and so evade controls calibrated to "human-attacker" indicators. CVE-2026-44112 (CVSS 9.6, Critical) is a TOCTOU race in the OpenShell sandbox backend that lets the sandbox process win the filesystem write race and redirect writes outside the intended mount root, enabling host-filesystem tampering and persistent backdoor placement. CVE-2026-44115 (CVSS 8.8, High) is an incomplete allowlist in OpenClaw's command parser — shell-expansion tokens embedded in environment-variable names bypass the validation gate, leaking API keys, tokens, and credentials at execution time. CVE-2026-44118 (CVSS 7.8, High) trusts a client-controlled senderIsOwner flag in MCP loopback messages without validating against the authenticated session, allowing privilege escalation to owner-level agent control. CVE-2026-44113 (CVSS 7.7, High) is the companion TOCTOU read escape enabling file disclosure outside the sandbox root. Exposure is broad: Cyera cites ~65 K (Shodan) and ~180 K (ZoomEye) publicly accessible OpenClaw instances as of May 2026, summing to an estimated ~245 K exposed servers. No in-the-wild exploitation reported at disclosure. Detection: alert on the agent process writing files outside designated sandbox mount directories; flag MCP loopback messages with senderIsOwner=true from sources not matching the authenticated session; alert on environment-variable expansion in command strings at agent execution time.