AnonymousMedia.org

  • OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration

    Ravie Lakshmanan, Mar 14, 2026. Artificial Intelligence / Endpoint Security

    China’s National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security risks stemming from the use of OpenClaw (formerly Clawdbot and Moltbot), an open-source, self-hosted autonomous artificial intelligence (AI) agent.

    In a post shared on WeChat, CNCERT noted that the platform’s “inherently weak default security configurations,” coupled with the privileged system access it needs to execute tasks autonomously, could be exploited by bad actors to seize control of the endpoint.

    This includes risks arising from prompt injections, where malicious instructions embedded within a web page can cause the agent to leak sensitive information if it’s tricked into accessing and consuming the content.

    The attack is also referred to as indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA), as adversaries, instead of interacting directly with a large language model (LLM), weaponize benign AI features like web page summarization or content analysis to run manipulated instructions. This can range from evading AI-based ad review systems and influencing hiring decisions to search engine optimization (SEO) poisoning and generating biased responses by suppressing negative reviews.

    OpenAI, in a blog post published earlier this week, said prompt injection-style attacks are evolving beyond simply placing instructions in external content to include elements of social engineering.

    “AI agents are increasingly able to browse the web, retrieve information, and take actions on a user’s behalf,” it said. “Those capabilities are useful, but they also create new ways for attackers to try to manipulate the system.”

    The prompt injection risks in OpenClaw are not hypothetical. Last month, researchers at PromptArmor found that the link preview feature in messaging apps like Telegram or Discord can be turned into a data exfiltration pathway when communicating with OpenClaw by means of an indirect prompt injection.

    The idea, at a high level, is to trick the AI agent into generating an attacker-controlled URL that, when the messaging app renders it as a link preview, is fetched automatically, transmitting confidential data to that domain without the user ever clicking the link.

    “This means that in agentic systems with link previews, data exfiltration can occur immediately upon the AI agent responding to the user, without the user needing to click the malicious link,” the AI security company said. “In this attack, the agent is manipulated to construct a URL that uses an attacker’s domain, with dynamically generated query parameters appended that contain sensitive data the model knows about the user.”
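    As an added defensive example (not code from the article, CNCERT or PromptArmor): an outbound-URL filter an operator could run over an agent's reply before it reaches a chat client that renders link previews. The allowlist, host names and sample reply below are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches http(s) URLs in free text; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed allowlist of domains the operator trusts a link preview to fetch.
ALLOWLIST = {"example.com"}

# Constructed agent reply: one legitimate link and one link of the kind the
# article describes, an attacker host with user data in the query string.
SAMPLE_REPLY = (
    "Summary done. Reference: https://docs.example.com/guide?page=2 "
    "Also see https://collect.attacker-example.net/p?u=alice%40example.com&k=sk-CONSTRUCTED"
)


def host_allowed(host, allowlist):
    """True if host equals an allowlisted domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def check_reply(reply, allowlist):
    """Rewrite URLs in an agent reply before it is sent to a chat client.

    Returns (sanitized_reply, findings). A URL whose host is not allowlisted
    is replaced with a placeholder so the client never fetches a preview for
    it (the preview fetch is the exfiltration channel). An allowlisted URL
    that still carries a query string is kept but reported, since the pattern
    described above hides data in query parameters.
    """
    findings = []

    def rewrite(match):
        url = match.group(0)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not host_allowed(host, allowlist):
            findings.append((url, "host not allowlisted"))
            return "[link removed]"
        if parts.query:
            findings.append((url, "query string on allowlisted host"))
        return url

    return URL_RE.sub(rewrite, reply), findings


if __name__ == "__main__":
    cleaned, notes = check_reply(SAMPLE_REPLY, ALLOWLIST)
    print(cleaned, *[f"{reason}: {url}" for url, reason in notes], sep="\n")
```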

    Besides rogue prompts, CNCERT has also highlighted three other concerns –

    • The possibility that OpenClaw may inadvertently and irrevocably delete critical information due to its misinterpretation of user instructions.
    • Threat actors can upload malicious skills to repositories like ClawHub that, when installed, run arbitrary commands or deploy malware.
    • Attackers can exploit recently disclosed security vulnerabilities in OpenClaw to compromise the system and leak sensitive data.

    “For critical sectors – such as finance and energy – such breaches could lead to the leakage of core business data, trade secrets, and code repositories, or even result in the complete paralysis of entire business systems, causing incalculable losses,” CNCERT added.

    To counter these risks, users and organizations are advised to strengthen network controls, prevent exposure of OpenClaw’s default management port to the internet, isolate the service in a container, avoid storing credentials in plaintext, download skills only from trusted channels, disable automatic updates for skills, and keep the agent up-to-date.

    The development comes as Chinese authorities have moved to restrict state-run enterprises and government agencies from running OpenClaw AI apps on office computers in a bid to contain security risks, Bloomberg reported. The ban is also said to extend to the families of military personnel.

    The viral popularity of OpenClaw has also led threat actors to capitalize on the phenomenon to distribute malicious GitHub repositories posing as OpenClaw installers to deploy information stealers like Atomic and Vidar Stealer, and a Golang-based proxy malware known as GhostSocks using ClickFix-style instructions.

    “The campaign did not target a particular industry, but was broadly targeting users attempting to install OpenClaw with the malicious repositories containing download instructions for both Windows and macOS environments,” Huntress said. “What made this successful was that the malware was hosted on GitHub, and the malicious repository became the top-rated suggestion in Bing’s AI search results for OpenClaw Windows.”



    03/15/2026
  • ISC Stormcast For Wednesday, March 11th, 2026 https://isc.sans.edu/podcastdetail/9844

    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.



    03/14/2026
  • Trump Administration Orders Restart of Pipeline Tied to Major California Oil Spill

    Environmental groups warn using the Defense Production Act to revive the system sets a “radically dangerous precedent.”

    State leaders and environmental advocates responded with outrage after the Trump administration on Friday ordered the restarting of a California pipeline that caused one of the largest oil spills in the state’s history, a move that comes as oil prices have skyrocketed following President Donald Trump’s launching of an illegal war against Iran and Iran’s subsequent closure of the Strait of Hormuz.

    After Trump issued an executive order on Friday authorizing the Department of Energy (DOE) to ramp up oil and gas development under the Defense Production Act, Energy Secretary Chris Wright ordered Sable Offshore Corp. to restart operations on the Santa Ynez Unit and Pipeline System, which include an offshore rig and a network of offshore and onshore pipelines along the Santa Barbara coast. Among them is a pipeline that ruptured in 2015, spilling around 450,000 gallons of oil into Refugio State Beach and killing hundreds of marine mammals and sea birds.

    “Californians have repeatedly rejected dangerous drilling off our coast for decades,” Sen. Alex Padilla (D-Calif.) said in a statement on Saturday. “Now, after dragging the U.S. into a war with Iran and driving up oil prices, the Trump administration is trying to exploit this crisis to further enrich the oil industry at the expense of our communities and our environment.”

    In his statement, Wright emphasized the defense benefits of resuming drilling, arguing that “today’s order will strengthen America’s oil supply and restore a pipeline system vital to our national security and defense, ensuring that West Coast military installations have the reliable energy critical to military readiness.”

    The DOE added that “Sable’s facility can produce approximately 50,000 barrels of oil per day, a 15% increase to California’s in-state oil production, that can replace nearly 1.5 million barrels of foreign crude each month.”

    Yet, far from a novel response to an unexpected emergency, the order is actually an escalation in a preexisting battle between California and the Trump administration over the future of the pipeline system. The state’s Attorney General Rob Bonta sued to stop the administration from a federal takeover of two of the pipelines in January.

    Sable also faces several lawsuits due to its attempts to restart the system after it purchased it from ExxonMobil in 2024, and has not yet cleared all of the state permitting requirements, according to the Center for Biological Diversity.

    “In its latest brazen abuse of power, the Trump administration is attempting to seize exclusive federal control over two of California’s onshore pipelines,” Bonta said on social media Friday evening. “We will not stand by as this administration continues their unlawful all-out assault on California and our coastlines, and we are reviewing all of our legal options.”

    California Gov. Gavin Newsom also spoke out against Wright’s announcement.

    “Trump knew his war with Iran would raise gas prices,” he wrote on social media. “Now he wants to illegally resurrect a pipeline shut down by courts and facing criminal charges. And it won’t even cut prices. I refuse to let Trump sacrifice Californians, our environment, or our $51 billion coastal economy.”

    The Center for Biological Diversity noted that this order would mark the first time the Defense Production Act has been used to force an oil company to restart out-of-use infrastructure and to disregard the state permitting process.

    “This is a revolting power grab by an extremist president. Trump is misusing this Cold War-era law just to help a Texas oil company skirt vital state laws that protect our coastline, and Californians will pay the price,” Talia Nimmer, an attorney for the center, said. “Mandating a restart of these defective oil pipelines won’t curb high gas prices, but it will put coastal wildlife at huge risk of another oil spill. Overriding state law to let an oil company restart pipelines sets a radically dangerous precedent. It’s clear that no state is safe from Trump.”

    The center also promised to push back against the order.

    “Directing a private oil company to push its project through without safety checks and adherence to California laws that keep our coast safe is appalling and illegal,” Nimmer said. “We’re exploring all legal avenues. This dangerous action should be swiftly blocked by the courts.”

    This piece was reprinted by Truthout with permission or license. It may not be reproduced in any form without permission or license from the source.





    03/14/2026