On the Security of OpenClaw and Other Agents

Artificial IntelligenceAgentic AISecurity
Written By Polyfortech

I feel duty-bound to communicate this to my network.  Classic attack vectors are being used in the Agentic AI domain and if you don’t know what you’re doing you could ruin your life or your organization.  

Vibe coding and agents are great.  They are immensely powerful tools.  However, just like any other tool like a circular saw or a nail gun, unless you have been trained on how to operate them safely, it’ll be all fun and games until someone gets seriously hurt.  For those of you who think, “Who needs professional IT people anymore with vibe coding and agents”,  us professional IT folk can’t help but facepalm when we hear time and time again that a vibe-coded application left the database open to the public, like Tea - The Dating Safety App for Women, or how a coding agent recursively deleted someone's root drive. 

If you’re not a trained professional, these tools are a loaded gun waiting for negligent discharge.  Instead of getting rid of your IT people in favor of AI, you should be asking your IT people to review and safely leverage AI tools as a force multiplier for your business objectives.

Anyway….rant over…more to the point….

There’s this wonderfully awesome but also horrible thing called OpenClaw (formerly MoltBot, formerly ClawdBot).  It is an agent you run, and you give it the keys to your kingdom, personal or professional and it goes and does things for you.

People and/or organizations are giving OpenClaw database credentials, bank account passwords, social security numbers, and plenty more sensitive information and having this thing help them run their life or business.

For those of you who watched Andy Griffith after “Uncle” Bob’s The Price is Right when you were home sick from school this will ring true:

There is a reason Andy carried only a single handgun, and an even bigger reason Barney Fife was only given a single bullet. 

Some folks are out there giving an artificial Barney access to an entire personal amory filed with bank account access, passport numbers, SSNs and all manner of things you would want to keep close to the chest.

I just watched a video posted by one of my favorite YouTubers, ThePrimeagen (link to the video below), in which he calls out how a handful of ways that attackers can use classic venerability tactics to take over your agent or trick your agent into making calls you never intended.

For those who don’t know, OpenClaw has a skill hub.  A marketplace for agent skills.  A skill is simply a Markdown file (.md) that provides extra context to the agent so you don’t have to continually reiterate it in your prompts.

Seems safe right?  It is just Markdown.  It is not executable code.

Wrong…

Agents read and interpret the Markdown files, and act based on their instructions.  

“Ok so we just won’t download any skills from skills hub that list any commands in their Markdown.”

Wrong again….

Plenty of modem Markdown interpreters will read and render HTML.  What happens when there is an HTML comment?  The interpreter doesn’t render it. Attackers are hiding malicious code and commands in HTML comments in skills.  You may not see it rendered in the skill hub’s UI, but it is most definitely being read by your agent after you download.

This to me seems to be like a modern Dependency Confusion, SQL Injection/Stored Cross-site-scripting/Typo-squating attack.

There is another attack vector where attackers are researching most commonly hallucinated cli commands.  Apparently a common one is something to the tune of “npx react-codeshift…..  --dir <project-root>”.  What attackers are doing is “backfilling” these commands to now seem so that their malicious action is now a legitimate part of a npm user’s npm installation.  Your agent, or you executes the seemingly innocent but malicious command and now off a sudden they could have access to your root system, api keys, etc.

This is eerily similar to a DNS Hijacking or subdomain takeover attack with some elements of typo-squatting mixed in.  In reality it is considered a software supply chain attack but it is very reminiscent of the former.  YouTuber NetworkChuck has a great video on how these attacks are performed.  Link below.

Unfortunately unlike DNS, where the domain is narrow enough we’ve developed tools to defend against this (hello DNSSEC), with this agnetic version of the attack the number of remote runners is seemingly limitless.  There is npx, pipx, and for my fellow Rust devs, our beloved cargo could fall prey to this and many more.

There are probably many ways to reduce the risk.  Like using OpenClaw with no or entirely homegrown skills and possibly inside containers, but none of it is fool-proof.

Also, don’t get me wrong I don’t want to come off like I’m blaming OpenClaw.  At the end of the day it is a tool.  Any person should know how to safely handle and control their tools.  You wouldn’t trust a bow saw to just magically stop when it gets to your finger. You would stop it yourself!

Please watch the videos, these fellows can communicate how to explain these concepts in a way just about everyone can understand.

And by no means is this intended as a sales pitch but if you’d like to chat about how my organization can help you secure your IT environment and/or start exploring AI tooling SAFELY

Schedule some time with me.

I’d love to hear from you.

If not, at least educate yourself and scrutinize everything your tools are doing.

Calendar link in the comments.

 * * THIS POST WAS NOT AI GENERATED…WELL THE IMAGE WAS TO CONVEY A POINT

DNS Subdomain Takeover by NetworkChuck:

https://www.youtube.com/watch?v=GH6O3oBZLK8

ThePrimeagen Skill Issue Video: 

https://youtu.be/Y2otN_NY75Y?si=8nj0iifuHEkHJHhL 

Book time with me:

https://book.polyfortech.com

Polyfortech https://polyfortech.com
Next

Scalpels and Servers: What Grey’s Anatomy Can Teach Us About Application Migration