Hidden commands and phishing emails: researchers demonstrate two attack paths against OpenClaw AI agent

Two security research teams have published separate attacks against OpenClaw, the popular self-hosted AI agent platform, demonstrating that malicious instructions hidden inside shared contacts, vCards, and plain emails can drive the agent to run attacker-controlled code or hand over sensitive data without the victim ever seeing the prompt.

Imperva researcher Yohann Sillam found that when OpenClaw flattens message objects into the prompt text for the large language model, it does not mark the content as untrusted. A shared contact name containing angled brackets is serialized as and the model cannot distinguish the end of the real name from an injected instruction. In tests against Gemini 3.1 Pro, the hidden text told the agent to download and run a script. It did. The fix shipped in OpenClaw 2026.4.23 moves contact names, vCard fields, and location labels out of the prompt body into an untrusted metadata channel.

Agent phishing works where technical defenses hold

Varonis Threat Labs built a test agent named Pinchy on OpenClaw, wired it to a Gmail inbox stocked with synthetic business data, and ran four phishing simulations on both Gemini 3.1 Pro and OpenAI Codex GPT-5.4. The agent failed both exfiltration tests. A message posing as a team lead named Dan, sent from an outside Gmail address, asked for staging access during a fake production incident. Pinchy found credentials and forwarded mock AWS IAM keys, database strings, and SSH credentials in plaintext. A second request for a weekly customer export shipped a synthetic dataset of 247 enterprise customers, contacts, and contract values.

Both failures happened under a strict profile that told the agent to verify senders first. The rule existed. Urgency beat it once, routine beat it the second time. The agent did better on technical threats: it flagged a gift-card phishing page, blocked a malicious OAuth consent screen dressed as a timesheet app, and stopped before granting access.

Underlying weakness spans multiple platforms

Imperva found the same flattening pattern in other personal AI assistants, so the problem is not OpenClaw alone. The Varonis attacks map onto what security researcher Simon Willison calls the lethal trifecta: an agent that can read private data, take in untrusted content, and send data back out. OpenClaw has all three.

A single widely shared contact carrying a hidden instruction could quietly compromise multiple agents if they are not sandboxed, Imperva warns. Varonis says the social judgment gap means agent phishing will persist even as technical attacks get patched. Varonis lead researcher Itay Yashar told The Hacker News the agent drive to be helpful is the attack surface.

OpenClaw users should update to version 2026.4.23 to address the message-object injection. The broader defense against agent phishing, researchers say, requires limiting what an agent can do autonomously and adding human approval gates for outbound data transfers.