Full Report
Skills marketplace is full of stuff - like API keys and credit card numbers - that crims will find tasty Another day, another vulnerability (or two, or 200) in the security nightmare that is OpenClaw.…
Analysis Summary
# Vulnerability: Multiple Security Flaws in OpenClaw Ecosystem (Credential Leaks & Indirect Prompt Injection leading to Backdoors)
## CVE Details
- CVE ID: Not explicitly provided in the article for the distinct vulnerabilities discussed.
- CVSS Score: Not explicitly provided.
- CWE: Related to Improper Input Validation and Use of Hard-coded Credentials (for the skill flaws), and potentially Improper Neutralization of Special Elements used in an OS Command ('Command Injection') where the C2 beacon execution succeeds.
## Affected Systems
- Products: OpenClaw (AI agent platform), ClawHub marketplace (Agent Skills registry).
- Versions: Not specified for the core platform; the one specific vulnerable skill named is the `buy-anything` skill (v2.0.0).
- Configurations: Any OpenClaw instance utilizing vulnerable/malicious skills from the ClawHub marketplace, or any instance integrated with third-party productivity tools (e.g., Google Workspace, Slack).
## Vulnerability Description
The OpenClaw ecosystem is affected by two primary classes of vulnerabilities:
1. **Credential Exposure via Agent Skills:** Approximately 283 skills (7.1% of the registry) found in ClawHub are flawed. They mishandle secrets referenced in their `SKILL.md` instructions. This causes sensitive data—including API keys, passwords, and credit card numbers—to be passed through the LLM's context window and dumped into plaintext application logs or exposed to model providers (like OpenAI/Anthropic). A specific "buy-anything" skill (v2.0.0) was noted for exfiltrating tokenized credit card details.
2. **Indirect Prompt Injection leading to Backdoors:** Researchers demonstrated that malicious skills or content (e.g., in a Google Doc) can contain indirect prompt injection payloads. These payloads exploit the AI agent's integrations with external tools (like Slack or Google Workspace). The attack leads to the agent executing unauthorized setup commands, such as creating an integration with an attacker-controlled Telegram bot. Once the channel is established, the attacker can issue commands to the agent to steal files, exfiltrate data, download and execute C2 beacons (like Sliver), and ultimately take over the user's machine.
## Exploitation
- Status: PoC available (Zenity demonstrated the indirect prompt injection attack). Vulnerable skills are available in the ClawHub marketplace.
- Complexity: **Medium** (Requires leveraging existing integrations or deploying a malicious skill).
- Attack Vector: Network (via marketplace download/content delivery) leading to Local execution/control.
## Impact
- Confidentiality: **High** (Exfiltration of API keys, passwords, credit card numbers, documents, enterprise chat history).
- Integrity: **High** (Ability to perform destructive operations, execute arbitrary code via C2 beacon, and deploy ransomware).
- Availability: **High** (Ability to delete user files and potentially disrupt services through lateral movement).
## Remediation
### Patches
- No specific OpenClaw platform version patch information was provided in the source material. Users must rely on developer notification or withdrawal of vulnerable skills.
### Workarounds
- **Skill Auditing:** Immediately audit all installed and running agent skills for adherence to secure secret handling practices. Remove or isolate suspicious skills.
- **Restrict Integrations:** Review and limit third-party tool integrations (Google Workspace, Slack, etc.) for the OpenClaw instance until platform security is assured.
- **Credential Handling Policy:** Enforce policies preventing the direct inclusion of secrets (API keys, CC numbers) in prompts or configuration files consumed by agents, especially those using external LLM providers.
- **Log Monitoring:** Increase scrutiny on application logs for unexpected plain-text credential dumps or repeated requests for session history/logs.
## Detection
- Indicators of Compromise:
  - Unexpected creation of new external integrations (e.g., an unknown Telegram bot connection established by the agent).
  - Agent activity attempting to access or send data to external servers not explicitly authorized for its function.
  - Plaintext secrets (API keys, CC numbers) appearing in system or application logs associated with OpenClaw processes.
- Detection Methods and Tools: Static analysis of `SKILL.md` files for known problematic instructions related to memory handling or logging. Network-level monitoring for unauthorized egress traffic from the agent runtime environment.
## References
- Vendor Advisories: The article notes that The Register reached out to OpenClaw and developer Peter Steinberger but received no immediate response at the time of publishing.
- Relevant links (defanged):
  - snyk.io/blog/openclaw-skills-credential-leaks-research/
  - snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/
  - youtube.com/watch?v=jvlbhm2uSJ8&t=1s
  - labs.zenity.io/p/openclaw-or-opendoor-indirect-prompt-injection-makes-openclaw-vulnerable-to-backdoors-and-much-more