[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders, Leaders, and Decision Makers.
[00:06] Aaron Cole: Welcome to Prime Cyber Insights.
[00:09] Aaron Cole: We begin today with a critical security alert for practitioners deploying local AI agents,
[00:15] Aaron Cole: specifically within the OpenClaw ecosystem.
[00:18] Lauren Mitchell: Earlier this week, Oasis Security disclosed a high-severity flaw dubbed Clawjacked.
[00:24] Lauren Mitchell: It allows a malicious website to connect to a locally running OpenClaw gateway via WebSockets,
[00:30] Lauren Mitchell: essentially bypassing cross-origin protections to take full administrative control of the agent.
[00:37] Aaron Cole: Joining us today is Chad Thompson, a director-level AI and security leader with a systems-level focus on automation,
[00:43] Aaron Cole: enterprise risk, and operational resilience.
[00:46] Aaron Cole: Chad, welcome to the briefing.
[00:47] Chad Thompson: Thanks, Aaron.
[00:49] Chad Thompson: When we look at Clawjacked, the real concern isn't just the WebSocket bypass.
[00:54] Chad Thompson: It's the blast radius.
[00:57] Chad Thompson: These agents aren't just chatbots.
[00:59] Chad Thompson: They have entrenched access to enterprise tools and the authority to execute tasks.
[01:06] Chad Thompson: If the gateway relaxes security for local connections, which this flaw exploited,
[01:12] Chad Thompson: the barrier between a malicious browser tab and your internal infrastructure effectively disappears.
[01:21] Lauren Mitchell: Chad, you mentioned the blast radius.
[01:24] Lauren Mitchell: How should practitioners be thinking about these non-human
[01:28] Lauren Mitchell: or agentic identities compared to traditional service accounts?
[01:32] Chad Thompson: The scale is the differentiator, Lauren.
[01:35] Chad Thompson: Traditional service accounts have limited scopes,
[01:38] Chad Thompson: but OpenClaw agents are often designed to read logs,
[01:42] Chad Thompson: Slack messages, and emails.
[01:45] Chad Thompson: If an agent can be manipulated via indirect prompt injection,
[01:50] Chad Thompson: like the log poisoning issue fixed earlier in February,
[01:55] Chad Thompson: you're looking at an attacker who can influence the agent's reasoning process
[02:00] Chad Thompson: without ever touching the core code.
[02:04] Aaron Cole: And the supply chain seems equally compromised.
[02:07] Aaron Cole: We're seeing reports of malicious skills on ClawHub.
[02:11] Aaron Cole: Chad, how does that change the threat model for a security team?
[02:15] Chad Thompson: It adds a social engineering layer directed at the agents themselves.
[02:19] Chad Thompson: We've seen threat actors like Bob von Neumann promoting malicious skills to other agents on social networks.
[02:28] Chad Thompson: It's an agent-to-agent attack chain.
[02:32] Chad Thompson: Security teams can't just audit human users anymore.
[02:36] Chad Thompson: They have to audit the skills and integrations the agents are pulling from these third-party marketplaces.
[02:44] Lauren Mitchell: Thanks for that perspective, Chad.
[02:46] Lauren Mitchell: Aaron, it's clear that the fix released on February 26th, version 2026.2.25, is mandatory.
[02:54] Lauren Mitchell: But the sheer volume of CVEs patched this year suggests a framework that's still maturing under heavy fire.
[03:01] Aaron Cole: Exactly, Lauren.
[03:02] Aaron Cole: Beyond Clawjacked, we've seen everything from server-side request forgery to remote code execution.
[03:09] Aaron Cole: Trend Micro has even flagged campaigns where Atomic Stealer is being delivered through legitimate-looking skills.
[03:16] Aaron Cole: This isn't just a vulnerability problem; it's a platform integrity crisis.
[03:21] Lauren Mitchell: The takeaway for our listeners is direct.
[03:24] Lauren Mitchell: Update to the latest version immediately, but more importantly, start auditing the specific
[03:30] Lauren Mitchell: permissions granted to these AI agents.
[03:33] Lauren Mitchell: If they don't need access to local logs or terminal commands, strip it away.
[03:38] Aaron Cole: That concludes our briefing for today.
[03:41] Aaron Cole: We will continue to track the evolution of agentic AI security as these frameworks move into
[03:48] Aaron Cole: deeper enterprise integration.
[03:50] Lauren Mitchell: Thank you for joining us in the briefing room.
[03:53] Lauren Mitchell: For more technical deep dives, visit pci.neuralnewscast.com.
[03:59] Lauren Mitchell: This program is for informational purposes and does not constitute professional advice.
[04:05] Lauren Mitchell: Neural Newscast is AI-assisted, human-reviewed.
[04:09] Lauren Mitchell: View our AI transparency policy at neuralnewscast.com.
[04:14] Announcer: This has been Prime Cyber Insights on Neural Newscast.
[04:18] Announcer: Intelligence for Defenders, Leaders, and Decision Makers.
[04:21] Announcer: Neural Newscast uses artificial intelligence in content creation,
[04:25] Announcer: with human editorial review prior to publication.
[04:28] Announcer: While we strive for factual, unbiased reporting,
[04:31] Announcer: AI-assisted content may occasionally contain errors.
[04:34] Announcer: Verify critical information with trusted sources.
[04:37] Announcer: Learn more at neuralnewscast.com.