OpenClaw Attack-Defense Lab

Active exploitable vulnerabilities & trojanized skills

Active exploitable vulnerabilities & trojanized skills

Key Questions

What vulnerabilities and attacks are highlighted regarding OpenClaw and LLM agents?

The highlight covers multiple CVEs including CVE-2026-62200 (Git ext transport bypass, CVSS 8.8), command injection, and path traversal flaws in OpenClaw. It also details real-world cases like autonomous AI ransomware (JadePuffer) exploiting Langflow CVE-2025-3248 and post-exploitation after Marimo CVE-2026-39987.

How are trojanized skills and prompt injection threats addressed?

It discusses practical screening of 341 malicious ClawHub plugins, Agent Threat Rules (ATR) with 400+ detection rules, and techniques to bypass ClawHub scanning. Indirect prompt injection via GitHub and self-attack command injection are also covered.

What new tools are introduced for AI agent penetration testing?

VulnClaw is presented as an AI Agent + MCP penetration testing tool adding exploitation capabilities. AgentGG used AI reasoning to find 5 zero-days in OpenClaw, and Sophos X-Ops demonstrated OpenClaw hacking an internal network in 3 hours.

What is the WhatsApp-to-Host attack chain and its impact?

It exploits three OpenClaw flaws (CVSS 8.4-8.8, fixed in v2026.6.6) for full host compromise from WhatsApp without initial foothold, including path traversal bypassing sandbox to read SSH keys and Docker socket.

What warnings are issued about autonomous AI cyberattacks?

Five Eyes warns that the timeline for such threats is months not years, citing the first documented fully autonomous AI ransomware attack using LLM agents with no human in the loop.

Claude scripts for CVE-2025-55182; 360 WebSocket 0Day, DeepSeek-Claw/NemoClaw PoCs. Indirect prompt injection via GitHub; Claw Chain CVEs (CVE-2026-44112 TOCTOU, CVE-2026-44115). Practical screening from 341 malicious ClawHub plugins. Self-attack command injection; Agent 'blackening' case study. Real-world case of LLM agent used for post-exploitation after Marimo CVE-2026-39987 exploit — first documented autonomous AI cyberattack. AI-assisted reverse engineering with OpenClaw + MCP provides practical technique for automating vulnerability research. Agent Threat Rules (ATR) offer 400+ rules for detecting prompt injection and skill compromise. ClawHub scanning bypass techniques enable trojanized skills to evade detection. AgentGG found 5 zero-days in OpenClaw using AI agent reasoning. Skill engineering article frames skills as new attack surface. Sophos X-Ops demo of OpenClaw hacking internal network in 3 hours. Hermes hack demo shows cross-framework attack triggering zero-trust defense. New: VulnClaw — AI Agent + MCP penetration testing tool, adds practical exploitation capability for labs. New: First documented fully autonomous AI ransomware attack (JadePuffer) using LLM agent to exploit Langflow CVE-2025-3248, steal creds, move laterally, encrypt Nacos configs — no human in loop. Five Eyes warns timeline is months, not years. New: WhatsApp-to-Host attack chain using three OpenClaw flaws (command injection, path traversal) — CVSS 8.4-8.8, fixed in v2026.6.6, enables full host compromise from WhatsApp without initial foothold. Path traversal bypasses sandbox bind mounts to read SSH keys, AWS creds, Docker socket. New: CVE-2026-62200 — Git ext transport authentication bypass in OpenClaw <2026.6.1, CVSS 8.8, low-privilege to root, expands lateral movement surface.

Sources (3)
Updated Jul 18, 2026
What vulnerabilities and attacks are highlighted regarding OpenClaw and LLM agents? - OpenClaw Attack-Defense Lab | NBot | nbot.ai