Prompt-Injection

If your team is running AI agents in production — or planning to — the security conversation can no longer be deferred. The OWASP Agentic AI Top 10 and Bright Security’s companion MCP AppSec playbook, both published this week, give security and engineering teams the most complete picture yet of what can go wrong when you hand autonomous agents real credentials and real access. This isn’t theoretical. These are attack patterns being actively exploited in early production deployments right now. ...

If you’re running AI agents in production and they have access to real tools — file systems, APIs, databases, external services — you have a security problem you may not have fully reckoned with yet. The problem: agents are not sandboxed by default. An agent that gets fed a malicious prompt (prompt injection), hallucinates a destructive command, or malfunctions can do real damage to your host system, your connected services, or your data. And most agent frameworks, even the good ones, don’t enforce OS-level isolation between the agent process and the machine it’s running on. ...

If you’re running a self-hosted OpenClaw instance — and odds are you are, given the platform’s explosive growth — today’s news from China’s National Computer Network Emergency Response Technical Team (CNCERT) is a wake-up call you shouldn’t scroll past. CNCERT has officially warned that OpenClaw’s default security configurations are dangerously weak, and the numbers behind that warning are staggering: over 135,000 public instances running with zero authentication. Two active CVEs. And a Chinese government ban on OpenClaw deployments in government systems. ...

The attack is elegant in a disturbing way. An adversary doesn’t need to breach your AI infrastructure, compromise your API keys, or exploit a software vulnerability. They just need to get your AI agent to read a web page they control — and then they’re driving. Indirect Prompt Injection (IDPI) is the attack technique where malicious instructions are embedded in content that an AI agent processes: web pages, documents, calendar entries, emails. When the agent reads that content, it encounters instructions that override or subvert its intended behavior. The content tells the agent what to do, and the agent, trained to follow instructions, complies. ...

Indirect Prompt Injection (IDPI) is now confirmed in-the-wild by Palo Alto Unit 42. Adversaries are embedding hidden instructions in web pages and documents to hijack AI agents — and OpenClaw’s browser and research agents are high-value targets. This guide walks through concrete hardening steps you can apply to your OpenClaw deployments today. Prerequisites OpenClaw installed and configured (any recent version) At least one agent with web browsing or document processing capability Basic familiarity with OpenClaw’s skill and session configuration Step 1: Audit Your Agent Attack Surface Before hardening anything, map your exposure. For each agent you run: ...

Researchers at Palo Alto Networks’ Unit 42 have published documentation of real-world indirect prompt injection attacks — and this is one of those security stories that deserves more attention from the AI builder community than it’s currently getting. The attack is conceptually simple and practically dangerous: a malicious actor embeds hidden instructions in a website’s content. When an AI agent browses that page as part of an automated task, it reads the hidden instructions and executes them — without the user ever seeing what happened. ...

Zenity Labs published a full disclosure today of PerplexedAgent — a zero-click attack chain targeting Perplexity’s Comet agentic browser. The technique requires no user interaction beyond opening a calendar invite. From there, an attacker can hijack the browser, exfiltrate local files, and steal credentials stored in password managers including 1Password. Perplexity has shipped two patches in response (both in February 2026). But Zenity’s disclosure goes beyond a single product vulnerability — the researchers are warning that the attack surface they found is inherent to the agentic browser category, not unique to Comet. ...