Security

Researchers at Palo Alto Networks’ Unit 42 have published documentation of real-world indirect prompt injection attacks — and this is one of those security stories that deserves more attention from the AI builder community than it’s currently getting. The attack is conceptually simple and practically dangerous: a malicious actor embeds hidden instructions in a website’s content. When an AI agent browses that page as part of an automated task, it reads the hidden instructions and executes them — without the user ever seeing what happened. ...

⚠️ Safety Warning: If you installed OpenClaw recently and did not download it from the official source at openclaw.ai or the verified GitHub organization, your system may be compromised. Read this article in full before continuing to use the installation. OpenClaw’s explosive growth has made it an irresistible target for threat actors. Researchers at Huntress have uncovered an active campaign using malicious OpenClaw installers hosted on GitHub — and critically, those fake installers were being actively surfaced by Bing AI’s search results, dramatically expanding their potential victim pool. ...

If you’ve deployed OpenClaw agents with MCP server integrations, there’s a good chance your agents have more access than you realize — and your audit logs are hiding it. Security researchers call it the “god key” problem, and it’s a genuine architectural gap in how most teams are running MCP today. Here’s what it is, why it matters, and how to fix it. What Is the MCP God Key Problem? Model Context Protocol (MCP) servers act as bridges between your AI agents and external tools — databases, file systems, APIs, SaaS platforms. The problem is how credentials flow through that bridge. ...

In just 14 days, OpenClaw has done something no software project has ever done: it crossed 250,000 GitHub stars, surpassing both React and Linux to become the most-starred repository in the platform’s history. It is, by any measure, the fastest star climb in GitHub’s existence — and it’s already triggering a serious debate about what the explosion in adoption means for enterprise security. The Numbers That Broke Records Let’s put this in context. React — Facebook’s UI library — took years to accumulate its star count. Linux, the foundation of half the world’s computing infrastructure, built its GitHub presence over decades. OpenClaw crossed Linux at 224,000 stars and kept going, blowing past React’s all-time high on its way to 250,000. ...

Zenity Labs published a full disclosure today of PerplexedAgent — a zero-click attack chain targeting Perplexity’s Comet agentic browser. The technique requires no user interaction beyond opening a calendar invite. From there, an attacker can hijack the browser, exfiltrate local files, and steal credentials stored in password managers including 1Password. Perplexity has shipped two patches in response (both in February 2026). But Zenity’s disclosure goes beyond a single product vulnerability — the researchers are warning that the attack surface they found is inherent to the agentic browser category, not unique to Comet. ...

A critical vulnerability in ModelScope’s MS-Agent framework — now officially tracked as CVE-2026-2256 — allows an attacker to achieve full system compromise through code injection via an AI agent’s prompt pipeline. If you’re running MS-Agent v1.6.0rc1 or earlier in any deployment, this is a drop-everything patch situation. The vulnerability was disclosed today by multiple security outlets, with full CVE record details confirmed by SecurityWeek, GBHackers, CyberPress, and OffSeq Threat Radar. ...

The ClawJacked vulnerability allowed malicious websites to brute-force OpenClaw’s local WebSocket gateway and silently gain admin control over your AI agents. The patch is out — but patching alone isn’t enough if your gateway is still misconfigured. This guide walks you through verification and hardening. Time required: 10–15 minutes Difficulty: Beginner–Intermediate Prerequisites: OpenClaw installed and running locally Step 1: Check Your OpenClaw Version The ClawJacked fix shipped in the latest OpenClaw release. First, confirm what version you’re running. ...

If you run OpenClaw on your local machine, here’s your mandatory security update for the week: a vulnerability named ClawJacked was quietly exploiting a gap in the local gateway WebSocket handshake — and yes, a malicious website could have used it against you while you were browsing with OpenClaw running in the background. The patch is out. Here’s what happened and what you need to do. What Is ClawJacked? ClawJacked is the name given to a class of attack discovered by Oasis Security that targets OpenClaw’s local gateway server — the WebSocket service that runs on localhost to connect your browser to your AI agents. ...

If you’ve been running OpenClaw on your host machine and quietly wondering what happens if an agent goes sideways, NanoClaw is the answer you’ve been looking for. This guide walks you through the basics of setting up NanoClaw — the new containerized OpenClaw alternative from Gavriel Cohen — so your agents run with minimal permissions and your host system stays protected. What You’ll Need Docker installed and running (Docker Engine 24+ or Docker Desktop) Node.js 18+ (for the NanoClaw CLI) An existing OpenClaw config or familiarity with SOUL.md/USER.md concepts About 20 minutes Step 1: Install NanoClaw npm install -g nanoclaw Verify the install: ...

The Summer Yue inbox-deletion incident. The OpenClaw WebSocket zero-click vulnerability. A series of agent sandboxing failures that made headlines through late 2025 and into 2026. These weren’t edge cases — they were warnings. Gavriel Cohen, a software engineer based in Israel, has been paying attention. Today, he’s shipping an answer: NanoClaw, a containerized OpenClaw alternative that puts security architecture first, not as an afterthought. What Is NanoClaw? NanoClaw is an open-source agent platform inspired by OpenClaw — but built from the ground up to run agents inside Docker containers with minimal permissions. The design philosophy is simple: agents shouldn’t have access to more of your system than they actually need to do their jobs. ...