Two simple words bypass the security system of the corporate agent.
A common letter, contact in the messenger or a mark on the map may look harmless, but for an AI agent with access to mail, files and commands, such input turns into a direct road to other people's data. Two teams of specialists showed separately how the popular independently placed AI-Agent OpenClaw can be forced to execute someone else’s code or send confidential information outside the company.
Imperva experts found a vulnerability in how OpenClaw transfers the language model data from messages. The agent turned the general contact, the calling card or geotag in the ordinary text and inserted it directly into the query to the model, without specifying such data as unbelieved. As a result, the attacker could hide the command inside the name of the contact, the full name field in the business card or signature to the place on the map.
This technique is especially dangerous that the victim does not see harmful instructions. In WhatsApp and in the receiving application, the long contact name is trimmed on the screen, and the model receives the hidden part as a whole. In the Imperva vs Gemini 3.1 Pro tests, the hidden command forced the agent to download and run the script from the server that was controlled by specialists.
Imperva warned that with OpenClaw memory, one widely distributed contact or an object with nested instructions could theoretically infect agents that will process such input. OpenClaw developers have fixed the problem in version 2026.4.23. Now the names of contacts, the fields of business cards and signatures to geotags are transmitted through a separate channel of untrusted metadata, and do not mix with the main text of the request. Those who use OpenClaw need to upgrade to version 2026.4.23 or newer.
Varonis Threat Labs checked OpenClaw from the other side. The team created the Pinchy test agent, connected it to the Gmail mailbox with plausible but artificial business data and conducted four phishing tests on the Google Gemini 3.1 Pro and OpenAI Codex GPT-5.4. Experts called such a scenario as an agent phishing: the attacker does not hide commands in the data, but sends a convincing request through the usual channel, hoping that the agent will begin to act earlier than he checks the sender.
In two cases, the agent failed the test. First, a letter on behalf of the team leader sent from the Gmail address asked for access for an alleged urgent incident on the work system. Pinchy found the account and sent AWS IAM test keys, a database connection string and data for SSH. The agent then received a routine request to unload client data weekly for the presentation and sent a synthetic set of 247 corporate clients, contacts and contract amounts.
Both failures occurred even with strict settings, where the agent was directly ordered to check the sender first. In one case, the pressure of urgency worked, in another, on the contrary, the everyday tone of the letter. The agent recognized the technical traps better: a suspicious page with gift cards he eventually marked as dangerous, and the malicious screen for issuing permits through OAuth stopped after checking the address of the redirect.
Varonis makes an unpleasant conclusion from the tests: an AI agent can better notice bad links and fake entry pages, but he feels the social context worse. The desire to help becomes part of the attack. According to Varonis, OpenAI Codex GPT-5.4 carefully sent data to external sites without confirmation than the Gemini 3.1 Pro, but both variants of the model succumbed to convincing business requests.
The total cause of two attacks is one. OpenClaw simultaneously reads closed data, accepts untrusted input and is able to send information outward. In such a bundle, poisonous contact and friendly writing lead to one result, because the agent’s rights become the rights of the attacker. Varonis compares both attacks with what Simon Willison calls the “lethal triad.”
A similar problem was manifested in the OpenClaw extensions for messengers. A separate analysis of InfoSec Write-ups found five vulnerabilities in the channels of Slack, Discord, Matrix, Zalo and Microsoft Teams. In each case, the list of authorized users was checked by the changed displayed name, and not by a stable identifier. The attacker could be renamed a trusted user and be able to control the agent. These errors have already been corrected.
OpenClaw provides wide access to files, command shells and more than 20 messaging platforms, so the price of the error is high. The Dutch Personal Data Protection Authority has previously taken a tough stance and advised users and organizations not to run OpenClaw on sensitive information systems, pointing to the risk of leaks and account capture.
One update in such a situation is not enough. Correcting version 2026.4.23 closes a specific error with message objects, but phishing attacks through conventional emails require a different architecture. The agent should not be given the right to write to unfamiliar addresses for the first time without the approval of a person. Access to connected services should depend on where the task came from. The mailbox that accepts external letters should not simultaneously open the entire client base to the agent. High-risk actions should be awaiting manual confirmation – for example, when the agent forwards the credentials or conducts financial transactions.
Both teams come to the same idea that an AI agent with access to systems cannot be considered an independent protective tool. Without restrictions, he is more like a junior employee with greater rights, a strong desire to help and a weak flair on strange requests. So far, there is no universal solution for such a model, so the owners of OpenClaw remain updated, isolation, strict rights and mandatory confirmation of dangerous actions by a person.
A common letter, contact in the messenger or a mark on the map may look harmless, but for an AI agent with access to mail, files and commands, such input turns into a direct road to other people's data. Two teams of specialists showed separately how the popular independently placed AI-Agent OpenClaw can be forced to execute someone else’s code or send confidential information outside the company.
Imperva experts found a vulnerability in how OpenClaw transfers the language model data from messages. The agent turned the general contact, the calling card or geotag in the ordinary text and inserted it directly into the query to the model, without specifying such data as unbelieved. As a result, the attacker could hide the command inside the name of the contact, the full name field in the business card or signature to the place on the map.
This technique is especially dangerous that the victim does not see harmful instructions. In WhatsApp and in the receiving application, the long contact name is trimmed on the screen, and the model receives the hidden part as a whole. In the Imperva vs Gemini 3.1 Pro tests, the hidden command forced the agent to download and run the script from the server that was controlled by specialists.
Imperva warned that with OpenClaw memory, one widely distributed contact or an object with nested instructions could theoretically infect agents that will process such input. OpenClaw developers have fixed the problem in version 2026.4.23. Now the names of contacts, the fields of business cards and signatures to geotags are transmitted through a separate channel of untrusted metadata, and do not mix with the main text of the request. Those who use OpenClaw need to upgrade to version 2026.4.23 or newer.
Varonis Threat Labs checked OpenClaw from the other side. The team created the Pinchy test agent, connected it to the Gmail mailbox with plausible but artificial business data and conducted four phishing tests on the Google Gemini 3.1 Pro and OpenAI Codex GPT-5.4. Experts called such a scenario as an agent phishing: the attacker does not hide commands in the data, but sends a convincing request through the usual channel, hoping that the agent will begin to act earlier than he checks the sender.
In two cases, the agent failed the test. First, a letter on behalf of the team leader sent from the Gmail address asked for access for an alleged urgent incident on the work system. Pinchy found the account and sent AWS IAM test keys, a database connection string and data for SSH. The agent then received a routine request to unload client data weekly for the presentation and sent a synthetic set of 247 corporate clients, contacts and contract amounts.
Both failures occurred even with strict settings, where the agent was directly ordered to check the sender first. In one case, the pressure of urgency worked, in another, on the contrary, the everyday tone of the letter. The agent recognized the technical traps better: a suspicious page with gift cards he eventually marked as dangerous, and the malicious screen for issuing permits through OAuth stopped after checking the address of the redirect.
Varonis makes an unpleasant conclusion from the tests: an AI agent can better notice bad links and fake entry pages, but he feels the social context worse. The desire to help becomes part of the attack. According to Varonis, OpenAI Codex GPT-5.4 carefully sent data to external sites without confirmation than the Gemini 3.1 Pro, but both variants of the model succumbed to convincing business requests.
The total cause of two attacks is one. OpenClaw simultaneously reads closed data, accepts untrusted input and is able to send information outward. In such a bundle, poisonous contact and friendly writing lead to one result, because the agent’s rights become the rights of the attacker. Varonis compares both attacks with what Simon Willison calls the “lethal triad.”
A similar problem was manifested in the OpenClaw extensions for messengers. A separate analysis of InfoSec Write-ups found five vulnerabilities in the channels of Slack, Discord, Matrix, Zalo and Microsoft Teams. In each case, the list of authorized users was checked by the changed displayed name, and not by a stable identifier. The attacker could be renamed a trusted user and be able to control the agent. These errors have already been corrected.
OpenClaw provides wide access to files, command shells and more than 20 messaging platforms, so the price of the error is high. The Dutch Personal Data Protection Authority has previously taken a tough stance and advised users and organizations not to run OpenClaw on sensitive information systems, pointing to the risk of leaks and account capture.
One update in such a situation is not enough. Correcting version 2026.4.23 closes a specific error with message objects, but phishing attacks through conventional emails require a different architecture. The agent should not be given the right to write to unfamiliar addresses for the first time without the approval of a person. Access to connected services should depend on where the task came from. The mailbox that accepts external letters should not simultaneously open the entire client base to the agent. High-risk actions should be awaiting manual confirmation – for example, when the agent forwards the credentials or conducts financial transactions.
Both teams come to the same idea that an AI agent with access to systems cannot be considered an independent protective tool. Without restrictions, he is more like a junior employee with greater rights, a strong desire to help and a weak flair on strange requests. So far, there is no universal solution for such a model, so the owners of OpenClaw remain updated, isolation, strict rights and mandatory confirmation of dangerous actions by a person.
