🐯虎嗅•Stalecollected in 8m
OpenClaw Agents Fall to Prompt Injections

💡OpenClaw's wild prompt hacks & real breaches—fix before your agent flips.
⚡ 30-Second TL;DR
What Changed
Northeastern lab's paper shows OpenClaw agents bomb mail systems, leak SSNs via verb tricks.
Why It Matters
Exposes agent security gaps as Chinese adoption booms, urging safeguards amid hype-driven risks.
What To Do Next
Add command whitelists and config hash checks to your OpenClaw deployment now.
Who should care:Developers & AI Engineers
🧠 Deep Insight
Web-grounded analysis with 4 cited sources.
🔑 Enhanced Key Takeaways
- •OpenClaw evolved through three name changes from Clawdbot to Moltbot to OpenClaw, amassing 142,000+ GitHub stars and 2 million weekly visitors while focusing on local deployment for data sovereignty.[1]
- •During China's 2026 National Two Sessions, 360 Group's Zhou Hongyi announced plans for a one-click installation version of OpenClaw to simplify deployment as a personal PC assistant.[2]
- •Australian firm Dvuln demonstrated rapid theft of users' API keys and sensitive data via OpenClaw's default settings, prompting South Korean tech firms to ban it in offices.[2]
- •OpenClaw's 'Crab Ability Ranking' benchmark, released March 9, 2026, showed Claude family models achieving over 90% success in coding tasks, outperforming GPT-5.2 at 65.6%.[4]
📊 Competitor Analysis▸ Show
| Feature | OpenClaw | Copaw (Alibaba) |
|---|---|---|
| Pricing | Free, open-source, local models | Free setup with local models like Qwen 3.5, GLM 4.7 [3] |
| Benchmarks | Claude models >90% in Crab Ranking; vulnerable to injections [4] | Claims superior stability, fewer breaks than OpenClaw; advanced autonomous features [3] |
| Key Features | Multi-platform (WhatsApp, etc.), PDF tool, high token costs [1][3] | Runs 24/7, document reading, external tool integration [3] |
🛠️ Technical Deep Dive
- •Local deployment on laptop/homelab/VPS with multi-platform support (WhatsApp, Telegram, Slack, Google Chat, Twitch, Feishu) and 34 security commits against prompt injection.[1]
- •Built-in PDF tool for reading, analyzing, and working with documents; supports providers like Anthropic and Google.[3]
- •High token costs 10-100x standard LLMs due to agent execution; workflow automation includes email scheduling, OCR extraction, spreadsheet population for ESG tasks.[1]
- •Crab Ranking evaluates coding success rates: Claude Sonnet4.5, Haiku4.5, Opus4.6 >90%; uses automated code checking + LLM review.[4]
🔮 Future ImplicationsAI analysis grounded in cited sources
OpenClaw deployment costs will drop significantly by 2027
Academician Wang Jian predicted cost reductions with tech iteration enabling full industry penetration.[2]
Regulatory bans on vulnerable agents like OpenClaw will expand beyond South Korea
MIIT monitoring and Dvuln tests highlight high risks under default settings, triggering industry warnings.[2]
Claude models will dominate OpenClaw coding benchmarks through 2026
Crab Ranking shows Claude family exceeding 90% success rates, far above GPT-5.2 and others.[4]
⏳ Timeline
2025-12
Initial release as Clawdbot, weekend WhatsApp relay project.
2026-01
Renamed to Moltbot, gains traction with lobster mascot.
2026-02
Renamed to OpenClaw, reaches 142K GitHub stars.
2026-03
Agents of Chaos paper exposes 11/16 prompt injection failures.
2026-03
Crab Ability Ranking released, benchmarking model performance.
2026-03
Two Sessions buzz with 360 one-click install announcement.
📎 Sources (4)
Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.
📰
Weekly AI Recap
Read this week's curated digest of top AI events →
👉Related Updates
AI-curated news aggregator. All content rights belong to original publishers.
Original source: 虎嗅 ↗



