Almost 7.1% of open-source AI agent OpenClaw skills on the ClawHub marketplace have facilitated the exposure of API keys, credentials, and credit card details due to an issue in SKILL.md instructions, The Register reports.Most severe of the discovered illicit skills is the buy-anything skill v2.0.0, which conducts credit card number tokenization to pilfer financial details before prompting credit card information gathering, according to Snyk analysts. Another report from Zenity revealed that users of OpenClaw, formerly known as Moltbot and Clawdbot, could have their machines backdoored in attacks involving a Google document with an indirect prompt injection payload that facilitates new Telegram bot integration.Threat actors could leverage the attack technique to not only exfiltrate targeted devices' files but also launch a Sliver command-and-control beacon for persistent remote access. Intrusions could also result in privilege escalation, lateral movement, and potential ransomware execution, said researchers.
AI/ML, Vulnerability Management, Data Security
Reports shed light on more OpenClaw vulnerabilities

(Credit: Tada Images – stock.adobe.com)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



