Attackers discovered they could hijack OpenClaw agents through link previews in Telegram and Discord messages.
China's CNCERT issued a formal warning after researchers demonstrated that OpenClaw agents could be hijacked through indirect prompt injection via link previews. The attack was elegant: an attacker crafts a URL that, when generated by the agent and shared to Telegram or Discord, triggers a link preview that silently exfiltrates sensitive data to attacker-controlled domains. The agent itself generates the attack vector, making it nearly invisible to the user. Organizations were urged to isolate OpenClaw instances from sensitive data immediately.
AFFECTED USERS: ~2,000
ESTIMATED COST: $300,000
The Actual Culprit
OpenClaw agents had no URL sanitization or output filtering. When an agent generated a URL containing encoded sensitive data, messaging platform link previews would send that data to external servers automatically.
We obsess over what goes into an agent. But what comes out can be weaponized too — especially when third-party platforms process it.
Every messaging platform that renders link previews is a potential side channel for leaking data encoded in URLs.
Input validation, output sanitization, network isolation — agents need the same security layers we've used for web apps for decades.
Loading comments...