OpenClaw AI Agent Attacks Show Why Trust Boundaries Matter More Than Ever

Sophia Hart

Jun 15, 2026

6 min read

TL;DR

  • Researchers demonstrated multiple attack techniques against OpenClaw AI agents.
  • Hidden prompt injection techniques reportedly influenced agent behavior through contacts, vCards, and location metadata.
  • Agent phishing simulations reportedly convinced an OpenClaw agent to share mock credentials and customer data.
  • The findings highlight the importance of trust boundaries, least-privilege access, and monitoring high-risk AI agent actions.

The latest research involving the OpenClaw AI agent highlights a growing challenge in enterprise security. As organizations deploy AI agents with access to business data and communications, security teams must consider how untrusted content could influence automated actions.

Researchers from Imperva and Varonis independently demonstrated how OpenClaw agents could be influenced by seemingly routine inputs. Their findings showed that contacts, vCards, location data, and email messages could be used to deliver prompt injection or agent phishing attacks, leading to simulated code execution and data disclosure scenarios.

The findings are notable because they do not rely on traditional account compromise. Instead, they demonstrate how attackers may exploit trust relationships inside AI-driven workflows.

Two Research Teams, One Security Problem

Imperva and Varonis used different approaches but exposed a similar security challenge: AI agents may act on untrusted content when it is interpreted as instructions.

Imperva examined how OpenClaw processed shared contacts, vCards, and location pins. Researchers reported that hidden instructions embedded within those objects could become part of the prompt context supplied to the model. In testing, a prompt injection scenario reportedly caused the agent to download and execute a script from a researcher-controlled server.

OpenClaw addressed the message-object prompt injection issue in version 2026.4.23.

Varonis focused on a different attack path. Researchers connected an OpenClaw agent to Gmail and populated the environment with synthetic business information. They then sent phishing-style emails designed to appear operationally legitimate. During testing, the agent reportedly shared:

  • Mock AWS keys
  • SSH credentials
  • Database connection strings
  • Customer export data

Although the attack techniques differed, both demonstrations showed how untrusted content could influence agent behavior and trigger actions that organizations would not normally expect from automated workflows.

Why AI Agents Change the Prompt Injection Risk Model

Prompt injection is not a new concept. What changes the risk profile is the growing number of actions available to modern autonomous agents.

The OpenClaw research illustrates this shift. Rather than simply generating text, the tested agents could interact with external systems, process business data, and perform automated actions. As researchers demonstrated, manipulating an agent’s inputs can potentially influence what the agent does next.

Depending on how they are configured, enterprise AI agents may be able to:

  • Read emails and business communications
  • Access internal files and data sources
  • Retrieve sensitive information
  • Interact with connected applications and services
  • Execute automated tasks
  • Send information externally

In traditional applications, malicious content might affect a single workflow. In agentic environments, the same content may influence a system capable of making decisions and performing actions on behalf of users.

Why Verification Rules Did Not Fully Prevent Data Disclosure

One notable finding from the Varonis testing involved an agent profile that reportedly required sender verification before processing requests.

Despite those instructions, researchers found that the agent still complied with malicious requests during testing. This highlights a broader challenge with agent phishing, where attackers attempt to manipulate automated decision-making rather than exploit a software vulnerability.

Trust Boundary Breakdown

Component | Intended Purpose | What Researchers Demonstrated
--- | --- | ---
Contacts and vCards | Share business information | Hidden instructions reportedly influenced agent behavior
Location Pins | Provide contextual location data | Embedded content entered the prompt context
Email Messages | Support communication workflows | Phishing-style messages reportedly prompted the agent to share mock sensitive data
Agent Integrations | Enable automation across systems | Increased the impact of prompt injection and social engineering
External Communication Channels | Deliver business outputs | Created potential pathways for AI data exfiltration

Understanding the Enterprise Risk

The OpenClaw research demonstrates how prompt injection and phishing-style attacks can influence AI agents that have access to business data and automated workflows.

AI Agents Expand the Blast Radius

Traditional phishing campaigns target users. Agent phishing attempts to manipulate AI agents that have access to business data or automated workflows.

Sensitive Data Becomes More Accessible

When autonomous agents have access to business data and communications, successful manipulation attempts may increase the risk of unintended data disclosure.

Visibility Gaps Create Investigation Challenges

Organizations may struggle to determine exactly what data an agent accessed, what actions it performed, and whether those actions aligned with business intent.

How to Reduce Exposure and Mitigate Risk

Organizations deploying AI agents should focus on reducing unnecessary access, limiting trust relationships, and monitoring automated actions.

  • Deploy OpenClaw security updates promptly.
  • Restrict agent permissions using least-privilege principles.
  • Separate trusted instructions from untrusted content sources.
  • Implement approval workflows for sensitive actions.
  • Limit access to credentials, secrets, and customer datasets.
  • Review third-party connectors and integration permissions regularly.
  • Monitor unusual agent behavior and outbound communications.
  • Maintain visibility into endpoints and systems supporting AI workflows.
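Instructions inside an agent profile, such as the sender-verification rule described earlier, are suggestions to the model rather than controls. As an added example (not OpenClaw's code), the Python gate below enforces several of these mitigations deterministically before any tool call runs: a per-agent tool allowlist, a hard rule that content arriving via email, contacts, vCards or location pins can never authorize a sensitive action on its own, sender verification checked in code rather than in the prompt, mandatory approval for sensitive actions, and an audit record for every decision. The tool names, the sender allowlist and the sample calls are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_APPROVAL = "needs_approval"

# Least privilege: the only tools this agent profile may invoke (constructed names),
# and the subset that touches code execution, secrets or external channels.
ALLOWED_TOOLS = {"read_inbox", "search_docs", "reply_internal",
                 "run_script", "send_external", "read_secret"}
SENSITIVE_TOOLS = {"run_script", "send_external", "read_secret"}
# Sender verification is done here by the gate, not by an instruction in the prompt.
VERIFIED_SENDERS = {"ops-lead@example.com"}   # constructed allowlist
# Provenance labels for content that must never be treated as instructions.
UNTRUSTED_SOURCES = {"email", "contact", "vcard", "location_pin"}
AUDIT_LOG: list[dict] = []   # every decision is recorded for investigation

@dataclass
class ToolCall:
    tool: str
    args: dict
    source: str                   # "operator" or one of UNTRUSTED_SOURCES
    sender: Optional[str] = None  # populated when source == "email"

def decide(call: ToolCall) -> tuple[Decision, str]:
    """Deterministic trust-boundary check applied to every proposed tool call."""
    if call.tool not in ALLOWED_TOOLS:
        return Decision.DENY, "tool is outside the agent's allowlist"
    if call.tool not in SENSITIVE_TOOLS:
        return Decision.ALLOW, "non-sensitive tool"
    if call.source in UNTRUSTED_SOURCES:
        # Untrusted content never authorizes a sensitive action by itself; even a
        # verified sender only gets the request queued for human approval.
        if call.source == "email" and call.sender in VERIFIED_SENDERS:
            return Decision.NEEDS_APPROVAL, "verified sender; human approval still required"
        return Decision.DENY, f"sensitive action requested by untrusted {call.source} content"
    if call.source == "operator":
        return Decision.NEEDS_APPROVAL, "operator-initiated sensitive action needs approval"
    return Decision.DENY, "unknown content source"

def gate(call: ToolCall) -> Decision:
    """Apply the policy and append an audit record; the runtime executes only on ALLOW."""
    decision, reason = decide(call)
    AUDIT_LOG.append({"tool": call.tool, "source": call.source, "sender": call.sender,
                      "decision": decision.value, "reason": reason})
    return decision
```

Route every proposed tool call through gate() before the agent runtime executes it; the AUDIT_LOG entries supply the record of what the agent tried to do, which the visibility gap described above otherwise leaves missing.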

How Hexnode Supports Investigation and Response

As AI agents gain access to business systems, visibility and governance become increasingly important.

With Hexnode UEM, organizations can:

  • Enforce security policies across managed endpoints.
  • Monitor device compliance across managed devices.
  • Restrict access to organizational resources based on device compliance requirements.

With Hexnode XDR, security teams can:

  • Investigate incidents using endpoint activity data and incident visibility.
  • Detect security incidents and threats across monitored endpoints.
  • Take supported response actions from the Hexnode XDR console to contain and remediate detected threats.

Conclusion

The OpenClaw AI agent research highlights a broader challenge facing enterprise AI deployments. Rather than a single product issue, the findings show how autonomous systems can become vulnerable when trusted instructions and untrusted content are not clearly separated.

As organizations expand the use of AI agents, security teams should focus on least-privilege access, monitored actions, approval controls, and visibility into agent behavior. These measures can help reduce the risks associated with prompt injection, agent phishing, and AI data exfiltration.

FAQs

What is OpenClaw?

OpenClaw is a self-hosted AI agent platform that can connect to external tools, services, and data sources to perform automated tasks.

What is agent phishing?

Agent phishing involves using deceptive messages or content to influence an AI agent’s decisions or actions.

Why is data disclosure by AI agents a concern?

Depending on how they are configured, AI agents may have access to sensitive information and external communication channels, increasing the potential impact of unauthorized data disclosure.

Sophia Hart

A storyteller for practical people. Breaks down complicated topics into steps, trade-offs, and clear next actions—without the buzzword fog. Known to replace fluff with facts, sharpen the message, and keep things readable—politely.