0-Click Remote Code Execution in OpenClaw with GPT5.2 via Gmail Hook (veganmosfet.github.io)

A recent demonstration exposed a significant security vulnerability in OpenClaw, a new AI agent that can execute remote code via malicious Gmail hooks. Using a combination of prompt injection and insecure plugin management, it was shown that a simple email could trigger unwanted code execution on a user's machine without any user interaction, effectively circumventing intended security measures. The default configuration allows untrusted external email content to be processed, raising serious concerns about the stability and security of AI applications relying on such agents. This vulnerability highlights a broader issue within the AI/ML community regarding safety protocols in handling external content. OpenClaw's default settings do not employ sandboxing, allowing the agent to inherit user permissions and execute arbitrary code. Security experts are urging developers to implement stronger safeguards, such as sandboxing untrusted sessions and enforcing strict content validation, to prevent potential exploitation. The implications of this research are profound as they underline the need for robust security measures in AI systems, especially when integrating with platforms like Gmail, which can be vulnerable to social engineering and prompt injection tactics.