BrokenClaw – RCE in OpenClaw via Gmail Hook (veganmosfet.codeberg.page)

A critical security vulnerability, dubbed "BrokenClaw," has been identified in the OpenClaw AI system, allowing for 0-click remote code execution (RCE) via its Gmail hook feature. This vulnerability exploits a combination of prompt injection and insecure plugin management, enabling an attacker to send a malicious email that the OpenClaw agent processes, leading to the execution of arbitrary code without user intervention. The issue centers around the default configuration, where external email content is processed as user role messages, heightening the risk of successful prompt injections. This revelation has significant implications for the AI/ML community, highlighting the need for robust security measures in AI systems, especially those utilizing email integrations. OpenClaw is not secure by default, as its sandboxing and plugin management features are opt-in and insecure, respectively. Recommended mitigations include placing all non-main sessions in a secure Docker sandbox and changing the message roles for external content to reduce risk. The ongoing issues with prompt injection emphasize the critical need for developing safer models and practices within AI to prevent such vulnerabilities from being exploited in real-world applications.