OpenClaw Zero-Days Allow Attackers to Hijack Agents Across Messaging Platforms

June 8, 2026
IANS News

Key Points

  • Five zero‑day flaws in OpenClaw allowed attackers to hijack AI agents by impersonating trusted users.
  • The same identity issue existed across multiple messaging platforms, including Telegram, Teams, and Slack, showing a repeated design weakness rather than a one‑off bug.
  • IANS Faculty say the incident highlights how fast‑developed AI agents with system access can expose enterprises to major security threats unless they are tightly controlled and sandboxed.

 


Security researchers have identified five critical OpenClaw zero-days that allow hackers to hijack AI agents across several messaging programs.

OpenClaw, the open-source agentic AI platform, relies heavily on user-defined allowlists: custom lists of users approved to control the agent and access sensitive data. However, an identity issue within OpenClaw caused agents to identify trusted users by their display names rather than by permanent IDs or authorized credentials.

An attacker only needed to figure out the name of one trusted user. With that name, the attacker could impersonate an authorized user and silently gain control of OpenClaw agent interactions.

This improper identity resolution during allowlist processing meant that attackers could hijack agents simply by changing their display names on multiple messaging platforms.

The issue was initially spotted in OpenClaw’s Telegram integration and was quickly patched. However, the flaw persisted across other communication channels such as Slack, Discord and Microsoft Teams.

Security engineer Philip Garabandic discovered the bugs using an AI-driven analysis tool to examine previous OpenClaw vulnerabilities. The tool identified patterns of recurring weaknesses and found the zero-day flaws that repeated across multiple modules.

OpenClaw maintainers have since addressed each finding and announced fixes that enforce ID-based matching.
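An added illustration of the flaw described above next to ID-based matching (this is not OpenClaw's code; the allowlist layout, audit event fields and sample IDs are constructed for the example):

```python
import unicodedata
from dataclasses import dataclass

@dataclass(frozen=True)
class Sender:
    platform: str      # e.g. "slack", "teams"
    user_id: str       # immutable ID assigned by the messaging platform
    display_name: str  # profile field the user can edit at will

# Constructed sample data. The legacy list holds names; the hardened list
# binds each trusted user to a (platform, immutable ID) pair.
LEGACY_ALLOWLIST = {"Alice Admin"}
ID_ALLOWLIST = {("slack", "U0001"): "Alice Admin"}

def is_allowed_by_name(sender: Sender) -> bool:
    """Flawed check: trusts a field that the sender controls."""
    return sender.display_name in LEGACY_ALLOWLIST

def _normalize(name: str) -> str:
    # Fold case and Unicode compatibility forms so lookalikes compare equal.
    return unicodedata.normalize("NFKC", name).casefold().strip()

def authorize(sender: Sender, audit: list) -> bool:
    """Hardened check: only (platform, user_id) grants access.

    The display name is never used to allow anything. It is compared only
    to tag denied requests that reuse a trusted user's name, so the log
    separates likely impersonation from ordinary strangers.
    """
    if (sender.platform, sender.user_id) in ID_ALLOWLIST:
        return True
    trusted = {_normalize(n) for n in ID_ALLOWLIST.values()}
    collided = _normalize(sender.display_name) in trusted
    audit.append({
        "event": "agent_auth_denied",
        "reason": "name_collision" if collided else "not_allowlisted",
        "platform": sender.platform,
        "user_id": sender.user_id,
        "display_name": sender.display_name,
    })
    return False

if __name__ == "__main__":
    log = []
    impostor = Sender("slack", "U9999", "Alice Admin")  # constructed sender
    print("name-based:", is_allowed_by_name(impostor))
    print("id-based:  ", authorize(impostor, log))
    print(log)
```

Keying the allowlist on the platform as well as the ID keeps an identifier that is valid on one channel from being honored on another.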

"Tools such as OpenClaw are still very new and not very battle-hardened. Issues like this and, more generally, the level of access these bots require to be useful can be problematic, and we can expect many similar vulnerabilities to be found." Guillaume Ross, IANS Faculty.

 

Big Picture

For a relatively new tool, OpenClaw has already experienced several security incidents. Each incident seems to point back to the same lesson: when AI tools are deployed before they’ve been fully tested and hardened, basic design flaws turn into major security risks.

OpenClaw is powerful, with the ability to streamline productivity and automate tasks on users’ behalf. But with this power comes significant risk, especially to enterprise environments.

"The thing to remember is that ALL present AI tools have been written quickly and have not yet withstood the test of time. The intent was always to test these tools with AI scanners once the scanners matured to a point where that was possible. We just crossed that threshold recently, and only for some contexts." Josh More, IANS Faculty.

Future security vulnerabilities in OpenClaw are inevitable and will also have significant cascading effects, especially when attackers can easily control AI agents’ actions and access the sensitive information they need to function.

If organizations choose to accept the risks of deploying tools like OpenClaw, they should treat those tools as high-risk systems. Because these agents require broad, system-level permissions, organizations need strong governance and controls for appropriate oversight.

"If you need to use tools like OpenClaw, you should investigate techniques to sandbox it in containers, VMs, or remote systems where only necessary access is provided and users are not interactively using the system as well." Guillaume Ross, IANS Faculty.


IANS Faculty Recommendations

  • Diversify controls: Ensure authentication controls include strong auth, rate limiting, and logging of failed access attempts. Put agent access under PAM-style controls: zero standing privilege, just-in-time (JIT) credentials, and auto-revocation at session end.
  • Scan for potential flaws: Leverage every significant AI model improvement to scan agentic AI tools for potential flaws.
  • Implement strong agentic AI governance: Do not trust any AI tool at this point. Place guardrails around what you're using and make sure that they're not only the guardrails provided by the AI vendor.
  • Accelerate patch timelines: As AI tools advance, expect more security flaws to emerge. Be prepared to patch quickly as models continue to improve. Expect sporadic but intense patching to be needed.


Authors & Contributors

Emily Dempsey, Author, IANS News

Guillaume Ross, IANS Faculty

Josh More, IANS Faculty

