TL;DR
what: Researchers demonstrated OpenClaw AI agent executes hidden commands in contacts/vCards and leaks credentials through believable phishing emails without user interaction.
impact: Agents with memory enabled can be compromised by widely-shared contacts; agents forward AWS keys, database credentials, and customer data to external addresses from single emails.
fix: Update to OpenClaw 2026.4.23 for prompt-injection fix; implement strict agent permissions, sandbox environments, and require human confirmation for credential/data operations.
who: Organizations running self-hosted OpenClaw agents with access to messaging platforms, credential stores, file systems, and sensitive business data.
