OpenClaw's OpenDoor problem is so bad that installing malware yourself might save time

The popular open-source AI agent OpenClaw, formerly known as Clawdbot, can be completely taken over through manipulated documents. Security researchers show how attackers can install a permanent backdoor and compromise the user's computer.

Security researchers from Zenity Labs have shown that attackers can gain long-term control of systems through indirect prompt injection. All it takes is a manipulated document; no additional user input required.

The problem is baked into OpenClaw's architecture, the researchers say: the agent processes content from untrusted sources like emails or shared documents in the same context as direct user instructions. There's no separation between what the user wants and what the agent reads on the side, and the agent relies primarily on the security mechanisms of the underlying language model.

What makes this especially dangerous is that unlike conventional chatbots, OpenClaw is built to take action: it can execute commands, read and write files, and runs with whatever permissions it was granted during setup. Feed it the wrong instructions, and the damage potential is significant.

A harmless document becomes a Telegram backdoor

The researchers demonstrate the attack using a typical corporate scenario: an employee installs OpenClaw and connects the agent to Slack and Google Workspace. The attack starts with what looks like a harmless document. Buried deeper in the text, though, is a hidden prompt. When OpenClaw processes the document, it gets tricked into creating a new chat integration, a Telegram bot with an access key the attacker set up beforehand.

Once that integration is in place, OpenClaw starts accepting commands from the attacker. The original entry point is no longer needed. The attacker now has a permanent control channel that's completely invisible to the company. The researchers are deliberately holding back the exact attack prompt.

Even more troubling is the possibility of persistence. OpenClaw uses a configuration file called SOUL.md that defines how the agent behaves. An attacker can modify this file through the backdoor. In their proof of concept, the researchers set up a scheduled task that runs every two minutes and overwrites SOUL.md. Even if someone removes the original chat integration, the attacker keeps control.

As a final step, the researchers demonstrate installing a C2 beacon. This turns the compromised AI agent into a classic gateway for hackers. From there, attackers can move laterally through the company network, steal credentials, or push ransomware.

The attack works across different models, including GPT-5.2, and through various integrations. "If personal AI assistants are going to live on our endpoints and inside our workflows, compromising on security is not an option," the researchers write. All video demonstrations are available here.

OpenClaw's security problems run deep

This isn't the first red flag. A developer recently tested OpenClaw with the security analysis tool ZeroLeaks: the system "scored" 2 out of 100 points, with an 84 percent extraction rate and 91 percent successful injection attacks using common language models. Only Claude Opus 4.5 fared better at 39 out of 100 points, but that's still nowhere near acceptable when you consider how much control OpenClaw has over your computer.

System prompts, tool configurations, and memory files could be read with almost no effort. A simple scan also turned up 954 OpenClaw instances with open gateway ports, many without any authentication. The backdoor demonstrated here is a practical example of how these security weaknesses can be exploited in the real world.