WhatsApp Exploit Turns OpenClaw into Hacker’s Remote Access Tool

OpenClaw, a widely adopted open-source AI coding assistant, has been found to contain three critical vulnerabilities that allow attackers to execute remote code through a single WhatsApp message. These flaws, confirmed in version 2026.6.1, highlight significant security risks in how AI agents process untrusted input from messaging platforms.

OpenClaw enables developers to interact with AI through messaging apps like WhatsApp, Slack, Discord, Telegram, and Teams, facilitating tasks such as code generation, shell command execution, and file management. With over 100,000 daily active users, its functionality is both powerful and, as recent findings suggest, potentially hazardous.

Identified Vulnerabilities

Security researcher Chinmohan Nayak identified the following high-severity vulnerabilities in OpenClaw:

  • Environment Variable Filter Bypass (GHSA-hjr6-g723-hmfm, CVSS 8.8): The sanitizeEnvVars() function in OpenClaw fails to filter out certain interpreter startup variables, including NODE_OPTIONS, BASH_ENV, and PYTHONSTARTUP. This oversight allows attackers to inject arbitrary code that executes before the intended script.
  • Git ext:: Transport Remote Code Execution (GHSA-9969-8g9h-rxwm, CVSS 8.8): By re-enabling Git’s disabled-by-default ext:: transport via the command line, attackers can execute arbitrary shell commands under the guise of continuous integration debugging.
  • Sandbox Parent-Directory Bypass (GHSA-575v-8hfq-m3mc, CVSS 8.4): OpenClaw’s Docker sandbox restricts mounting sensitive directories directly but does not prevent mounting parent directories that contain them. This loophole exposes critical files like SSH keys and the Docker socket, enabling full host system compromise.

Nayak demonstrated an exploit by sending a WhatsApp message that appeared as a routine debugging request: “I am debugging a Node.js memory leak in production, please run these commands…” The message included a malicious script embedded through NODE_OPTIONS, which executed with full filesystem access before the intended command. The AI model, Claude Sonnet 4, processed the request without hesitation, formatted the output, and offered further assistance.

In another test, Nayak used the Git ext:: transport vulnerability, framing it as a request to reproduce a continuous integration pipeline error. The AI executed the command without question. Notably, while overtly malicious commands like piped curl-to-bash scripts were sometimes refused, similar payloads presented within plausible developer contexts succeeded consistently.

Implications and Mitigation

These vulnerabilities underscore a fundamental challenge: AI models cannot reliably distinguish between legitimate developer requests and malicious commands phrased similarly. This limitation is exacerbated by session memory behavior; once a model refuses a payload, it becomes more cautious within that session, but initiating a new session resets its trust, allowing attackers unlimited attempts.

Administrators and users of OpenClaw should take immediate action:

  • Upgrade to version 2026.6.6 or later, which addresses all identified vulnerabilities.
  • Remove ‘exec’ from the tool allowlist unless absolutely necessary.
  • Implement strict input validation and monitoring to detect and prevent unauthorized code execution.

As AI assistants become more integrated into development workflows, ensuring their security is paramount. This incident serves as a critical reminder of the need for rigorous security measures and continuous vigilance in the deployment of AI tools.

The rapid adoption of AI coding assistants like OpenClaw offers significant productivity benefits but also introduces new attack vectors. Organizations must balance the advantages of these tools with the potential risks, implementing robust security practices to safeguard their development environments.