Cross-industryPrompt InjectionAgentic WorkflowCatastrophic

OpenClaw agent skills suffer widespread vulnerabilities and data exfiltration

Cisco researchers identified critical security flaws in the OpenClaw agent ecosystem, affecting 26% of analyzed skills. The most notable failure involved a popular skill that exfiltrated user data via prompt injection.

OpenClaw · Incident Jan 28, 2026 · Indexed Jun 5, 2026 · 2 sources

The What Would Elon Do? skill used prompt injection to silently exfiltrate user data via curl to an attacker-controlled server.

Key facts

What
Cisco researchers identified critical security flaws in the OpenClaw agent ecosystem, affecting 26% of analyzed skills.
Incident date
Jan 28, 2026
Who
OpenClaw
Failure mode
Prompt Injection
AI surface
Agentic Workflow
Severity
Catastrophic

What happened

Cisco researchers identified that 26% of 31,000 analyzed OpenClaw agent skills contained vulnerabilities. The top-ranked skill, What Would Elon Do?, exfiltrated user data to an attacker-controlled server using prompt injection to trigger malicious actions. This demonstrates a fundamental weakness in the agentic AI supply chain and plugin autonomy.

What broke inside the model

Failure path · this incident · Prompt Injection
  1. 01 · TriggerA third-party skill carries embedded instructions for the agent that runs it.
  2. 02 · Model stepThe agent executes the skill's code and prompts with its own privileges.
  3. 03 · Control gapSkills are not sandboxed; injected instructions can reach the network unchecked.
  4. 04 · FailureThe skill initiates unauthorized curl requests carrying local data.
  5. 05 · ConsequenceUser data exfiltrates from inside the agent runtime.

The failure stemmed from an insecure architecture that allowed third-party skills to execute code with the agent's privileges. Prompt injection enabled the skill to bypass constraints and initiate unauthorized network requests via curl for data exfiltration.

What it cost

Public visibilityHigh
Regulatory exposureNone
Customer impactMany customers
Financial impactUnknown
Time to disclosureHours

Sources

  1. PrimaryPersonal AI Agents like OpenClaw Are a Security Nightmareblogs.cisco.com
  2. PrimaryOpenClaw's 230 Malicious Skills: What Agentic AI Supply Chains...authmind.com

Cite this entry

Permalinkhttps://failureindex.ai/failures/openclaw-skills-suffer-widespread-vulnerabilities-exfil
CitationAI Failure Index. "OpenClaw agent skills suffer widespread vulnerabilities and data exfiltration" (FI-0243). Realm Labs. https://failureindex.ai/failures/openclaw-skills-suffer-widespread-vulnerabilities-exfil (indexed Jun 5, 2026).
Share cardA branded image of this record for posts and slides.

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0243. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard

Realm inspects the model's internal state for the signature of instructions arriving through the data channel, so an injected command can be flagged and blocked inline before the model acts on it, instead of trusting a classifier that scores the input as safe.

Book a Demo

Related failures

Other records that share this failure mode (Prompt Injection) or industry (Cross-industry).

FI-0501Cross-industryMedium
Hallucination

KPMG pulls AI report after organizations dispute claims

KPMG withdrew its "Total Experience: Redefining Excellence in the Age of Agentic AI" report after several organizations stated the claims about their AI usage were untrue. Research by GPTZero revealed that the majority of the report's citations were AI-generated hallucinations.

Confidence
High (multi-source, primary)
KPMG3 sourcesPrimaryPublicJun 2026
FI-0576Cross-industryMedium
Brand & Safety Incident

Reddit ads used deepfake news and cloned sites to promote AI investment scams

Reddit failed to prevent a series of sponsored ads that used deepfakes and cloned websites to impersonate news outlets like the BBC and The Guardian. These ads promoted fraudulent AI investment platforms, targeting users in the US and Europe.

Confidence
High (multi-source, primary)
Reddit3 sourcesPrimaryPublicJun 2026
FI-0502Cross-industryMedium
Hallucination

EY retracts loyalty rewards report after AI hallucinations and fake footnotes discovered

EY withdrew a cybersecurity report on loyalty rewards programs after researchers found it contained fabricated data and non-existent citations. The report was used by EY Canada for marketing purposes but was retracted once the AI-generated errors were exposed.

Confidence
Medium (multi-source)
EY3 sourcesPressPublicMay 2026