A hacker installs OpenClaw without permission on several users’ computers thanks to a flaw in the Cline AI agent

A hacker has exploited a security gap in the open source artificial intelligence (AI) agent Cline to, through ‘prompt injections’ install OpenClaw on multiple users’ computers.

OpenClawlaunched as Clawdbot and later renamed Moltbot, it became popular for its ability to control all the functions of a computer, like an agent at the user’s service that carries out any task. However, the possibility of accessing the entire computer can pose a risk to cyberattacks or extensions that conceal ‘malware’.

To these risks we must also add the security breaches that open source agents may suffer, as happened with the agent Clinewhich uses Claude’s workflow, the AI ​​model of Anthropic and which is commonly used by developers when integrated with IDEs such as VSCode.

Recently, developer and security researcher Adnan Khan reported a bug in Cline in which the agent allowed you to receive instructions to carry out tasks that you should not. These types of attacks known as ‘prompt injection’cause AI agents to ignore system protections and execute tasks that are normally blocked.

After sharing the bug, identified as GHSA-9ppg-jx86-fqw7, it was exploited by a hacker to install OpenClaw on the computers of users who installed the Cline version 2.3.0, taking advantage of ‘prompt injection’. However, the vulnerability only lasted 8 hours (from 12:30 to 8:30 p.m. in Spanish mainland time), since after it was identified, version 2.4.0 was quickly released, which corrected the error.

It must be taken into account that, although in this case the malicious actor has used the vulnerability to install OpenClaw, which is not malicious in principle, this is an example that demonstrates the danger that AI agents can cause in certain caseswhich in the event of a ‘prompt injection’ attack have free rein to carry out tasks autonomously on behalf of users without supervision.