OpenClaw has a self-attack vulnerability that mistakenly executes Bash commands, leading to key leakage

By: rootdata|2026/03/05 20:43:30

0

Share

copy

Web3 security company GoPlus stated that the AI development tool OpenClaw has recently been reported to have experienced a self-attack security incident. During the execution of automated tasks, the system constructed an incorrect Bash command while calling Shell commands to create a GitHub Issue, inadvertently triggering command injection, which led to the exposure of a large number of sensitive environment variables.

In the incident, the AI-generated string contained a set wrapped in backticks, which was interpreted by Bash as command substitution and executed automatically. Since Bash outputs all current environment variables when executing set without parameters, this ultimately resulted in over 100 lines of sensitive information (including Telegram keys, authentication tokens, etc.) being directly written to the GitHub Issue and publicly published. GoPlus recommends that in AI automation development or testing scenarios, API calls should be used instead of directly concatenating Shell commands, and the principle of least privilege should be followed to isolate environment variables. Additionally, high-risk execution modes should be disabled, and a manual review mechanism should be introduced for critical operations.

-- Price

You may also like

SBF's little brother turned 225 million into 5.5 billion in one year

SBF's little brother turned 225 million into 5.5 billion in one year

Let’s meet the 24-year-old new "stock god" of AI.

In a World of Disruption, How Can Humanities Workers Better Use AI?

In a World of Disruption, How Can Humanities Workers Better Use AI?

This AI in Practice experience is not about teaching you a few magical keywords to memorize; it's more like a methodology.

Anthropic Open Letter: The Hypocritical Sam Altman, PUA Master

Anthropic Open Letter: The Hypocritical Sam Altman, PUA Master

OpenAI's extensive PR rhetoric with the Department of War on these issues is either lying or deliberately creating confusion. These facts reveal a pattern of behavior, a pattern I have seen many times in Sam Altman, and I hope everyone can recognize it

On the same day that Kraken's Fedmaster Account was approved, the banking lobbying group immediately launched a counterattack.

On the same day that Kraken's Fedmaster Account was approved, the banking lobbying group immediately launched a counterattack.

Banking Lobby Group Slams Kraken's Approval for "Limited Purpose" Fed Master Account.

Bitwise: This weekend's attack accelerated the on-chain migration of the financial world

Bitwise: This weekend's attack accelerated the on-chain migration of the financial world

The never-ending market has become a global obsession.

Market Downturn: Which Assets Are Worth Watching?

Market Downturn: Which Assets Are Worth Watching?

"Whether it can bring benefits to the holder" is one of the key reference indicators.

The real opportunity of stablecoins is not to kill Visa

The real opportunity of stablecoins is not to kill Visa

In the new merchant ecosystem born in the AI era, stablecoins will become the first widely adopted payment infrastructure.

Trump's AI Farce: Insult if You Don't Pay

Trump's AI Farce: Insult if You Don't Pay

Dario's all-hands email is full of ad hominem attacks

US & Canada Crypto Tax Season 2026: Official Tax Reporting Support from WEEX × KoinX

US & Canada Crypto Tax Season 2026: Official Tax Reporting Support from WEEX × KoinX

Prepare for US & Canada crypto tax season 2026. Learn how to export your WEEX transaction history and access official reporting support through our partnership with KoinX.

Conversation between Tom Lee and "The Big Short" Author: AI has detected bubble signal, crypto correction due to gold liquidity being "siphoned off"

Conversation between Tom Lee and "The Big Short" Author: AI has detected bubble signal, crypto correction due to gold liquidity being "siphoned off"

A real bubble occurs when everyone is absolutely certain that "this is definitely not a bubble."

The true reason for Claude's ban, Kraken accessing the Federal Reserve payment system, What is the English community paying attention to?

The true reason for Claude's ban, Kraken accessing the Federal Reserve payment system, What is the English community paying attention to?

What Was Trending in the Last 24 Hours?

「Buying the Dip」 of 400,000 BTC: Is $74,000 a Rebound or a Reversal?

「Buying the Dip」 of 400,000 BTC: Is $74,000 a Rebound or a Reversal?

BTC price hits a new monthly high.

OpenClaw, Another Batch of Middle Class Jobless

OpenClaw, Another Batch of Middle Class Jobless

Time will not wait for anyone.

Morning News | Backpack will launch on-chain IPO subscription service; Predict.fun strategically acquires on-chain prediction platform Probable; SoFi partners with Mastercard for strategic cooperation

Morning News | Backpack will launch on-chain IPO subscription service; Predict.fun strategically acquires on-chain prediction platform Probable; SoFi partners with Mastercard for strategic cooperation

March 4 Market Important Events Overview

Inventorying the Washington power in the crypto space, who is speaking out for U.S. crypto legislation?

Inventorying the Washington power in the crypto space, who is speaking out for U.S. crypto legislation?

From ideology to ecological initiatives, the lobbying power of American cryptocurrency is undergoing a comprehensive evolution, ushering in a new era of specialized and refined policy games.

650 million dollars, 1.5 billion dollars, 2 billion dollars, the crypto VC landscape has changed!

650 million dollars, 1.5 billion dollars, 2 billion dollars, the crypto VC landscape has changed!

Homogenized industries are ultimately fragile; only when different species can emerge does the market truly come alive.

Why prediction markets are the largest untapped collateral pool in DeFi

Why prediction markets are the largest untapped collateral pool in DeFi

From "gambling" to "financable assets": prediction markets are becoming the next hundred billion collateral pool in DeFi, opening new frontiers of capital efficiency.

500% XAUT Staking, Zero-Fee Gold Futures and $100K Rewards: Why Traders Are Turning to WEEX for Tokenized Gold

500% XAUT Staking, Zero-Fee Gold Futures and $100K Rewards: Why Traders Are Turning to WEEX for Tokenized Gold

Explore WEEX's $100,000+ gold campaign featuring 500% XAUT staking, zero-fee gold contracts, and $30,000 PAXG rewards. Trade tokenized gold today.

SBF's little brother turned 225 million into 5.5 billion in one year

Let’s meet the 24-year-old new "stock god" of AI.

In a World of Disruption, How Can Humanities Workers Better Use AI?

This AI in Practice experience is not about teaching you a few magical keywords to memorize; it's more like a methodology.

Anthropic Open Letter: The Hypocritical Sam Altman, PUA Master

OpenAI's extensive PR rhetoric with the Department of War on these issues is either lying or deliberately creating confusion. These facts reveal a pattern of behavior, a pattern I have seen many times in Sam Altman, and I hope everyone can recognize it

On the same day that Kraken's Fedmaster Account was approved, the banking lobbying group immediately launched a counterattack.

Banking Lobby Group Slams Kraken's Approval for "Limited Purpose" Fed Master Account.

Bitwise: This weekend's attack accelerated the on-chain migration of the financial world

The never-ending market has become a global obsession.

Market Downturn: Which Assets Are Worth Watching?

"Whether it can bring benefits to the holder" is one of the key reference indicators.

Popular coins

Latest Crypto News

20:43

Figure: The circulating supply of the securitized stablecoin YLDS increased to $588 million, a month-on-month growth of 56%

The Nasdaq-listed blockchain capital market company Figure Technology Solutions announced its latest business operations report, which disclosed that the circulating supply of its securitized stablecoin YLDS has increased to $588 million, a 56% increase compared to the previous period. YLDS aims to ...

20:43

Digital asset trading technology company Crossover Markets has completed a $31 million Series B funding round

Crossover Markets, an institutional-grade digital asset trading technology company, has completed a $31 million Series B funding round, reaching a valuation of $200 million. This round was led by Tradeweb Markets, a global multi-asset electronic trading platform, with participation from institutions...

20:43

Data: ETH total network contract open interest increased by 5.89% in 24 hours

According to Coinglass data, the total contract open interest for ETH has increased by 5.89% in the past 24 hours, with the current total open interest at $28.56 billion. Among them, Binance has an open interest of $6.17 billion, OKX has $1.82 billion, Bybit has $2.151 billion, and Gate has $2.95 bi...

20:43

The spot Bitcoin ETF saw a net inflow of over $1.1 billion in three days, with analysts stating that the "safe-haven asset" narrative is returning

The inflow of spot Bitcoin ETFs has significantly rebounded. Data shows that spot Bitcoin ETFs recorded a total net inflow of approximately $1.1 billion, with a single-day net inflow of about $462 million. BlackRock's iShares Bitcoin Trust (IBIT) led with around $307 million. The return of funds has...

20:43

FATF: Peer-to-peer transfers of stablecoins have become a major money laundering risk, recommending issuers to introduce freezing and blacklisting mechanisms

The global anti-money laundering organization Financial Action Task Force (FATF) pointed out in its latest report that stablecoin peer-to-peer (P2P) transfers have become a key source of money laundering risk in the crypto ecosystem, especially when users trade directly through unmanaged wallets, ma...