Even the lobster experts get hacked: OpenClaw leaks its own server's top secrets due to a syntax error

動區BlockTempo

Recently, the security.ai research team, which focuses on AI agent safety, tested the OpenClaw robot and triggered an unexpected “self-hacked” disaster simply by entering an ordinary everyday command…
(Background: Don’t blindly follow the hype around OpenClaw. The crayfish AI is powerful but may not be suitable for you.)
(Additional background: Just mentioning Bitcoin led to bans: The story of the rift between crayfish OpenClaw and cryptocurrency.)


As artificial intelligence (AI) technology becomes more widespread, AI agents have demonstrated powerful capabilities in assisting developers with daily tasks. However, this technology also introduces unprecedented security risks. Recently, developers from the well-known AI security team, security.ai, encountered an unexpected “self-hacked” event while testing the popular AI robot OpenClaw. Due to a minor syntax error in the AI model’s command generation, all confidential keys in the testing environment were publicly released on GitHub, ultimately allowing unknown attackers to fully control the server.

Security experts also caught off guard: an unexpected “self-hacked” incident

The victims of this incident were not ordinary users lacking technical background, but professional security researchers and developers like Aaron Zhao from the company “security.ai,” which specializes in AI agent security tools. As industry experts, they were confident in their defenses and had just published an article on how to attack the OpenClaw robot.

At the time, the team was conducting tests in a sandbox environment without any malicious attack settings, simply asking the OpenClaw robot to perform a seemingly harmless daily task: “Search for best practices in Python asynchronous (async) programming, then create a GitHub issue summarizing these findings.” Unexpectedly, this ordinary command became the trigger for system compromise.

The deadly quotation mark: how AI unintentionally leaks top secrets

The root of the problem was that when OpenClaw called its built-in “exec” tool to create the GitHub issue, it generated a flawed shell command.

In Bash, a string enclosed in double quotes (“…”) still undergoes “command substitution”: anything inside it that is enclosed in backticks is executed first, and the string is rewritten with that command’s output in its place. If single quotes (‘…’) are used instead, the entire content is treated as plain text.

At that moment, the string generated by OpenClaw contained content like “…store them in a `set`…” (with backticks around the word) and was wrapped in double quotes. In Bash, “set” is a built-in command. When run without additional parameters, it outputs all current shell variables (including environment variables) and functions.

Therefore, instead of treating “set” as a normal word, the system executed this command directly, extracting over a hundred lines of secret environment variables, including authorization tokens, and published all this confidential information as plain text on the public GitHub issue page, making it visible to everyone.
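To make the mechanism concrete, here is an added shell example (not code from the article or from OpenClaw) that rebuilds the failure in miniature: a constructed placeholder secret is planted in the environment, the issue body is assembled once in double quotes and once in single quotes, and a check function reports whether the planted secret ended up in the text.

```shell
#!/bin/sh
# Added example, not the article's or OpenClaw's code.
# Constructed secret: a placeholder, not a real credential.
PLACEHOLDER_SECRET='placeholder-not-a-real-secret'
export GH_TOKEN="$PLACEHOLDER_SECRET"

# Vulnerable form: the body is built in double quotes, so the shell performs
# command substitution on `set` before the text ever reaches the issue tool.
# The backtick-wrapped word is exactly the kind of Markdown the model emitted.
vulnerable_issue_body() {
    body="Summary: store the results in a `set` for fast lookup."
    printf '%s\n' "$body"
}

# Hardened form: single quotes hand the text through verbatim, so the
# backticks stay literal Markdown and nothing is executed.
safe_issue_body() {
    body='Summary: store the results in a `set` for fast lookup.'
    printf '%s\n' "$body"
}

# Detection check: returns 0 (true) when the candidate issue body contains the
# planted secret, i.e. when a shell variable dump was spliced into the text.
body_leaks_secret() {
    case "$1" in
        *"$PLACEHOLDER_SECRET"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Line count of a body: the safe version is one line, the leaked one is the
# whole variable dump.
body_line_count() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

main() {
    v=$(vulnerable_issue_body)
    s=$(safe_issue_body)
    printf 'double-quoted body: %s lines, leaks secret: ' "$(body_line_count "$v")"
    body_leaks_secret "$v" && echo yes || echo no
    printf 'single-quoted body: %s lines, leaks secret: ' "$(body_line_count "$s")"
    body_leaks_secret "$s" && echo yes || echo no
}

main
```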

Hackers exploit vulnerabilities and subsequent responses

The consequences of the data leak were swift. Among the exposed environment variables were the development team’s Telegram keys and other critical access credentials. Soon after, the team’s system monitoring detected an attacker from an Indian IP address who used these leaked credentials to connect via SSH and gained full control of the sandbox server.

Fortunately, security mechanisms from OpenAI and Google detected these leaked keys on GitHub and proactively notified the team. This prompted an immediate comprehensive investigation, which identified the root cause, located the attacker, and then quickly wiped all data from the compromised sandbox machine and revoked all leaked keys.

The long-tail challenge of AI security: accountability becomes a difficult issue

This incident underscored for the security experts just how complex AI security is. The team lamented that they had simply issued a benign command, yet because the AI model misunderstood how Bash works, the system was compromised.

Is this the user’s responsibility, a flaw in the AI model itself, or a vulnerability in the OpenClaw robot’s design? The team admitted, “We really don’t know.” They emphasized that AI security has now become a “long-tail problem,” with countless failure modes that are difficult to enumerate and often counterintuitive. As AI agents are entrusted with increasing system control, ensuring they do not cause catastrophic security disasters due to minor syntax errors will be a critical challenge for the future of technology.
