OpenClaw has a self-attack vulnerability that mistakenly executes Bash commands, leading to key leakage
Web3 security company GoPlus stated that the AI development tool OpenClaw was recently reported to have suffered a self-attack security incident. While running an automated task, the system called Shell commands to create a GitHub Issue and constructed an incorrect Bash command in the process, inadvertently triggering command injection and exposing a large number of sensitive environment variables.
In the incident, the AI-generated string contained the word "set" wrapped in backticks, which Bash interpreted as command substitution and executed automatically. Because Bash outputs all current environment variables when set is executed without parameters, over 100 lines of sensitive information (including Telegram keys, authentication tokens, etc.) were written directly into the GitHub Issue and published publicly.
GoPlus recommends that, in AI automation development or testing scenarios, API calls be used instead of directly concatenating Shell commands, and that the principle of least privilege be followed to isolate environment variables. Additionally, high-risk execution modes should be disabled, and a manual review mechanism should be introduced for critical operations.
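The failure mode and two of the mitigations above (no Shell string concatenation, isolated environment variables), as an added example that is not code from OpenClaw or GoPlus. `DEMO_TOKEN`, `AI_TEXT` and the function names are constructed for illustration, and `printf` stands in for the call that creates the GitHub Issue.

```shell
#!/bin/sh
# Constructed demo secret standing in for a real token in the agent's environment.
DEMO_TOKEN="constructed-secret-123"; export DEMO_TOKEN

# Prefer Bash (the shell in the incident); plain sh behaves the same way here.
SHELL_BIN=$(command -v bash || command -v sh)

# Constructed AI-generated issue text: the word set wrapped in backticks.
AI_TEXT='Docs: explain what `set` prints when run without arguments'

# Unsafe: the text is concatenated into the command string, so the child shell
# parses it as code and the backticks become command substitution.
unsafe_issue_body() {
  "$SHELL_BIN" -c "printf '%s\n' \"$1\""
}

# Least privilege only: same unsafe concatenation, but the child starts from an
# empty environment (env -i). The substitution still runs; the secret is absent.
scrubbed_issue_body() {
  env -i PATH="$PATH" "$SHELL_BIN" -c "printf '%s\n' \"$1\""
}

# Hardened: the command string is a fixed literal and the text travels as an
# argument ($1), so it is never parsed as shell code; the environment is also
# scrubbed as a second layer.
safe_issue_body() {
  env -i PATH="$PATH" "$SHELL_BIN" -c 'printf "%s\n" "$1"' _ "$1"
}

# Returns 0 when the would-be issue body contains the demo secret.
leaks_secret() {
  case "$1" in *constructed-secret-123*) return 0 ;; *) return 1 ;; esac
}

if leaks_secret "$(unsafe_issue_body "$AI_TEXT")"; then
  echo "unsafe: demo secret ended up in the issue body"
fi
if ! leaks_secret "$(scrubbed_issue_body "$AI_TEXT")"; then
  echo "scrubbed: substitution ran, but the secret was not in the environment"
fi
if [ "$(safe_issue_body "$AI_TEXT")" = "$AI_TEXT" ]; then
  echo "safe: issue body is the literal text, backticks included"
fi
```
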