AI Agents Still Can’t Block Prompt Injection – and Tens of Thousands of OpenClaw Setups Are Wide Open, Claw Crew Warns

June 23 15:57 2026
AI Agents Still Can't Block Prompt Injection - and Tens of Thousands of OpenClaw Setups Are Wide Open, Claw Crew Warns
Independent June 2026 testing shows direct prompt-injection attacks succeed in more than 79% of attempts, while security researchers flag 35.4% of exposed OpenClaw deployments as vulnerable. Claw Crew, the home base for OpenClaw builders, publishes plain-English hardening guidance aimed at the solo operators most exposed.

As open-source AI agents move from hobby projects to always-on infrastructure, the security gap is widening faster than most operators realize. New benchmark research published in June 2026 found that leading AI agents still cannot reliably resist prompt injection — the attack class the OWASP GenAI Security Project now describes as an architectural flaw rather than a patchable bug. In testing, direct prompt-injection attacks succeeded in more than 79% of attempts across every configuration evaluated, and hidden (“indirect”) injections embedded in ordinary web content succeeded between roughly 42% and 68% of the time (StakeBench study, Nanyang Technological University, ST Engineering, IBM Research and the University of Illinois Urbana-Champaign).

For the fast-growing OpenClaw community, those numbers are not abstract. OpenClaw — an open-source agent that connects to a user’s files, terminal and messaging apps — surged past hundreds of thousands of installs in early 2026, and the attack surface scaled with it.

Claw Crew, the independent content and community hub for OpenClaw builders, today reiterated its call for builders to treat security as step one, not an afterthought, and pointed to three findings that show why.

The data behind the warning

  • 35.4% of exposed OpenClaw deployments were flagged vulnerable. SecurityScorecard’s STRIKE threat-intelligence team identified tens of thousands of internet-exposed OpenClaw instances and flagged 35.4% as vulnerable at the time of analysis, many to remote code execution (SecurityScorecard STRIKE, February 2026). Broader later scans reported well over 135,000 exposed instances across 82 countries.
  • Hundreds of malicious “skills” reached the official marketplace. In a first audit of OpenClaw’s ClawHub marketplace, Koi Security found 341 malicious skills out of 2,857 reviewed — most tied to a single coordinated campaign it named “ClawHavoc.” As the marketplace grew past 10,700 skills, the confirmed malicious count climbed past 824 (Koi Security, via Sangfor, February 2026). Skills install with the same system access as the agent itself.
  • Secrets are leaking from the supply chain. Snyk reported 283 ClawHub skills leaking API keys, and a separate audit found roughly 36% of reviewed skills contained detectable prompt-injection content (Snyk, via Cyberdesserts, 2026). In a related incident, a misconfigured database behind an OpenClaw-agent social network exposed 1.5 million agent API tokens and 35,000 email addresses.

The common thread: the danger is rarely “rogue AI.” It is exposed infrastructure, unvetted marketplace code, and stored credentials sitting behind agents that were never hardened before being switched on.

Expert commentary

“The headlines obsess over autonomous agents going rogue. The boring truth is more dangerous: most of these setups are simply left open, with admin access and live credentials, and nobody locked the door,” said Benjamin Hübner, founder of IM Dominator. “A 79% prompt-injection success rate isn’t a reason to panic — it’s a reason to assume your agent will be manipulated and to remove what it can leak or destroy. That’s a configuration problem, and configuration problems are fixable in an afternoon.”

“The people most at risk right now aren’t enterprise security teams — they’re solo operators, course creators and small agencies who installed an agent over a weekend because it was genuinely useful,” Hübner added. “They don’t need a 200-page framework. They need a short, ordered checklist of the handful of changes that actually move the needle: don’t expose the gateway, vet every skill, isolate credentials, and patch on sight.”

What Claw Crew is doing about it

Claw Crew has published practitioner-focused hardening guidance for OpenClaw operators — covering safe network binding, skill vetting, sandboxing and access control — at claw-crew.com/learn/security. The guidance is deliberately written for non-specialists running OpenClaw on their own machines and servers, the exact group the exposure data suggests is most affected.

For operators who want a structured weekend walkthrough rather than reference material, Hübner’s AI Hack Defense / Weekend Lockdown Plan condenses the work into five short lessons and 22 concrete actions completable in a single weekend. Details are available via his WarriorPlus profile: Benjamin Hübner on W+.

About Claw Crew

Claw Crew (claw-crew.com) is the independent home base for OpenClaw builders: community, frameworks, skills, tutorials and practical news for people building real workflows with open-source AI agents. Its focus is clarity and usable systems over hype — including honest guidance on the security realities of running agentic AI.

Media Contact
Company Name: IM Dominator – Simpletradery Pte Ltd
Contact Person: Benjamin Huebner
Email: Send Email
Phone: 015782342523
Address:NORTH BRIDGE ROAD #B1-35, HIGH STREET CENTRE
City: Singapore
Country: Singapore
Website: https://imdominator.com/