0-Click Remote Code Execution in OpenClaw with GPT5.2 via Gmail Hook (opens in new tab)

(veganmosfet.github.io)

4 pointsveganmosfet1mo ago3 comments

3 comments

Second part of the saga, now escaping sandbox with multi-layered prompt injection:

BrokenClaws: Escape the Sub-Agent Sandbox with Indirect Prompt Injection in OpenClaw (via Gmail Hook, 0-Click RCE)

https://veganmosfet.github.io/2026/02/15/openclaw_sandbox.ht...

Yet another "OpenClaw is insecure" post! I found this simple but elegant way to get silent RCE via email, exploiting prompt injection (despite countermeasures, there is no silver bullet) and insecure plugin handling (not skills!). I try to explain how it works and some ideas about hardening. Note: prompt injection attacks are out-of-scope in the security policy. Happy to get feedback.

veganmosfetOP1mo ago

[Update] Now with opus4.6 and latest version.

j / k navigate · click thread line to collapse

3 comments

veganmosfetOP1mo ago

Second part of the saga, now escaping sandbox with multi-layered prompt injection:

BrokenClaws: Escape the Sub-Agent Sandbox with Indirect Prompt Injection in OpenClaw (via Gmail Hook, 0-Click RCE)

https://veganmosfet.github.io/2026/02/15/openclaw_sandbox.ht...

veganmosfetOP1mo ago

[Update] Now with opus4.6 and latest version.

j / k navigate · click thread line to collapse