But attackers can exploit this – instructions embedded in the agent’s memory, possibly through external content such as emails, web pages or documents, can manipulate its behaviour.
Known as memory poisoning, attackers can add inputs in fragments over time. The agent stores these fragments in its long-term memory, and they later combine into a harmful set of instructions.
In practical terms, a user could think the agent is just preparing a report. But it could also be following hidden instructions embedded earlier through emails, webpages or documents, said Associate Professor Goh Weihan with the Singapore Institute of Technology (SIT).
OpenClaw can also learn skills from external sources, and these skills are often made by other users and do not undergo rigorous vetting, which opens up further risks.
Applying this to practical uses, an individual may, for example, allow OpenClaw access to their personal email inbox.
If their agent is compromised, then the information in their personal email accounts is also not safe.
