Three flaws in OpenClaw AI assistant let attackers steal passwords and run code on your computer
A researcher chained three now-patched bugs in the OpenClaw personal AI assistant into a full takeover of the host machine, starting from a single WhatsApp message.

Key points
- A security researcher found three high-severity flaws in OpenClaw, a personal AI assistant, that together let an attacker take over the user's computer.
- The most serious bug, tracked as GHSA-hjr6-g723-hmfm, scores 8.8 out of 10 and lets an attacker run operating system commands on the host.
- The attack chain can be triggered by a single WhatsApp message sent to the victim, with no clicking required beyond normal use of the assistant.
- All three vulnerabilities have been patched, and users are urged to update immediately.
A researcher has gone public with details of three security holes in OpenClaw, a personal AI assistant that people install on their own computers to help with everyday tasks. All three have been fixed, but the write-up shows how badly things could have gone for anyone running an older version.
The short version: an attacker sending a WhatsApp message to the victim could end up running commands on the victim's laptop. That is about as bad as it gets for a desktop app.
The report was first covered by The Hacker News.
How did the attack actually work?
The researcher chained three separate bugs together, because on its own each one is limited, but stacked they give full control.
The headline flaw is GHSA-hjr6-g723-hmfm, scored 8.8 out of 10 on the industry severity scale. It is what engineers call an OS command injection: the assistant takes text it was given and, instead of treating it as plain words, hands part of it to the underlying operating system to execute. Feed it the right booby-trapped string and the computer runs whatever the attacker chose.
The other two flaws round out the chain. One lets an attacker read credentials, meaning stored passwords and login tokens, from the assistant's own storage. The other bumps the attacker up to higher privileges on the machine, so the code they run is not stuck in a limited sandbox. Put together: message in, password stolen, commands executed as a trusted user.
In practice, this is the classic AI-assistant failure mode. The assistant is designed to be helpful and to act on natural language. When that natural language arrives from an outside channel like WhatsApp, the app has to be paranoid about what it does with it. OpenClaw, in the vulnerable versions, was not paranoid enough.
Should ordinary users be worried?
If you use OpenClaw, update it now and the risk goes away. The maintainers have shipped patches for all three issues.
If you do not use it, this is still worth paying attention to, because the same pattern keeps showing up across the growing pile of desktop AI assistants. These tools sit in a privileged spot on your machine. They read your messages, they can open files, some of them can run shell commands on your behalf. A bug in that plumbing is not a small bug.
A few practical notes for anyone running an AI assistant on a personal or work laptop:
- Check what messaging apps and inboxes it is connected to. Anything that can send you a message can, in theory, send it a payload.
- Keep it updated. AI tooling is moving fast and so are the patches.
One thing the post-mortem will say is that the assistant treated inbound message content as trusted input. That assumption is going to bite a lot of vendors this year.
Operational takeaway: if your AI assistant can run commands, treat every message it reads as untrusted user input, because that is exactly what it is.



