Security coverage around OpenClaw intensified with a report on indirect prompt injection and data exfiltration risks, while KiloClaw published an independent assessment of its hosted isolation layers. Review your default configs and sandbox boundaries before exposing agents to untrusted web or tenant data.

KiloCode’s posts point to a sharper claim than the usual "AI agents can be risky" warning: the issue is described as OpenClaw’s "inherently weak default security configurations," and the linked writeup says those weaknesses can enable prompt injection and data exfiltration in deployed agent environments. A separate post says CNCERT warned about attackers using "indirect prompt injection" against OpenClaw instances, which matters because indirect injection usually arrives through content the agent reads rather than through a direct operator prompt.
That makes the practical risk boundary clear. If an OpenClaw agent can browse, ingest external text, or act across connected tools, then unsafe defaults become an implementation problem rather than a theoretical model-safety concern.
KiloClaw answered the OpenClaw warnings with a security paper and architecture post rather than just a marketing denial. The whitepaper image says an independent assessment by Andrew Storms ran for 10 days and included PASTA-based threat modeling across "30 threats across 13 assets," plus code review, live infrastructure testing, and "60+ adversarial tests."
According to KiloClaw’s architecture post, its hosted design uses Firecracker microVMs and five independent layers of tenant isolation, including identity-based routing, separate application environments, and WireGuard-based network isolation. Those are still vendor-provided claims, but they are at least concrete enough for engineers to compare against their own OpenClaw deployment model, especially around sandbox boundaries, cross-tenant separation, and secret exposure paths.
OpenClaw's maintainer asked users to switch to the dev channel and stress normal workflows before a large release that may break plugins. Watch harness speed, context plugins, and permission boundaries closely while the SDK refactor lands.
OpenClaw shipped version 2026.3.22 with ClawHub, OpenShell plus SSH sandboxes, side-question flows, and more search and model options, then followed with a 2026.3.23 patch. Teams get a broader plugin surface, but should patch quickly and review plugin trust boundaries as the ecosystem grows.
Cursor shipped Instant Grep, a local regex index built from n-grams, inverted indexes, and Bloom filters that drops large-repo searches from seconds to milliseconds. Faster candidate retrieval shortens the coding-agent loop, especially when ripgrep-style scans become the bottleneck.
ChatGPT now saves uploaded and generated files into an account-level Library that can be reused across conversations from the web sidebar or recent-files picker. It removes repetitive re-uploading and makes past PDFs, spreadsheets, and images part of a persistent working context.
Epoch AI says GPT-5.4 Pro elicited a publishable solution to one 2019 conjecture in its FrontierMath Open Problems set, with a formal writeup planned. Treat it as an early milestone worth reproducing, not blanket evidence that frontier models can already automate math research.
OpenClaw has "inherently weak default security configurations", according to new research.
99% of OpenClaw hosting providers claim their service “is secure.” Evidence > Claims. KiloClaw doesn’t rely on claims alone. We stress-tested our OpenClaw hosting service across five layers of security risk to verify our claim, and published our findings in a whitepaper.
KiloClaw is a hosted OpenClaw platform that was built to protect against attacks like these + more. Read more: blog.kilo.ai/p/how-kiloclaw…