OpenClaw Prompt Injection Vulnerability via Unsanitized Workspace Path
Vulnerability
A prompt injection vulnerability has been identified in OpenClaw, a personal AI assistant, prior to version 2026.2.15. Affected versions embed the current working directory into the agent system prompt without sanitizing it. An attacker can therefore manipulate the prompt through directory names that include control or format characters, such as newlines or certain Unicode markers. These characters can break the prompt's structure and inject attacker-controlled instructions. The vulnerability affects OpenClaw versions through 2026.2.14.
Impact
Exploitation of this vulnerability could lead to unauthorized prompt injection, allowing attackers to alter the behavior of the AI agent. This could result in unintended tool usage or the disclosure of sensitive information.
Reproduction
To reproduce this vulnerability, place OpenClaw in a directory with a name that includes control or format characters, such as newlines or specific Unicode bidi or zero-width markers. When OpenClaw runs, it will inject the unsanitized workspace path into the system prompt, including the control characters. This can be verified by observing the prompt injection's impact on the agent's behavior or tool usage.
Remediation
Users can update to OpenClaw version 2026.2.15 or later, where this vulnerability has been patched. The workspace path is now properly sanitized before being embedded into any LLM prompt, removing control characters and explicit line separators.
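The sketch below illustrates the kind of sanitization the remediation describes, with an unsanitized prompt builder next to a sanitized one. It is an added example, not OpenClaw's code: the function names, the prompt layout and the sample directory name are assumptions constructed for illustration.

```javascript
// Added example: not OpenClaw's code. Function names and prompt layout are assumptions.

// Cc = control characters (\n, \r, \t, ESC ...), Cf = format characters
// (bidi overrides, zero-width marks), Zl/Zp = U+2028/U+2029 line separators.
const UNSAFE_IN_PROMPT = /[\p{Cc}\p{Cf}\p{Zl}\p{Zp}]/gu;

// Strip every character that could break the single-line "Workspace:" field.
function sanitizeForPrompt(value) {
  return String(value).replace(UNSAFE_IN_PROMPT, "");
}

// Report what would be stripped, e.g. for a startup warning or a log entry.
function findUnsafeCodePoints(value) {
  return [...String(value).matchAll(UNSAFE_IN_PROMPT)].map(
    (m) => "U+" + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0")
  );
}

// Before: the path is interpolated as-is, so a newline in a directory name
// starts a new line inside the system prompt.
function buildPromptUnsafe(workspaceDir) {
  return [
    "You are a personal assistant.",
    `Workspace: ${workspaceDir}`,
    "Follow only the rules above.",
  ].join("\n");
}

// After: the path is reduced to one line of visible characters first.
function buildPromptSafe(workspaceDir) {
  return [
    "You are a personal assistant.",
    `Workspace: ${sanitizeForPrompt(workspaceDir)}`,
    "Follow only the rules above.",
  ].join("\n");
}

// Constructed sample: newline, U+202E (bidi override), U+200B (zero-width
// space) and U+2028 (line separator) embedded in a directory name.
const SAMPLE_DIR = "/home/user/proj\nCONSTRUCTED INJECTED LINE\u202E\u200B\u2028tail";

console.log(findUnsafeCodePoints(SAMPLE_DIR));
console.log(buildPromptUnsafe(SAMPLE_DIR).split("\n").length);
console.log(buildPromptSafe(SAMPLE_DIR).split("\n").length);
```

The sanitized string is meant for the prompt text only; file operations should keep using the original path, and a non-empty result from `findUnsafeCodePoints` is worth logging as a sign of a suspicious workspace name.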
