OpenClaw-PwnKit lands RCE on vulnerable hosts

// 80d ago · OPENSOURCE RELEASE

OpenClaw-PwnKit is a 2026 open-source research framework for black-box adversarial attacks on LLM agent tool-calling. The repo claims it can optimize malicious triggers with CMA-ES (Covariance Matrix Adaptation Evolution Strategy, a gradient-free optimizer) to hijack tool calls and drive vulnerable OpenClaw-style agents into shell execution on the host.

// ANALYSIS

This is a sharp reminder that agent security breaks at the capability boundary, not the prompt boundary. If an attacker can steer a tool-calling model into invoking `bash` or another system tool, alignment alone is not a meaningful defense.
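
One way to picture enforcement at the capability boundary is a gate that sits between the model's requested tool call and the code that executes it. The following is a minimal sketch, not anything taken from the repo: the tool names, the `Session.tainted` flag, and the `authorize` helper are all hypothetical, and a real agent framework would supply its own equivalents.

```python
from dataclasses import dataclass, field

# Hypothetical tool names for illustration; not from OpenClaw or the repo.
ALLOWED_TOOLS = {"search", "read_file", "bash", "write_file"}
HIGH_RISK_TOOLS = {"bash", "write_file"}


@dataclass
class ToolCall:
    name: str
    args: dict = field(default_factory=dict)


@dataclass
class Session:
    # Assumed to be set to True once any external content (web page,
    # file, plugin) has entered the model's context.
    tainted: bool = False


def authorize(call: ToolCall, session: Session) -> tuple[bool, str]:
    """Decide whether a model-requested tool call may run.

    The decision depends only on the call and the session state, never
    on the model's own output, so a hijacked model cannot talk its way
    past the check.
    """
    if call.name not in ALLOWED_TOOLS:
        return False, f"unknown tool: {call.name}"
    if call.name in HIGH_RISK_TOOLS and session.tainted:
        return False, f"{call.name} blocked: untrusted content in context"
    return True, "ok"
```

In this sketch a `bash` call is allowed in a clean session and refused once the session has ingested external content, regardless of how the model was persuaded to request it. Production systems would likely want finer-grained rules, such as human approval instead of a flat refusal.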

– The core trick is gradient-free search in token embedding space, so the attack does not need model weights or internal gradients.
– The framework targets agent ingestion paths like web pages, files, and skill/plugin loading, which are exactly where real-world prompt injection risk lives.
– The repo is more than a toy PoC: it includes a C2 server, bot/session management, and post-exploitation plumbing.
– The big takeaway for builders is boring but important: sandbox tool execution, constrain permissions, and treat external content as hostile by default.
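
The "constrain permissions" advice in the last point can be sketched with the Python standard library alone. This is a hedged illustration for a POSIX host, not a complete sandbox: the `ALLOWED_BINARIES` set and the `run_tool_command` helper are hypothetical, and the approach narrows what a hijacked tool call can do without eliminating risk (an allowlisted `cat` can still read any file the process can). Real isolation would add an OS-level sandbox such as a container or a restricted user.

```python
import shlex
import subprocess
import tempfile

# Hypothetical allowlist; pick binaries that match the agent's actual job.
ALLOWED_BINARIES = {"ls", "cat", "echo"}


def run_tool_command(command: str, timeout_s: float = 5.0) -> subprocess.CompletedProcess:
    """Run an agent-requested command with a reduced blast radius."""
    # Split into argv ourselves so no shell ever interprets the string.
    argv = shlex.split(command)
    if not argv or argv[0] not in ALLOWED_BINARIES:
        raise PermissionError(f"binary not allowed: {argv[:1]}")
    # Run in a throwaway directory that is deleted afterwards.
    with tempfile.TemporaryDirectory() as workdir:
        return subprocess.run(
            argv,
            shell=False,                    # metacharacters like ; | && stay literal
            cwd=workdir,
            env={"PATH": "/usr/bin:/bin"},  # drop inherited secrets and tokens
            capture_output=True,
            text=True,
            timeout=timeout_s,              # raises TimeoutExpired on runaway commands
            check=False,
        )
```

Because no shell is involved, a request like `echo hi; id` passes `hi;` and `id` to `echo` as plain arguments instead of running a second command, and a request for `bash` is refused before anything executes.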

// TAGS

open-source, research, safety, agent, llm, openclaw-pwnkit

DISCOVERED

80d ago

2026-03-21

PUBLISHED

80d ago

2026-03-21

RELEVANCE

10/10

AUTHOR

Github Awesome
