360 Vulnerability Discovery Agent's Latest Findings: Three Major OpenClaw Vulnerabilities


According to a Sina Technology report on the evening of April 7, the 360 vulnerability discovery agent recently found and reported 3 high-value vulnerabilities in OpenClaw: 1 high-severity and 2 medium-severity. All of the newly discovered vulnerabilities have now been officially fixed and publicly disclosed.

All three newly discovered vulnerabilities target the core operating mechanisms of AI agents, and the risks directly affect the security of users' devices, data, and accounts. The harm is clear and direct. The high-severity vulnerability is in the local script approval and execution flow: the system checks only a script's approval status and does not verify whether the script's content has been tampered with. Once a script has passed approval, an attacker can replace its code and so execute unauthorized actions on the user's computer, leading to information theft, file modification, or even full control of the machine.
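The approval flaw described above, and one way to close it, as an added example that is not from the report or from OpenClaw's code: approval is bound to a SHA-256 digest of the script's content, and the bytes that were verified are the bytes handed on for execution. The `ApprovalStore` class, its method names, and the sample script are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

class ApprovalStore:
    """Hypothetical approval registry (illustrative, not OpenClaw's design)."""

    def __init__(self):
        self._digests = {}  # real path -> SHA-256 of the content at approval time

    def approve(self, path):
        with open(path, "rb") as f:
            self._digests[os.path.realpath(path)] = hashlib.sha256(f.read()).hexdigest()

    def is_approved_status_only(self, path):
        # The flawed pattern: approval is a flag on the path, content is ignored.
        return os.path.realpath(path) in self._digests

    def load_for_execution(self, path):
        """Return the approved bytes, or raise if the content no longer matches."""
        expected = self._digests.get(os.path.realpath(path))
        if expected is None:
            raise PermissionError("script was never approved")
        with open(path, "rb") as f:
            data = f.read()
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise PermissionError("script content changed after approval")
        # Run exactly these bytes; re-reading the file would reopen the gap.
        return data

def demo():
    """Approve a constructed script, change it, and compare both checks."""
    store = ApprovalStore()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "task.sh")
        with open(path, "wb") as f:
            f.write(b"echo approved\n")       # constructed sample content
        store.approve(path)
        approved = store.load_for_execution(path)
        with open(path, "wb") as f:
            f.write(b"echo replaced\n")       # content differs from what was approved
        status_only = store.is_approved_status_only(path)
        try:
            store.load_for_execution(path)
            content_bound = True
        except PermissionError:
            content_bound = False
    return approved, status_only, content_bound

if __name__ == "__main__":
    print(demo())
```

The status-only check still reports the changed file as approved, while the content-bound check rejects it.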

One of the medium-severity vulnerabilities is in the OAuth manual-paste authorization flow. Because the developer reused a security verification parameter that should stay confidential and local as a public parameter, key verification information leaks along with the callback URL. Attackers can steal this information via the clipboard, network proxies, and other methods, easily obtain access tokens, and take over the Google services associated with the user, posing a serious threat to users' account security and data privacy. The other medium-severity vulnerability is in the voice-call WebSocket data processing flow. The system does not validate incoming data in advance and instead processes oversized data packets directly. Attackers can exhaust system resources by sending massive numbers of large data packets, causing the device to lag and crash and making normal services unavailable.

According to the report, the 360 vulnerability discovery agent system has cumulatively discovered multiple high-value security vulnerabilities in mainstream AI agents. Unlike traditional rule-based vulnerability scanning tools, the 360 vulnerability discovery agent makes a leap from rule-driven operation to intelligent, reasoning-driven operation. It can precisely identify deep-seated risks in AI agents such as authorization logic defects, resource control vulnerabilities, and protocol implementation risks. Its more significant, milestone value lies in giving security researchers a digital carrier for the attack-and-defense intuition and domain experience they have accumulated over many years, one that can be accumulated, reused, and continuously evolved. Large amounts of repetitive, mechanical groundwork such as vulnerability identification, verification, and reproduction can now be handled efficiently by the vulnerability discovery agent. This frees security experts from tedious repetitive labor and lets them return to the most creative core of security research, rule design and risk assessment, maximizing the value of both human expertise and technical capability.

Sina statement: This message is reprinted from Sina’s partner media. Sina.com publishes this article for the purpose of conveying more information, and does not mean that it agrees with its viewpoints or confirms the descriptions made in it. The article content is for reference only and does not constitute investment advice. Investors act on this at their own risk.

Responsible editor: Song Yafang

(Interim Editor: Liu Chang)

[Disclaimer] This article only represents the author’s personal viewpoints and is unrelated to Hexun. The Hexun website maintains neutrality toward the statements and opinion judgments in the article, and provides no explicit or implicit guarantees regarding the accuracy, reliability, or completeness of any content contained herein. Readers are requested to use this information only as reference and assume all responsibility themselves. Email: news_center@staff.hexun.com
