BlockBeats News, March 5 — Web3 security firm GoPlus announced that the AI development tool OpenClaw recently experienced a “self-attack” security incident. During automated tasks, the system constructed incorrect Bash commands when calling Shell commands to create GitHub Issues, unintentionally triggering command injection and exposing a large number of sensitive environment variables.
In the incident, the AI-generated string contained a backtick-enclosed set, which Bash interpreted as command substitution and executed automatically. Since Bash outputs all current environment variables when running ‘set’ without parameters, over 100 lines of sensitive information—including Telegram keys, authentication tokens, and more—were directly written into the GitHub Issue and made public.
GoPlus recommends that in AI automation development or testing scenarios, API calls should be used instead of directly concatenating Shell commands. Environment variables should be isolated following the principle of least privilege, high-risk execution modes should be disabled, and manual review mechanisms should be introduced for critical operations.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Lido EarnETH Vault Exposed to $21.6M rsETH Following Kelp Bridge Exploit, DAO Sets $3M Loss Protection
On April 18, a Kelp cross-chain bridge exploit led to the theft of $292 million in rsETH. Lido reported $21.6 million in exposure via its EarnETH vault, prompting Aave to freeze relevant markets. EarnETH has paused transactions and is deleveraging, while Lido's DAO treasury implemented a $3 million protection mechanism to cover potential losses. The core staking protocol remains unaffected.
GateNews7m ago
Seven Israeli Officers Charged in Multimillion-Dollar Crypto Theft Ring
Israeli Security Forces Charged in Crypto Theft Case
Israeli authorities have charged seven military and police officers with running a multimillion-dollar theft and bribery ring involving cryptocurrency, marking the second crypto-related criminal case to hit the country's defence establishment in
CryptoFrontier4h ago
Ice Open Network Suffers Data Breach; User Emails and 2FA Phone Numbers Exposed
Ice Open Network reported a security breach on April 15, revealing unauthorized access to user data, including email addresses and 2FA phone numbers, but no financial data was compromised. The incident, linked to former partners of a service provider, is under legal review, and users are advised to update security settings. The breach highlights escalating security issues in the crypto sector, with significant losses reported in recent months.
GateNews7h ago
Russian Crypto Exchange Grinex Halts Operations After $13M Hack, Threatening Sanctions Evasion Network
Russian cryptocurrency exchange Grinex ceased operations after a cyberattack caused losses over $13 million. The shutdown impacts Russian businesses' ability to convert rubles internationally and challenges the country's shadow finance system.
GateNews9h ago
Kelp DAO Hack Attributed to Lazarus Group; eth.limo Domain Hijacked via Social Engineering
LayerZero reported that the Kelp DAO exploit, attributed to North Korea's Lazarus Group, led to a loss of $292 million in rsETH tokens due to vulnerabilities in its decentralized verifier network. Additionally, eth.limo faced a domain hijacking from a social engineering attack, but DNSSEC mitigated severe damage.
GateNews13h ago
