A hacker tricked a popular AI coding tool into installing OpenClaw – the viral, open-source AI agent that “actually does things” – absolutely everywhere. Funny as a stunt, but it’s a sign of what’s to come as more and more people let autonomous software use their computers on their behalf.
The hacker exploited a vulnerability in Cline, an open-source AI coding agent popular among developers. Security researcher Adnan Khan discovered the flaw and had published it as a proof of concept just a few days earlier. Simply put, Cline’s workflow used Anthropic’s Claude, which could be fed hidden instructions and made to do things it shouldn’t, a technique known as prompt injection.
The hacker used their access to slip in instructions that automatically install software on users’ computers. They could have installed anything, but they chose OpenClaw. Fortunately, the agents were not activated at the time of installation, otherwise it would have been a very different story.
This is a sign of how quickly things can unravel when AI agents are given control of our computers. Prompt injections may seem like clever wordplay – one group enticed chatbots to commit crimes with poetry – but in a world of increasingly autonomous software, they are massive security risks that are very difficult to protect against. Recognizing this, some companies instead lock down what AI tools can do if hijacked. For example, OpenAI recently introduced a new lockdown mode for ChatGPT that prevents it from giving away your data.
Obviously, it’s hard to defend against prompt injection if you ignore the researchers who privately tell you about the flaws. Khan said he warned Cline about the vulnerability weeks before publishing his findings. The vulnerability was fixed only after he called it out publicly.
