A single malicious message from an unauthenticated external user achieves full remote code execution on the host system via prompt injection through the unsandboxed exec tool.
Attacker → WhatsApp (TB-1) → Gateway (TB-2) → Context Assembly (TB-3) → Prompt Injection ⚡ → exec Tool (TB-5) → Host Shell RCE
Two-phase persistent attack: first poisons agent memory with malicious instructions, then waits for a legitimate user to trigger context retrieval, exfiltrating credentials across channels.
Attacker Chat → Memory Poison (T5) → Victim Triggers Retrieval → Poisoned Context (TB-3) → read auth-profiles.json → message → Attacker Channel
A malicious ClawHub plugin hooks into the engine pipeline, intercepts context assembly, injects persistent instructions, and writes cron jobs that survive plugin removal.
Malicious ClawHub Plugin → Hooks Engine → Intercept Context (TB-3) → Inject Instructions → Tool Calls (TB-5) → Write cron/jobs.json
Attacker compromises agent via one channel, then uses the agent's trusted identity to send social engineering messages to corporate Slack; users trust the agent implicitly.
Inject via Discord → Agent Compromised → message → Corp Slack → Users Trust Agent → Exfil → Discord
Exploiting the gateway's WebSocket server grants full control of the hub, enabling enumeration via mDNS and lateral movement to all connected peripheral devices.
Exploit WS Server → Full Gateway Control → Enumerate Nodes (mDNS) → Dispatch → macOS (TB-6) → Dispatch → iOS (TB-6) → Device Data Access
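Four of the chains above pass through the same two choke points: context assembly (TB-3), where untrusted text gets mixed with operator instructions, and tool execution (TB-5), where that context turns into an exec call, a file write or an outbound message. The following is an added example, not code from the original page and not the project's own implementation, of a provenance gate a defender could place between those two boundaries. It tags every context fragment with its origin and refuses high-impact or cross-channel tool calls whose context is tainted. The tool names (exec, write_file, read_file, message), the channel names and the origin labels are assumptions for the example; only auth-profiles.json and cron/jobs.json are taken from the page. The walk-throughs replay chains 1, 2 and 3 with constructed placeholder text.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    """One piece of assembled context, tagged with where it came from (TB-3)."""
    text: str
    origin: str            # "channel:<name>", "memory", "plugin:<name>", "tool:<name>" (assumed labels)
    authenticated: bool    # True only if the author is a verified operator
    secret: bool = False   # True if the fragment carries credential material


@dataclass(frozen=True)
class ToolCall:
    name: str              # assumed tool names: "exec", "write_file", "read_file", "message"
    args: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


HIGH_IMPACT_TOOLS = {"exec", "write_file"}
PERSISTENCE_PREFIXES = ("cron/",)          # page: cron/jobs.json survives plugin removal
SECRET_FILES = ("auth-profiles.json",)     # page: file read in the poisoned-memory chain


def tainted_origins(ctx):
    """Origins an attacker could have written to: unauthenticated senders,
    retrieved memory (poisonable in an earlier session) and plugin-injected text."""
    return sorted({f.origin for f in ctx
                   if not f.authenticated or f.origin.startswith(("memory", "plugin:"))})


def tool_result(name, args, text):
    """Wrap a tool's output as a context fragment, flagging reads of secret files."""
    path = args.get("path", "")
    is_secret = name == "read_file" and path.endswith(SECRET_FILES)
    return Fragment(text, origin=f"tool:{name}", authenticated=True, secret=is_secret)


def gate(call, ctx, request_channel, operator_approved=False):
    """Decide whether a tool call may cross TB-5, given the provenance of the
    context that produced it. Blocks exec/persistence from tainted context and
    cross-channel sends that would carry secrets or attacker-controlled text."""
    taint = tainted_origins(ctx)
    if call.name in HIGH_IMPACT_TOOLS and taint and not operator_approved:
        return Decision(False, f"{call.name} refused: context includes unvetted input from {taint}")
    path = call.args.get("path", "")
    if call.name == "write_file" and path.startswith(PERSISTENCE_PREFIXES) and not operator_approved:
        return Decision(False, "persistent job write requires explicit operator approval")
    if call.name == "message":
        target = call.args.get("channel")
        if target != request_channel:
            if any(f.secret for f in ctx):
                return Decision(False, f"cross-channel send to {target} refused: context holds secret material")
            if taint and not operator_approved:
                return Decision(False, f"cross-channel send to {target} refused: tainted context {taint}")
    return Decision(True, "ok")


# Constructed walk-throughs of the page's chains (placeholder text, no real payloads).
def chain_external_message_to_exec():
    ctx = [Fragment("[constructed message from unknown WhatsApp sender]",
                    origin="channel:whatsapp", authenticated=False)]
    return gate(ToolCall("exec", {"cmd": "id"}), ctx, request_channel="channel:whatsapp")


def chain_poisoned_memory_to_exfil():
    ctx = [
        Fragment("[legitimate operator question]", origin="channel:slack", authenticated=True),
        Fragment("[constructed entry written earlier by an unauthenticated user]",
                 origin="memory", authenticated=False),
        tool_result("read_file", {"path": "auth-profiles.json"}, "[redacted file contents]"),
    ]
    return gate(ToolCall("message", {"channel": "channel:telegram", "text": "..."}),
                ctx, request_channel="channel:slack")


def chain_plugin_persistence():
    ctx = [Fragment("[constructed instructions injected by a plugin hook]",
                    origin="plugin:example-plugin", authenticated=True)]
    return gate(ToolCall("write_file", {"path": "cron/jobs.json", "data": "{}"}),
                ctx, request_channel="channel:slack")


def benign_operator_exec():
    ctx = [Fragment("[operator request]", origin="channel:slack", authenticated=True)]
    return gate(ToolCall("exec", {"cmd": "uptime"}), ctx, request_channel="channel:slack")


if __name__ == "__main__":
    for fn in (chain_external_message_to_exec, chain_poisoned_memory_to_exfil,
               chain_plugin_persistence, benign_operator_exec):
        print(f"{fn.__name__}: {fn()}")
```

The design choice worth noting is that retrieved memory and plugin-injected text are tainted unconditionally, regardless of who is asking now: chain 2 works precisely because the victim's legitimate request is authenticated while the instructions it retrieves are not, so a gate that only checks the current sender would let it through. The secret flag on file reads is what stops the auth-profiles.json contents from being relayed to a different channel even when the operator is the one who triggered the read.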