BlockBeats 消息,3 月 5 日,Web3 安全公司 GoPlus 发文称,AI 开发工具 OpenClaw 近日被曝出现一次「自我攻击」安全事件。在执行自动化任务时,系统在调用 Shell 命令创建 GitHub Issue 过程中构造了错误的 Bash 指令,意外触发命令注入,导致大量敏感环境变量被公开。
事件中,AI 生成的字符串包含反引号包裹的 set,被 Bash 解释为命令替换并自动执行。由于 Bash 在无参数执行 set 时会输出当前所有环境变量,最终导致超过 100 行敏感信息(包括 Telegram 密钥、认证 Token 等)被直接写入 GitHub Issue 并公开发布。
GoPlus 建议,在 AI 自动化开发或测试场景中,应尽量使用 API 调用替代直接拼接 Shell 命令,并遵循最小权限原则隔离环境变量,同时禁用高风险执行模式,并在关键操作中引入人工审核机制。
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Gerelateerde artikelen
Aftermath Finance Opens Claims Page for Attack-Affected Users Following Last Week's Incident
According to Sui's official statement on X, Aftermath Finance has opened a claims page for users affected by last week's attack, with all refunds processed. When users reconnect to aftermath.finance, the system will prompt them to withdraw balances from Aftermath Perps. Affected users can contact th
GateNews54m geleden
Ripple Shares North Korean Hacker Intelligence with Crypto Industry as Attack Methods Shift to Social Engineering
According to BlockBeats, on May 5, Ripple announced it is sharing internal threat intelligence about North Korean hackers with the crypto industry through Crypto ISAC. The move addresses a fundamental shift in attack methodology: rather than exploiting smart contract code vulnerabilities, threat act
GateNews1u geleden
Tydro Halts All Markets on May 5 Due to Oracle Issue; User Funds Safe
According to BlockBeats, Tydro, a lending protocol in the Ink ecosystem, suspended all markets on May 5 following a third-party oracle issue report. The team confirmed user funds remain safe and is actively investigating the
GateNews1u geleden
摩斯密碼騙過 AI 代理!駭客誘騙 Grok 與 BankrBot 轉帳,得手 17 萬美元加密貨幣
X 平台爆出 AI 代理漏洞:攻擊者以 Bankr Club NFT 獲取 Grok 錢包轉帳權,再以摩斯密碼指令促使 BankrBot 未經人審就轉走約 3 億 DRB,市值約 17.5 萬美元。問題出在 BankrBot 架構未把 AI 輸出當作授權,資金已追回,將加強 API 金鑰與 IP 白名單等防護。
ChainNewsAbmedia2u geleden
Aave Seeks to Lift $73M ETH Freeze From Kelp DAO Exploit
Aave LLC filed an emergency motion in federal court on May 1 seeking to lift a court-ordered freeze on roughly $73 million in ether recovered from the April 18 Kelp DAO exploit, arguing that temporary possession of stolen assets does not equate to ownership. The motion challenges restrictions preven
CryptoFrontier3u geleden
