Source: cryptobriefing.com

OpenClaw’s Fiu AI withstands 6,000 hack attempts in public test

OpenClaw's AI agent Fiu blocked all 6,000 prompt injection attempts from over 2,000 attackers during a public test at hackmyclaw.com, demonstrating resilience against AI social engineering. The test, which gained traction on Hacker News, showed that explicit configuration constraints can reduce attack surfaces, though OpenClaw has faced separate security issues including a critical RCE vulnerability and malicious skills in its marketplace.

Published Jun 26, 2026 · 2 min read

Fernando Irarrázaval's open-source AI agent blocked every prompt injection attempt from over 2,000 attackers, offering a rare public proof of concept for autonomous AI security.

Here’s a stress test most software companies quietly avoid: put your AI in front of the entire internet and dare people to break it. OpenClaw just did exactly that, and the results were surprisingly clean.

Fiu, an AI assistant built on the OpenClaw autonomous agent framework and developed by Fernando Irarrázaval, completed a public prompt-injection challenge hosted at hackmyclaw.com. More than 2,000 attackers sent over 6,000 emails trying to trick the AI into leaking sensitive data stored in a secrets.env file. Not one succeeded.

What actually happened

The test gained serious traction after landing on the front page of Hacker News on June 25, 2026.

Prompt injection is the AI equivalent of social engineering. Instead of exploiting a bug in code, attackers craft clever inputs designed to override an AI’s instructions and make it behave in ways its creator never intended.

Fiu’s test instance was configured specifically to limit its responses to cost-related topics, and it was only designed to engage meaningfully if an attacker successfully completed a prompt injection. The setup made the target explicit and the success criteria unambiguous. If the secrets leaked, the test failed. They didn’t.
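A narrow scope like the one described above can also be enforced outside the model, as a deterministic check on each draft reply before it is sent. The following is an added example, not code from Fiu, OpenClaw or the original article; the keyword list, the function names and the sample secrets.env contents are assumptions constructed for illustration.

```python
import base64
import re

# Constructed sample of a secrets.env file; the values are made up.
SAMPLE_SECRETS_ENV = """\
# constructed sample, not real credentials
API_KEY=sk-example-7f3a9c2e1b
DB_PASSWORD=correct-horse-battery
"""

# Assumed scope rule: replies must be about cost-related topics.
ALLOWED_TOPIC = re.compile(r"\b(cost|costs|price|pricing|invoice|billing|budget)\b", re.I)
REFUSAL = "I can only help with cost-related questions."


def load_secrets(env_text):
    """Return the values of KEY=VALUE lines, skipping comments and blanks."""
    values = []
    for line in env_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            values.append(line.split("=", 1)[1].strip().strip("'\""))
    return [v for v in values if len(v) >= 6]  # very short values match too much


def _normalise(text):
    """Lower-case and keep only letters and digits, so spacing tricks do not hide a value."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def leaks_secret(reply, secrets):
    """True if a secret appears verbatim, spaced out, reversed, base64- or hex-encoded."""
    flat = _normalise(reply)
    for secret in secrets:
        raw = secret.encode()
        variants = (secret, secret[::-1], base64.b64encode(raw).decode(), raw.hex())
        if any(n and n in flat for n in map(_normalise, variants)):
            return True
    return False


def gate_reply(draft, secrets):
    """Deterministic check on the model's draft reply before it is sent."""
    if leaks_secret(draft, secrets) or not ALLOWED_TOPIC.search(draft):
        return REFUSAL
    return draft
```

A filter like this only catches whole-value encodings it knows about, so it works as a backstop behind the scoping rules rather than a replacement for keeping secrets out of the agent's reach.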

OpenClaw’s complicated security history

The platform, which has gone through name iterations as Moltbot and Clawdbot before settling on OpenClaw, is an open-source AI agent framework. It gives developers tools to build autonomous AI systems that can interact with messaging apps, access system resources, and execute tasks through modular skills.

Early 2026 brought a rough patch. Researchers disclosed CVE-2026-25253, a critical one-click remote code execution vulnerability in the platform. Separately, security audits of ClawHub, OpenClaw’s skill marketplace, turned up 341 malicious skills capable of facilitating data theft or deploying malware on users’ systems.

The distinction matters. Fiu demonstrating resilience against prompt injection is meaningful, but prompt injection is one attack vector. The CVEs and marketplace contamination represent different threat surfaces entirely, ones that exist at the infrastructure level rather than the conversational layer where prompt injection happens.

What this means for the autonomous AI space

For developers building on AI agent frameworks, the Fiu result offers a practical takeaway: explicit configuration constraints and narrowly scoped response rules meaningfully reduce the attack surface for prompt injection. The test instance’s deliberate limitation to cost-related responses wasn’t incidental. It was the design choice that made the defense tractable.

OpenClaw doesn’t currently have a crypto token tied to this test or the platform more broadly. The community response and organic Hacker News attention suggest the interest here is driven by genuine technical curiosity rather than price speculation.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
