[Developing situation]: Why you need to be careful giving your local LLMs tool access: OpenClaw just patched a Critical sandbox escape

Ant AI Security Lab found 33 vulnerabilities, including a critical flaw exposing local files to AI agents.

Deep Dive

Ant AI Security Lab, the security research arm of Ant Group, conducted a rigorous three-day audit of the popular OpenClaw framework, a tool used to connect local large language models (LLMs) to agent frameworks for tool calling. The audit resulted in a staggering 33 vulnerability reports, leading to a critical patch release (version 2026.3.28) that addresses eight of the most severe issues. The most alarming vulnerability patched is a high-severity sandbox escape within the framework's 'message' tool.

This specific sandbox escape flaw is particularly dangerous for local AI setups. It allowed the AI agent to bypass its intended isolation and read arbitrary files on the user's host computer. In practice, if a local LLM like Llama 3 or Claude 3.5 experiences a hallucination or is compromised via a prompt injection attack while using this tool, it could lead to the exposure of sensitive personal or system files that should be completely off-limits. The incident underscores that 'local' does not automatically mean 'secure' and that the frameworks wrapping these models require the same scrutiny as the models themselves.
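The following is an added illustration, not OpenClaw's code and not the patched 'message' tool: the page does not describe how the escape worked, so this example only assumes the generic shape of the problem, a file-reading tool that opens whatever path the model names. It places the trusting pattern next to a confined version that resolves the requested path (collapsing `..` and following symlinks) and refuses anything that lands outside an allow-listed sandbox directory. Every function name, the sandbox layout and the sample files are constructed for the demo.

```python
"""Confining a file-reading agent tool to a sandbox directory.

Added example (not OpenClaw's code). The tool, the directory layout and the
sample files below are constructed for illustration only.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class SandboxEscape(Exception):
    """Raised when a tool call tries to reach a path outside the sandbox."""


def read_file_naive(requested: str) -> str:
    # Vulnerable pattern: the tool trusts whatever path the model asks for,
    # so a prompt-injected or hallucinating model can name any host file.
    with open(requested, "r", encoding="utf-8") as fh:
        return fh.read()


def read_file_confined(sandbox_root: str, requested: str) -> str:
    # Hardened pattern: resolve the real target (following symlinks and '..')
    # and refuse anything that does not sit strictly inside the sandbox root.
    root = Path(sandbox_root).resolve()
    # pathlib replaces the left side when the right side is absolute, so an
    # absolute path from the model is simply resolved on its own and then
    # fails the containment check below.
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise SandboxEscape(f"refused {requested!r}: resolves outside sandbox")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_text(encoding="utf-8")


def build_demo_tree() -> tuple[str, str]:
    """Construct a sample layout: a sandbox holding one note, a 'secret' file
    outside it, and a symlink inside the sandbox that points at the secret."""
    base = tempfile.mkdtemp(prefix="agent-demo-")
    sandbox = os.path.join(base, "sandbox")
    os.mkdir(sandbox)
    Path(sandbox, "notes.txt").write_text("meeting at 10\n", encoding="utf-8")
    secret = os.path.join(base, "secret.txt")
    Path(secret).write_text("TOP SECRET (constructed)\n", encoding="utf-8")
    os.symlink(secret, os.path.join(sandbox, "link-to-secret"))
    return sandbox, secret


def run_requests(sandbox: str, requests: list[str]) -> dict[str, str]:
    """Feed model-chosen paths through the confined tool and record outcomes:
    the file content, "REFUSED" for an escape attempt, "MISSING" otherwise."""
    results: dict[str, str] = {}
    for req in requests:
        try:
            results[req] = read_file_confined(sandbox, req)
        except SandboxEscape:
            results[req] = "REFUSED"
        except FileNotFoundError:
            results[req] = "MISSING"
    return results


if __name__ == "__main__":
    sandbox_dir, secret_path = build_demo_tree()
    # The naive tool hands the secret straight back to the model.
    print("naive:", read_file_naive(secret_path).strip())
    # The confined tool allows only the in-sandbox note.
    for path, outcome in run_requests(
        sandbox_dir, ["notes.txt", "../secret.txt", secret_path, "link-to-secret"]
    ).items():
        print(f"confined {path!r}: {outcome.strip()}")
```

The containment check works on the resolved path rather than on the string the model supplied, which is what closes the three usual holes at once: `..` segments, absolute paths and symlinks planted inside the sandbox. A framework that wants finer control can layer an explicit allow-list of file names on top, but resolving first is the part that must not be skipped.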

The full list of advisories has been published on OpenClaw's GitHub security page. This discovery serves as a critical wake-up call for developers and enthusiasts in the local AI ecosystem, highlighting that agent frameworks represent a significant and often overlooked attack surface. Security must be baked into the entire toolchain, not just the core AI model.

Key Points
  • Ant AI Security Lab identified 33 vulnerabilities in OpenClaw during a three-day audit, leading to 8 critical patches.
  • The most severe flaw was a sandbox escape letting the 'message' tool read arbitrary host system files, bypassing isolation.
  • The risk is acute for local LLM setups where prompt injection or model hallucination could lead to direct data exposure.

Why It Matters

This exposes a critical attack surface in the local AI agent stack, proving that local models are not inherently safe from data breaches.