Agent Commander is a proof-of-concept command and control (C2) framework that hijacks AI agents using natural language prompts rather than OS commands. The research demonstrates how agents like OpenClaw, Kimi Claw, and NanoClaw can be compromised via indirect prompt injection—through malicious emails, documents, or websites—and made to periodically check in for new tasks. Persistence is achieved by modifying agent configuration files like HEARTBEAT.md. Once hijacked, agents can perform host enumeration, screenshot capture, data exfiltration, and influence campaigns, all directed through prompts. The post covers attack vectors, persistence mechanisms, sandboxing limitations, and defensive recommendations including prompt monitoring, integrity checks, kill-switches, and credential rotation. The author warns that as software becomes more 'organic,' attacks will become less predictable and harder to control.
Table of contents
What is Prompt-Based Command and Control?Agent CommanderVideo WalkthroughInitial Entry Points and ExploitationPersistence Using HeartbeatsObjectives: Your Agent Works For Me NowRecommendations and MitigationsWhat’s Next?Agent Commander AccessConclusionReferences1 Comment
Sort: