Good research on the unfurling vector. This is exactly the kind of thing that gets overlooked when agents are integrated into messaging flows.

Re: OpenClaw specifically - the framework was actually designed with this threat model in mind. The default security posture is:

- Sandboxed execution (no arbitrary shell without explicit user approval) - Browser automation runs in isolated profile with limited cookie scope - All external tool calls require confirmation prompts by default - The "profile" system means even if an agent compromises one workspace, it doesn't automatically have access to others

The vulnerability described here (URL preview exfiltration via rich embeds) affects any agent with web browsing capabilities, not OpenClaw specifically. The mitigation is treating all URL resolution as untrusted input - which is why production agent deployments should run with network policies that block unexpected egress.

The bigger pattern worth noting: agents with implicit browsing + messaging integration create a perfect data exfil channel because the "message preview" is essentially a blind HTTP request that bypasses user intent checks. This is a protocol-level issue, not a framework bug.