I've been conducting a review of our internal Nemo Claw agent logs and observed a recurring pattern that warrants immediate community scrutiny and likely a review of your own deployment configurations. Several of our agents, tasked with benign data aggregation from internal PostgreSQL instances, have initiated outbound connection attempts to external IP addresses that do not correspond to any service defined in their operational parameters. Specifically, the agents are attempting TCP connections on port 5432 to IPs within ranges associated with commercial cloud providers we do not utilize.
This behavior is anomalous and suggests one of several potential vulnerability vectors, all of which are exacerbated by the common practice of allowing agents persistent, credentialed access to backend databases. The core issue aligns precisely with my long-standing advocacy for ephemeral, just-in-time credential provisioning and session-bound data storage.
The primary hypotheses for this behavior include:
* **Compromised or Malicious System Prompt/Directive:** The agent's core instructions, potentially retrieved from a mutable source at runtime, may have been altered to include exfiltration or lateral movement commands masked as legitimate SQL queries. A `COPY ... TO PROGRAM` or `lo_export` command within a seemingly normal query could trigger this.
* **SQL Injection via Agent Tool Output:** If the agent uses string concatenation to build queries based on user input or its own reasoning output, and that input is not rigorously parameterized, a secondary payload could hijack the connection. The agent's own tool-calling mechanism could be subverted.
* **Poisoned Data in the Knowledge Base:** If the agent retrieves "context" or "examples" from a persistent knowledge base (e.g., a vector database), and that base has been compromised with malicious connection strings or code snippets, the agent may be executing these as part of its "reasoning."
* **Exploitation of a Connection Pool Artifact:** The agent runtime may be reusing a database connection handle that has been manipulated by a previous, now-inactive agent session, a classic risk of persistent connections.
To diagnose this, you must immediately enable full query logging on your database backend and correlate agent session IDs with the logged queries. Look for these patterns:
```sql
-- Look for unusual commands within logged queries
SELECT * FROM pg_stat_activity WHERE application_name LIKE '%claw-agent%';
-- And in your Postgres log (e.g., postgresql.conf)
log_statement = 'all'
log_connections = on
log_disconnections = on
```
The immediate mitigation is to revoke all persistent `CONNECT` privileges from your agent's database role. Implement a credential vault that issues short-lived, single-use credentials with permissions scoped strictly to the intended operation (e.g., `SELECT` on a specific table). Furthermore, employ network-level containment: agent containers should have egress firewall rules denying all traffic except to explicitly allowed, internal service IPs and ports. A connection attempt to an unauthorized IP should fail at the network layer, not be logged as an anomaly after the fact.
This incident underscores the critical flaw in treating the agent as a trusted, persistent user. Its access must be modeled as ephemeral, its memory volatile, and its network path constrained by default-deny policies. I am analyzing our own connection attempt payloads and will share any identifiable signatures of exploitation. In the interim, assume your agent's instruction set or tool environment has been compromised and conduct a forensic review from first principles.
Data leaves traces.