OpenClaw has addressed a high-severity security vulnerability that could have allowed malicious websites to silently connect to and fully hijack locally running AI agents through an exposed WebSocket interface.
The flaw, discovered by Oasis Security and dubbed “ClawJacked,” resides in OpenClaw’s core gateway architecture, requiring no third-party plugins, extensions, or marketplace components.
How the ClawJacked Attack Works
The attack scenario assumes a common developer setup:
- OpenClaw is running locally on a laptop
- The OpenClaw gateway exposes
- Access is protected by a password, but
The attack is triggered when a developer is lured to an attacker-controlled website via social engineering, phishing, or malicious ads.
Attack Chain Breakdown
- Malicious JavaScript on the website initiates a WebSocket connection to localhost on the OpenClaw gateway port
- The script brute-forces the gateway password, exploiting missing rate-limiting for localhost connections
- Upon successful authentication, the script registers itself as a trusted device
- The gateway auto-approves the device without any user prompt due to relaxed localhost security checks
- The attacker gains full administrative control over the AI agent
Once compromised, attackers can:
- Interact with the AI agent directly
- Dump configuration data
- Enumerate connected nodes
- Read application logs
- Abuse agent permissions across enterprise tools
Why Browsers Make This Attack Possible
Unlike standard HTTP requests, WebSocket connections are not blocked by browser cross-origin protections when targeting localhost.
This implicit trust model allows malicious JavaScript to silently communicate with local services — a design choice that significantly amplifies risk when combined with weak gateway protections.
Patch Released Within 24 Hours
Following responsible disclosure, OpenClaw released a fix in under 24 hours:
- Patched version: 2026.2.25
- Release date: February 26, 2026
Security Recommendations for Users
OpenClaw users are strongly advised to:
- Update to the latest version immediately
- Regularly audit trusted devices and agent access
- Apply strict governance controls for non-human (agentic) identities
- Avoid running OpenClaw on personal or production workstations without isolation
Growing Security Risks in the OpenClaw Ecosystem
The ClawJacked disclosure comes amid increasing scrutiny of OpenClaw’s security posture. AI agents often hold deep, persistent access to enterprise systems, meaning a single compromise can result in an outsized blast radius.
Internet-Exposed OpenClaw Instances
Recent reports have shown that OpenClaw instances exposed to the internet significantly increase attack surface:
- Each connected service expands potential lateral movement
- AI agents can be coerced into executing attacker-controlled actions
- Prompt injection attacks embedded in emails or Slack messages can trigger malicious agent behavior
Log Poisoning Bug Enables Indirect Prompt Injection
OpenClaw also patched a log poisoning vulnerability that allowed attackers to write malicious content into log files via unauthenticated WebSocket requests on TCP port 18789.
Because OpenClaw agents sometimes read their own logs for troubleshooting, attackers could exploit this behavior to inject indirect prompts, influencing agent reasoning and actions.
- Patched version: 2026.2.13
- Release date: February 14, 2026
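The log poisoning bug combines two conditions: unauthenticated input reaches the log file, and the agent later reads that file as if it were trustworthy. The following added example (written for this article, not OpenClaw's code; names and the record layout are assumptions) shows a log writer that cannot be made to forge records and a reader that hands log content to the agent as quoted data with its provenance attached.

```javascript
// Added example: tamper-resistant logging for input arriving on an
// unauthenticated WebSocket, plus a provenance-tagged view for the agent.
const MAX_FIELD = 512; // assumed cap on a single logged message

// Build one single-line JSON record. JSON.stringify escapes \r, \n and other
// control characters, so an injected payload cannot start a second record.
function writeLogRecord(event, message, ctx) {
  const record = {
    ts: ctx.now,
    event,
    authenticated: ctx.authenticated === true, // anything else is untrusted
    peer: ctx.peer,
    message: String(message).slice(0, MAX_FIELD),
  };
  return JSON.stringify(record);
}

// Parse a log file line by line; lines that are not valid records are counted
// rather than guessed at, so a partial write cannot smuggle in text.
function parseLog(text) {
  const records = [];
  let malformed = 0;
  for (const line of text.split("\n")) {
    if (line.trim() === "") continue;
    try { records.push(JSON.parse(line)); } catch { malformed++; }
  }
  return { records, malformed };
}

// Prepare log content for an agent's troubleshooting view: every message is
// re-quoted as a JSON string and labelled with whether its source was
// authenticated, so it is never concatenated into a prompt as free text.
function logViewForAgent(records) {
  return records.map(r => {
    const tag = r.authenticated ? "trusted" : "untrusted-input";
    return `[${r.ts}] ${r.event} (${tag}, peer=${r.peer}): ${JSON.stringify(r.message)}`;
  });
}
```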
Multiple High-Risk CVEs Addressed in 2026 Releases
In recent weeks, OpenClaw has patched multiple vulnerabilities — ranging from moderate to high severity — including:
- Remote Code Execution (RCE)
- Path Traversal
- Command Injection
- Server-Side Request Forgery (SSRF)
- Authentication Bypass
Affected versions were fixed across releases 2026.1.20, 2026.1.29, 2026.2.1, 2026.2.2, and 2026.2.14.
Malicious Skills Abusing the ClawHub Marketplace
Security researchers have also uncovered malicious AI skills uploaded to ClawHub, OpenClaw’s open skill marketplace.
Atomic Stealer Delivery via AI Skills
Threat actors have embedded malicious installation instructions inside seemingly benign skill documentation files. When followed by the AI agent, these instructions download and execute Atomic Stealer, a macOS information-stealing malware.
In several cases:
- Skills appeared clean on VirusTotal
- The AI agent autonomously executed the instructions
- Malicious commands were hosted externally
Researchers also identified social-engineering tactics where attackers left comments instructing users to manually run Terminal commands if a skill “didn’t work on macOS.”
Large-Scale Supply Chain Abuse Discovered
An analysis of 3,505 ClawHub skills revealed 71 malicious skills, including:
- Fake cryptocurrency utilities
- Agent-to-agent attack chains exploiting implicit trust between AI agents
- Wallet drainers redirecting funds to attacker-controlled addresses
Two notable skills were linked to a multi-layered crypto scam that instructed agents to:
- Store private keys in plaintext
- Purchase worthless tokens
- Route transactions through attacker infrastructure
Microsoft Warns Against Unsafe OpenClaw Deployments
The rising risks surrounding self-hosted AI agent runtimes prompted Microsoft to issue a security advisory.
Microsoft’s Recommended Safeguards
If OpenClaw must be evaluated:
- Deploy only in fully isolated environments (VMs or separate hardware)
- Use non-privileged, dedicated credentials
- Restrict access to non-sensitive data
- Implement continuous monitoring and rebuild plans
Final Takeaway
The ClawJacked vulnerability highlights a critical reality:
AI agents dramatically amplify security risk when core trust assumptions fail.
As agentic systems gain autonomy and deeper integrations, organizations must treat AI runtimes with the same caution as untrusted execution environments — or risk turning productivity tools into attack platforms.
