ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket

Source: The Hacker News

OpenClaw Fixes High‑Severity Security Issue (ClawJacked)

OpenClaw has fixed a high‑severity security issue that, if successfully exploited, could have allowed a malicious website to connect to a locally running artificial‑intelligence (AI) agent and take over control.

“Our vulnerability lives in the core system itself – no plugins, no marketplace, no user‑installed extensions – just the bare OpenClaw gateway, running exactly as documented,” Oasis Security said in a report published this week.
The flaw has been codenamed ClawJacked by the cybersecurity company.

Threat model

A developer has OpenClaw set up and running on their laptop, with its gateway (a local WebSocket server) bound to localhost and protected by a password. The attack assumes the developer visits an attacker‑controlled website (via social engineering or another vector).

The infection sequence proceeds as follows:

1. Malicious JavaScript on the web page opens a WebSocket connection to localhost on the OpenClaw gateway port.
2. The script brute‑forces the gateway password, exploiting a missing rate‑limiting mechanism.
3. After successful authentication with admin‑level permissions, the script stealthily registers as a trusted device, which the gateway auto‑approves without any user prompt.
4. The attacker gains complete control over the AI agent, allowing them to:
   • Interact with the agent
   • Dump configuration data
   • Enumerate connected nodes
   • Read application logs

“Any website you visit can open one to your localhost. Unlike regular HTTP requests, the browser doesn’t block these cross‑origin connections,” Oasis Security explained. “So while you’re browsing any website, JavaScript running on that page can silently open a connection to your local OpenClaw gateway. The user sees nothing.”

“That misplaced trust has real consequences. The gateway relaxes several security mechanisms for local connections—including silently approving new device registrations without prompting the user. Normally, when a new device connects, the user must confirm the pairing. From localhost, it’s automatic.”

Patch and remediation

Following responsible disclosure, OpenClaw released a fix in less than 24 hours with version 2026.2.25 (released February 26 2026). Users should:

• Apply the latest update immediately.
• Periodically audit access granted to AI agents.
• Enforce governance controls for non‑human (agentic) identities.

Context: broader security scrutiny

The development arrives amid heightened scrutiny of the OpenClaw ecosystem. AI agents possess entrenched access to disparate systems and can execute tasks across enterprise tools, dramatically expanding the blast radius if compromised.

• Bitsight and NeuralTrust have reported that OpenClaw instances exposed to the internet increase the attack surface. Each integrated service broadens the blast radius and can be weaponised via prompt injections embedded in content (e.g., email or Slack messages) processed by the agent.
• OpenClaw also patched a log‑poisoning vulnerability that allowed attackers to write malicious content to log files via WebSocket requests to a publicly accessible instance on TCP port 18789. Since the agent reads its own logs for troubleshooting, the flaw could be abused to embed indirect prompt injections, leading to unintended consequences.
  • The issue was addressed in version 2026.2.13 (shipped February 14 2026).
  • “If the injected text is interpreted as meaningful operational information rather than untrusted input, it could influence decisions, suggestions, or automated actions,” Eye Security noted. “The impact would therefore not be ‘instant takeover,’ but rather manipulation of agent reasoning, influencing troubleshooting steps, potential data disclosure if the agent is guided to reveal context, and indirect misuse of connected integrations.”

Recent OpenClaw vulnerabilities

In recent weeks, OpenClaw has been found susceptible to multiple vulnerabilities, including:

• CVE‑2026‑25593 – advisory link
• CVE‑2026‑24763 – advisory link
• CVE‑2026‑25157 – advisory link
• CVE‑2026‑25475 – advisory link
• CVE‑2026‑26319 – (details pending)

CVE‑2026‑26322, CVE‑2026‑26329 – OpenClaw Vulnerabilities
Source: Endor Labs

• Severity: moderate → high
• Impact: Remote code execution, command injection, SSRF, authentication bypass, path traversal
• Fixed in OpenClaw versions:

“As AI‑agent frameworks become more prevalent in enterprise environments, security analysis must evolve to address both traditional vulnerabilities and AI‑specific attack surfaces,” – Endor Labs.

Malicious Skills on ClawHub

Atomic Stealer Distribution

Research sources: The Hacker News, Trend Micro, CrowdStrike

• Threat actor: Cookie Spider (cybercrime group)
• Malware: Atomic Stealer – a macOS information stealer.
• Delivery vector: Malicious OpenClaw skills uploaded to ClawHub (the open marketplace for OpenClaw skills).

“The infection chain begins with a normal SKILL.md that installs a prerequisite,” – Trend Micro. “The skill appears harmless on the surface and was even labeled as benign on VirusTotal. OpenClaw then goes to the website, fetches the installation instructions, and proceeds with the installation if the LLM decides to follow the instructions.”

• Command host: openclawcli.vercel[.]app
• Payload server: 91.92.242[.]30 (malicious stealer download)

LiuComment Malware Campaign

Source: OpenGuardRails

• Actor: @liuhui1010
• Tactic: Posting comments on legitimate skill pages urging users to run a malicious terminal command when a skill “doesn’t work on macOS.”
• Payload: Same Atomic Stealer from 91.92.242[.]30.

Straiker Analysis – 71 Malicious Skills

Source: Straiker AI security

• Findings: 71 malicious skills out of 3,505 examined.

• Notable examples:

  1. bob‑p2p‑beta – Instructs AI agents to store Solana private keys in plaintext, purchase $BOB tokens on pump.fun, and route payments through attacker‑controlled infrastructure.
  2. runware – Poses as a benign image‑generation tool to gain developer trust.

• Actors:

  • “26medias” on ClawHub
  • “BobVonNeumann” on Moltbook (social network for AI agents) and X

“BobVonNeumann presents itself as an AI agent on Moltbook, a social network designed for agents to interact with each other,” said researchers Yash Somalkar and Dan Regalado. “From that position, it promotes its own malicious skills directly to other agents, exploiting the trust that agents are designed to extend to each other by default. It’s a supply‑chain attack with a social‑engineering layer built on top.”

Image

Recommendations

1. Audit skills before installation – review code, permissions, and external calls.
2. Never provide credentials or private keys unless absolutely required.
3. Monitor skill behavior – use runtime telemetry and sandboxing.

Microsoft Advisory on OpenClaw

Source: Microsoft Defender Security Research

“Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials,” the team warned. “It is not appropriate to run on a standard personal or enterprise workstation.”

Deployment guidance

• Use a fully isolated environment (dedicated VM or physical system).
• Run with non‑privileged, dedicated credentials.
• Restrict access to non‑sensitive data only.
• Implement continuous monitoring and maintain a rebuild plan for the runtime.

Stay Informed

Follow us for more security updates:

• Google News: Google
• Twitter: thehackersnews
• LinkedIn: The Hacker News