ClawJacked: When Visiting a Website Hijacks Your AI Agent
Source: Dev.to
The Rise of Autonomous AI Agents
2026 is the year AI agents went from chatbots to autonomous operators. OpenClaw — originally called Clawdbot before Anthropic forced a rebrand — became one of the fastest‑growing GitHub repos in history, hitting 135 000 stars in weeks.
Unlike traditional AI assistants that answer questions and forget, OpenClaw is different. It persists. It acts. It runs shell commands, manages files, browses the web, sends emails, and orchestrates your digital life through a local gateway server.
Architecture – a WebSocket gateway runs on your machine, AI‑agent nodes connect to it, and everything communicates through authenticated sessions. Your phone, laptop, and desktop are all linked through this gateway, sharing capabilities and context.
It’s powerful. It’s also a massive attack surface that nobody was thinking about.
The Confused Deputy Returns
The confused‑deputy problem has been around since 1988. The concept is simple: a program with elevated privileges gets tricked into misusing those privileges on behalf of an attacker. It underlies CSRF, SSRF, and countless other vulnerability classes.
ClawJacked is the confused‑deputy problem adapted for the AI‑agent era – and it’s worse than anything we’ve seen before, because the “deputy” in question has root‑level access to your digital life.
How ClawJacked Works: Four Steps to Full Takeover
Oasis Security researchers discovered that any website could take complete control of a locally running OpenClaw agent. The attack chain is elegant in its simplicity:
Step 1: WebSocket to Localhost
When you visit an attacker‑controlled website, JavaScript on the page opens a WebSocket connection to localhost on OpenClaw’s gateway port.
Key point: WebSocket connections to localhost are not blocked by cross‑origin policies. A standard HTTP request from a webpage to localhost is constrained by CORS (the browser withholds the response unless the server opts in), but the WebSocket handshake is not subject to CORS at all: the browser attaches an Origin header and leaves the decision entirely to the server.

```javascript
// This works from ANY website
const ws = new WebSocket('ws://localhost:GATEWAY_PORT');
```

Step 2: Brute‑Force the Gateway Password
OpenClaw’s gateway implements rate limiting for authentication attempts — except for localhost connections, which are exempt. Researchers demonstrated “hundreds of password guesses per second” from browser JavaScript, exhausting a dictionary of common passwords in under a second.
The security mechanism that trusts “local” connections is the crux of ClawJacked: “local” does not mean “trusted” when any website can reach localhost.
Step 3: Silent Device Registration
Once authenticated, the attacker’s script registers as a new device. Normally, device pairing requires user confirmation (a prompt asking “Do you want to trust this device?”). OpenClaw auto‑approves device pairings from localhost—no prompt, no notification. The attacker silently becomes a trusted device on your AI‑agent network.
Step 4: Full Agent Control
Game over. The attacker can now:
- Execute arbitrary commands on any connected node
- Read all files accessible to the AI agent
- Exfiltrate credentials, API keys, and secrets
- Access the camera and contacts on connected mobile devices
- Read application logs and audit trails
- Enumerate all paired devices across your network
- Instruct the AI agent to perform any action it’s capable of
All of this happens while the victim is browsing a webpage. No clicks. No downloads. No warnings.
The Trust Graph Problem
ClawJacked isn’t just about one vulnerability in one product. It exposes a fundamental architectural flaw in how we’re building AI‑agent systems: cascading trust.
OpenClaw’s gateway connects to nodes—macOS apps, iOS devices, other machines. Each node exposes capabilities: shell access, file system, camera, contacts, calendar. When you compromise the gateway, you don’t just compromise one device; you compromise every device that ever connected to it, and every service those devices can access.
Security researchers at Bitsight and NeuralTrust documented how this creates an expanding blast radius. If your OpenClaw agent is connected to:
- GitHub → attacker can push code to your repos
- Slack → attacker can read and send messages as you
- AWS → attacker can access your cloud infrastructure
- Email → attacker can exfiltrate sensitive communications
The trust graph means a single WebSocket connection from a webpage can cascade into access across dozens of systems. This is the “toxic combination” problem—legitimate agent‑to‑agent communications create exponential security risk when any link in the chain is compromised.
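The cascade described above can be made concrete with a small trust‑graph analysis. The block below is an added example, not code from the article or from the OpenClaw project; the node names, the edges and the idea that revoking a device removes it as a relay are all constructed assumptions. It computes the blast radius of a compromised gateway, the shortest trust chain to a given integration, and which single pairing revocation shrinks the radius most.

```javascript
// Added example (not from the article or the OpenClaw project): blast-radius
// analysis over a constructed trust graph. Node names and edges are assumptions.
const TRUST_GRAPH = {
  gateway:  ['macbook', 'iphone', 'desktop'],
  macbook:  ['github', 'slack', 'aws'],
  iphone:   ['camera', 'contacts', 'email'],
  desktop:  ['aws', 'email'],
  github: [], slack: [], aws: [], camera: [], contacts: [], email: [],
};

// Breadth-first search from `start`, skipping any nodes in `revoked` (a device
// whose pairing has been revoked no longer relays trust). Returns the sorted
// reachable nodes, excluding `start` itself.
function blastRadius(graph, start, revoked = []) {
  const blocked = new Set(revoked);
  const seen = new Set([start]);
  const queue = [start];
  while (queue.length > 0) {
    const node = queue.shift();
    for (const next of graph[node] || []) {
      if (blocked.has(next) || seen.has(next)) continue;
      seen.add(next);
      queue.push(next);
    }
  }
  seen.delete(start);
  return [...seen].sort();
}

// Shortest trust chain from `start` to `target` (the cascading chain a
// compromise at `start` would follow), or null if `target` is unreachable.
function trustChain(graph, start, target, revoked = []) {
  const blocked = new Set(revoked);
  const parent = new Map([[start, null]]);
  const queue = [start];
  while (queue.length > 0) {
    const node = queue.shift();
    if (node === target) {
      const chain = [];
      for (let n = node; n !== null; n = parent.get(n)) chain.unshift(n);
      return chain;
    }
    for (const next of graph[node] || []) {
      if (blocked.has(next) || parent.has(next)) continue;
      parent.set(next, node);
      queue.push(next);
    }
  }
  return null;
}

// Nodes whose revocation removes the most downstream reach: these are the
// pairings where an explicit user confirmation buys the most protection.
function revocationImpact(graph, start) {
  const baseline = blastRadius(graph, start).length;
  return Object.keys(graph)
    .filter((n) => n !== start)
    .map((n) => ({ node: n, lost: baseline - blastRadius(graph, start, [n]).length }))
    .sort((a, b) => b.lost - a.lost || a.node.localeCompare(b.node));
}
```

On this constructed graph, revoking the desktop alone does not remove AWS from the radius because the MacBook still reaches it; that is the "toxic combination" in miniature, and it is why an audit should look at capabilities shared across devices rather than at devices one at a time.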
Beyond OpenClaw: The Agent Security Crisis
A security audit conducted in late January 2026 identified 512 vulnerabilities in OpenClaw, eight of them classified as critical. In addition to ClawJacked (CVE‑2026‑25253), other notable CVEs include:
| CVE | Description |
|---|---|
| CVE‑2026‑25593 | Remote code execution |
| CVE‑2026‑24763 | Command injection |
| CVE‑2026‑25157 | SSRF |
| CVE‑2026‑25475 | Authentication bypass |
| CVE‑2026‑26319 | Path traversal |
| CVE‑2026‑26322 | Additional auth bypass |
| CVE‑2026‑26329 | Further RCE vectors |
But this isn’t an OpenClaw‑specific problem. Every locally‑running AI agent with a network listener is potentially vulnerable to the same class of attack.
Localhost Is Not a Security Boundary
The core lesson from ClawJacked is deceptively simple: localhost is not a trust boundary.
For decades developers have treated localhost connections as inherently trusted. “If someone can connect to localhost, they already have access to the machine.” That assumption was always fragile, but it held up when the only things connecting to localhost were other local processes.
Browsers changed that equation. WebSocket, WebRTC, and other browser APIs can reach localhost from any webpage. Your local services are exposed to every website you visit. And in the age of AI agents with expansive capabilities, the blast radius of that exposure is enormous.
What You Should Do Right Now
If you’re running OpenClaw
- Update to version 2026.2.25 or later immediately (patched within 24 hours of disclosure).
- Audit your connected devices and revoke any you don’t recognize.
- Review gateway logs for unexpected localhost connections.
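The log review in the last item can be scripted. The following is an added example, not OpenClaw's tooling: the key=value log format, the event names and every sample line are constructed, so parseLine() would need to be adapted to the real gateway's format. It flags the three signals that make up the ClawJacked pattern: a loopback peer that presents a browser Origin, a burst of authentication failures from one peer, and a device pairing recorded without explicit confirmation.

```javascript
// Added example (not OpenClaw's code): triage of gateway connection logs for
// the ClawJacked pattern. The log format and all sample lines are constructed.
const LOOPBACK_PEER = /^(127\.\d+\.\d+\.\d+|\[::1\]|localhost):\d+$/;
const BROWSER_ORIGIN = /^https?:\/\//;

// "<iso-timestamp> key=value key=value ..." -> object with numeric ts
function parseLine(line) {
  const [ts, ...rest] = line.trim().split(/\s+/);
  const fields = {};
  for (const kv of rest) {
    const i = kv.indexOf('=');
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return { ts: Date.parse(ts), ...fields };
}

// Three checks a defender can run over the connection log:
//  1. a loopback peer presenting a browser Origin (a web page, not a local process)
//  2. a burst of auth failures from one peer (brute force, loopback or not)
//  3. a device pairing recorded without explicit user confirmation
function triageGatewayLog(text, { maxFails = 20, windowMs = 10_000 } = {}) {
  const findings = [];
  const failTimes = new Map();   // peer -> recent auth_fail timestamps
  const flaggedBurst = new Set();
  for (const raw of text.split('\n')) {
    if (!raw.trim()) continue;
    const e = parseLine(raw);
    const local = LOOPBACK_PEER.test(e.peer || '');
    if (e.event === 'connect' && local && BROWSER_ORIGIN.test(e.origin || '')) {
      findings.push({ type: 'browser_origin_on_loopback', peer: e.peer, origin: e.origin });
    }
    if (e.event === 'auth_fail') {
      const times = (failTimes.get(e.peer) || []).filter((t) => e.ts - t <= windowMs);
      times.push(e.ts);
      failTimes.set(e.peer, times);
      if (times.length >= maxFails && !flaggedBurst.has(e.peer)) {
        flaggedBurst.add(e.peer);
        findings.push({ type: 'auth_bruteforce', peer: e.peer, failures: times.length });
      }
    }
    if (e.event === 'device_paired' && e.confirmed !== 'true') {
      findings.push({ type: 'unconfirmed_pairing', peer: e.peer, device: e.device, local });
    }
  }
  return findings;
}

// Constructed sample: one benign local client, then one browser-driven session
// that fails 40 times within a second, succeeds, and pairs without a prompt.
const SAMPLE_LOG = [
  '2026-02-26T09:00:01Z event=connect peer=127.0.0.1:50001 origin=-',
  '2026-02-26T09:00:01Z event=auth_ok peer=127.0.0.1:50001',
  '2026-02-26T10:12:03Z event=connect peer=127.0.0.1:51234 origin=https://attacker.example',
  ...Array.from({ length: 40 }, (_, i) =>
    `2026-02-26T10:12:03.${String(i * 20).padStart(3, '0')}Z event=auth_fail peer=127.0.0.1:51234`),
  '2026-02-26T10:12:04Z event=auth_ok peer=127.0.0.1:51234',
  '2026-02-26T10:12:04Z event=device_paired peer=127.0.0.1:51234 device=node-7f3a confirmed=false',
].join('\n');

// triageGatewayLog(SAMPLE_LOG) returns three findings, all for peer 127.0.0.1:51234
```

The first check is the most specific one: a local process connecting over WebSocket normally sends no Origin header, so a loopback connection carrying an http(s) Origin is a web page talking to the gateway, whether or not the later steps succeeded.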
If you’re building AI agents
- Never exempt localhost from authentication or rate‑limiting.
- Require explicit user confirmation for all device registrations, regardless of source.
- Implement origin checking on WebSocket connections.
- Apply zero‑trust principles — treat your AI agent as a privileged identity.
- Assume every integration expands your blast radius.
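The first three items in this list are mechanical enough to show in code. The block below is an added example written for this article, not OpenClaw's gateway code, and it does not depend on any OpenClaw API: the allow‑listed origin, the `x-device-id` header, the attempt limits and the plain‑text password comparison are all assumptions for illustration. It applies the same origin check, the same rate limit and the same pending‑until‑confirmed pairing rule to a loopback peer as to any other.

```javascript
// Added example (not OpenClaw's code): a gateway handshake policy that treats
// loopback exactly like any remote peer. Origins, header names and limits are
// assumptions for illustration.
const ALLOWED_ORIGINS = new Set(['http://127.0.0.1:18789']); // assumed: the gateway's own local UI only

// Decide whether a WebSocket upgrade request may proceed. Browsers always send
// Origin, so a tab on any website identifies itself here; the server, not the
// browser, has to reject it.
function checkUpgradeRequest(headers) {
  const origin = headers['origin'];
  if (origin === undefined) {
    // No Origin header: not a browser. Such clients still authenticate below.
    return { allowed: true, reason: 'non-browser client' };
  }
  if (ALLOWED_ORIGINS.has(origin)) return { allowed: true, reason: 'origin allow-listed' };
  return { allowed: false, reason: `origin ${origin} not allow-listed` };
}

// Fixed-window limiter keyed by peer address. There is no loopback exemption.
class AuthRateLimiter {
  constructor({ maxAttempts = 5, windowMs = 60_000 } = {}) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  allow(peer, now = Date.now()) {
    let b = this.buckets.get(peer);
    if (!b || now - b.start >= this.windowMs) {
      b = { start: now, count: 0 };
      this.buckets.set(peer, b);
    }
    b.count += 1;
    return b.count <= this.maxAttempts;
  }
}

// Compare secrets without an early exit on the first differing byte. A real
// gateway would store a password hash and use crypto.timingSafeEqual instead.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Device pairing: every registration starts pending and becomes trusted only
// after an explicit confirmation by the user, wherever the request came from.
class PairingRegistry {
  constructor() { this.devices = new Map(); }
  register(deviceId, peer) {
    this.devices.set(deviceId, { peer, status: 'pending' });
    return 'pending';
  }
  confirm(deviceId) {           // called from the user's confirmation prompt
    const d = this.devices.get(deviceId);
    if (d) d.status = 'trusted';
    return d ? d.status : undefined;
  }
  isTrusted(deviceId) {
    const d = this.devices.get(deviceId);
    return d !== undefined && d.status === 'trusted';
  }
}

// One connection attempt end to end; returns what the gateway would do.
function handleConnection({ headers, peer, password }, limiter, registry, expectedPassword, now = Date.now()) {
  const upgrade = checkUpgradeRequest(headers);
  if (!upgrade.allowed) return { step: 'upgrade', ok: false, reason: upgrade.reason };
  if (!limiter.allow(peer, now)) return { step: 'auth', ok: false, reason: 'rate limited' };
  if (!constantTimeEqual(password, expectedPassword)) return { step: 'auth', ok: false, reason: 'bad password' };
  const status = registry.register(headers['x-device-id'], peer);
  return { step: 'pair', ok: true, status };   // 'pending' until the user confirms
}
```

In a Node gateway, checkUpgradeRequest() is the decision to make inside the HTTP server's `upgrade` event handler before completing the handshake; the rate limiter and the pairing registry sit behind it on the authenticated path. The point of keying the limiter by peer rather than exempting 127.0.0.1 is that a browser tab and a native client look identical at the socket level.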
If you’re a security researcher
- AI‑agent gateways are the new attack surface. Every product running a local server with agent capabilities is a target.
- The confused‑deputy pattern applied to AI agents is a rich hunting ground.
- Trust‑graph analysis across agent integrations will reveal cascading vulnerability chains.
The Bigger Picture
We’re building systems that can execute commands, access files, send emails, and take actions across our digital lives — then connecting them to localhost with rate‑limiting disabled for “trusted” connections.
The era of AI agents is also the era of AI‑agent exploitation. ClawJacked is the first high‑profile example, but it won’t be the last. As autonomous AI systems proliferate, the attack surface isn’t the AI model — it’s the infrastructure we build around it.
The confused deputy got an upgrade. And it has root access.