ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents through WebSocket
- Mar 1
Key Findings
OpenClaw has fixed a high-severity security issue that could have allowed a malicious website to connect to a locally running AI agent and take over control.
The flaw, dubbed "ClawJacked" by Oasis Security, enables a malicious website to silently open a WebSocket connection to the local OpenClaw gateway and brute-force the password.
Upon successful authentication, the malicious script can register as a trusted device, which is automatically approved by the gateway without any user prompt, granting the attacker complete control over the AI agent.
Background
OpenClaw is an artificial intelligence (AI) agent framework that allows developers to build and integrate AI-powered applications into their software ecosystems. The platform consists of a local gateway that manages the lifecycle and interactions of these AI agents.
Attack Sequence
1. Malicious JavaScript on an attacker-controlled website opens a WebSocket connection to the local OpenClaw gateway running on the victim's machine.
2. The script brute-forces the gateway password by taking advantage of a missing rate-limiting mechanism.
3. After successful authentication, the script registers as a trusted device, which is automatically approved by the gateway without any user prompt.
4. The attacker gains complete control over the AI agent, allowing them to interact with it, dump configuration data, enumerate connected nodes, and read application logs.
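The sequence above depends on three gateway-side gaps: a web page can reach the local WebSocket, password guesses are unlimited, and device registration is approved without a prompt. The following JavaScript is an added sketch of the corresponding checks, not OpenClaw's code or its actual fix; the function names, the allowed origin and the limits are assumptions.

```javascript
// Added illustration, not OpenClaw code. Names, origin and limits are assumptions.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:3000"]); // hypothetical local UI
const MAX_FAILURES = 5;     // failed logins tolerated per window
const WINDOW_MS = 60000;    // sliding window length in milliseconds
const failures = new Map(); // client address -> timestamps of failed logins

// Browsers attach an Origin header to WebSocket handshakes, so a page served
// from another site can be refused before authentication is attempted.
function originAllowed(origin) {
  // Non-browser clients send no Origin; they must still authenticate.
  return origin === undefined || ALLOWED_ORIGINS.has(origin);
}

function recentFailures(addr, now) {
  return (failures.get(addr) || []).filter((t) => now - t < WINDOW_MS);
}

// Comparison whose running time does not depend on where the strings differ.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ (b.charCodeAt(i) || 0);
  return diff === 0;
}

// Decide what to do with one connection attempt. `state` holds the gateway
// password, the set of approved device ids and the set awaiting approval.
function handleConnection({ origin, remoteAddr, password, deviceId }, state, now) {
  if (!originAllowed(origin)) return { status: "rejected", reason: "origin" };
  // Throttle applies to every address, loopback included.
  if (recentFailures(remoteAddr, now).length >= MAX_FAILURES) {
    return { status: "rejected", reason: "rate_limit" };
  }
  if (!safeEqual(password, state.password)) {
    failures.set(remoteAddr, [...recentFailures(remoteAddr, now), now]);
    return { status: "rejected", reason: "auth" };
  }
  // A valid password alone does not make a device trusted: unknown devices
  // wait in a pending set until the user approves them out of band.
  if (!state.trustedDevices.has(deviceId)) {
    state.pendingDevices.add(deviceId);
    return { status: "pending_approval" };
  }
  return { status: "connected" };
}
```

Because the lockout is checked before the password, a correct guess made during the lockout window is refused as well, which is what bounds the guessing rate.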
Impact
The attacker can take full control of the victim's OpenClaw AI agent, enabling them to perform a wide range of malicious activities, such as data exfiltration, system manipulation, and lateral movement.
The attack is stealthy and does not require any user interaction beyond visiting the malicious website, making it a significant risk for developers who run OpenClaw on their local machines.
Mitigation
Users are advised to apply the latest OpenClaw updates (version 2026.2.25 or higher) as soon as possible to address the ClawJacked vulnerability.
Regularly audit access granted to AI agents and enforce appropriate governance controls for non-human (agentic) identities.
Broader Security Concerns
The disclosure comes amid broader security scrutiny of the OpenClaw ecosystem: AI agents hold entrenched access to disparate systems and the authority to execute tasks across enterprise tools, so a compromised agent has a significantly larger blast radius.
Recent vulnerabilities in OpenClaw have also included remote code execution, command injection, server-side request forgery (SSRF), authentication bypass, and path traversal issues.
As AI agent frameworks become more prevalent in enterprise environments, security analysis must evolve to address both traditional vulnerabilities and AI-specific attack surfaces.
Sources
https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html
https://x.com/TheCyberSecHub/status/2027803053848756619
https://www.linkedin.com/posts/dlross_clawjacked-flaw-lets-malicious-sites-hijack-activity-7433692491805208576-mKvx
https://www.facebook.com/thehackernews/posts/a-malicious-website-could-take-over-your-openclaw-ai-agent-without-any-click-bey/1306585174839396/
