OpenClaw Security
March 19, 2026
ClawJacked Exposed: How Malicious Websites Hijacked OpenClaw AI Agents in Seconds

Key Takeaways
- ClawJacked is a high-severity vulnerability in OpenClaw's gateway that allowed malicious websites to silently connect to localhost WebSocket servers and brute-force passwords at hundreds of attempts per second.
- No plugins, extensions, or user prompts were required—attackers gained admin-level control to interact with the AI agent, dump configurations, enumerate nodes, and execute commands.
- The flaw stemmed from localhost trust assumptions, disabled rate limiting for loopback connections, and automatic device approvals.
- OpenClaw patched it in version 2026.2.25 (released within 24 hours of disclosure); all users must update immediately.
- Post-patch, broader lessons apply to securing local AI agents against browser-based cross-origin attacks.
What Is OpenClaw?
OpenClaw is an open-source, self-hosted AI agent framework designed as a personal assistant that runs locally on developer machines. It integrates with messaging platforms like WhatsApp, Telegram, Slack, and Discord, manages calendars, executes shell commands, and automates workflows using connected large language models.
The core architecture revolves around a gateway—a local WebSocket server—and multiple nodes (such as macOS apps or other devices) that register capabilities like file access or system execution. Users interact via web dashboards or terminals, making it powerful yet deeply integrated with local systems.
Its rapid rise to over 100,000 GitHub stars highlighted its appeal, but also exposed risks in shadow AI deployments where agents hold sensitive credentials without centralized oversight.
Understanding the ClawJacked Vulnerability
Security analysis by Oasis Security revealed ClawJacked as a vulnerability chain enabling website-to-local agent takeover. Unlike supply-chain attacks via community skills, this flaw resided in the core gateway itself.
The gateway binds to localhost by default and relies on password or token authentication. Controlled testing showed that browser JavaScript could open WebSocket connections to this port without cross-origin restrictions, unlike cross-origin HTTP requests, whose responses the browser withholds unless CORS allows them.
Community feedback and exploit demonstrations confirmed the attack's stealth: victims experienced no visible indicators while attackers assumed full control.
Step-by-Step: How the ClawJacked Attack Works
The exploit chain unfolds silently in a victim's browser:
- Website Visit: The user lands on any attacker-controlled or compromised site.
- WebSocket Connection: Embedded JavaScript opens a WebSocket to the localhost OpenClaw gateway port (permitted by browser policy for loopback addresses).
- Password Brute-Force: No rate limiting or failure logging applies to localhost connections, enabling hundreds of guesses per second. Common or dictionary passwords fall in seconds to minutes.
- Trusted Device Registration: The gateway auto-approves localhost-originated pairings without prompts.
- Full Takeover: Authenticated sessions allow message injection to the AI agent, configuration dumps, node enumeration, log reading, and command execution across connected devices.
A typical proof-of-concept in browser JavaScript demonstrates sustained brute-forcing and subsequent agent interaction, all without user awareness.
Technical Deep Dive: Why Localhost WebSockets Fail to Be Secure
Analysis shows the root cause lies in mismatched trust models:
- Browser Behavior: The WebSocket handshake is not subject to the same-origin policy. The browser attaches an Origin header but does not block the connection, so script in any tab can reach the localhost gateway unless the server checks that header.
- Gateway Assumptions: Local connections were treated as inherently trusted, exempting rate limits and enabling silent approvals. This design suited CLI or companion apps but ignored adversarial browser contexts.
- Authentication Gaps: Password auth lacked loopback-specific throttling; even strong passwords were vulnerable at scale.
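The three root causes above can be made concrete as two gateway-side upgrade policies. The following is an added example written for this post, not OpenClaw's code: the request shape, the dashboard origin (a placeholder port), the attacker origin and the five-failures-per-minute threshold are all assumptions. The vulnerable policy exempts loopback peers from throttling and never looks at Origin; the hardened policy refuses any browser Origin the gateway does not serve its own dashboard from and throttles every peer, loopback included.

```javascript
// Added example (not OpenClaw's code): two upgrade policies for a local
// WebSocket gateway, modelling the trust gap described above. The request
// shape, origins and port are constructed for illustration.

const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Assumed dashboard origin; placeholder port, not OpenClaw's real one.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]);

// Vulnerable policy: a loopback peer is accepted unconditionally and exempted
// from throttling. Nothing distinguishes a CLI client from a browser tab.
function vulnerableUpgradePolicy(req) {
  return { accept: true, rateLimited: !LOOPBACK.has(req.remoteAddress) };
}

// Hardened policy: browsers always send Origin on a WebSocket handshake, so an
// Origin outside the gateway's own dashboard is refused at upgrade time, and
// throttling applies to every peer, loopback included. Native clients (CLI,
// companion app) send no Origin and are accepted but still throttled.
function hardenedUpgradePolicy(req, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  if (origin !== undefined && !allowedOrigins.has(origin)) {
    return { accept: false, reason: "origin-not-allowed" };
  }
  return { accept: true, rateLimited: true };
}

// Sliding-window failure counter keyed by peer address and Origin.
// Timestamps are passed in explicitly so the behaviour is deterministic.
class AuthThrottle {
  constructor(maxFailures, windowMs) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // key -> failure timestamps inside the window
  }
  key(req) {
    return `${req.remoteAddress}|${req.headers.origin ?? "no-origin"}`;
  }
  recent(req, now) {
    const k = this.key(req);
    const kept = (this.failures.get(k) ?? []).filter((ts) => now - ts < this.windowMs);
    this.failures.set(k, kept);
    return kept;
  }
  allowed(req, now) {
    return this.recent(req, now).length < this.maxFailures;
  }
  recordFailure(req, now) {
    this.recent(req, now).push(now);
  }
}

// Replays a burst of wrong password attempts from one peer at 200 per second
// (the order of magnitude quoted above) and counts how many reach the
// password check under a given policy. Used here only to compare policies.
function countAttemptsReachingAuth(policy, req, attempts, throttle) {
  let reachedAuth = 0;
  for (let i = 0; i < attempts; i++) {
    const now = i * 5; // milliseconds; 5 ms apart = 200 attempts per second
    const decision = policy(req);
    if (!decision.accept) continue;
    if (decision.rateLimited && !throttle.allowed(req, now)) continue;
    reachedAuth++;
    throttle.recordFailure(req, now); // every guess in the burst is wrong
  }
  return reachedAuth;
}

// Constructed requests: a browser tab on the same machine, and a local CLI.
const browserTab = { remoteAddress: "127.0.0.1", headers: { origin: "https://attacker.example" } };
const localCli = { remoteAddress: "127.0.0.1", headers: {} };

// Compares the two policies over the same burst (5 failures per minute allowed).
function compare(attempts = 1000) {
  return {
    vulnerableBrowser: countAttemptsReachingAuth(vulnerableUpgradePolicy, browserTab, attempts, new AuthThrottle(5, 60000)),
    hardenedBrowser: countAttemptsReachingAuth(hardenedUpgradePolicy, browserTab, attempts, new AuthThrottle(5, 60000)),
    hardenedCli: countAttemptsReachingAuth(hardenedUpgradePolicy, localCli, attempts, new AuthThrottle(5, 60000)),
  };
}

console.log(compare());
// → { vulnerableBrowser: 1000, hardenedBrowser: 0, hardenedCli: 5 }
```

Two design points follow from this. First, binding the gateway to a specific interface or adding firewall rules does nothing against a browser tab on the same host, because that traffic is loopback by construction; the Origin check is the control that matches the threat. Second, native clients legitimately send no Origin, so the throttle is what protects the password against a local process that guesses at speed; keying the throttle on peer plus Origin stops a single browser origin from locking out the CLI on the same address.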
Edge cases amplified risks:
- Multi-node setups exposed additional devices for enumeration and execution.
- Persistent gateway sessions allowed long-term data exfiltration via the AI agent (e.g., querying Slack for keys).
- Developers running OpenClaw alongside heavy browsing workflows faced elevated exposure.
This mirrors historical localhost exploits but stands out in agentic AI contexts, where agents hold broader system access than traditional servers.
Potential Impacts and Real-World Risks
Successful ClawJacked attacks equated to workstation compromise:
- Data Theft: Extraction of AI provider keys, messaging histories, and node configurations.
- Agent Manipulation: Instructing the AI to perform malicious tasks, such as sending emails or executing shell commands.
- Lateral Movement: Control over paired nodes for camera access, contacts, or file reads.
In developer environments, this risked API key leaks, intellectual property exposure, or ransomware facilitation. Broader ecosystem concerns included unmonitored shadow AI instances amplifying organizational blind spots.
Comparisons to related issues—such as malicious ClawHub skills or earlier token exfiltration CVEs—underscore OpenClaw's evolving threat surface, yet ClawJacked's no-interaction requirement made it uniquely severe.
How OpenClaw Responded and the Official Fix
OpenClaw classified ClawJacked as high severity and deployed fixes in under 24 hours. Version 2026.2.25 (and subsequent releases) introduced tightened WebSocket security checks, enforced rate limiting even for localhost, and prevented automatic approvals from cross-origin browser contexts.
The response demonstrates strong responsible disclosure handling. As of March 2026, all patched versions eliminate the brute-force vector while preserving core functionality.
Best Practices to Secure Your OpenClaw Setup
Immediate Action:
- Update to the latest release (2026.2.25 or higher) across all instances.
- Restart the gateway and verify the running version via the CLI or dashboard.
Advanced Configuration Tips:
- Prefer token-based authentication over passwords where possible; rotate tokens regularly.
- Bind the gateway to specific interfaces or use firewall rules to restrict localhost exposure.
- Enable logging for WebSocket connections and monitor for anomalous browser-originated traffic.
- Isolate OpenClaw nodes in sandboxed environments or containers to limit command execution scope.
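The logging and monitoring advice above only pays off if something reads the log. Below is an added example, not OpenClaw's code, of the two checks a defender would run over gateway authentication events: a browser Origin the gateway never serves its dashboard from, and a failure burst faster than a human types. The log line format, the sample lines, the dashboard origin and the thresholds are all constructed for illustration; a real gateway's log format will differ and the regular expression would be adapted to it.

```javascript
// Added example (not OpenClaw's code): flag brute-force and browser-originated
// authentication attempts in gateway logs. The log format below is assumed
// for illustration; real gateway logs will differ.

// Constructed sample: one CLI login, a burst of failures from a browser Origin
// on loopback, one dashboard login, one mistyped CLI password, one junk line.
const SAMPLE_LOG = [
  "2026-03-10T09:14:02.000Z ws-auth result=ok peer=127.0.0.1 origin=- client=cli",
  "2026-03-10T09:14:05.000Z ws-auth result=fail peer=127.0.0.1 origin=https://attacker.example",
  "2026-03-10T09:14:05.005Z ws-auth result=fail peer=127.0.0.1 origin=https://attacker.example",
  "2026-03-10T09:14:05.010Z ws-auth result=fail peer=127.0.0.1 origin=https://attacker.example",
  "2026-03-10T09:14:05.015Z ws-auth result=fail peer=127.0.0.1 origin=https://attacker.example",
  "2026-03-10T09:14:05.020Z ws-auth result=fail peer=127.0.0.1 origin=https://attacker.example",
  "2026-03-10T09:14:05.025Z ws-auth result=fail peer=127.0.0.1 origin=https://attacker.example",
  "2026-03-10T09:15:00.000Z ws-auth result=ok peer=127.0.0.1 origin=http://localhost:8080",
  "2026-03-10T09:16:10.000Z ws-auth result=fail peer=127.0.0.1 origin=- client=cli",
  "garbage line that should be skipped",
].join("\n");

const LINE_RE = /^(\S+) ws-auth result=(ok|fail) peer=(\S+) origin=(\S+)(?: client=(\S+))?$/;

// Parses one line of the assumed format; returns null for anything else.
function parseAuthLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ts: Date.parse(m[1]),
    result: m[2],
    peer: m[3],
    origin: m[4] === "-" ? null : m[4], // "-" means no Origin header (native client)
    client: m[5] ?? null,
  };
}

// Largest number of failures that fall inside any window of `windowMs`.
function peakFailuresInWindow(timestamps, windowMs) {
  const ts = [...timestamps].sort((a, b) => a - b);
  let start = 0;
  let peak = 0;
  for (let end = 0; end < ts.length; end++) {
    while (ts[end] - ts[start] >= windowMs) start++;
    peak = Math.max(peak, end - start + 1);
  }
  return peak;
}

// Groups events by peer address and Origin, then applies both detections.
// A native client (no Origin) is only flagged on a burst, so a mistyped
// CLI password does not raise an alert.
function detectSuspiciousAuth(logText, { allowedOrigins, burstThreshold = 5, windowMs = 1000 }) {
  const events = logText.split("\n").map(parseAuthLine).filter((e) => e !== null);
  const byKey = new Map();
  for (const e of events) {
    const key = `${e.peer}|${e.origin ?? "no-origin"}`;
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(e);
  }
  const alerts = [];
  for (const [key, evs] of byKey) {
    const { peer, origin } = evs[0];
    const reasons = [];
    if (origin !== null && !allowedOrigins.has(origin)) reasons.push("unexpected-browser-origin");
    const failTs = evs.filter((e) => e.result === "fail").map((e) => e.ts);
    const peak = peakFailuresInWindow(failTs, windowMs);
    if (peak >= burstThreshold) reasons.push(`auth-failure-burst:${peak}/${windowMs}ms`);
    if (reasons.length > 0) alerts.push({ key, peer, origin, failures: failTs.length, reasons });
  }
  return alerts;
}

// Assumed dashboard origin (placeholder port, not OpenClaw's real one).
const ALERTS = detectSuspiciousAuth(SAMPLE_LOG, { allowedOrigins: new Set(["http://localhost:8080"]) });
console.log(ALERTS);
```

The useful signal here is the combination: failures from loopback are routine (a developer retyping a password), and a browser Origin on loopback is expected for the dashboard, but an unknown Origin paired with sub-second failure spacing is exactly the pattern the attack chain produces and is cheap to alert on. On a patched gateway the same rule still catches a site probing for an older version.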
Organizational Governance:
- Inventory all local AI agents using endpoint tools.
- Audit integrations and revoke unnecessary credentials.
- Adopt zero-trust principles for non-human identities, treating agents as high-privilege entities.
Pitfalls to Avoid:
- Assuming localhost equals safe—browser ecosystems invalidate this.
- Delaying updates in multi-device fleets.
- Over-relying on community skills without verification.
Broader Lessons for AI Agent Security
ClawJacked highlights systemic challenges in local agent design: browser-local trust gaps, rapid adoption without security scaling, and the need for origin-aware protocols in WebSocket gateways.
Future frameworks should incorporate mandatory cross-origin validation, adaptive rate limiting, and formal security modeling. Developers building agents must prioritize localhost hardening alongside feature velocity.
Conclusion
The ClawJacked vulnerability exposed a critical gap in OpenClaw's architecture, but swift patching and transparent disclosure mitigated widespread exploitation. With updates applied, the focus shifts to proactive governance and hardened configurations.
Audit your OpenClaw installations today, apply the latest patch, and implement the security practices outlined above to safeguard your AI agents. Stay vigilant—local autonomy demands local security excellence.
Take Action Now: Check your version and update via official channels to eliminate ClawJacked risks permanently.