
ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket


OpenClaw, a widely used AI agent platform, has recently addressed a severe security vulnerability that could allow malicious websites to hijack locally running AI agents through a WebSocket connection. Discovered and disclosed by cybersecurity firm Oasis Security, the flaw dubbed ClawJacked targets the core OpenClaw gateway running on developers’ machines, enabling attackers to gain unauthorized control without user intervention.

The vulnerability exploits the fact that OpenClaw’s gateway—a local WebSocket server bound to localhost and protected by a password—lacks proper security restrictions such as rate limiting and user confirmation for new device registrations. By tricking a developer into visiting a malicious website, an attacker can use JavaScript to initiate a WebSocket connection to the local gateway. The script can then brute-force the password and automatically register as a trusted device, a process normally requiring user approval but bypassed here due to relaxed local security measures.

Once authenticated, attackers gain unrestricted access to the AI agent, allowing them to manipulate its operations, extract configuration data, enumerate connected nodes, and read logs—all silently and without any indication to the user. Oasis Security warns that browsers do not block these cross-origin localhost connections, which further enables the attack’s stealth.

Following responsible disclosure, OpenClaw swiftly released a patch in version 2026.2.25 on February 26, 2026, urging users to update immediately. Security experts recommend routine audits of AI agent access and the enforcement of strict governance policies around non-human or agentic identities, given the broad system access such AI agents hold in enterprise environments.

This vulnerability surfaces amid heightened scrutiny of OpenClaw’s ecosystem due to the significant security risks AI agents pose. OpenClaw agents can access multiple enterprise systems and perform complex tasks, magnifying the potential impact of any compromise. Additional vulnerabilities uncovered recently include a log poisoning flaw that enabled attackers to insert malicious content into log files, potentially manipulating AI agent behavior through indirect prompt injections. This issue was fixed in version 2026.2.13.

OpenClaw has also been found vulnerable to a range of other security issues with severity levels from moderate to high—such as remote code execution, command injection, server-side request forgery, authentication bypass, and path traversal—which have been patched progressively throughout early 2026.

The platform’s open skill marketplace, ClawHub, has become a focal point for attackers distributing malicious AI skills. Threat actors have exploited seemingly benign skills to deliver malware, including a new variant of the Atomic Stealer macOS information stealer. Some attacks leverage social engineering tactics, enticing users to run harmful commands under the guise of troubleshooting or enhancing skill functionality. Security researchers identified multiple malicious skills involved in cryptocurrency scams and agent-to-agent attack chains designed to siphon funds through compromised wallets.

Given the evolving threat landscape, cybersecurity experts and major companies like Microsoft have cautioned organizations to treat OpenClaw as a risky execution environment requiring strict isolation. Microsoft recommends running OpenClaw only within dedicated virtual machines or physical systems with limited credentials and access, continuous monitoring, and a robust incident recovery plan to mitigate risks such as credential theft and host compromise.

OpenClaw users and enterprises relying on AI agent frameworks should prioritize immediate patching, conduct regular security audits, scrutinize skills before installation, and implement governance controls to prevent unauthorized access and mitigate supply chain risks.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO