As AI agent frameworks like OpenClaw move from experimental tools into production workflows, small design assumptions can quickly turn into high-impact security vulnerabilities. In enterprise environments where agents can trigger actions across SaaS, cloud, and internal tools, a single overlooked flaw can translate into organization-wide impact.
Security researchers have disclosed a critical design flaw in OpenClaw that allows any malicious website you visit to silently connect to – and take control of – AI agents running on your local machine.
The issue, dubbed “ClawJacked” by researchers at Oasis Security, abuses how the OpenClaw gateway trusts WebSocket connections from localhost. By combining that trust with the browser’s ability to open cross-origin WebSocket connections to local services, an attacker can register a new device, gain interactive access to AI agents, and pivot across integrated tools.
How the ClawJacked Attack Works
At the center of the ClawJacked flaw is the OpenClaw gateway, a local service that coordinates AI agents and their connections to tools, SaaS apps, and internal systems.
Modern browsers block most cross-origin HTTP abuse, but WebSocket connections to localhost are still allowed. JavaScript running on any website can silently open a WebSocket connection to services listening on local ports, including the OpenClaw gateway.
Oasis Security found that the gateway then relaxes several security controls for connections originating from localhost, including auto-approving new device registrations without prompting the user. Once the malicious website’s script connects from localhost, the gateway treats it as trusted, registers the attacker-controlled device, and exposes management capabilities.
From there, the attacker can interact with agents, enumerate connected services, read logs and configuration data, and trigger automated actions across the victim’s environment – all through what looks like a legitimate local device.
Patch Status and Vendor Response
OpenClaw has addressed the ClawJacked issue in version 2026.2.25, released on February 26, 2026, following responsible disclosure.
The fixes tighten trust assumptions for WebSocket connections and adjust device registration logic so that localhost-originating connections no longer receive silent, automatic approval.
Separately, the project also patched a log poisoning / indirect prompt injection issue affecting gateway logs. That vulnerability allowed attackers to write crafted content into log files via WebSocket requests. Because OpenClaw agents can read their own logs during troubleshooting, a poisoned log entry could embed malicious instructions that the agent would then follow when processed through an LLM. This issue was mitigated in OpenClaw 2026.2.13 by sanitizing and truncating header values before they are written to logs and by treating logs as untrusted input when used in AI-assisted workflows.
OpenClaw Ecosystem Abuse: Skills and Malware Delivery
ClawJacked lands alongside a broader wave of research into how the OpenClaw ecosystem can be abused – from exposed instances to malicious skills and malware campaigns.
Recent reports from Bitsight, NeuralTrust, Trend Micro, OpenGuardrails, Koi Security, and OpenSourceMalware highlight that:
- Internet-exposed OpenClaw instances expand the attack surface, especially when agents are wired into high-privilege services.
- The ClawHub marketplace has been abused to distribute malicious skills that deliver a new variant of the Atomic Stealer macOS malware, adding to the wider family of macOS malware campaigns.
- Threat actors are dropping malicious terminal commands in skill comments, instructing users to “fix” non-working skills by manually running attacker-supplied commands.
In one documented chain, a seemingly benign ClawHub skill with a normal SKILL.md installer was marked clean on VirusTotal. When executed, OpenClaw fetched installation instructions from openclawcli.vercel[.]app. Those instructions included a hidden step that downloaded an Atomic Stealer payload from 91.92.242[.]30 and ran it on the victim’s system.
In another campaign, a threat actor using the handle @liuhui1010 left comments on legitimate skills telling users to run a terminal command if the skill “doesn’t work on macOS.” That command again retrieved Atomic Stealer from infrastructure previously documented for distributing the same malware.
Who Is at Risk?
Organizations are most exposed when they combine unpatched OpenClaw versions with high-privilege agent configurations and normal web browsing behavior.
High-risk use cases include security, DevOps, and knowledge worker environments where agents have access to email, chat, source code, CI/CD systems, ticketing platforms, and internal APIs. In such setups, a single visit to a malicious website can escalate into full agent compromise and lateral movement across connected services.
Detection and Mitigation
Key detection signals
Because ClawJacked operates through trusted local channels, detection is challenging, but defenders can still look for:
- Unexpected WebSocket connections to the OpenClaw gateway originating from browser processes.
- New device registrations in gateway logs that correlate with web browsing activity.
- Outbound traffic to known malicious infrastructure such as
91.92.242[.]30or domains hosting “helper” installers for ClawHub skills. - Unusual agent behavior, such as accessing resources outside of defined workflows.
Practical mitigation steps
Recommended mitigations include:
- Upgrading to OpenClaw 2026.2.25 or later across all deployments.
- Avoiding direct internet exposure of OpenClaw gateways and restricting access to localhost-bound services.
- Treating ClawHub and similar marketplaces as untrusted software supply chains and enforcing allowlists for skills.
- Applying least privilege to tools and connectors integrated with OpenClaw and separating highly sensitive operations into more tightly controlled agents.
- Explicitly classifying logs, documentation, and comments consumed by agents as untrusted input and adding guardrails and approvals around high-impact actions.
Strategic Takeaways
ClawJacked reinforces a broader shift: AI agents are quickly becoming a new control plane across enterprise environments. A compromise at the agent layer can bypass traditional endpoint and application controls and deliver immediate impact through legitimate automation channels.
For a wider view of how AI chatbot and agent vulnerabilities are reshaping the attack surface, see our analysis of AI chatbot vulnerabilities and military concerns.
Security teams should stop treating agent frameworks as experimental side tools and instead treat them as high-privilege platforms that require formal governance, version management, and continuous security review. OpenClaw’s recent patches are a step in that direction, but the ecosystem-level risks exposed by ClawHub malware campaigns show that the defensive model for agentic AI still has to mature.
