OpenClaw has recently addressed a critical security flaw that could have allowed unauthorized websites to gain control over local AI agents through WebSocket connections. Reported by Oasis Security, this vulnerability, named ‘ClawJacked,’ existed within the core OpenClaw system itself, excluding any plugins or extensions.
The identified threat scenario involves a developer running OpenClaw on a laptop, with the gateway operating via a local WebSocket server secured by a password. A malicious website could exploit this setup if a developer visits such a site through social engineering techniques. Upon accessing the site, malicious JavaScript could establish a WebSocket connection to the local OpenClaw gateway, bypassing rate-limiting to brute-force the password. Achieving admin-level access, the script could then register as a trusted device without user approval, gaining full control over the AI agent.
Exploiting Local Connections
Oasis Security highlighted how web browsers allow cross-origin WebSocket connections, meaning JavaScript from any site can silently connect to local services like OpenClaw, without user awareness. This is compounded by the gateway’s relaxed security for local connections, automatically approving new device registrations without user confirmation.
Following responsible disclosure, OpenClaw issued a patch within 24 hours, version 2026.2.25, dated February 26, 2026. Users are urged to update their systems immediately, regularly review AI agent access permissions, and implement stringent identity governance for non-human entities.
Broader Security Implications
This incident coincides with increasing scrutiny of OpenClaw’s security, exacerbated by AI agents’ broad access to diverse systems, potentially amplifying the impact of any breach. Reports from Bitsight and NeuralTrust indicate that internet-exposed OpenClaw instances could serve as attack vectors, with integrations expanding potential damage through embedded prompt injections in content.
Additionally, OpenClaw recently patched a log poisoning vulnerability that allowed attackers to inject malicious content into logs via WebSocket requests, which could be misinterpreted by the AI agent, leading to unintended consequences.
Recent Threats and Mitigation
OpenClaw’s vulnerabilities aren’t isolated. Recently, the platform faced multiple security issues, ranging from remote code execution to authentication bypass, addressed in various updates. The rise of OpenClaw in enterprises necessitates a nuanced security approach to both traditional and AI-specific vulnerabilities.
Meanwhile, malicious skills on ClawHub, OpenClaw’s skill marketplace, have been used to distribute the Atomic Stealer malware, highlighting the need for caution when installing new skills. Users are advised to audit skills, avoid unnecessary credential sharing, and monitor behavior closely.
Microsoft has also cautioned against unprotected OpenClaw deployments, which could lead to credential exposure and system compromise. It advises deploying OpenClaw in isolated environments with non-privileged credentials and continuous monitoring to mitigate risks.
The ongoing security challenges underscore the importance of vigilance and proactive measures in securing AI-driven platforms like OpenClaw against emerging threats.
