“ClawJacked” Flaw in OpenClaw Lets Malicious Websites Silently Hijack Local AI Agents, Researchers Warn

Recent research uncovered a critical vulnerability, dubbed ClawJacked, in the open-source AI agent OpenClaw. It allows unauthenticated websites to silently take over local AI agents, grant themselves full permissions, and execute arbitrary actions, all without user prompts or plugins.

OpenClaw is a self-hosted autonomous AI assistant that can:

  • Execute terminal & system commands
  • Read & write files
  • Orchestrate workflows across messaging apps, email, APIs, browsers
  • Operate autonomously as a “super-agent” building tasks and workflows on your behalf.

The fallout makes it one of the first major AI-agent breach vectors reported in 2026.


What the ClawJacked Vulnerability Is

The Attack Surface

  • Cause: OpenClaw’s local gateway treated any connection arriving from localhost (127.0.0.1) as trusted, including persistent WebSocket connections.
  • Issue: Browsers let scripts on any web page open WebSocket connections to services on localhost. The WebSocket handshake is not subject to the same-origin policy or CORS; the browser attaches an Origin header, but enforcing it is left entirely to the server.
  • Flaw: The OpenClaw gateway neither prompted the user nor validated the Origin header before accepting local connections.

This implicit trust exposed OpenClaw to a silent hijack — dubbed “ClawJacked” — where a single malicious browser tab could connect to and control a running AI agent.


Steps of the Exploit

  1. User visits a malicious webpage in their browser.
  2. The page opens a WebSocket to the local OpenClaw gateway.
  3. Because the gateway treats any loopback connection as a trusted local process, it neither challenges the connection nor warns the user.
  4. The page’s script brute-forces the gateway password; there is no rate limiting or lockout, so the guesses go unchecked.
  5. Once authenticated, the attacker gains:
    • full agent control,
    • ability to read sensitive data,
    • execute commands,
    • steal API keys, credentials, or files.

This means no phishing attachment, no dodgy binaries — only visiting a website could give an attacker total control.


Root Technical Cause

The core architectural mistake was assuming:

If a connection originates from localhost, it must be trusted.

But a loopback source address is not proof of authentication or safety: any web page the user opens can reach local ports through a WebSocket, so the request may originate from an attacker’s script running inside the user’s own browser.

This reflects a classic implicit trust assumption (pseudocode, simplified):

  // Flawed gateway logic: a loopback source address is taken as proof of trust.
  // There is no Origin check and no credential challenge on this path.
  if (connection.remoteAddress == "127.0.0.1") {
    grant_full_access();
  }

A web page’s script running in the user’s own browser satisfies this check exactly as a legitimate local process does, which leaves the logic open to abuse.
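The assumption above, as an added example that is not OpenClaw’s code: a loopback WebSocket gateway’s handshake policy written the flawed way beside a hardened one that validates the Origin header, requires a bearer token, and throttles failed attempts, driven by a simulated malicious page running the exploit sequence from the steps above. The request shape, port 18789, header names and the sample token are assumptions for illustration.

```javascript
// Added example, not OpenClaw's code. Request shape, port 18789, header names
// and the token value are assumptions for illustration.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Flawed policy: any loopback peer gets full access. No Origin check, no
// credential. A script in the victim's browser passes this like any local tool.
function flawedHandshake(req) {
  if (LOOPBACK.has(req.remoteAddress)) return { accept: true, reason: "loopback trusted" };
  return { accept: false, reason: "non-loopback" };
}

// Per-client failure counter with lockout, so a page cannot guess unthrottled.
class LoginThrottle {
  constructor({ maxFailures = 5, lockoutMs = 60000 } = {}) {
    Object.assign(this, { maxFailures, lockoutMs, state: new Map() }); // key -> { failures, lockedUntil }
  }
  isLocked(clientKey, now) {
    const s = this.state.get(clientKey);
    return s !== undefined && s.lockedUntil > now;
  }
  recordFailure(clientKey, now) {
    const s = this.state.get(clientKey) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.maxFailures) { s.lockedUntil = now + this.lockoutMs; s.failures = 0; }
    this.state.set(clientKey, s);
  }
  recordSuccess(clientKey) { this.state.delete(clientKey); }
}

// Compare every character so timing does not reveal how much of a guess matched
// (a length mismatch returns early; the token length is not treated as secret).
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened policy: (1) a browser always sends Origin on a WebSocket handshake and
// only an allowlisted Origin may proceed; (2) loopback plus an allowed Origin still
// proves nothing (a non-browser client can set any Origin), so a bearer token is
// always required; (3) failed credential checks are throttled per client.
function hardenedHandshake(req, policy, now) {
  const origin = req.headers.origin;
  // Keyed by peer address and Origin. A disallowed Origin never reaches the
  // failure counter, so a hostile page cannot lock out the legitimate UI.
  const clientKey = `${req.remoteAddress}|${origin === undefined ? "-" : origin}`;
  if (policy.throttle.isLocked(clientKey, now)) return { accept: false, reason: "locked out" };
  if (origin !== undefined && !policy.allowedOrigins.has(origin)) {
    return { accept: false, reason: "origin not allowed" };
  }
  const m = /^Bearer\s+(\S+)$/.exec(req.headers.authorization || "");
  const token = m ? m[1] : null;
  if (token === null || !constantTimeEqual(token, policy.token)) {
    policy.throttle.recordFailure(clientKey, now);
    return { accept: false, reason: "bad credentials" };
  }
  policy.throttle.recordSuccess(clientKey);
  return { accept: true, reason: "authenticated" };
}

// Drive a handshake policy with a series of guesses from 127.0.0.1, one per ms,
// as a page's background script would. Returns the accept count and reasons seen.
function simulateAttack(handshake, { origin, guesses, startMs = 0 }) {
  let accepted = 0;
  const reasons = {};
  guesses.forEach((guess, i) => {
    const headers = { host: "127.0.0.1:18789", authorization: `Bearer ${guess}` };
    if (origin !== undefined) headers.origin = origin;
    const r = handshake({ remoteAddress: "127.0.0.1", headers }, startMs + i);
    if (r.accept) accepted += 1;
    reasons[r.reason] = (reasons[r.reason] || 0) + 1;
  });
  return { accepted, reasons };
}

function runDemo() {
  const policy = {
    allowedOrigins: new Set(["http://127.0.0.1:18789"]), // the gateway's own UI (assumed)
    token: "s3cr3t-gateway-token",                        // constructed sample secret
    throttle: new LoginThrottle({ maxFailures: 5, lockoutMs: 60000 }),
  };
  const guesses = Array.from({ length: 20 }, (_, i) => `guess${i}`);
  guesses[12] = policy.token; // the 13th guess is right; the throttle must stop it
  const hardened = (req, now) => hardenedHandshake(req, policy, now);
  const evil = "https://evil.example";
  return {
    flawed: simulateAttack(flawedHandshake, { origin: evil, guesses }),
    hardenedBrowser: simulateAttack(hardened, { origin: evil, guesses }),
    hardenedNoOrigin: simulateAttack(hardened, { origin: undefined, guesses }),
    legitimateUi: hardened({ remoteAddress: "127.0.0.1", headers: {
      origin: "http://127.0.0.1:18789", authorization: `Bearer ${policy.token}` } }, 0).accept,
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Run it with node. The flawed policy accepts all 20 handshakes from the hostile page without ever looking at a credential; the hardened policy rejects the page on its Origin before any guess is evaluated, and a tokenless local process with no Origin is locked out after five failures, so the correct guess at attempt 13 is never even compared. The Origin check alone would not be enough, since a non-browser process on the machine can set any Origin, which is why the token is required even for an allowlisted origin.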


Severity & Impact

  • The vulnerability was trivial to exploit in tests — no visual indication or alerts to the user during the hijack.
  • Attackers could:
    • Execute arbitrary system calls via the agent
    • Read local files or private messaging data
    • Steal API keys & credentials
    • Pivot to other systems on the network using the credentials and access the agent holds

The risk is magnified by the fact that OpenClaw agents typically run with full user permissions on local machines.


Remediation & Fix

OpenClaw’s maintainers patched the flaw within ~24 hours after disclosure. Users must update to version 2026.2.25 or later to avoid this attack vector.

The patch likely removed the blind trust on localhost, adding:

  • origin validation,
  • authentication challenges,
  • stricter connection policies.

Broader Technical Context

This vulnerability is not an isolated bug; it stems from a pattern of insecure defaults:

How OpenClaw Grew So Fast

OpenClaw’s rapid adoption and feature-first development led to:

  • minimal initial security gating,
  • broad permissions for skills & plugins,
  • exposed agent instances online.

Linked Issues

Researchers have also found:

  • Malicious add-ons in community skill repos that target crypto wallets and deliver macOS malware.
  • Multiple high-severity CVEs, including one-click RCE and command injection.
  • Thousands of internet-exposed instances, putting credentials and data at risk.

Lessons for Secure AI Agent Design

  1. Never Implicitly Trust Local Connections
    Assumptions like “localhost is safe” break down when browser scripts can reach those interfaces without user approval.
  2. User-Visible Prompts Matter
    Any autonomous action that can affect system state should require explicit user affirmation.
  3. Integrate Identity Governance
    Treat AI agents like service identities with least privilege access, MFA, and lifecycle controls — not like casual scripts.
  4. Supply Chain Vetting
    Skill/plugin ecosystems for AI agents need firm vetting and automated security scans.

Final Thoughts

The ClawJacked vulnerability highlights a crucial point:

Autonomy without security controls = catastrophic risk.

As AI agents gain more control over workflows, files, and cloud resources, their attack surface grows. OpenClaw’s explosion in popularity outpaced basic security hardening and governance, and attackers pounced.