ClawJacked Flaw Allows Malicious Websites to Hijack OpenClaw AI Agents via WebSocket

OpenClaw has fixed a serious security issue that, if successfully exploited, could have allowed a malicious website to connect to an artificial intelligence (AI) agent and take control of it.
"The vulnerability resides in the core system itself – no plugins, no marketplace, no user-installed extensions – just a bare-bones OpenClaw gateway running as designed," Oasis Security said in a report published this week.
The cybersecurity company has codenamed the vulnerability ClawJacked.
The attack assumes the following threat model: a developer has OpenClaw set up and running on their laptop, with its gateway, a local WebSocket server, bound to localhost and protected by a password. The attack begins when the developer is lured, by social engineering or other means, to a website controlled by the attacker.
The infection sequence then follows these steps –
- Malicious JavaScript on the web page opens a WebSocket connection to the OpenClaw gateway port on localhost.
- The script brute-forces the gateway password, taking advantage of the absence of rate limiting.
- After authenticating with administrator-level permissions, the script silently registers itself as a trusted device, which the gateway approves automatically without notifying the user.
- The attacker now has full control over the AI agent and can interact with it, dump configuration data, enumerate connected nodes, and read application logs.
"Any website you visit can open a WebSocket connection to your localhost. Unlike regular HTTP requests, the browser does not block these cross-origin connections," Oasis Security said. "So while you're browsing any website, the JavaScript running on that page can silently open a connection to your local OpenClaw gateway. The user sees nothing."
"That misplaced trust has real consequences. The gateway relaxes several security measures for local connections – including silently approving the registration of a new device without notifying the user. Normally, when a new device connects, the user must confirm the pairing. From localhost, it's automatic."
Following responsible disclosure, OpenClaw shipped a fix in under 24 hours with version 2026.2.25, released on February 26, 2026. Users are advised to apply the latest update as soon as possible, periodically review the access granted to AI agents, and put appropriate non-human (agentic) identity management controls in place.
The development comes amid broad scrutiny of the security of the OpenClaw ecosystem, driven by the fact that AI agents hold concentrated access to many systems and the authority to act across business tools, which gives a compromise a far larger blast radius.
Reports from Bitsight and NeuralTrust detail how OpenClaw instances left exposed to the Internet create an expanded attack surface, and how each connected service widens the blast radius and can be weaponized by embedding prompt injections in content (e.g., an email or a Slack message) that the agent processes, causing it to perform malicious actions.
The disclosure comes as Eye Security also uncovered a log poisoning vulnerability in OpenClaw that allowed attackers to write arbitrary content into its log files via WebSocket requests sent to an instance exposed on TCP port 18789.
Because the agent reads its own logs when working on certain tasks, the flaw could be abused by a threat actor to plant prompt injections there, leading to unintended actions. The issue was addressed in version 2026.2.13, shipped on February 14, 2026.
"If the injected text is interpreted as legitimately logged information instead of untrusted input, it may influence decisions, suggestions, or automated actions," Eye Security said. "The impact is therefore not an 'immediate takeover,' but rather: manipulation of the agent's reasoning, influence over the steps it takes to solve a problem, possible disclosure of data if the agent is directed to reveal its context, and indirect misuse of connected integrations."
In recent weeks, OpenClaw has also been found to be affected by a series of vulnerabilities (CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26302, CVE-2026-26312, and CVE-2026-26329), ranging from moderate to critical in severity, that can result in remote code execution, command injection, server-side request forgery (SSRF), authentication bypass, and path traversal. The vulnerabilities have been addressed in OpenClaw versions 2026.1.20, 2026.1.29, 2026.2.1, 2026.2.2, and 2026.2.14.
"As AI agent frameworks become more common in enterprise environments, security analysis must evolve to address both traditional vulnerabilities and AI-specific attack surfaces," Endor Labs said.
Elsewhere, new research has shown that malicious skills uploaded to ClawHub, an open marketplace for OpenClaw skills, were used as delivery channels for a variant of Atomic Stealer, a macOS stealer developed and used by the cybercriminal actor known as Cookie Spider.
"The infection chain starts with a standard SKILL.md that installs a prerequisite," Trend Micro said. "The skill appears harmless from the outside and shows as clean on VirusTotal. OpenClaw then visits the website, downloads the installation instructions, and proceeds with the install if the LLM decides to follow them."
The instructions hosted on the website "openclawcli.vercel[.]app" contain a malicious command that downloads the stealer payload from an external server ("91.92.242[.]30") and runs it.
Threat hunters have also flagged a new malware delivery campaign in which a malicious actor named @liuhui1010 was observed leaving comments on official skill listing pages, urging users to run a supplied command in the Terminal app if the skill "doesn't work on macOS."
The command is designed to retrieve Atomic Stealer from "91.92.242[.]30," an IP address previously attributed by Koi Security and OpenSourceMalware to the distribution of the same malware through malicious skills uploaded to ClawHub.
In addition, a recent analysis of 3,505 ClawHub skills by AI security firm Straiker found no fewer than 71 malicious ones, some of which posed as legitimate cryptocurrency tools but contained hidden functionality to redirect funds to threat actor-controlled wallets.
Two other skills, bob-p2p-beta and runware, are designed for a multi-layered cryptocurrency scam that uses an agent-to-agent attack chain targeting the AI agent ecosystem. The skills are said to have been created by a threat actor operating under the aliases "26medias" on ClawHub and "BobVonNeumann" on Moltbook and X.
"BobVonNeumann presents himself as an AI agent on Moltbook, a social network designed for agents to communicate with each other," said researchers Yash Somalkar and Dan Regalado. "In that capacity, it pushes its malicious skills directly to other agents, exploiting trusting agents designed to automatically extend trust to each other. A supply chain attack with a social engineering layer built on top."
bob-p2p-beta, for its part, instructs other AI agents to store Solana wallet private keys in plaintext, buy worthless $BOB tokens on pump.fun, and route all payments through attacker-controlled infrastructure. The second skill provides an image-generation tool, apparently to build developer credibility.
As ClawHub becomes fertile new ground for attackers, users are advised to vet skills before installing them, avoid providing credentials and keys unless necessary, and monitor skill behavior.
Security risks associated with self-hosted agent runtimes such as OpenClaw have prompted Microsoft to issue an advisory warning that unsupervised use could lead to credential disclosure and exfiltration, memory manipulation, and host compromise if the agent is tricked into fetching and executing poisoned code, or through poisoned skills or content.
"Because of these characteristics, OpenClaw should be treated as an untrusted, exploitable service with persistent data," said the Microsoft Defender Security Research Team. "It is not safe to run in a standard personal or enterprise environment."
"If an organization decides that OpenClaw should be evaluated, it should only be used in a completely isolated environment such as a dedicated virtual machine or a separate virtual system. The runtime should use dedicated, non-privileged credentials and only access non-sensitive data. Continuous monitoring and refactoring should be part of the operating model."
