OpenClaw has addressed a critical security vulnerability, dubbed ClawJacked, that could have allowed a malicious website to gain unauthorized access to AI agents running on a visitor's own machine. The flaw, identified by Oasis Security, lies in the core OpenClaw gateway itself and does not involve any third-party plugins or extensions.
Oasis Security reported that the vulnerability could enable a malicious website, through social engineering or other means, to establish a connection with a developer’s local OpenClaw gateway. Once connected, an attacker could potentially take full control of the associated AI agent, interact with it, and access sensitive data.
OpenClaw Addresses Critical ClawJacked Vulnerability
The ClawJacked vulnerability presents a significant threat to users running OpenClaw, an AI agent framework. The attack chain begins when a user is lured to a malicious website and JavaScript on that page opens a WebSocket connection to the OpenClaw gateway listening on localhost. Unlike cross-origin fetch or XMLHttpRequest calls, which the browser restricts through CORS, a WebSocket handshake to another origin is not blocked by the browser: it carries an Origin header, but only the server can decide to reject it. A gateway that does not check that header accepts the connection, which is what makes silent exploitation possible.
According to Oasis Security's report, the script then exploits the absence of rate limiting on the gateway's authentication to brute-force the password. A successful login grants administrative privileges, and the script uses them to register itself as a trusted device. OpenClaw relaxes the pairing approval for connections that arrive from the local machine, so the registration completes automatically without any prompt to the user, even though the "local" client is a web page in the user's browser.
With trusted status, the attacker gains comprehensive control over the AI agent: interacting with it, extracting configuration data, enumerating connected nodes, and reading application logs. The user remains entirely unaware of the takeover while browsing the web.
In response to Oasis Security's responsible disclosure, OpenClaw has released a fix for ClawJacked in version 2026.2.25, published on February 26, 2026. Users are strongly urged to update to this version as soon as possible. Organizations should also audit periodically which systems and data their AI agents can reach, and enforce governance for agent identities.
Broader Security Scrutiny of OpenClaw Ecosystem
This recent discovery comes amidst heightened security scrutiny of the OpenClaw ecosystem. AI agents, by their nature, often possess entrenched access to various systems and the authority to perform tasks across enterprise tools. This broad access significantly increases the potential impact, or “blast radius,” if an agent is compromised.
Previous reports from cybersecurity firms like Bitsight and NeuralTrust have highlighted the expanded attack surface presented by OpenClaw instances connected to the internet. Each integrated service can amplify this risk, making compromised agents potent weapons for attackers. Techniques such as prompt injection, where malicious instructions are embedded in content processed by the agent, can lead to unauthorized actions.
In a related development, OpenClaw also recently patched a log poisoning vulnerability. The flaw, addressed in version 2026.2.13 on February 14, 2026, allowed attackers to inject arbitrary content into log files through WebSocket requests to publicly accessible instances. Because the injected text was recorded verbatim, an agent that later reads its own logs for troubleshooting would process attacker-controlled text as if it were trusted context, an indirect prompt injection that could steer the agent's reasoning, influence troubleshooting steps, or lead to unintended data disclosures.
The broader OpenClaw platform has faced a series of vulnerabilities in recent weeks, with multiple CVEs reported. These range from moderate to high severity and could lead to remote code execution, command injection, server-side request forgery, authentication bypass, and path traversal. OpenClaw has released updates (versions 2026.1.20, 2026.1.29, 2026.2.1, 2026.2.2, and 2026.2.14) to address these issues.
Malicious Skills and Malware Distribution on ClawHub
Security concerns have also extended to ClawHub, an open marketplace for downloading OpenClaw skills. New research indicates that malicious skills uploaded to this platform are being used to distribute information-stealing malware. One variant of Atomic Stealer, a macOS information stealer, has been linked to this campaign.
The infection chain typically begins with a seemingly harmless skill that installs "prerequisites". Such skills usually produce no detections on services like VirusTotal because the malicious instructions are not in the skill itself but on external websites it points to. When OpenClaw follows those instructions, it can be tricked into downloading and executing stealer payloads from attacker-controlled servers. Threat hunters have identified specific actors and IP addresses associated with this distribution method.
Furthermore, a significant number of malicious skills have been uncovered on ClawHub, some masquerading as legitimate cryptocurrency tools. These skills have contained hidden functionalities designed to redirect funds to threat actor-controlled wallets. Other skills have been linked to multi-layered cryptocurrency scams, employing agent-to-agent attack chains within the AI agent ecosystem and leveraging the inherent trust mechanisms between agents.
Given the increasing risk associated with ClawHub, users are advised to meticulously audit skills before installation, limit the provision of credentials and sensitive keys, and diligently monitor the behavior of installed skills. The widespread adoption of AI agent frameworks necessitates a parallel evolution in security practices to address both traditional vulnerabilities and AI-specific attack surfaces.
Microsoft has issued an advisory regarding the security risks of self-hosted AI agent runtimes like OpenClaw. The advisory warns that unguarded deployments can lead to credential exposure, memory modification, and host compromise if agents are manipulated into retrieving and executing malicious code. Microsoft recommends treating OpenClaw as untrusted code execution with persistent credentials and suggests deploying it only in fully isolated environments with non-privileged credentials and limited data access.
The ongoing discovery of vulnerabilities and malicious activities within the OpenClaw ecosystem underscores the critical need for continuous security vigilance. As AI agents become more integrated into critical systems, the proactive identification and remediation of security flaws, alongside robust user education and secure deployment practices, will be paramount in protecting against emerging threats like ClawJacked.