ClawJacked Vulnerability: Malicious Websites Hijack Local OpenClaw AI Agents
These articles are AI-generated summaries. Please check the original sources for full details.
ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket
OpenClaw recently patched ClawJacked, a high-severity flaw that allowed malicious websites to take over local AI agents over WebSocket. The vulnerability combines a missing rate limit on gateway password authentication with automatic approval of local devices, letting an attacker obtain admin-level permissions on the agent.
Why This Matters
Agentic AI frameworks often overlook the risk of cross-origin WebSocket connections, which browsers do not block by default. While idealized threat models assume the local environment is trusted, ClawJacked shows that a localhost binding can be reached through a developer's browser, leading to complete agent compromise and access to the enterprise systems the agent is integrated with. The flaw exposes a failure in the trust model: connections from localhost bypass the standard security prompts, effectively turning a local AI agent into a gateway for remote attackers.
Key Insights
- OpenClaw version 2026.2.25 was released on February 26, 2026, to address a critical missing rate-limiting mechanism in the gateway password authentication.
- Log poisoning vulnerabilities documented by Eye Security in 2026 allowed attackers to inject indirect prompt-injection payloads into OpenClaw logs via TCP port 18789.
- A recent analysis of 3,505 ClawHub skills by Straiker uncovered 71 malicious skills, including bob-p2p-beta which targets Solana wallet private keys.
- Trend Micro reported in 2026 that Atomic Stealer malware is being distributed through ClawHub using SKILL.md files that fetch payloads from external servers such as 91.92.242.30.
Practical Applications
- Deployment of OpenClaw in isolated virtual machines; Pitfall: Running agents on standard enterprise workstations can lead to credential exfiltration and host compromise.
- Periodic auditing of AI agent access and connected nodes; Pitfall: Relying on default localhost trust allows silent, unauthorized device registration without user confirmation.
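The two weaknesses the article attributes to ClawJacked (no rate limit on gateway password authentication, and automatic approval of local devices) and the pitfall above about default localhost trust map onto three server-side checks a local agent gateway should perform on every WebSocket handshake: validate the browser-supplied Origin header (browsers send it on every WebSocket handshake but do not enforce same-origin for WebSockets, so the server must), throttle failed password attempts per client, and never promote a pairing request to an approved device without an explicit operator decision, even when the peer is loopback. The following is an added example written for this page, not OpenClaw's own code; GatewayPolicy, check_handshake, check_password, request_pairing and approve_device are hypothetical names, and the allowed origin http://localhost:8080 and the device/IP values are constructed.

```python
"""Defensive handshake checks for a localhost WebSocket agent gateway.

Added example (not OpenClaw's code). It models the checks a local
gateway needs so that a web page loaded in the operator's browser
cannot silently authenticate to, or register a device with, the agent.
All class, method and sample values below are hypothetical/constructed.
"""
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class GatewayPolicy:
    # Origins allowed to open a WebSocket to the gateway (constructed value).
    allowed_origins: set
    # Failed password attempts tolerated per client within the window.
    max_failures: int = 5
    window_seconds: float = 60.0
    # client -> timestamps of recent failures (in-memory state for the example)
    failures: dict = field(default_factory=dict)
    # device_id -> peer address, awaiting an explicit operator decision
    pending_devices: dict = field(default_factory=dict)
    approved_devices: set = field(default_factory=set)

    def origin_allowed(self, headers: dict) -> bool:
        """A browser always sets Origin; a page from anywhere else is refused.
        A missing Origin means a non-browser client, which this check does
        not aim to stop (it targets browser-driven cross-site WebSocket use)."""
        origin = headers.get("Origin")
        return origin is None or origin in self.allowed_origins

    def _recent_failures(self, client: str, now: float) -> list:
        """Drop failures older than the window and return the live list."""
        cutoff = now - self.window_seconds
        recent = [t for t in self.failures.get(client, []) if t > cutoff]
        self.failures[client] = recent
        return recent

    def is_locked_out(self, client: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        return len(self._recent_failures(client, now)) >= self.max_failures

    def check_handshake(self, headers: dict, client: str, now: float = None) -> str:
        """Decide whether to accept a WebSocket upgrade from `client`."""
        if not self.origin_allowed(headers):
            return "reject_origin"
        if self.is_locked_out(client, now):
            return "reject_locked"
        return "accept"

    def check_password(self, client: str, supplied: str, expected: str,
                       now: float = None) -> str:
        """Rate-limited gateway password check; constant-time comparison."""
        now = time.monotonic() if now is None else now
        if self.is_locked_out(client, now):
            return "locked_out"
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            self.failures.pop(client, None)
            return "ok"
        self._recent_failures(client, now).append(now)
        return "bad_password"

    def request_pairing(self, device_id: str, peer_ip: str) -> str:
        """A loopback peer is NOT auto-approved: every request waits for the operator."""
        self.pending_devices[device_id] = peer_ip
        return "pending"

    def approve_device(self, device_id: str, operator_confirmed: bool) -> bool:
        """Only an explicit operator confirmation moves a device to approved."""
        if not operator_confirmed or device_id not in self.pending_devices:
            return False
        self.pending_devices.pop(device_id)
        self.approved_devices.add(device_id)
        return True


if __name__ == "__main__":
    policy = GatewayPolicy(allowed_origins={"http://localhost:8080"})
    # A page served from an unrelated site is refused at the handshake.
    print(policy.check_handshake({"Origin": "https://untrusted.example"}, "127.0.0.1"))
    # Five wrong passwords from loopback lock the client out for the window.
    for i in range(5):
        policy.check_password("127.0.0.1", "wrong", "s3cret", now=100.0 + i)
    print(policy.check_password("127.0.0.1", "s3cret", "s3cret", now=106.0))
    # Pairing from loopback stays pending until the operator confirms.
    print(policy.request_pairing("dev-1", "127.0.0.1"))
```

The Origin check only defends against browser-initiated connections, since a native client can send any header; its purpose is exactly the ClawJacked scenario, a page in the developer's browser reaching the loopback listener. The lockout applies to the handshake as well as to password checks so that a browser that has already exhausted its attempts cannot keep opening new sockets.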