Latest OpenClaw Flaw Can Let Malicious Websites Hijack Local AI Agents
The list of vulnerabilities and other security problems connected to the OpenClaw AI personal assistant introduced in late January has grown rapidly over those few weeks, creating a situation where the tool is widely popular with developers and other users but deemed a significant risk by security researchers.

As two Cisco analysts wrote last month, “from a capability perspective, OpenClaw is groundbreaking. This is everything personal AI assistant developers have always wanted to achieve. From a security perspective, it’s an absolute nightmare.”

It’s a self-hosted AI agent that is integrated with WhatsApp, Telegram, Discord, and similar apps and used for everything from summarizing conversations and scheduling meetings to executing code, managing calendars, and booking flights. Users interact with it through a web dashboard or terminal.

Gartner analysts called the agent’s security risks “unacceptable,” noting that its design is “insecure by default.” The danger is that OpenClaw is highly autonomous, designed for capability rather than security, and often operates with full system privileges. It has access to sensitive data, can interact with untrusted content, and – through such actions as writing and sending emails and posting messages on social media – can act outside of a user’s system.

According to Oasis Security researchers, “for many organizations, OpenClaw installations represent a growing category of shadow AI: developer-adopted tools that operate outside IT’s visibility, often with broad access to local systems and credentials, and no centralized governance.”

The ClawJacked Vulnerability

Oasis in recent days added to the expanding library of OpenClaw-related security concerns, writing in a report that a vulnerability – dubbed “ClawJacked” – they found lets any website silently take full control of a developer’s AI agent without the need for plugins, extensions, or user interaction.
They’re urging OpenClaw users to immediately upgrade to version 2026.2.25 or later, with the latest version including a fix for the flaw. The OpenClaw security team developed the fix within 24 hours of being notified about the vulnerability.

The threat they found is different from other security issues, which have included researchers finding thousands of malicious skills in OpenClaw’s ClawHub marketplace, OpenClaw instances left connected to the internet, a log poisoning vulnerability, and the AI tool being used to deliver malware.

‘Inherent Trust’ Raises the Risk

The risk in the case found by Oasis is the inherent trust that OpenClaw’s gateway – a local WebSocket server that handles authentication, manages chat sessions, stores configuration, and orchestrates the agent – has with locally originating connections, the researchers wrote in the report.

“This makes sense when you think about the intended use case – local tools like the CLI, the macOS companion app, or the web dashboard all connect from localhost,” they wrote. “But the designers likely did not consider this scenario: a third-party website, controlled by an attacker, whose code also runs in the browser and originates from localhost in the context of the connection. That misplaced trust has real consequences.”

OpenClaw not only includes the gateway, but it’s also connected to nodes, which “can be the macOS companion app, an iOS device, or other machines. Nodes register with the gateway and expose capabilities, running system commands, accessing the camera, reading contacts, and more.”

“The gateway binds to localhost by default, based on the assumption that local access is inherently trusted,” they wrote. “That assumption is where things break down.”

Silent Compromise

The problem comes if the user visits a malicious site. With WebSockets, any site can open a connection to localhost and the browser won’t block it.
JavaScript running on the page can silently open a connection to a user’s OpenClaw gateway without the user knowing. The malicious script can brute force the gateway’s password at hundreds of attempts per second because the feature limiting the number of attempts exempts localhost connections. Once authenticated, the script silently registers as a trusted device, with the gateway automatically approving device pairings from localhost without prompting the user.

“The attacker then has full control,” the researchers wrote. “They can interact with the AI agent, dump configuration data, enumerate connected devices, and read logs.”

What to Do

Along with updating to the latest version of OpenClaw, organizations need to inventory the AI assistants and agents being used by developers, review the access that is given to agents, audit the credentials and capabilities of each instance of OpenClaw, and create governance for non-human identities.

“AI agents are a new class of identity in your organization – they authenticate, hold credentials, and take autonomous actions,” they wrote. “They need to be governed with the same rigor as human users and service accounts. … As AI agents become standard tools in every developer’s workflow, the question isn’t whether to adopt them, it’s whether you can govern them.”

Usefulness Over Security

ClawJacked highlighted the ongoing problem of the development of AI and agents outpacing the security for them.

“What stands out is that it’s clear that product usefulness improved faster than security,” Cequence Security CISO Randolph Barr said. “The design focused on making the developer experience as smooth as possible by using local binding, automatic device pairing, and less friction for connectivity. This made adoption faster but also made defensive controls less effective.”

“What elevates this from a routine patching exercise to an industry warning is the blast radius of locally hosted AI agents,” said Jason Soroko, Senior Fellow at Sectigo. “We are exposing autonomous workflow engines given privileges with access to local file systems, credential stores, and enterprise infrastructure. The browser has been weaponized to bypass the developer’s physical perimeter, turning a simple background tab into an effective lock-pick.”
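The three design decisions the Oasis report describes under “Silent Compromise” (localhost is trusted without looking at the browser’s Origin header, the login rate limit exempts localhost, and device pairing from localhost is auto-approved) can be modelled as a gateway admission policy. The Node.js block below is an added example written for this page, not OpenClaw’s code or its fix; the gateway structure, the dashboard origin and port, the lockout threshold and window, the device names and the list of candidate passwords are all constructed. It puts the weak policy beside a hardened one that checks the Origin header, rate-limits every client, and holds pairing requests for an explicit user decision, and replays the article’s scenario (a socket from loopback whose Origin is a third-party page) against both.

```javascript
// Added example (not OpenClaw's code): toy model of a local agent gateway's
// admission policy, weak vs. hardened. Names, limits and ports are assumed.
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
const DASHBOARD_ORIGIN = 'http://127.0.0.1:18789'; // assumed origin of the gateway's own dashboard
const MAX_FAILED = 5;       // assumed lockout threshold
const LOCKOUT_MS = 60_000;  // assumed lockout window

function createGateway({ hardened, password }) {
  const failures = new Map();   // client key -> { count, lockedUntil }
  const pendingPairings = [];   // devices awaiting an explicit user decision
  const trustedDevices = [];    // devices the gateway will act on behalf of
  const audit = [];             // events a defender would forward to central logging

  // A client is its socket source plus, for browser clients, the page that opened it.
  const clientKey = (conn) => `${conn.remoteAddress}|${conn.origin ?? '-'}`;

  function acceptUpgrade(conn) {
    if (!LOOPBACK.has(conn.remoteAddress)) return { accepted: false, reason: 'non-local source' };
    // Weak policy: anything from loopback is trusted and Origin is never read,
    // so a WebSocket opened by any website's script looks like the CLI.
    if (!hardened) return { accepted: true };
    // Hardened policy: native clients send no Origin header; browser clients
    // must present the dashboard's own origin. Anything else is cross-site.
    if (conn.origin !== undefined && conn.origin !== DASHBOARD_ORIGIN) {
      audit.push({ event: 'rejected_cross_site_origin', origin: conn.origin });
      return { accepted: false, reason: 'origin not allowed' };
    }
    return { accepted: true };
  }

  function authenticate(conn, attempt, now = Date.now()) {
    const key = clientKey(conn);
    const state = failures.get(key) ?? { count: 0, lockedUntil: 0 };
    // Weak policy: the limit exempts loopback, i.e. every browser tab on the
    // machine. Hardened policy: the limit applies to every client.
    const limited = hardened || !LOOPBACK.has(conn.remoteAddress);
    if (limited && now < state.lockedUntil) return { ok: false, reason: 'locked out' };
    if (attempt === password) {
      failures.delete(key);
      return { ok: true };
    }
    state.count += 1;
    if (limited && state.count >= MAX_FAILED) {
      state.lockedUntil = now + LOCKOUT_MS;
      audit.push({ event: 'auth_lockout', client: key, failures: state.count });
    }
    failures.set(key, state);
    return { ok: false, reason: 'bad password' };
  }

  function pairDevice(conn, device) {
    if (!hardened && LOOPBACK.has(conn.remoteAddress)) {
      trustedDevices.push(device);            // weak policy: silent auto-approval
      return { paired: true, pendingUserApproval: false };
    }
    // Hardened policy: pairing always waits for the user to confirm out of band.
    pendingPairings.push(device);
    audit.push({ event: 'pairing_pending', device: device.name });
    return { paired: false, pendingUserApproval: true };
  }

  return { acceptUpgrade, authenticate, pairDevice, trustedDevices, pendingPairings, audit };
}

// Replays the article's scenario: a connection `conn` tries each candidate
// password, then tries to register itself as a device. Returns what the
// policy let through. A fixed clock keeps all attempts inside one lockout window.
function replayScenario(gateway, conn, guesses) {
  if (!gateway.acceptUpgrade(conn).accepted) {
    return { connected: false, attemptsEvaluated: 0, authenticated: false, deviceTrusted: false };
  }
  let attemptsEvaluated = 0;
  let authenticated = false;
  for (const guess of guesses) {
    const result = gateway.authenticate(conn, guess, 1_000);
    if (result.reason === 'locked out') break;
    attemptsEvaluated += 1;
    if (result.ok) { authenticated = true; break; }
  }
  const deviceTrusted = authenticated && gateway.pairDevice(conn, { name: 'browser-tab' }).paired;
  return { connected: true, attemptsEvaluated, authenticated, deviceTrusted };
}

// Constructed sample data: the real password is the last of 20 candidates, and
// the cross-site connection comes from loopback with a third-party page Origin.
const SAMPLE_GUESSES = [...Array.from({ length: 19 }, (_, i) => `guess${i}`), 'correct horse'];
const CROSS_SITE = { remoteAddress: '127.0.0.1', origin: 'https://third-party.example' };

console.log('weak    :', replayScenario(createGateway({ hardened: false, password: 'correct horse' }), CROSS_SITE, SAMPLE_GUESSES));
console.log('hardened:', replayScenario(createGateway({ hardened: true, password: 'correct horse' }), CROSS_SITE, SAMPLE_GUESSES));
```

Under the weak policy the cross-site connection is accepted, all 20 candidates are evaluated, and the page ends up as a trusted device with no prompt; under the hardened policy the upgrade is refused on the Origin check and an audit event is emitted, and even a native-looking local client with no Origin header is locked out after five failures. The Origin check alone blocks the browser path the article describes; the uniform rate limit and the explicit pairing step are the defense-in-depth layers that would still matter if a client slipped past it.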
