
OpenClaw has fixed a high-severity security issue that, if successfully exploited, could allow a malicious website to connect to and take control of a locally running artificial intelligence (AI) agent.
“Our vulnerability resides in the core system itself, with no plugins, marketplaces, or user-installed extensions, just a bare OpenClaw gateway that works as documented,” Oasis Security said in a report released this week.
The flaw has been codenamed “ClawJacked” by the cybersecurity firm.
The attack assumes the following threat model: a developer runs OpenClaw on a password-protected laptop with the gateway (a local WebSocket server) bound to localhost, exactly as the documentation describes. The attack begins when the developer is lured to an attacker-controlled website through social engineering or other means.
The attack sequence is as follows:
1. Malicious JavaScript on the web page opens a WebSocket connection to the OpenClaw gateway port on localhost.
2. Because the gateway applied no rate limiting to authentication attempts, the script brute-forces the gateway password.
3. Once authenticated with administrator-level permissions, the script registers itself as a trusted device; the gateway approves the registration automatically, without prompting the user, because the connection arrives from localhost.
4. The attacker now has complete control over the AI agent and can interact with it, dump configuration data, enumerate connected nodes, and read application logs.
“Any website you visit can open a WebSocket to your localhost. Unlike regular HTTP requests, browsers do not block these cross-origin connections,” Oasis Security said. “So when you’re browsing a website, JavaScript running on that page can silently open a connection to the local OpenClaw gateway without anything visible to the user.”
“That false trust has real consequences. The gateway relaxes several security mechanisms for local connections, such as silently approving new device registration without prompting the user. Typically, when a new device connects, the user must confirm the pairing, which is done automatically from the local host.”
Following responsible disclosure, OpenClaw pushed a fix within 24 hours in version 2026.2.25, released on February 26, 2026. Users are advised to apply the latest updates as soon as possible, regularly audit the access granted to AI agents, and apply appropriate governance controls to non-human (i.e., agent) identities.
This development comes amid intense security scrutiny of the OpenClaw ecosystem, driven largely by the fact that AI agents have access to disparate systems and can perform tasks across enterprise tools, which significantly enlarges the blast radius of a security breach.
A report from Bitsight and NeuralTrust details how OpenClaw instances exposed to the internet expand the attack surface, and how each integrated service further widens the blast radius and can be weaponized by embedding prompt injections in content the agent processes (such as emails or Slack messages) to make it perform malicious actions.
The disclosure also follows OpenClaw's patch for a log poisoning vulnerability that allowed an attacker to write malicious content to log files via a WebSocket request to a publicly accessible instance on TCP port 18789.
Because agents read their own logs to troubleshoot specific tasks, the flaw could be exploited to embed indirect prompt injections and cause unintended actions. The issue was resolved in version 2026.2.13, shipped on February 14, 2026.
“If the injected text is interpreted as meaningful operational information rather than untrusted input, it can impact decisions, recommendations, and automated actions,” EyeSecurity said. “Thus, the impact is not an ‘instant takeover’, but rather manipulation of the agent’s reasoning, impact on troubleshooting steps, possible data leakage if the agent is induced to reveal context, and indirect exploitation of connected integrations.”
In recent weeks, multiple vulnerabilities have also been disclosed in OpenClaw (CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322, CVE-2026-26329). They range from moderate to high severity and can lead to remote code execution, command injection, server-side request forgery (SSRF), authentication bypass, and path traversal. The flaws have been addressed in OpenClaw versions 2026.1.20, 2026.1.29, 2026.2.1, 2026.2.2, and 2026.2.14.
“As AI agent frameworks become more prevalent in enterprise environments, security analytics must evolve to address both traditional vulnerabilities and AI-specific attack surfaces,” Endor Labs said.
Elsewhere, new research has demonstrated that malicious skills uploaded to ClawHub, an open marketplace for downloading OpenClaw skills, are being used as a conduit to deliver a new variant of Atomic Stealer, a macOS information stealer developed and rented by a cybercriminal known as Cookie Spider.
“The infection chain begins with the usual SKILL.md that installs prerequisites,” Trend Micro said. “While this skill appears benign on the surface, it was even classified as such by VirusTotal. OpenClaw then visits the website to obtain installation instructions and proceeds with the installation if the LLM determines that the instructions will be followed.”
The instructions hosted on the website openclawcli.vercel[.]app contain a malicious command that downloads a stealer payload from an external server (91.92.242[.]30) and executes it.
Threat hunters also flagged a separate malware distribution campaign in which a threat actor using the handle @liuhui1010 left a comment on the listing page of a legitimate skill, urging users to run a supplied command in the Terminal app if the skill “does not work on macOS.”
That command retrieves Atomic Stealer from the same 91.92.242[.]30 IP address, which Koi Security and OpenSourceMalware have previously documented distributing the same malware via malicious skills uploaded to ClawHub.
Additionally, a recent analysis of 3,505 ClawHub skills by AI security firm Striker revealed over 71 malicious skills. Some of them masqueraded as legitimate cryptocurrency tools but contained hidden functionality that redirected funds to wallets controlled by threat actors.
Two other skills, bob-p2p-beta and runware, are believed to be part of a multi-layered cryptocurrency scam that uses an agent-to-agent attack chain targeting the AI agent ecosystem. Both are attributed to a threat actor operating under the aliases “26medias” on ClawHub and “BobVonNeumann” on Moltbook and X.
“BobVonNeumann presents himself as an AI agent on Moltbook, a social network designed to allow agents to interact with each other,” said researchers Yash Somalkar and Dan Regalado. “From that standpoint, the attack directly promotes its malicious skills to other agents, exploiting the trust that agents are designed to extend to each other by default. This is a supply chain attack with a social engineering layer built on top.”
In reality, bob-p2p-beta instructs other AI agents to store their Solana wallet’s private key in clear text, buy worthless $BOB tokens on pump.fun, and route all payments through attacker-controlled infrastructure. The second skill purports to provide a benign image generation tool, lending the developer credibility.
With ClawHub becoming a new hotbed for attackers, users are advised to audit skills before installing them, withhold credentials or keys unless they are strictly required, and monitor skill behavior after installation.
The security risks associated with self-hosted agent runtimes like OpenClaw also led Microsoft to issue an advisory warning that if an agent can be tricked into acquiring and executing malicious code through a poisoned skill or prompt injection, unprotected deployments could open the door to credential leakage and exfiltration, memory tampering, and host compromise.
“These characteristics require OpenClaw to be treated as untrusted code execution with persistent credentials,” the Microsoft Defender Security Research Team said. “It is not appropriate to run on a standard personal or corporate workstation.”
“If an organization decides it needs to evaluate OpenClaw, it should only be deployed in a completely isolated environment, such as a dedicated virtual machine or a separate physical system. The runtime should use dedicated, non-privileged credentials and access only non-sensitive data. Continuous monitoring and rebuilding plans should be part of the operating model.”
