ClawJacked Flaw Exposed: Malicious Sites Could Hijack Local OpenClaw AI Agents

The ClawJacked vulnerability has been officially patched by OpenClaw after security researchers discovered a high-severity flaw that allowed malicious websites to seize control of locally running artificial intelligence agents. Disclosed by Oasis Security, this vulnerability resided in the core system of the OpenClaw gateway rather than in third-party plugins or extensions. If a developer running an OpenClaw instance on their laptop visited a compromised website, the site could execute JavaScript to open a silent WebSocket connection to the developer's localhost. Unlike standard external connections, the OpenClaw gateway was found to relax security protocols for local traffic, automatically approving new device registrations without requiring user confirmation.
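A defensive handshake policy for the situation described above, as an added example that is not OpenClaw's code or its actual patch: it rejects browser-originated WebSocket connections from foreign origins and never registers a device merely because the peer is on loopback. The function names, the allowlists, and the use of port 18789 for the local listener are assumptions made for illustration.

```javascript
// Added illustration: handshake policy for a local agent gateway.
// All names and allowlist values are hypothetical, not OpenClaw's code.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:18789", "http://localhost:18789"]);
const ALLOWED_HOSTS = new Set(["127.0.0.1:18789", "localhost:18789"]);
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

function normalizeOrigin(value) {
  // Returns scheme://host[:port], or null for opaque or malformed values.
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

function evaluateHandshake({ remoteAddress, headers, pairingConfirmedByUser = false }) {
  const host = (headers.host || "").toLowerCase();
  // A Host the gateway does not serve suggests DNS rebinding or a misrouted request.
  if (!ALLOWED_HOSTS.has(host)) return { accept: false, reason: "unexpected Host" };

  // Browsers attach Origin to every WebSocket handshake; page script cannot remove or forge it.
  if (headers.origin !== undefined) {
    const origin = normalizeOrigin(headers.origin);
    if (!origin || !ALLOWED_ORIGINS.has(origin)) {
      return { accept: false, reason: "cross-origin browser connection" };
    }
  }

  // The loopback source address is recorded but never used as proof of trust:
  // a web page opened in a local browser also connects from 127.0.0.1.
  return {
    accept: true,
    local: LOOPBACK.has(remoteAddress),
    registerDevice: pairingConfirmedByUser,
    reason: pairingConfirmedByUser ? "paired" : "awaiting user confirmation",
  };
}

// Constructed sample handshakes: a web page in the local browser, and a local CLI client.
const fromWebPage = { remoteAddress: "127.0.0.1", headers: { host: "localhost:18789", origin: "https://news.example" } };
const fromLocalCli = { remoteAddress: "127.0.0.1", headers: { host: "127.0.0.1:18789" } };
console.log(evaluateHandshake(fromWebPage), evaluateHandshake(fromLocalCli));
```

Both sample connections arrive from 127.0.0.1, which is why the source address alone cannot distinguish a local tool from a page loaded in the developer's browser.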

Immediate Security Patches and Log Poisoning

In response to the responsible disclosure, OpenClaw released version 2026.2.25 on February 26, 2026, to permanently close the ClawJacked loophole. Security experts strongly advise all users to update immediately to prevent unauthorized agent takeovers. This release follows another critical fix deployed in version 2026.2.13 on February 14, 2026, which addressed a log poisoning vulnerability. That specific flaw allowed attackers to write malicious content to log files via WebSocket requests directed at a publicly accessible instance on TCP port 18789. Eye Security noted that while log poisoning might not result in an instant takeover, it could manipulate the agent's reasoning by injecting untrusted input that the AI interprets as operational data, potentially leading to data disclosure or incorrect troubleshooting steps.

Wave of CVEs and Malicious ClawHub Skills

The OpenClaw ecosystem has faced intense scrutiny recently, with multiple vulnerabilities identified, including CVE-2026-25593, CVE-2026-24763, and CVE-2026-25157. These flaws ranged from remote code execution to server-side request forgery (SSRF) and were addressed in a series of updates spanning versions 2026.1.20 through 2026.2.14. Beyond code vulnerabilities, the platform's marketplace, ClawHub, has become a vector for malware distribution. Trend Micro reported that malicious skills are being used to deliver a variant of Atomic Stealer, a macOS information stealer linked to the cybercrime actor Cookie Spider. The infection chain often begins with a seemingly benign skill that fetches installation instructions from openclawcli.vercel.app, which then executes a command to download the payload from the external IP address 91.92.242.30.

Threat Actors Targeting Developers

Threat hunters have identified specific social engineering tactics used to spread these malicious tools. A threat actor operating under the handle @liuhui1010 was observed leaving comments on legitimate skill listing pages, urging users to run specific terminal commands if a skill failed to work on macOS. These commands were designed to retrieve the Atomic Stealer malware from the same documented IP address, 91.92.242.30. Furthermore, an analysis of 3,505 ClawHub skills by Straiker revealed 71 malicious entries, including skills named bob-p2p-beta and runware, which were part of a multi-layered cryptocurrency scam designed to redirect funds to attacker-controlled wallets.

My Take

The discovery of ClawJacked highlights a dangerous blind spot in the rapid adoption of agentic AI: the assumption that "localhost" implies safety. Developers often treat local environments as trusted zones, but as AI agents gain the authority to execute system-level tasks, they become high-value targets for browser-based attacks. The shift from simple data theft to active agent hijacking means that security governance for non-human identities is no longer optional. Organizations must treat AI agents not just as software tools, but as privileged users that require strict network isolation and continuous access auditing, regardless of whether they are running in the cloud or on a local machine.

Sources: thehackernews.com