March 1, 2026

ClawJacked Flaw Allows Malicious Sites to Access Local OpenClaw AI Agents Via WebSocket

daksh kataria March 1, 2026
clawjacked-flaw-allows-malicious-sites
Post Views: 7

“Latest news explained how ClawJacked Flaw Allowed Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket.”

A high-severity security flaw that may have allowed a malicious website to connect to a locally running artificial intelligence (AI) agent and seize control if it had been successfully exploited has been addressed by OpenClaw.

Oasis Security, Report

Our vulnerability is found in the OpenClaw gateway itself, operating exactly as described. There are no plugins, marketplaces, or user-installed extensions.”

The cybersecurity firm has termed the vulnerability ClawJacked.

The following threat model is assumed by the attack: On a developer’s laptop, OpenClaw is installed and operational. Its gateway, a local WebSocket server, is password-protected and connected to localhost.

When the developer visits a website that is controlled by the attacker via social engineering or another method, the attack begins.

The steps below are the next phases in the infection sequence:

  • A WebSocket connection to localhost on the OpenClaw gateway port is established by malicious JavaScript on the webpage.
  • The software exploits a lack of a rate-limiting mechanism to brute-force the gateway password.
  • Following successful admin-level authorization, the script quietly registers as a trusted device, which the gateway automatically approves without requiring user input.
  • With total control over the AI agent, the attacker can read application logs, communicate with it, dump configuration data, and count connected nodes.

Oasis Security

“You can open one to your localhost from any page you visit. These cross-origin connections are not blocked by the browser, in contrast to standard HTTP requests.”

“Therefore, JavaScript on any page you are viewing can secretly establish a connection to your local OpenClaw gateway. Nothing is visible to the user.”

“There are serious repercussions to that mistaken faith. For local connections, the gateway loosens a number of security measures, such as accepting new device registrations covertly and without the user’s knowledge. Usually, the user has to verify the pairing when a new device connects. Localhost does it automatically.”

 

Less than a day after responsible disclosure, OpenClaw published a fix, releasing version 2026.2.25 on February 26, 2026. It is recommended that users implement the most recent updates as quickly as feasible, audit access granted to AI agents on a regular basis, and establish suitable governance rules for non-human (also known as agentic) identities.

The development coincides with increased security scrutiny of the OpenClaw ecosystem, which is mainly due to the fact that AI agents have entrenched access to various systems and the power to carry out tasks across enterprise tools, which could result in a much larger blast radius in the event that they are compromised.

According to reports from Bitsight and NeuralTrust, OpenClaw instances that are left online present a larger attack surface, and each integrated service increases the blast radius. These instances can be turned into attack weapons by inserting prompt injections into content (like emails or Slack messages) that the agent processes in order to carry out malicious actions.

The revelation coincides with OpenClaw’s patching of a log poisoning vulnerability that let attackers use WebSocket queries to a publicly available instance on TCP port 18789 to write malicious material to log files.

 

image shows clawjacked-flaw

 

A threat actor might exploit the security flaw to insert indirect prompt injections, which could have unexpected repercussions, because the agent reads its own logs to debug specific activities. Version 2026.2.13, which was released on February 14, 2026, fixed the problem.

Eye Security

The injected text may affect choices, recommendations, or automated actions if it is perceived as useful operational knowledge rather than unreliable input.”

 

“Therefore, the effects would not be “instant takeover,” but rather manipulation of agent thinking, influence over troubleshooting procedures, possible data exposure if the agent is instructed to divulge context, and indirect abuse of linked integrations.”

Additionally, several vulnerabilities (CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322, and CVE-2026-26329) ranging from moderate to high severity that could lead to remote code execution, server-side request forgery (SSRF), authentication bypass, and path traversal.

 

OpenClaw versions 2026.1.20, 2026.1.29, 2026.2.1, 2026.2.2, and 2026.2.14 have fixed the vulnerabilities.

Endor Labs

“Security analysis needs to change to handle both conventional vulnerabilities and attack surfaces unique to AI as AI agent frameworks proliferate in enterprise settings.”

A new version of Atomic Stealer, a macOS information stealer created and rented by a cybercrime actor known as Cookie Spider, is being distributed through malicious skills uploaded to ClawHub, an open marketplace for downloading OpenClaw skills, according to other research.

Trend Micro

A standard SKILL.md that installs a requirement starts the infection chain.”

“On the surface, the skill seems innocuous, and VirusTotal even classified it as benign. If the LLM chooses to follow the instructions, OpenClaw then visits the website, retrieves the installation instructions, and starts the installation.”

 

The website “openclawcli.vercel[.]app” contains instructions that include a malicious command to download and execute a stealer payload from an external server (“91.92.242[.]30”).

Additionally, a threat actor known as @liuhui1010 has been spotted by threat hunters as part of a new malware delivery operation. This threat actor has left comments on legitimate skill listing pages, asking users to explicitly run a command they gave on the Terminal app if the skill “doesn’t work on macOS.”

In order to distribute the same malware via malicious skills published to ClawHub, Koi Security, and OpenSourceMalware, previously documented the IP address “91.92.242[.]30,” from which the command is intended to retrieve Atomic Stealer.

Furthermore, the AI security firm Straiker recently analyzed 3,505 ClawHub talents and found at least 71 fraudulent ones, some of which pretended to be genuine cryptocurrency tools but had hidden features that redirected money to wallets controlled by threat actors.

Runware and bob-p2p-beta are two additional talents that have been linked to a multi-layered cryptocurrency fraud that targets the AI agent ecosystem through an agent-to-agent assault chain. A threat actor who goes by the identities “26medias” on ClawHub and “BobVonNeumann” on Moltbook and X has been identified as the source of the skills.

Yash Somalkar & Dan Regalado, Researchers

“On Moltbook, a social network created for agents to communicate with one another, BobVonNeumann poses as an AI agent.”

 

“From there, it takes advantage of the trust that agents naturally offer to one another by promoting its own harmful abilities straight to other agents. It is a supply chain attack that has been layered with social engineering.”

 

However, bob-p2p-beta instructs other AI agents to buy worthless $BOB tokens on the pump and store Solana wallet private keys in plaintext.enjoyable, and sends all payments via an infrastructure under the control of an attacker.

In order to increase the developer’s confidence, the second skill promises to provide a harmless image-generating tool.

Users are encouraged to audit skills before installing them, refrain from giving passwords and keys unless absolutely necessary, and keep an eye on skill behavior because ClawHub is turning into a new breeding ground for attackers.

Microsoft has issued an advisory due to the security risks associated with self-hosted agent runtimes such as OpenClaw. The advisory warns that unguarded deployment could lead to memory modification, host compromise, and credential exposure/exfiltration if the agent can be tricked into retrieving and executing malicious code through prompt injections or poisoned skills.

Microsoft Defender Security Research Team

“OpenClaw should be regarded as an untrusted code execution with persistent credentials due to these features.”

“Running it on a typical personal or business workstation is inappropriate.”

“OpenClaw should only be implemented in a completely isolated environment, such as a separate physical system or virtual machine, if an organization decides that it has to be examined. The runtime should only access non-sensitive data and use specific, non-privileged credentials. The operating model should include a rebuild strategy and ongoing monitoring.”

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many amazing articles related to cybersecurity concepts, with the latest trends in cyber awareness and ethical hacking. Find out more about “Him.”

Read More:

npm Malware Spreads Automatically, Cisco SD-WAN Exploited in 2023 Zero-Day Vulnerability

About Author

daksh kataria

See author's posts

More Stories

Hackers-Utilize-Claude-AI-Code-in-Sophisticated-Mexican-Government-Cyberattackdata

Hackers Utilize Claude AI Code in Sophisticated Mexican Government Cyberattack

Vaibhav March 1, 2026
New-Zealand-Medical-Cyberattack-Patient-Records-Compromised-Thousands-Affecteddata

New Zealand Medical Cyberattack: Patient Records Compromised, Thousands Affected

Vaibhav February 25, 2026
Optimizely-Ad-Tech-Company-Hit-by-Cyberattack-Data-Security-Concerns-Risedata

Optimizely Ad Tech Company Hit by Cyberattack: Data Security Concerns Rise

Vaibhav February 25, 2026

Latest Cyber Security News

Samsung-TVs-to-Stop-Collecting-Texans-Data-Without-Express-Consentdata

Samsung TVs to Stop Collecting Texans’ Data Without Express Consent

Vaibhav March 1, 2026
2-52-Crore-Digital-Arrest-Scam-Exposed-Four-Arrested-Cyber-Fraud-Network-Unraveled-Across-Delhi-and-Other-Statesdata

₹2.52 Crore Digital Arrest Scam Exposed: Four Arrested, Cyber Fraud Network Unraveled Across Delhi and Other States

Vaibhav March 1, 2026
Baghpat-Police-Arrests-3-in-4-63-Crore-Online-Share-Market-Scamdata

Baghpat Police Arrests 3 in ₹4.63 Crore Online Share Market Scam

Vaibhav March 1, 2026
Delhi-Police-Busts-Cyber-Fraud-Gang-in-Nationwide-Raids-27-Arrested-Across-11-Statesdata

Delhi Police Busts Cyber Fraud Gang in Nationwide Raids, 27 Arrested Across 11 States

Vaibhav March 1, 2026
Hackers-Utilize-Claude-AI-Code-in-Sophisticated-Mexican-Government-Cyberattackdata

Hackers Utilize Claude AI Code in Sophisticated Mexican Government Cyberattack

Vaibhav March 1, 2026
en_USEnglish
en_USEnglish