OpenClaw recently addressed a critical security vulnerability that could have allowed a malicious website to seize control of a locally running AI agent. Dubbed “ClawJacked” by Oasis Security, the flaw resided in the core of OpenClaw itself, so it could be exploited without any additional plugins or extensions.
The attack scenario involved an attacker-controlled website opening a WebSocket connection to localhost on the OpenClaw gateway port. Because the gateway applied no rate limiting to authentication attempts, the malicious script could brute-force the gateway password, obtain admin-level permissions, and register itself as a trusted device, granting complete control over the AI agent.
Following responsible disclosure, OpenClaw swiftly released version 2026.2.25 to patch the vulnerability. Users are urged to update to the latest version, review access permissions granted to AI agents, and enforce governance controls for non-human identities.
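To make the two missing controls concrete, the following is an added, hypothetical handshake guard for a localhost WebSocket gateway; it is not OpenClaw's code, and the allowed origin, failure threshold and lockout window are assumed policy values. It rejects browser-initiated upgrades from untrusted origins and locks a client out after repeated password failures, which is what closes the brute-force path described above.

```python
"""Hypothetical guard for a localhost WebSocket gateway (not OpenClaw's code).

Two mitigations for the ClawJacked pattern:
  1. Browser-initiated WebSocket upgrades carry an Origin header; a local
     agent gateway should only accept origins it explicitly trusts.
  2. Failed password attempts are counted per client and the client is
     locked out after a few failures, so a single malicious page cannot
     brute-force the gateway password.
"""
import hmac
import time
from collections import defaultdict

ALLOWED_ORIGINS = {"http://localhost:8080"}  # assumed placeholder for the gateway's own UI origin
MAX_FAILURES = 5                             # assumed policy value
LOCKOUT_SECONDS = 300                        # assumed policy value


class HandshakeGuard:
    def __init__(self, password, now=time.monotonic):
        self._password = password
        self._now = now                      # injectable clock for testing
        self._failures = defaultdict(list)   # client id -> timestamps of failures

    def _recent_failures(self, client):
        cutoff = self._now() - LOCKOUT_SECONDS
        self._failures[client] = [t for t in self._failures[client] if t > cutoff]
        return len(self._failures[client])

    def check_origin(self, headers):
        """Reject upgrades from web pages whose Origin is not trusted.
        A non-browser client that sends no Origin header is allowed through."""
        origin = headers.get("Origin")
        return origin is None or origin in ALLOWED_ORIGINS

    def authenticate(self, client, headers, supplied_password):
        """Return (ok, reason). The lockout is checked before the password is
        compared, so a locked-out client learns nothing about its guess."""
        if not self.check_origin(headers):
            return False, "untrusted-origin"
        if self._recent_failures(client) >= MAX_FAILURES:
            return False, "locked-out"
        if hmac.compare_digest(supplied_password, self._password):
            self._failures.pop(client, None)
            return True, "ok"
        self._failures[client].append(self._now())
        return False, "bad-password"
```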
Security scrutiny of the OpenClaw ecosystem has intensified in light of recent vulnerabilities. Reports from Bitsight and NeuralTrust have highlighted the expanded attack surface posed by internet-connected OpenClaw instances, emphasizing the need for enhanced security measures.
In addition to the ClawJacked vulnerability, OpenClaw also addressed a log poisoning issue that could allow attackers to manipulate agent reasoning and potentially disclose sensitive data. The security loophole was fixed in version 2026.2.13.
Furthermore, OpenClaw has patched multiple vulnerabilities, ranging from moderate to high severity, such as remote code execution and authentication bypass. Endor Labs emphasized the importance of evolving security analysis to address both traditional vulnerabilities and AI-specific attack vectors.
Recent research has uncovered malicious skills on ClawHub being used to distribute the Atomic Stealer macOS information stealer. Threat actors have leveraged legitimate skill listings to deliver malware payloads, highlighting the importance of auditing skills before installation and monitoring their behavior.
Microsoft has issued an advisory cautioning against unguarded deployment of self-hosted agent runtimes like OpenClaw, citing risks of credential exposure and host compromise. Organizations are advised to deploy OpenClaw in isolated environments with dedicated credentials and continuous monitoring.