Last Wednesday, security researchers at Oasis Security published what might be the most alarming OpenClaw vulnerability yet. They called it ClawJacked, and the attack is elegant in the worst possible way.
Here's the short version: any website you visited could silently connect to your local OpenClaw agent, brute-force your password at hundreds of attempts per second, and take full control of your AI agent. No plugins required. No user interaction. Just a browser tab.
The OpenClaw team patched it within 24 hours — credit where it's due — but the vulnerability reveals something deeper about the security model of running AI agents on your personal machine.
How the Attack Works
OpenClaw runs a gateway on your laptop — a WebSocket server that acts as the brain of the whole operation. It handles authentication, manages conversations, and orchestrates everything the agent does. By default, it binds to localhost.
The assumption is simple: if a connection comes from localhost, it's you. Your CLI, your macOS companion app, your dashboard — they all connect from localhost.
But here's what the OpenClaw team apparently didn't consider: your browser also runs on localhost. And WebSocket handshakes aren't subject to the browser's same-origin policy, so unless the server checks the Origin header itself, any website you visit can open a WebSocket connection straight to your OpenClaw gateway. The browser happily allows it.
That's step one. Step two is worse.
No Rate Limiting. At All.
The gateway's rate limiter — the thing that's supposed to prevent brute-force attacks — completely exempts localhost connections. Failed password attempts from localhost aren't counted, aren't throttled, and aren't logged.
Oasis Security's researchers achieved hundreds of password guesses per second from browser JavaScript alone. A common password list gets exhausted in under a second. A dictionary attack takes minutes. As their report puts it: "A human-chosen password doesn't stand a chance."
Once the password is guessed, the attacker's script silently registers as a trusted device. The gateway auto-approves device pairings from localhost without any user prompt. No notification. No confirmation dialog. Nothing.
What an Attacker Gets
With a fully authenticated session, the attacker can:
- Talk to your AI agent — send messages, get responses, instruct it to do whatever it's capable of doing
- Dump your configuration — see which AI providers, models, and messaging channels you've connected
- See every connected device — enumerate all nodes paired with your gateway, including platforms and IP addresses
- Read your logs — gain operational intelligence about everything your agent has been doing
In practice? An attacker could instruct your agent to search your Slack history for API keys. Read your private messages. Exfiltrate files from connected devices. Execute shell commands on any paired node.
Oasis demonstrated the full chain end-to-end: from a random website, their proof-of-concept guessed the password, connected with full permissions, and interacted with the victim's agent. The user saw nothing.
This Wasn't the Only Problem
The same disclosure period revealed a pile of additional issues. The Hacker News reported that OpenClaw patched ClawJacked alongside a log poisoning bug and multiple CVEs. Separately, 71 malicious ClawHub skills were found spreading malware and crypto scams. And Pago Networks documented a malicious npm package impersonating the OpenClaw installer — a supply chain attack targeting people who were trying to install OpenClaw for the first time.
All of this in the span of a few days.
The Deeper Problem
ClawJacked is patched. Update to v2026.2.25 or later and this specific attack goes away. But the underlying architecture hasn't changed.
OpenClaw still runs on your laptop. It still binds to localhost. It still has access to your files, your credentials, and your connected services. The next vulnerability — and there will be a next one — will find a different path to the same destination.
The pattern is familiar if you've worked in security: every piece of software that runs locally with broad permissions eventually gets exploited through some creative combination of trusted access and unexpected attack surface. The WebSocket-to-localhost trick that ClawJacked used isn't new — it's been used against development tools, local servers, and desktop applications for years. It just hadn't been applied to AI agents before.
What makes it worse with AI agents is the blast radius. A compromised development server leaks source code. A compromised AI agent leaks everything the agent can access — which, in the case of OpenClaw, is typically everything on your machine plus every service it's connected to.
What You Should Do Right Now
If you're running OpenClaw locally:
- Update immediately to v2026.2.25 or later
- Rotate any API keys or tokens your agent has access to — assume they may have been compromised
- Review your ClawHub installed skills and remove anything you didn't explicitly install
- Check your agent's saved state for unexpected persistent rules or newly trusted sources
If you're thinking about deploying OpenClaw:
Don't run it on your personal machine. The ClawJacked patch fixes one vulnerability, but it doesn't fix the fundamental problem: a powerful AI agent running on the same machine where you keep everything that matters.
Run it on isolated infrastructure where a compromise doesn't cost you everything. Dedicated cloud instances with proper authentication in front of every request, network isolation between the agent and your personal data, and API key proxying so credentials never touch the agent's environment.
That's what we built Clawdy to do — not because we predicted ClawJacked specifically, but because the security model of localhost-first AI agents was always going to produce vulnerabilities like this. When your agent runs on isolated infrastructure behind an auth proxy, there is no localhost to attack.
Running OpenClaw? Deploy it where ClawJacked can't reach. Clawdy provisions isolated cloud instances with authentication, network isolation, and API key proxying — in under 60 seconds. Get started at clawdy.app.