====== What Is a ClawJacked Attack ======

ClawJacked is the name given to a high-severity vulnerability in the OpenClaw AI agent platform, and to the attack that exploits it: a malicious website can hijack an AI agent running on the visitor's own machine by connecting to it over a localhost WebSocket. ((Source: [[https://www.oasis.security/blog/openclaw-vulnerability|Oasis Security — OpenClaw Vulnerability]])) The attack abuses weak authentication and silent device approval to gain full control of the agent, with no user interaction and no malware installed, turning a trusted local assistant into a remote attack vector.

===== How the Attack Works =====

The attack exploits the design of OpenClaw's local gateway in four steps:

  - **WebSocket connection**: JavaScript on a malicious web page opens a WebSocket to the OpenClaw gateway port on localhost. ((Source: [[https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html|The Hacker News — ClawJacked Flaw]]))
  - **Brute-force authentication**: Connections from localhost are exempt from rate limiting, so the script can try hundreds of passwords per second and crack a weak or common password within seconds. ((Source: [[https://www.oasis.security/blog/openclaw-vulnerability|Oasis Security — OpenClaw Vulnerability]]))
  - **Silent device registration**: Once authenticated, the script registers itself as a trusted device; for localhost origins this is approved automatically, with no prompt or notification to the user.
  - **Full agent control**: With administrative access, the attacker sends commands to the agent and can execute shell commands, read files and secrets, dump the configuration, and exfiltrate data. ((Source: [[https://www.bleepingcomputer.com/news/security/clawjacked-attack-let-malicious-websites-hijack-openclaw-to-steal-data/|BleepingComputer — ClawJacked Attack]]))

This is a confused-deputy problem: the local agent, which the user and the operating system trust, carries out actions on behalf of a remote attacker who could not perform them directly. ((Source: [[https://dev.to/rainkode/clawjacked-when-visiting-a-website-hijacks-your-ai-agent-p3a|Dev.to — ClawJacked: When Visiting a Website Hijacks Your AI Agent]]))
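The four steps above, together with the authentication, pairing and origin controls listed under Defenses and Mitigations, as an added example written for this page rather than code from OpenClaw or from the researchers who reported the flaw: a small Python model of a local gateway's connection policy, replayed once with the weak settings (any Origin accepted, loopback exempt from rate limiting, loopback devices paired silently) and once with hardened settings. The policy fields, the ''Gateway'' class, the password ''hunter2'', the word list and the origin values are all constructed for the example; OpenClaw's real configuration keys, port and protocol are not used.

```python
"""Toy gateway model for the ClawJacked sequence: weak settings let all four
steps through, hardened settings stop them. Policy fields, passwords, origins
and the word list are constructed for this example, not OpenClaw's own code."""
import hmac
import secrets
import time
from dataclasses import dataclass
LOOPBACK = {"127.0.0.1", "::1"}

@dataclass(frozen=True)
class Policy:
    allowed_origins: frozenset   # browser Origin values allowed to open the socket; "*" = any
    max_attempts: int            # failed logins per peer before lockout
    lockout_seconds: float
    exempt_loopback: bool        # weak: loopback peers are never rate limited
    auto_approve_loopback: bool  # weak: loopback devices are paired without asking

WEAK = Policy(frozenset({"*"}), 5, 60.0, exempt_loopback=True, auto_approve_loopback=True)
HARDENED = Policy(frozenset({"https://agent-ui.localhost"}), 5, 60.0,
                  exempt_loopback=False, auto_approve_loopback=False)

class Gateway:
    def __init__(self, password, policy, clock=time.monotonic):
        self._password = password.encode()
        self.policy = policy
        self.clock = clock
        self._failures = {}   # peer -> (failed attempts, locked_until)
        self._sessions = {}   # token -> {"peer": ..., "device": None | "pending" | "approved"}

    def open_socket(self, origin):
        """Step 1, the WebSocket handshake. Origin is set by the browser and page
        script cannot forge it, so an allow-list stops cross-site pages here."""
        return "*" in self.policy.allowed_origins or origin in self.policy.allowed_origins

    def authenticate(self, peer, guess):
        """Step 2. Returns ("ok", token), ("wrong", None) or ("locked", None)."""
        count, locked_until = self._failures.get(peer, (0, 0.0))
        if self.clock() < locked_until:
            return "locked", None
        if count >= self.policy.max_attempts:   # an earlier lockout has expired
            count = 0
        if hmac.compare_digest(guess.encode(), self._password):
            self._failures.pop(peer, None)
            token = secrets.token_hex(16)
            self._sessions[token] = {"peer": peer, "device": None}
            return "ok", token
        if self.policy.exempt_loopback and peer in LOOPBACK:
            return "wrong", None   # the weak path: localhost guesses are never counted
        count += 1
        if count >= self.policy.max_attempts:
            locked_until = self.clock() + self.policy.lockout_seconds
        self._failures[peer] = (count, locked_until)
        return "wrong", None

    def register_device(self, token):
        """Step 3. Returns "approved" (silent pairing) or "pending" (a human must confirm)."""
        session = self._sessions[token]
        auto = self.policy.auto_approve_loopback and session["peer"] in LOOPBACK
        session["device"] = "approved" if auto else "pending"
        return session["device"]

    def approve_pairing(self, token):
        """The explicit confirmation the hardened policy requires from the user."""
        self._sessions[token]["device"] = "approved"

    def run_tool(self, token, command):
        """Step 4. Stand-in for the agent executing a tool for a trusted device."""
        session = self._sessions.get(token)
        if session is None or session["device"] != "approved":
            raise PermissionError("device not approved")
        return f"ran {command!r} for {session['peer']}"

def clawjack(gateway, wordlist, origin="https://attacker.example", peer="127.0.0.1"):
    """Replay the attacker's four steps and report how far they get."""
    if not gateway.open_socket(origin):
        return "blocked_at_origin_check"
    token = None
    for guess in wordlist:
        status, token = gateway.authenticate(peer, guess)
        if status == "locked":
            return "locked_out_while_guessing"
        if status == "ok":
            break
    if token is None:
        return "password_not_in_wordlist"
    if gateway.register_device(token) != "approved":
        return "waiting_for_pairing_approval"
    gateway.run_tool(token, "dump-config")   # the read-secrets / dump-config stage
    return "full_control"

# Constructed word list; the example gateway password "hunter2" is its sixth entry.
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin", "hunter2", "changeme"]
if __name__ == "__main__":
    print("weak:", clawjack(Gateway("hunter2", WEAK), WORDLIST))
    print("hardened:", clawjack(Gateway("hunter2", HARDENED), WORDLIST))
    print("hardened, trusted origin:",
          clawjack(Gateway("hunter2", HARDENED), WORDLIST, origin="https://agent-ui.localhost"))
```

Run as a script it prints ''full_control'' for the weak policy, ''blocked_at_origin_check'' for the hardened one, and ''locked_out_while_guessing'' when the hardened gateway is reached from its own allow-listed origin, because five wrong guesses lock the loopback peer out just like any other peer. The ''Origin'' check is the first line of defence against this class of attack: the browser sets that header and page script cannot change it, so a cross-site page is stopped at the handshake regardless of password strength. It does nothing against a non-browser client on the same machine, which is why the lockout and the explicit pairing confirmation still matter.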
===== Attack Vectors =====

The primary vector is simply visiting a malicious website (reached through phishing, malvertising, or social engineering) while OpenClaw is running locally. No click, download, or further interaction is needed. ((Source: [[https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html|The Hacker News — ClawJacked Flaw]]))

A related risk is malicious ClawHub skills: researchers identified 71 malicious skills that deploy infostealers and crypto-miners and can spread further through compromised agents. ((Source: [[https://www.rescana.com/post/clawjacked-vulnerability-in-openclaw-allows-malicious-websites-to-hijack-local-ai-agents-and-steal-d|Rescana — ClawJacked Vulnerability]]))

===== Real-World Demonstrations =====

Oasis Security published a proof of concept that performs a full takeover from the browser: password guessing, device registration, interaction with the agent, and a configuration dump, all carried out silently without the user noticing. ((Source: [[https://www.oasis.security/blog/openclaw-vulnerability|Oasis Security — OpenClaw Vulnerability]]))

In the wild, infostealers such as Atomic Stealer have been observed being distributed through malicious ClawHub skills, with tradecraft that matches FIN7 and APT37 techniques for supply-chain and browser-based attacks.
((Source: [[https://www.rescana.com/post/clawjacked-vulnerability-in-openclaw-allows-malicious-websites-to-hijack-local-ai-agents-and-steal-d|Rescana — ClawJacked Vulnerability]]))

===== Defenses and Mitigations =====

  * **Update OpenClaw**: The vendor has patched the flaw; update to the latest version immediately. ((Source: [[https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html|The Hacker News — ClawJacked Flaw]]))
  * **Strong authentication**: Enforce strong, unique gateway passwords, and apply the same attempt limits and lockouts to localhost connections as to remote ones; a loopback exemption is exactly what the brute-force step relies on.
  * **Disable auto-approval**: Require explicit user confirmation for every device pairing, with no exception for localhost origins.
  * **Network isolation**: Keep the gateway bound to the loopback interface only and never expose it on other network interfaces. Loopback binding by itself does not stop a browser running on the same machine, so the gateway must also reject WebSocket handshakes whose ''Origin'' header is not an expected local origin, and the authentication and pairing controls above still apply.
  * **Sandboxing**: Run agents in containers and monitor all tool calls and logs.
  * **Skill auditing**: Scan every ClawHub skill for malicious payloads before installing it.
  * **Privilege limitation**: Apply least privilege to all agent capabilities so that a hijacked agent can do as little damage as possible.

===== See Also =====

  * [[openclaw_security_risks|Security Risks and Dangers of Using OpenClaw]]
  * [[saas_security_agents|SaaS Security Blind Spots from Third-Party Agents]]
  * [[autonomous_threat_hunters|Autonomous Threat Hunters in Cybersecurity]]

===== References =====