A ClawJacked attack is a high-severity vulnerability targeting the OpenClaw AI agent platform that allows malicious websites to hijack locally running AI agents via localhost WebSocket connections. ¹⁾ The attack exploits weak authentication to gain full control of the agent without user interaction or malware installation, effectively turning a trusted local AI assistant into a remote attack vector.

The ClawJacked attack exploits OpenClaw's local gateway design through a four-step sequence:

1. WebSocket Connection: Malicious JavaScript on a visited website connects to the OpenClaw gateway port on localhost. ²⁾
2. Brute-Force Authentication: Localhost connections bypass rate limiting, allowing hundreds of password guesses per second to crack weak or common passwords in seconds. ³⁾
3. Silent Device Registration: After authentication, the script registers as a trusted device, auto-approved without prompts or notifications for localhost origins.
4. Full Agent Control: The attacker gains admin access to send commands to the AI agent, enabling execution of shell commands, reading files and secrets, dumping configurations, and exfiltrating data. ⁴⁾

This attack leverages the confused deputy problem, where the trusted local agent misuses its elevated privileges on behalf of a remote attacker. ⁵⁾

The primary vector requires only visiting a malicious website (via phishing, ads, or social engineering) while OpenClaw runs locally. No clicks, downloads, or additional interaction is needed. ⁶⁾

Related risks include malicious ClawHub skills: researchers identified 71 malicious skills that deploy infostealers and crypto-miners, propagating via compromised agents. ⁷⁾

Oasis Security published a proof-of-concept demonstrating full takeover from a browser, including password guessing, device registration, agent interaction, and configuration dumping, all performed silently without user awareness. ⁸⁾

In the wild, infostealers such as Atomic Stealer have been observed distributing through malicious ClawHub skills, with tactics aligning with FIN7 and APT37 threat actor techniques for supply-chain and browser-based attacks. ⁹⁾

• Update OpenClaw: The vendor has patched the flaw; update to the latest version immediately ¹⁰⁾
• Strong Authentication: Enforce strong, unique passwords and enable rate limiting for all connections, including localhost
• Disable Auto-Approval: Require explicit user confirmation for all device pairing, including localhost origins
• Network Isolation: Bind gateways to non-loopback interfaces or use firewalls to block unauthorized localhost access
• Sandboxing: Run agents in containers and monitor all tool calls and logs
• Skill Auditing: Scan all ClawHub skills for malicious payloads before installation
• Privilege Limitation: Apply least-privilege principles to all agent capabilities

• Security Risks and Dangers of Using OpenClaw
• SaaS Security Blind Spots from Third-Party Agents
• Autonomous Threat Hunters in Cybersecurity