OpenClaw has fixed a high-severity security issue that, if successfully exploited, could allow a malicious website to connect to and take control of a locally running artificial intelligence (AI) agent.
“Our vulnerability resides in the core system itself – no plugins, no marketplace, no user-installed extensions – just the open OpenClaw gateway, running exactly as documented,” Oasis Security said in a report published this week.
The cybersecurity company has codenamed the flaw ClawJacked.
The attack assumes the following threat model: a developer has installed and enabled OpenClaw on their laptop, with its gateway listening on a WebSocket server bound to localhost and protected by a password. The attack begins when the developer is lured to an attacker-controlled website through social engineering or any other means.
The attack then proceeds as follows:
- Malicious JavaScript on the web page opens a WebSocket connection to localhost on the OpenClaw gateway port.
- The script brute-forces the gateway password, taking advantage of a missing rate-limiting mechanism.
- After successfully authenticating with administrator-level permissions, the script silently registers itself as a trusted device, which the gateway approves automatically without any user prompt.
- The attacker gains full control over the AI agent, allowing them to interact with it, dump configuration data, enumerate connected nodes, and read application logs.
Oasis Security said, “Any website you visit may open one to your localhost. Unlike regular HTTP requests, the browser does not block these cross-origin connections. So when you’re browsing a website, the JavaScript running on that page can silently open a connection to your local OpenClaw gateway. The user doesn’t see anything.”
“That misplaced trust has real consequences. Gateways relax many security mechanisms for local connections – including silently approving new device registrations without prompting the user. Normally, when a new device connects, the user must confirm the pairing. From localhost, this is automatic.”
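The three weaknesses the report describes (browser pages reaching a localhost WebSocket, unlimited password guessing, and pairing auto-approved for loopback peers) map to three server-side checks. The following is an added, hypothetical gateway policy written for this article, not OpenClaw's own code; the allowed UI origin, lockout thresholds and client identifiers are constructed values.

```python
import hmac
from collections import defaultdict
from typing import Optional

# Hypothetical hardened auth policy for a local agent gateway's WebSocket flow
# (added example, not OpenClaw's code). Closes the gaps described above:
# cross-origin browser pages reaching localhost, unlimited password guessing,
# and device registrations auto-approved only because the peer is loopback.
ALLOWED_ORIGINS = {"http://localhost:3000"}   # assumed UI origin; constructed value
MAX_FAILURES = 5                             # failed attempts before lockout
LOCKOUT_SECONDS = 300

class GatewayAuthPolicy:
    def __init__(self, password: str):
        self._password = password
        self._failures = defaultdict(int)    # client id -> consecutive failures
        self._locked_until = {}              # client id -> unix time lockout ends

    def accept_handshake(self, origin: Optional[str]) -> bool:
        # Browsers always send Origin on WebSocket upgrades; native clients may
        # omit it. Any browser page whose origin is not allow-listed is rejected
        # before it ever reaches the password check.
        return origin is None or origin in ALLOWED_ORIGINS

    def attempt_auth(self, client_id: str, password: str, now: float) -> str:
        # Returns "ok", "denied" or "locked". Failures are counted per client and
        # a lockout window makes online guessing impractical.
        if self._locked_until.get(client_id, 0) > now:
            return "locked"
        if hmac.compare_digest(password, self._password):
            self._failures[client_id] = 0
            return "ok"
        self._failures[client_id] += 1
        if self._failures[client_id] >= MAX_FAILURES:
            self._locked_until[client_id] = now + LOCKOUT_SECONDS
            self._failures[client_id] = 0
            return "locked"
        return "denied"

    @staticmethod
    def device_needs_user_approval(remote_addr: str) -> bool:
        # Loopback is not a trust signal: any local process or browser tab can
        # reach it, so a new device pairing is always confirmed by the user.
        return True
```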
Following responsible disclosure, OpenClaw shipped a fix in less than 24 hours, releasing version 2026.2.25 on February 26, 2026. Users are advised to apply the latest updates as soon as possible, periodically audit the access granted to AI agents, and implement appropriate governance controls for non-human (aka agentic) identities.
This development comes amid extensive security scrutiny of the OpenClaw ecosystem, which primarily stems from the fact that AI agents have broad access to disparate systems and the authority to execute tasks in enterprise tools, making the blast radius significantly larger if they are compromised.
A report from Bitsight and NeuralTrust details how Internet-exposed OpenClaw instances create an expanded attack surface, with each integrated service broadening the blast radius and turning the agent into a weapon: an attacker embeds prompt injections in content the agent processes (for example, an email or a Slack message) to make it carry out malicious actions.
The disclosure came after OpenClaw also patched a log poisoning vulnerability that allowed attackers to write malicious content to log files via WebSocket requests to a publicly accessible instance on TCP port 18789.
Since the agent reads its own logs to troubleshoot certain actions, the flaw could be exploited by a threat actor to perform indirect prompt injection, which could lead to unintended consequences. The issue was addressed in version 2026.2.13, which shipped on February 14, 2026.
“If the injected text is interpreted as meaningful operational information rather than untrusted input, it could influence decisions, suggestions, or automated actions,” iSecurity said. “The impact will therefore not be ‘immediate takeover’, but rather: manipulation of the agent’s logic, influencing troubleshooting steps, potential data disclosure if the agent is directed to reveal the context, and indirect misuse of linked integrations.”
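The log poisoning case above has two defensive halves: attacker-influenced request data must not be able to forge log lines, and an agent that reads its own logs must not treat that data as operational text. The following is an added illustration written for this article, not OpenClaw's code; the marker strings, field limit and sample request values are constructed.

```python
import json
import re

# Hypothetical log hygiene for an agent that later reads its own logs (added
# example, not OpenClaw's code). Untrusted request fields are escaped and
# wrapped in a delimiter on write, and redacted before the text reaches the LLM.
UNTRUSTED_OPEN, UNTRUSTED_CLOSE = "<<untrusted>>", "<</untrusted>>"
MAX_FIELD = 200                      # cap attacker-controlled field length
_CTRL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, ESC and other control bytes
_SEGMENT = re.compile(re.escape(UNTRUSTED_OPEN) + r".*?" + re.escape(UNTRUSTED_CLOSE))

def write_log_line(level: str, event: str, untrusted: dict) -> str:
    # Control characters are stripped so one request cannot inject a second,
    # forged log line; values are JSON-encoded and clearly delimited so a reader
    # can tell exactly which part of the line came from the network.
    clean = {k: _CTRL.sub("", str(v))[:MAX_FIELD] for k, v in untrusted.items()}
    payload = json.dumps(clean, ensure_ascii=True)
    return f"{level} {event} {UNTRUSTED_OPEN}{payload}{UNTRUSTED_CLOSE}"

def redact_for_model(lines: list) -> list:
    # Before log text is handed to the model for troubleshooting, every
    # attacker-writable segment is replaced, so it can never be read as an
    # instruction, a status message or a suggestion.
    return [_SEGMENT.sub("[untrusted input redacted]", line) for line in lines]
```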
In recent weeks, OpenClaw has been found to be affected by several vulnerabilities (CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322, CVE-2026-26329), ranging from medium to high severity, that can result in remote code execution, command injection, server-side request forgery (SSRF), authentication bypass, and path traversal. The vulnerabilities have been addressed in OpenClaw versions 2026.1.20, 2026.1.29, 2026.2.1, 2026.2.2, and 2026.2.14.
“As AI agent frameworks become more prevalent in enterprise environments, security analytics must evolve to address both traditional vulnerabilities and AI-specific attack surfaces,” Andor Labs said.
Elsewhere, new research has revealed that malicious skills uploaded to ClawHub, an open marketplace for downloading OpenClaw skills, are being used as a medium to distribute a new version of Atomic Stealer, a macOS information stealer developed and leased out by the cybercrime actor known as Cookie Spider.
“The infection chain starts with a simple SKILL.md that establishes a condition,” Trend Micro said. “The skill appears harmless on the surface and was even labeled as benign on VirusTotal. OpenClaw then goes to the website, receives installation instructions, and proceeds with the installation if the LLM decides to follow the instructions.”
The instructions hosted on the website “openclawcli.vercel[.]app” contain a malicious command that downloads a stealer payload from an external server (“91.92.242[.]30”) and runs it.
Threat hunters also flagged a new malware distribution campaign in which a threat actor named @liuhui1010 leaves comments on legitimate skill listing pages, urging users to run a given command in the Terminal app if the skill “does not work on macOS.”
The command is designed to retrieve the stealer from “91.92.242[.]30,” an IP address that was previously documented by Koi Security and OpenSourceMalware as distributing the same malware via malicious skills uploaded to ClawHub.
Additionally, a recent analysis of 3,505 ClawHub skills by AI security company Straiker revealed at least 71 malicious skills, some of which were presented as legitimate cryptocurrency tools but contained hidden functionality to redirect funds to threat actor-controlled wallets.
Two other skills, BOB-P2P-BETA and Runware, have been attributed to a multi-layered cryptocurrency scam that employs an agent-to-agent attack chain targeting the AI agent ecosystem. The skills have been attributed to a threat actor who operates under the alias “26medias” on ClawHub and “bobvonnewman” on Moltbook and X.
Researchers Yash Somalkar and Dan Regalado said, “bobvonnewman presents itself as an AI agent on Moltbook, a social network designed for agents to interact with each other. From that position, it promotes its own malicious skills directly to other agents, exploiting the trust that agents are designed to extend to each other by default. This is a supply chain attack with a social engineering layer built on top of it.”
Specifically, bob-p2p-beta instructs other AI agents to store Solana wallet private keys in plaintext, purchase worthless $BOB tokens on pump.fun, and route all payments through attacker-controlled infrastructure. The second skill claims to offer a benign image creation tool in order to build developer credibility.
Given that ClawHub is becoming fertile new ground for attackers, users are advised to audit skills before installing them, avoid providing credentials and keys unless necessary, and monitor skill behavior.
Security risks associated with self-hosted agent runtimes such as OpenClaw have also prompted Microsoft to issue an advisory, warning that if the agent can be tricked into retrieving and running malicious code through poisoned skills or prompt injection, an unprotected deployment could lead to credential exposure and exfiltration, memory modification, and host compromise.
The Microsoft Defender Security Research Team said, “Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation.”
“If an organization determines that OpenClaw should be evaluated, it should only be deployed in a completely isolated environment, such as a dedicated virtual machine or separate physical system. The runtime should use dedicated, non-privileged credentials and should only have access to non-sensitive data. Continuous monitoring and rebuilding plans should be part of the operating model.”