Visit the wrong website. Lose control of your AI agent. That's the reality of ClawJacked — a critical vulnerability discovered by Oasis Security that lets any webpage silently take full control of a self-hosted OpenClaw instance.
No plugins required. No user interaction. Just a browser tab.
How ClawJacked Works
OpenClaw runs a gateway service on your local machine that exposes a WebSocket interface on localhost. The problem: browsers don't block cross-origin WebSocket connections to localhost. CORS, which restricts regular cross-origin HTTP requests, doesn't apply to WebSocket connections.
The attack chain:
- You visit a malicious or compromised website
- Hidden JavaScript opens a WebSocket connection to your local OpenClaw gateway
- The gateway has no rate limiting for localhost — the script brute-forces your password at hundreds of attempts per second
- Once authenticated, localhost connections are auto-approved as trusted devices
- The attacker now has full admin access to your agent
"A developer has OpenClaw running on their laptop... They're browsing the web and accidentally land on a malicious website. That's all it takes," Oasis Security wrote in their disclosure.
What an Attacker Gets
Full control. Specifically:
- Read your private messages — Slack history, stored conversations
- Steal API keys — dump the entire gateway config including LLM provider credentials
- Execute commands — run system commands on connected devices
- Exfiltrate files — pull documents from your machine through the agent
For developers with typical integrations, ClawJacked means full workstation compromise from a browser tab.
The Fix
OpenClaw classified ClawJacked as high severity and shipped a patch in version 2026.2.25 — less than 24 hours after disclosure. If you self-host OpenClaw, update immediately.
Oasis Security praised the turnaround, especially for a volunteer-driven open-source project.
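The patch itself is not shown on this page. As an added illustration (not OpenClaw's code or its actual fix), these are the two server-side checks that break the chain described above: validating the `Origin` header the browser attaches to a WebSocket handshake, and throttling failed logins with no exemption for loopback. The names `originAllowed`, `AuthLimiter` and `handleAuth`, the allowed origin and the thresholds are all assumptions.

```javascript
// Added example: hypothetical gateway-side checks, not OpenClaw's code or patch.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]); // constructed value

// Browsers always attach Origin to a WebSocket handshake and page script
// cannot change it, so an unexpected Origin means a foreign web page.
function originAllowed(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers.origin;
  if (origin === undefined) return true; // non-browser client; must still authenticate
  return allowed.has(origin);
}

// Failed-login limiter keyed by client address, with no loopback exemption.
class AuthLimiter {
  constructor({ maxFailures = 5, windowMs = 60000, lockMs = 300000 } = {}) {
    Object.assign(this, { maxFailures, windowMs, lockMs });
    this.state = new Map(); // addr -> { failures: [timestamps], lockedUntil }
  }
  isLocked(addr, now) {
    const s = this.state.get(addr);
    return s !== undefined && now < s.lockedUntil;
  }
  recordFailure(addr, now) {
    const s = this.state.get(addr) || { failures: [], lockedUntil: 0 };
    s.failures = s.failures.filter((t) => now - t < this.windowMs);
    s.failures.push(now);
    if (s.failures.length >= this.maxFailures) {
      s.lockedUntil = now + this.lockMs; // lock the address, reset the counter
      s.failures = [];
    }
    this.state.set(addr, s);
  }
  recordSuccess(addr) {
    this.state.delete(addr);
  }
}

// Order matters: origin first, lockout second, password last, so a locked
// or cross-origin client never gets a password comparison at all.
function handleAuth(limiter, req, checkPassword, now = Date.now()) {
  if (!originAllowed(req.headers)) return { ok: false, reason: "origin" };
  if (limiter.isLocked(req.addr, now)) return { ok: false, reason: "locked" };
  if (!checkPassword(req.password)) {
    limiter.recordFailure(req.addr, now);
    return { ok: false, reason: "password" };
  }
  limiter.recordSuccess(req.addr);
  return { ok: true, reason: null };
}
```

With these defaults, a burst of guesses from 127.0.0.1 gets five password comparisons before the address is locked for five minutes, instead of hundreds per second.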
Why Managed Hosting Isn't Affected
ClawJacked depends on one thing: a gateway running on your local machine. The entire attack chain starts with a WebSocket connection to localhost.
With managed hosting, your OpenClaw gateway runs on a remote server — not your laptop. There's no localhost gateway to connect to. The attack vector doesn't exist.
Self-hosted means every browser tab is a potential attack surface. Managed means your agent lives behind server-level firewalls and network isolation, completely separated from your browsing environment.