ClawJacked: High-Severity Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket
Security firm Oasis Security disclosed a high-severity vulnerability dubbed ClawJacked in OpenClaw, a locally running AI agent tool, that allows a malicious website to connect to the agent's local WebSocket gateway and take full control of it without the user's knowledge. The attack requires only that a developer has OpenClaw running on their laptop with the gateway bound to localhost — a standard configuration — and then visits an attacker-controlled webpage, which uses JavaScript to exploit the WebSocket interface. OpenClaw has issued a fix, but the flaw underscores a structural risk in AI agent frameworks that expose local WebSocket gateways without robust origin validation.
Key Takeaways
- ClawJacked flaw: malicious website JavaScript connects to OpenClaw's localhost WebSocket gateway and takes control of the AI agent — no plugins or extensions required, affects the base OpenClaw installation
- Oasis Security research confirms the attack works when a developer runs OpenClaw on localhost with its default gateway configuration; the attack is initiated by visiting a malicious webpage
- OpenClaw is the same AI agent at the center of the Clinejection npm supply chain attack (Feb 2026) and the Bing AI malware distribution campaign — multiple active threat vectors now exploit OpenClaw's user base
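The origin validation the summary refers to can be sketched as a gate on the WebSocket upgrade request. This is an added example, not OpenClaw's code or its fix; port 8765, the allowlist and all function names are assumptions made for illustration.

```javascript
// Added example: Origin gate for a localhost WebSocket upgrade (not OpenClaw code).
// Port 8765 and every name below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['http://localhost:8765', 'http://127.0.0.1:8765']);

// Reduce an Origin header to scheme://host[:port]; null if it is not a plain origin.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  // A real Origin header has no credentials, path, query or fragment.
  if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) return null;
  return url.origin; // lower-cased scheme and host, default port dropped
}

// headers: lower-cased header map, as Node's http module passes on the 'upgrade' event.
function authorizeUpgrade(headers, { allowMissingOrigin = false } = {}) {
  const raw = headers.origin;
  if (raw === undefined) {
    // Browsers always send Origin on a WebSocket handshake; only native clients omit it.
    return allowMissingOrigin
      ? { ok: true, reason: 'no-origin-native-client' }
      : { ok: false, reason: 'missing-origin' };
  }
  const origin = normalizeOrigin(raw);
  if (origin === null) return { ok: false, reason: 'malformed-origin' };
  // Exact set membership: no substring, prefix or regex matching.
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: 'origin-not-allowed' };
  return { ok: true, reason: 'origin-allowed' };
}

// Wire the gate into an http.Server; onAccepted is the caller's WebSocket handler.
function attachGate(server, onAccepted) {
  server.on('upgrade', (req, socket, head) => {
    const verdict = authorizeUpgrade(req.headers);
    if (!verdict.ok) return socket.end('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
    onAccepted(req, socket, head);
  });
}

// Constructed handshake headers, one per case.
const SAMPLES = [
  { origin: 'http://localhost:8765' }, { origin: 'https://attacker.example' },
  { origin: 'http://localhost.attacker.example:8765' }, { origin: 'null' }, {},
];
const evaluateSamples = () => SAMPLES.map((h) => authorizeUpgrade(h).reason);
console.log(evaluateSamples());
```

An Origin check only constrains browser-initiated connections, since a non-browser client can send any Origin value, so it complements gateway authentication rather than replacing it.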
Original source: The Hacker News / Oasis Security