ClawJacked Vulnerability in OpenClaw Allows Malicious Websites to Hijack Local AI Agents and Steal Data

Executive Summary
The ClawJacked vulnerability represents a critical security flaw in the widely adopted open-source AI agent platform OpenClaw. This vulnerability enables malicious websites to hijack locally running OpenClaw instances by exploiting a localhost authentication bypass, resulting in unauthorized access, data exfiltration, and potential full system compromise. The attack leverages browser-based JavaScript to brute-force authentication over WebSocket connections to the local OpenClaw service, bypassing intended rate-limiting protections. The flaw was responsibly disclosed by Oasis Security and patched in OpenClaw version 2026.2.26. Organizations and individuals using OpenClaw are strongly urged to update immediately and review their deployment for signs of compromise.
Threat Actor Profile
While no advanced persistent threat (APT) group has been directly attributed to the exploitation of ClawJacked as of this report, the tactics, techniques, and procedures (TTPs) observed align with those used by both financially motivated cybercriminals and espionage-focused actors. Notably, the attack chain is consistent with the operational patterns of groups such as FIN7 and APT37, who are known for leveraging supply chain vulnerabilities and browser-based attack vectors. Additionally, aliases such as @liuhui1010, 26medias, and BobVonNeumann have been observed distributing malicious "skills" and social engineering content within the OpenClaw ecosystem, indicating a blend of opportunistic and targeted exploitation.
Technical Analysis of Malware/TTPs
The ClawJacked vulnerability arises from the design of the OpenClaw gateway service, which binds to localhost and exposes a WebSocket management interface. The browser same-origin policy does not govern WebSocket handshakes, so JavaScript on any web page can open a WebSocket to localhost; unless the server validates the Origin header itself, a malicious website can interact directly with the local OpenClaw instance.
The authentication mechanism in OpenClaw is intended to prevent brute-force attacks via rate limiting. However, to avoid locking out legitimate local command-line interface (CLI) sessions, the rate limiter exempts connections from the loopback address (127.0.0.1). Because a browser running on the same machine also connects from 127.0.0.1, this exemption inadvertently allows unlimited password attempts from the local browser context.
A typical attack sequence involves a user visiting a malicious website while OpenClaw is running locally. JavaScript on the site silently initiates a WebSocket connection to ws://127.0.0.1:<OpenClawPort>, rapidly brute-forcing the management password. Upon successful authentication, the attacker registers as a trusted device, which is auto-approved from localhost, and gains administrative access. This access enables the attacker to exfiltrate sensitive data, execute arbitrary shell commands, and propagate further compromise by uploading malicious "skills" to the ClawHub repository.
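The weakness described above, modelled as a gateway handshake check beside a hardened alternative. This is an added illustration written for this report, not OpenClaw's own code; the class names, the Origin allowlist and the per-(address, origin) rate-limit key are assumptions about how such a fix could look.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Handshake:
    peer_ip: str           # TCP peer address as the gateway sees it
    origin: Optional[str]  # HTTP Origin header: browsers always send one, a local CLI does not
    password: str

@dataclass
class Gateway:
    secret: str
    max_attempts: int = 5
    exempt_loopback: bool = True                 # vulnerable: 127.0.0.1 is never rate limited
    allowed_origins: Optional[frozenset] = None  # None: Origin header ignored (vulnerable)
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def authenticate(self, hs: Handshake) -> str:
        """Return 'admin', 'pending' or a 'rejected: ...' reason for one handshake."""
        # Hardened path: a browser-originated handshake must carry an allowlisted Origin.
        if (self.allowed_origins is not None and hs.origin is not None
                and hs.origin not in self.allowed_origins):
            return "rejected: origin"
        # Rate limit keyed by (address, origin): browser tabs and the CLI get separate
        # buckets, so local CLI sessions stay usable without exempting loopback.
        key = (hs.peer_ip, hs.origin)
        exempt = self.exempt_loopback and hs.peer_ip == "127.0.0.1"
        if not exempt and self.failures[key] >= self.max_attempts:
            return "rejected: rate limited"
        if hs.password != self.secret:
            self.failures[key] += 1
            return "rejected: bad password"
        self.failures[key] = 0
        # Device approval: only a local client that is not a browser is auto-approved;
        # the vulnerable configuration approves anything arriving from loopback.
        if hs.peer_ip == "127.0.0.1" and (hs.origin is None or self.allowed_origins is None):
            return "admin"
        return "pending"

def probe(gw: Gateway, origin: Optional[str], wrong: int) -> str:
    # Feed `wrong` bad passwords, then the real one, from a loopback peer; return the final status.
    for i in range(wrong):
        gw.authenticate(Handshake("127.0.0.1", origin, f"guess-{i}"))
    return gw.authenticate(Handshake("127.0.0.1", origin, gw.secret))

def hardened() -> Gateway:
    # Constructed allowlist entry standing in for the gateway's own UI origin.
    return Gateway(secret="constructed-secret", exempt_loopback=False,
                   allowed_origins=frozenset({"http://gateway-ui.local"}))
```

With the defaults, a page from any origin reaches "admin" after an unbounded number of wrong guesses; the hardened gateway rejects foreign origins outright, rate limits even loopback, and leaves browser clients "pending" until a user approves them.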
Malicious skills such as bob-p2p-beta and runware have been identified, some of which deploy infostealers like Atomic Stealer or crypto-miners. Attackers have also used social engineering tactics, such as posting comments that urge users to execute terminal commands, further expanding the attack surface.
Exploitation in the Wild
Proof-of-concept exploits for ClawJacked have been publicly demonstrated by Oasis Security, showing that the attack can be executed from a browser tab with no user interaction beyond visiting a malicious page. Real-world exploitation has been observed, including the deployment of infostealers and crypto-miners via malicious skills uploaded to ClawHub. Skills such as bob-p2p-beta and runware have been linked to cryptocurrency scams and agent-to-agent attack chains. Malicious infrastructure has been identified, including payload delivery from 91.92.242[.]30 and skill instructions hosted at openclawcli.vercel[.]app.
No confirmed nation-state APT attribution exists as of this report, but the attack methodology is consistent with both cybercrime and espionage operations. The opportunistic nature of the attack means that any user running a vulnerable OpenClaw instance is at risk, regardless of sector or geography.
Victimology and Targeting
The ClawJacked attack is opportunistic and global in scope, targeting any individual or organization running a vulnerable version of OpenClaw. Sectors most at risk include developers, enterprises, and organizations that deploy AI agent frameworks for automation, integration, and workflow orchestration. The attack does not discriminate by country, as it relies on users visiting malicious websites while running OpenClaw locally. The presence of malicious skills in the ClawHub repository further amplifies the risk, as compromised agents can propagate the attack within organizational networks and supply chains.
Mitigation and Countermeasures
Immediate mitigation requires upgrading OpenClaw to version 2026.2.26 or later, which addresses the authentication bypass and strengthens rate-limiting protections. Organizations should review all trusted device registrations for anomalies, audit installed ClawHub skills for unauthorized or suspicious uploads, and monitor for unusual WebSocket activity from browsers to localhost.
Additional best practices include deploying OpenClaw only in isolated environments with non-privileged credentials, avoiding the provision of sensitive credentials or keys to skills unless absolutely necessary, and continuously monitoring skill behavior and agent access. Security teams should also educate users about the risks of visiting untrusted websites while running local agent services and implement network monitoring to detect suspicious localhost WebSocket connections.
Indicators of compromise include outbound WebSocket connections from browsers to ws://127.0.0.1:<OpenClawPort>, new trusted devices registered from localhost without user confirmation, and the presence of skills with obfuscated or suspicious code. Known malicious skill IDs include bob-p2p-beta and runware.
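A small detector for the indicators just listed, added here as an example and not part of the original report or of OpenClaw; the log format, field names and sample lines are constructed for the illustration.

```python
import re
from collections import Counter
from typing import List

# Constructed gateway log in an assumed "key=value" format; not OpenClaw's real log format.
# "origin=-" means no Origin header was sent, which is how a local CLI session looks.
SAMPLE_LOG = (
    "2026-02-27T10:00:00Z event=ws_handshake peer=127.0.0.1 origin=-\n"
    "2026-02-27T10:00:00Z event=auth_ok peer=127.0.0.1 origin=-\n"
    "2026-02-27T10:05:12Z event=ws_handshake peer=127.0.0.1 origin=https://malicious.example\n"
    + "2026-02-27T10:05:12Z event=auth_fail peer=127.0.0.1 origin=https://malicious.example\n" * 8
    + "2026-02-27T10:05:13Z event=auth_ok peer=127.0.0.1 origin=https://malicious.example\n"
    "2026-02-27T10:05:13Z event=device_approved peer=127.0.0.1 origin=https://malicious.example device=dev-7f3a\n"
)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\S+) peer=(?P<peer>\S+) origin=(?P<origin>\S+)"
    r"(?: device=(?P<device>\S+))?$"
)

def scan(log: str, fail_threshold: int = 5) -> List[str]:
    """Return one alert per indicator found: browser handshakes to the local gateway,
    bursts of failed logins per (peer, origin), and device approvals from a browser."""
    alerts: List[str] = []
    fails: Counter = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev, peer, origin = m["event"], m["peer"], m["origin"]
        from_browser = origin != "-"  # browsers always send Origin; the CLI does not
        if ev == "ws_handshake" and peer in LOOPBACK and from_browser:
            alerts.append(f"{m['ts']} browser page {origin} opened a WebSocket to the local gateway")
        elif ev == "auth_fail":
            fails[(peer, origin)] += 1
            if fails[(peer, origin)] == fail_threshold:  # alert once, when the threshold is hit
                alerts.append(f"{m['ts']} {fail_threshold} failed logins from {peer} origin={origin}")
        elif ev == "device_approved" and peer in LOOPBACK and from_browser:
            alerts.append(f"{m['ts']} device {m['device']} auto-approved from localhost via {origin}")
    return alerts
```

Running `scan(SAMPLE_LOG)` yields three alerts for the browser session and none for the CLI session, which is the distinction a SOC rule for this flaw needs to make.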
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced analytics and continuous monitoring capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization, we are happy to answer questions at ops@rescana.com.