A vulnerability named ClawJacked was disclosed in February 2026: malicious websites can hijack local OpenClaw AI agents through WebSocket connections, redirecting autonomous agent behavior without the user's knowledge.
The patch is straightforward. The deeper problem is not.
What ClawJacked Revealed
ClawJacked exposed a class of attack that auth controls don't prevent. The agent was running with legitimate credentials. The session was authorized. The WebSocket connection appeared normal.
What changed was what the agent did inside that session — and there was no way to tell, after the fact, whether the actions it took were the ones it was supposed to take.
This is the gap that security teams are now scrambling to address: not just securing the perimeter around agents, but proving what happened inside an authorized session.
Patching Is Necessary. It's Not Sufficient.
WebSocket origin validation closes the specific ClawJacked vector. It doesn't address:
- Prompt injection attacks embedded in page content that redirect agent intent
- Agents executing correct code against manipulated page state
- Session tampering that leaves no trace in structured logs
- Compliance requirements to document what the agent actually did, not just what it was instructed to do
The common thread: these attacks don't show up in your text audit logs. The log records intended actions. It cannot record what the agent encountered on-screen at the moment each action fired.
The Evidence Layer That's Missing
When a ClawJacked-style attack succeeds — or when an auditor asks for proof that it didn't — you need more than logs. You need a recording.
Frame-by-frame video of an agent's browser session shows:
- The exact page state when each action executed
- Whether injected content or unexpected elements appeared mid-session
- The visual evidence that the agent completed the intended task on the intended page
- A tamper-evident artifact that compliance teams can review and sign off on
This is what separates "our logs say the session completed normally" from "here is the session recording — every frame, timestamped."
Adding Visual Proof to OpenClaw Deployments
After patching ClawJacked, the next step for enterprise deployments is session recording. PageBolt's /v1/video endpoint captures narrated browser sessions via API — add it as a post-action verification step in your agent workflow:
```bash
curl -X POST https://pagebolt.dev/api/v1/video \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "steps": [
      { "action": "navigate", "url": "https://completed-task-result.com" },
      { "action": "screenshot", "note": "Agent task complete — visual proof captured for audit trail" }
    ],
    "output": { "format": "mp4" }
  }' \
  --output agent-session-$(date +%s).mp4
```
Store the recording alongside the session ID and agent run metadata. When a security incident review or compliance audit occurs, you have frame-by-frame evidence — not an inference from logs.
For multi-step agent workflows, /v1/sequence captures multiple checkpoints in a single browser session without the overhead of separate browser instances.
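A stored recording is only tamper-evident if a later edit to it can be detected. The sketch below is an added example, not PageBolt or OpenClaw code: it binds each recording's SHA-256 to its session ID and run metadata in a hash-chained manifest and re-checks both at review time. The manifest name `evidence.jsonl`, the field names and the sample files are assumptions made for illustration.

```python
import hashlib, json, os, tempfile
GENESIS = "0" * 64  # prev_hash used by the first manifest entry

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def entry_hash(entry):  # covers every field except the hash itself
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_record(manifest, recording, session_id, run_meta):
    prev = GENESIS
    if os.path.exists(manifest) and os.path.getsize(manifest):
        with open(manifest) as f:
            prev = json.loads(f.read().splitlines()[-1])["entry_hash"]
    entry = {"session_id": session_id, "run_meta": run_meta, "prev_hash": prev,
             "recording": os.path.basename(recording), "sha256": sha256_file(recording)}
    entry["entry_hash"] = entry_hash(entry)  # chains this entry to the previous one
    with open(manifest, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry["entry_hash"]

def verify_manifest(manifest):  # returns [(line_no, reason)]; [] means intact
    problems, prev = [], GENESIS
    with open(manifest) as f:
        for n, line in enumerate(f, 1):
            e = json.loads(line)
            if e["prev_hash"] != prev or entry_hash(e) != e["entry_hash"]:
                problems.append((n, "manifest entry altered or reordered"))
            path = os.path.join(os.path.dirname(manifest), e["recording"])
            if not os.path.exists(path) or sha256_file(path) != e["sha256"]:
                problems.append((n, "recording missing or modified"))
            prev = e["entry_hash"]
    return problems

def demo():
    # Constructed stand-ins for two downloaded recordings (not real video).
    with tempfile.TemporaryDirectory() as d:
        manifest = os.path.join(d, "evidence.jsonl")
        for i in (1, 2):
            rec = os.path.join(d, f"agent-session-{i}.mp4")
            with open(rec, "wb") as f:
                f.write(b"constructed frames %d" % i)
            append_record(manifest, rec, f"run-{i}", {"agent": "example"})
        clean = verify_manifest(manifest)
        with open(rec, "ab") as f:
            f.write(b"edited")  # simulate a post-hoc change to recording 2
        return clean, verify_manifest(manifest)
```

The chain detects edits only if the latest `entry_hash` is also kept somewhere the agent host cannot write, such as write-once storage or a signed ticket; otherwise the whole manifest can be regenerated along with the altered file.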
What ClawJacked Should Change About Enterprise Agent Policy
Every enterprise deploying autonomous browser agents should now have an answer to: "If this session was hijacked at step 12, how would we know?"
If the answer is "we'd look at the logs," that's not sufficient for a post-ClawJacked threat model.
The right answer is: "We have a session recording. We can play it back from step 1."
Patch ClawJacked. Then add the recording layer. That's the complete response.
[PageBolt free tier: 100 requests/month, no credit card required. pagebolt.dev]