DEV Community

Dar Fazulyanov

BREAKING: Any Website Can Silently Hijack Your OpenClaw Agent (Oasis Security)

Oasis Security just dropped a bombshell: any website you visit can silently take full control of your OpenClaw agent. No plugins needed. No user interaction. Just visit a malicious page.

Source: Oasis Security Research | Video PoC

The Attack Chain

  1. Developer has OpenClaw running on localhost (the default setup)
  2. Developer visits any malicious/compromised website
  3. JavaScript on the page opens a WebSocket to localhost on OpenClaw's gateway port
  4. WebSocket connections to localhost are NOT blocked by cross-origin policies
  5. Script brute-forces the gateway password — hundreds of attempts/second
  6. The gateway's rate limiter exempts localhost connections entirely
  7. Once authenticated, the script registers as a trusted device
  8. Gateway auto-approves device pairings from localhost with no user prompt
  9. Attacker has full control: read messages, exfiltrate files, execute shell commands

This is equivalent to full workstation compromise, initiated from a browser tab.

Why This Is Different

Previous OpenClaw vulnerabilities required either:

  • An exposed instance (port open to internet)
  • A malicious skill installed
  • A compromised message/email (prompt injection)

This one requires nothing except visiting a website. The developer doesn't install anything, doesn't click anything, doesn't approve anything. Their OpenClaw agent is silently hijacked.

The Three Failures

  1. No rate limiting on localhost — passwords can be brute-forced at hundreds of attempts/second
  2. Auto-approved localhost pairings — no user confirmation required
  3. WebSocket to localhost allowed — browsers don't apply CORS to WebSocket connections

Each alone would be a concern. Combined, they create a zero-click full takeover.
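
One way a local gateway could close all three gaps, shown as an added example that is not OpenClaw's code and not from the Oasis write-up. The function names, the allowed origin and the thresholds are assumptions made for illustration.

```javascript
// Added example: hypothetical gateway-side checks, not OpenClaw's implementation.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:9999"]); // constructed placeholder UI origin
const MAX_FAILURES = 5;     // assumed: failed logins tolerated per window
const WINDOW_MS = 60000;    // assumed: window length in milliseconds
const failures = new Map(); // remote address -> timestamps of recent failed logins

// Failure 3: browsers attach an Origin header to every WebSocket handshake and
// page script cannot override it, so a foreign Origin marks a web-page caller.
// Assumption: native clients (CLI, apps) send no Origin and proceed to auth.
function originAllowed(origin) {
  return origin === undefined || ALLOWED_ORIGINS.has(origin);
}

// Failure 1: count failures per remote address with no loopback exemption.
function throttled(addr, now) {
  const recent = (failures.get(addr) || []).filter((t) => now - t < WINDOW_MS);
  failures.set(addr, recent);
  return recent.length >= MAX_FAILURES;
}

// Evaluate one handshake plus password attempt; verify is the caller's checker.
function handleConnect({ origin, addr, password }, verify, now = Date.now()) {
  if (!originAllowed(origin)) return "reject-origin";
  if (throttled(addr, now)) return "reject-throttled";
  if (!verify(password)) {
    failures.get(addr).push(now);
    return "reject-auth";
  }
  return "authenticated";
}

// Failure 2: pairing waits for explicit user approval. The source address is
// deliberately ignored, so loopback gets no automatic trust.
function handlePairing(addr, userConfirmed) {
  return userConfirmed === true ? "paired" : "pending-user-approval";
}
```

With the Origin check in place the handshake from a web page is refused before any password is evaluated, and the limiter still caps guesses from anything else running on the same machine.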

What To Do Right Now

Immediate

  • Change your gateway password to something long (32+ characters)
  • Disable auto-approve for device pairings if your version supports it
  • Check for unknown paired devices in your OpenClaw dashboard

Short-term

  • Move OpenClaw off your development machine to a dedicated host
  • Use a non-default gateway port
  • Bind to a non-localhost IP (e.g., Tailscale address) so browser-based attacks can't reach it

Add Runtime Monitoring

npm install clawmoat

# Monitor for unauthorized access patterns
# Track all device pairings and authentication attempts  
# Alert on unexpected WebSocket connections
npx clawmoat --tier worker --audit-log ./audit.json

ClawMoat monitors authentication events, tracks device pairings, and alerts on anomalous access patterns. It won't prevent the WebSocket connection (that's a browser-level issue), but it will detect and log the brute-force attempts and unauthorized pairings.

The Bigger Picture

This is now the fourth major attack vector disclosed this month:

| Attack | Vector | Impact |
|---|---|---|
| CVE-2026-25253 | One-click RCE | Full control via crafted link |
| ClawHavoc | Supply chain | 824+ malicious skills |
| 40K exposed instances | Misconfiguration | Full remote access |
| Oasis WebSocket hijack | Any website | Full agent takeover |

Every one of these would have been detected or mitigated by host-level monitoring — permission tiers, credential watching, audit trails, and anomaly detection.

The ecosystem is building security tooling fast (SecureClaw, Clawned.io, ClawMoat, ClawShell), but the vulnerability disclosure rate is outpacing the fixes. If you're running OpenClaw, assume you're a target.

