Oasis Security published research today showing that any website can silently take full control of an OpenClaw agent via localhost WebSocket. Zero-click. No plugins needed.
We shipped ClawMoat v0.7.1 with a new GatewayMonitor module to detect this exact attack pattern. 25 new tests, 205 total, still zero dependencies.
What the Attack Does
- You visit a website
- JavaScript opens WebSocket to
localhost:18789 - Brute-forces your gateway password (rate limiter exempts localhost!)
- Auto-registers as trusted device (no user prompt for localhost!)
- Full agent control: messages, files, shell commands
What ClawMoat v0.7.1 Detects
1. Brute-Force Authentication
const { GatewayMonitor } = require('clawmoat');
const monitor = new GatewayMonitor({
bruteForceThreshold: 10,
onAlert: (alert) => {
console.error('ALERT:', alert.message);
}
});
// Hook into auth handler
monitor.recordAuthAttempt({
source: req.ip,
success: false,
origin: req.headers.origin // detects cross-origin attacks
});
2. Suspicious WebSocket Origins
The key insight: the attack comes from a different website via WebSocket. ClawMoat flags any non-localhost origin connecting to your gateway.
3. Auto-Approved Device Pairings
monitor.recordDevicePairing({
deviceId: 'unknown-xyz',
source: 'localhost',
autoApproved: true
});
// => CRITICAL: 'Localhost auto-approve is the exact vector
// used in the Oasis WebSocket hijack'
4. Gateway Config Audit
const audit = monitor.auditGatewayConfig();
console.log('Score:', audit.score + '/100');
console.log('Oasis vulnerable:', audit.oasisVulnerable);
// Checks: password strength, binding, rate limits,
// auto-approve, default port
Hardened Config Generator
const config = GatewayMonitor.getHardenedConfig();
// Returns config with:
// - 64-char random token
// - Non-default port
// - Auto-approve disabled
// - Localhost rate limiting enabled
What You Should Do NOW
- Change gateway password to 32+ characters
- Check for unknown paired devices
- Disable auto-approve for pairings
-
Install ClawMoat:
npm install clawmoat - Bind to Tailscale IP instead of localhost
Four Attack Vectors in One Month
| Attack | Vector | ClawMoat Module |
|---|---|---|
| CVE-2026-25253 | Crafted link | CVE verifier |
| ClawHavoc | Supply chain | Skill integrity |
| 40K exposed | Misconfiguration | Gateway audit |
| Oasis hijack | Any website | Gateway monitor (NEW) |
Runtime monitoring is no longer optional.
Install: npm install clawmoat
GitHub: github.com/darfaz/clawmoat — 205 tests, zero deps, MIT license
Full writeup: clawmoat.com/blog/oasis-websocket-hijack.html
Top comments (0)