ClawJacked: When Visiting a Website Hijacks Your AI Agent
Your AI agent has access to your shell, your files, your calendar, your email. It can execute commands, read secrets, and take actions across your entire digital life.
Now imagine a random website you visit takes full control of it. No malware. No phishing. Just a WebSocket connection to localhost.
That's ClawJacked.
The Rise of Autonomous AI Agents
2026 is the year AI agents went from chatbots to autonomous operators. OpenClaw — originally called Clawdbot before Anthropic forced a rebrand — became one of the fastest-growing GitHub repos in history, hitting 135,000 stars in weeks. Unlike traditional AI assistants that answer questions and forget, OpenClaw is different. It persists. It acts. It runs shell commands, manages files, browses the web, sends emails, and orchestrates your digital life through a local gateway server.
The architecture is straightforward: a WebSocket gateway runs on your machine, AI agent nodes connect to it, and everything communicates through authenticated sessions. Your phone, your laptop, your desktop — all linked through this gateway, sharing capabilities and context.
It's powerful. It's also a massive attack surface that nobody was thinking about.
The Confused Deputy Returns
The confused deputy problem has been around since 1988. The concept is simple: a program with elevated privileges gets tricked into misusing those privileges on behalf of an attacker. It's the foundation behind CSRF, SSRF, and countless other vulnerability classes.
ClawJacked is the confused deputy problem adapted for the AI agent era. And it's worse than anything we've seen before, because the "deputy" in question has root-level access to your digital life.
How ClawJacked Works: Four Steps to Full Takeover
Oasis Security researchers discovered that any website could take complete control of a locally running OpenClaw agent. The attack chain is elegant in its simplicity:
Step 1: WebSocket to Localhost
When you visit an attacker-controlled website, JavaScript on the page opens a WebSocket connection to localhost on OpenClaw's gateway port. Here's the thing most developers miss: WebSocket connections to localhost are not blocked by cross-origin policies. Standard HTTP requests from a webpage to localhost? CORS stops the page from reading the response. But a WebSocket handshake isn't subject to CORS at all: the browser attaches an Origin header and connects, and it's entirely up to the server to check that header.
```javascript
// This works from ANY website
const ws = new WebSocket('ws://localhost:GATEWAY_PORT');
```
Step 2: Brute-Force the Gateway Password
OpenClaw's gateway implements rate limiting for authentication attempts — but with a critical exception. Localhost connections are exempted from rate limiting entirely. The researchers demonstrated "hundreds of password guesses per second" from browser JavaScript. A dictionary of common passwords is exhausted in under a second.
Think about that. The security mechanism designed to prevent brute-force attacks has a carve-out that says "if you're local, you're trusted." The entire premise of ClawJacked is that "local" doesn't mean "trusted" when any website can reach localhost.
Step 3: Silent Device Registration
Once authenticated, the attacker's script registers as a new device. Normally, device pairing requires user confirmation — a prompt asking "Do you want to trust this device?" But OpenClaw auto-approves device pairings from localhost. No prompt. No notification. The attacker silently becomes a trusted device on your AI agent network.
Step 4: Full Agent Control
Game over. The attacker can now:
- Execute arbitrary commands on any connected node
- Read all files accessible to the AI agent
- Exfiltrate credentials, API keys, and secrets
- Access the camera and contacts on connected mobile devices
- Read application logs and audit trails
- Enumerate all paired devices across your network
- Instruct the AI agent to perform any action it's capable of
All of this happens while the victim is browsing a webpage. No clicks. No downloads. No warnings.
The Trust Graph Problem
ClawJacked isn't just about one vulnerability in one product. It exposes a fundamental architectural flaw in how we're building AI agent systems: cascading trust.
OpenClaw's gateway connects to nodes — macOS apps, iOS devices, other machines. Each node exposes capabilities: shell access, file system, camera, contacts, calendar. When you compromise the gateway, you don't just compromise one device. You compromise every device that's ever connected to it, and every service those devices can access.
Security researchers at Bitsight and NeuralTrust documented how this creates an expanding blast radius. If your OpenClaw agent is connected to:
- GitHub → the attacker can push code to your repos
- Slack → they can read and send messages as you
- AWS → they can access your cloud infrastructure
- Email → they can exfiltrate sensitive communications
The trust graph means a single WebSocket connection from a webpage can cascade into access across dozens of systems. This is the "toxic combination" problem — legitimate agent-to-agent communications create exponential security risk when any link in the chain is compromised.
Beyond OpenClaw: The Agent Security Crisis
A security audit conducted in late January 2026 identified 512 vulnerabilities in OpenClaw, eight classified as critical. Beyond ClawJacked (CVE-2026-25253), additional CVEs include:
- CVE-2026-25593 — Remote code execution
- CVE-2026-24763 — Command injection
- CVE-2026-25157 — SSRF
- CVE-2026-25475 — Authentication bypass
- CVE-2026-26319 — Path traversal
- CVE-2026-26322 — Additional auth bypass
- CVE-2026-26329 — Further RCE vectors
But this isn't an OpenClaw-specific problem. Every locally-running AI agent with a network listener is potentially vulnerable to the same class of attack. The localhost trust assumption is baked into how most developers think about local services.
Google's own AI integration was hit with a similar issue when researchers found that API keys could authenticate to Gemini endpoints and access private data, uploaded files, and cached content. Microsoft 365 Copilot had a bug that let it summarize confidential emails bypassing DLP policies. The pattern is clear: AI integrations are becoming entry points.
Localhost Is Not a Security Boundary
The core lesson from ClawJacked is deceptively simple: localhost is not a trust boundary.
For decades, developers have treated localhost connections as inherently trusted. "If someone can connect to localhost, they already have access to the machine." That assumption was always fragile, but it held up when the only things connecting to localhost were other local processes.
Browsers changed that equation. WebSocket, WebRTC, and other browser APIs can reach localhost from any webpage. Your local services are exposed to every website you visit. And in the age of AI agents with expansive capabilities, the blast radius of that exposure is enormous.
What You Should Do Right Now
If you're running OpenClaw:
- Update to version 2026.2.25 or later immediately (patched within 24 hours of disclosure)
- Audit your connected devices and revoke any you don't recognize
- Review gateway logs for unexpected localhost connections
If you're building AI agents:
- Never exempt localhost from authentication or rate limiting
- Require explicit user confirmation for all device registrations, regardless of source
- Implement origin checking on WebSocket connections
- Apply zero-trust principles — treat your AI agent as a privileged identity
- Assume every integration expands your blast radius
If you're a security researcher:
- AI agent gateways are the new attack surface. Every product running a local server with agent capabilities is a target.
- The confused deputy pattern applied to AI agents is a rich hunting ground
- Trust graph analysis across agent integrations will reveal cascading vulnerability chains
The Bigger Picture
We're building systems that can execute commands, access files, send emails, and take actions across our digital lives — then connecting them to localhost with rate limiting disabled for "trusted" connections.
The era of AI agents is also the era of AI agent exploitation. ClawJacked is the first high-profile example, but it won't be the last. As autonomous AI systems proliferate, the attack surface isn't the AI model — it's the infrastructure we build around it.
The confused deputy got an upgrade. And it has root access.
Sources: Oasis Security Research, HackRead, Kaspersky, The Hacker News