A significant zero-click flaw in OpenClaw, one of the most rapidly growing open-source AI agent frameworks, has been identified by Oasis Security researchers. It allows any malicious website to silently take complete control of a developer's AI agent without plugins, extensions, or any user interaction.
OpenClaw, a self-hosted AI assistant previously referred to as Clawdbot and MoltBot, surged to over 100,000 GitHub stars within just five days and has become a standard personal assistant for numerous developers globally.
The application operates locally on developer laptops, linking to messaging platforms, calendars, development utilities, and local file systems, performing autonomous actions on the user’s behalf. This comprehensive access is exactly what renders the vulnerability so perilous.
Mechanism of the Attack
OpenClaw runs a local WebSocket gateway bound to localhost that acts as the agent's central coordination layer. Linked "nodes" such as macOS companion applications, iOS devices, or additional machines register with the gateway and expose capabilities including system command execution, file access, and contact retrieval.
Only one condition is necessary for the attack: the developer navigates to a malicious or compromised site using their browser.
The entire exploitation sequence unfolds in the following manner:
- A target accesses any site controlled by the attacker in their conventional browser
- JavaScript on the page initiates a WebSocket connection to the OpenClaw gateway on localhost, allowed because browsers do not block cross-origin WebSocket connections to loopback addresses
- The script brute-forces the gateway password at hundreds of attempts per second; the gateway's rate limiter exempts localhost connections entirely, so failed attempts are neither counted, throttled, nor logged
- Once authenticated, the script silently registers itself as a trusted device, because the gateway automatically approves pairing requests from localhost without any user confirmation
- The attacker acquires full administrative control of the agent
The root cause is the combination of three flawed design assumptions: that localhost connections are inherently trustworthy, that traffic originating from a browser cannot reach local services, and that rate limiting is unnecessary for loopback addresses. Each assumption is false in a modern browser environment, since a web page's JavaScript can open a WebSocket to 127.0.0.1 and the gateway sees an ordinary loopback connection.
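The three assumptions above map onto three concrete server-side checks. The following is an added example written for this article, not OpenClaw's own code, and every function, field and sample value in it is hypothetical: it shows how a localhost WebSocket gateway can reject browser-originated upgrades, rate-limit and log authentication failures from loopback just like any other source, and refuse to pair a node until a human explicitly confirms it.

```javascript
// Added example (not OpenClaw's own code): three hardening checks for a
// localhost WebSocket gateway, one per flawed assumption named in the article.
// Function names, field names and the constructed sample requests are
// hypothetical; nothing here reflects OpenClaw's real API.

// 1. Origin check. Browsers always attach an Origin header to a WebSocket
//    upgrade; native companion apps and CLIs do not. The peer address is
//    deliberately NOT consulted: "it came from 127.0.0.1" says nothing about
//    whether a browser tab initiated the connection.
function checkUpgrade(headers, allowedOrigins = new Set()) {
  const origin = headers.origin; // Node lower-cases incoming header names
  if (origin === undefined) {
    return { accept: true, reason: 'no Origin header: non-browser client' };
  }
  if (allowedOrigins.has(origin)) {
    return { accept: true, reason: `allow-listed origin ${origin}` };
  }
  return { accept: false, reason: `rejected cross-origin browser upgrade from ${origin}` };
}

// 2. Authentication rate limiter that counts, locks out and logs failures for
//    every source, loopback included. `now` is injectable so the window logic
//    can be exercised deterministically.
class AuthRateLimiter {
  constructor({ maxFailures = 5, windowMs = 60_000, lockoutMs = 300_000, now = Date.now } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.now = now;
    this.failures = new Map();    // clientId -> timestamps of recent failures
    this.lockedUntil = new Map(); // clientId -> timestamp when lockout ends
    this.auditLog = [];           // every failure is recorded, never dropped
  }

  // Call before verifying a password; a locked-out client never reaches the check.
  check(clientId) {
    const until = this.lockedUntil.get(clientId);
    if (until !== undefined && this.now() < until) {
      return { allowed: false, reason: `locked out until ${until}` };
    }
    return { allowed: true, reason: 'ok' };
  }

  recordFailure(clientId) {
    const t = this.now();
    const recent = (this.failures.get(clientId) || []).filter(ts => t - ts < this.windowMs);
    recent.push(t);
    this.failures.set(clientId, recent);
    this.auditLog.push({ at: t, clientId, event: 'auth-failure', count: recent.length });
    if (recent.length >= this.maxFailures) {
      this.lockedUntil.set(clientId, t + this.lockoutMs);
      this.auditLog.push({ at: t, clientId, event: 'lockout' });
    }
  }

  recordSuccess(clientId) {
    this.failures.delete(clientId);
  }
}

// 3. Pairing. A new node is trusted only when a human confirms it through a
//    channel the requesting connection cannot drive (for example a prompt in
//    the gateway's own UI). The source address plays no role in the decision.
function pairingDecision(request, userConfirmed) {
  if (!userConfirmed) {
    return { paired: false, reason: `pairing of ${request.deviceName} awaits explicit user confirmation` };
  }
  return { paired: true, reason: `user confirmed ${request.deviceName}` };
}

// Walk-through on constructed sample inputs; returns the decisions for inspection.
function demo() {
  const results = {};
  results.cli = checkUpgrade({ 'user-agent': 'example-cli' });              // accepted
  results.browser = checkUpgrade({ origin: 'https://attacker.example' });   // rejected
  let clock = 0;
  const limiter = new AuthRateLimiter({ maxFailures: 3, windowMs: 1000, lockoutMs: 5000, now: () => clock });
  for (let i = 0; i < 3; i++) { clock += 10; limiter.recordFailure('127.0.0.1:54321'); }
  results.afterThreeFailures = limiter.check('127.0.0.1:54321');            // locked out
  clock += 6000;
  results.afterLockout = limiter.check('127.0.0.1:54321');                  // allowed again
  results.autoPair = pairingDecision({ deviceName: 'unknown-laptop' }, false); // not paired
  return results;
}
```

The key design choice is that none of the three checks looks at the peer IP address: the Origin header distinguishes browser from non-browser clients, the limiter keys on a client identity rather than on "is loopback", and pairing waits for confirmation from a channel the connecting client does not control.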
Video: https://www.youtube.com/watch?v=A15fuHs7fOc
Once an authenticated session is set, a remote attacker can interact directly with the AI agent, directing it to search Slack history for API keys, read private messages, exfiltrate files from connected nodes, and execute arbitrary shell commands.
For a developer with typical OpenClaw integrations, the researchers describe the result as equivalent to a complete workstation compromise launched from a browser tab, with no visible indication to the victim.
Oasis Security’s proof-of-concept illustrated the entire attack sequence end-to-end, successfully breaking the gateway password and interacting with a live agent instance from an unrelated browser session.
Steps for Mitigation
- Immediately update to OpenClaw version 2026.2.25 or later
- Inventory all OpenClaw instances across developer machines, including shadow installations not visible to IT
- Audit and revoke unnecessary credentials, API keys, and node permissions granted to agent instances
- Implement governance policies for AI agent identities, treating them with the same diligence as human users and service accounts
The OpenClaw team categorized this issue as high severity and released a patch within 24 hours — a commendable reaction for a volunteer-driven open-source initiative. However, considering the tool’s rapid uptake, organizations should presume that unpatched instances exist within developer fleets and handle remediation with the same urgency as any significant patch.