[TIMESTAMP: 2026-02-28 20:08 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

ClawJacked: Hijacking Local OpenClaw AI Agents via WebSocket

AI-Assisted Analysis

Vulnerability Overview

A high-severity vulnerability, identified as ‘ClawJacked,’ has been discovered in the OpenClaw artificial intelligence (AI) agent framework. This security flaw allows a malicious website to establish an unauthorized connection to an OpenClaw gateway running on a user’s local machine. By exploiting this connection, an attacker can effectively hijack the AI agent, gaining the ability to execute commands and access data within the user’s local environment without requiring any additional user interaction beyond visiting a compromised or malicious webpage.

According to The Hacker News, the vulnerability resides within the core OpenClaw system rather than in external plugins or third-party marketplaces. Researchers from Oasis, who discovered the flaw, noted that the vulnerability is present in the standard gateway configuration as documented by the developers. The absence of specific CVE identifiers at the time of reporting does not diminish the risk, given the CVSS implications of a full takeover of a local AI service.

Technical Analysis of ClawJacked

The primary technical issue is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. OpenClaw utilizes a WebSocket gateway to facilitate communication between the AI agent and the local system. When a user runs the OpenClaw gateway locally, it listens for incoming connections on a specific port. However, the system fails to adequately validate the Origin header of incoming WebSocket requests.

Web browsers allow websites to initiate WebSocket connections to any address, including localhost or 127.0.0.1. Under normal circumstances, a local service should verify that the connection originates from a trusted domain. Because OpenClaw does not perform this validation, a malicious script running in a user’s browser can connect to the local AI gateway. Once the connection is established, the attacker can send JSON-based messages to the agent.

This TTP is particularly dangerous because AI agents are increasingly designed to interact with the host operating system. Many modern AI agents possess the capability to read files, execute shell commands, or interact with web APIs to perform tasks. If an attacker hijacks the session, they can prompt the agent to perform Privilege Escalation maneuvers or achieve RCE by instructing the agent to run malicious scripts under the guise of a legitimate task. This bypasses traditional perimeter defenses and exploits the trust placed in local processes.

Impact on AI Agent Ecosystems

The discovery of ClawJacked highlights a growing trend, increasingly reflected in the MITRE ATT&CK framework, of adversaries exploiting AI-integrated workflows. As organizations deploy AI agents to automate data processing and system administration, the local gateway becomes a high-value target. Unlike traditional applications, AI agents are often given broad permissions to act on behalf of the user, which could lead to significant data exfiltration or serve as an entry point for Lateral Movement within a corporate network if the local machine is connected to internal resources.

Mitigation and Recommendations

OpenClaw has released security updates to address the ClawJacked vulnerability by implementing strict origin validation for all WebSocket connections. Security professionals and AI developers should prioritize the following actions:

  • Update OpenClaw: Immediately update the OpenClaw gateway and associated agent software to the latest version. Ensure that the fix for origin validation is active.
  • Implement Origin Filtering: Developers creating local AI services must ensure that their WebSocket servers explicitly check the Origin header and reject any requests that do not match a pre-defined whitelist of trusted domains.
  • Adopt Zero Trust Principles: Apply Zero Trust to local services. Even local communication should be authenticated and authorized. Avoid assuming that localhost traffic is inherently safe.
  • Browser Security: Use browser extensions that block unauthorized requests to local addresses or restrict the ability of websites to interact with local network resources.
  • Endpoint Monitoring: Configure EDR solutions to monitor for unusual process activity originating from AI agent frameworks, such as unexpected shell executions or outbound network connections to unknown C2 servers.
