A high-severity OpenClaw vulnerability, codenamed ClawJacked, allowed attacker-controlled websites to connect to a local OpenClaw gateway from the victim's browser, brute-force its password, auto-register as a trusted device, and take full control of the user's AI agents. OpenClaw issued a patch in version 2026.2.25. Separately, malicious skills on ClawHub have been used to deliver Atomic Stealer and other scams, prompting recommendations to update, audit skills, and isolate agent runtimes. #ClawJacked #AtomicStealer
Key points
- The ClawJacked flaw let JavaScript on malicious sites open localhost WebSocket connections and brute-force the OpenClaw gateway password.
- After authentication, attackers could auto-register as trusted devices and gain full control of AI agents, including dumping configs and reading logs.
- OpenClaw patched the gateway flaw in 2026.2.25 and had earlier fixed a log-poisoning issue in 2026.2.13; multiple other CVEs were addressed across recent releases.
- ClawHub-hosted malicious skills have been used to deliver Atomic Stealer and to run cryptocurrency supply-chain scams via agent-to-agent attacks like bob-p2p-beta.
- Users should apply updates, audit and vet skills before installing, avoid exposing runtimes publicly, and run agent frameworks only in isolated environments with limited credentials.
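The two gateway-side checks that close the bug class described above, as an added illustration that is not OpenClaw's code: a browser always sends an Origin header on a WebSocket upgrade, so a local gateway can refuse upgrades whose Origin is not its own UI, and a lockout after a few failed password attempts removes the brute-force path. The allowlisted origins, the port 8080 and the lockout limits are constructed assumptions.

```python
"""Hardening checks for a loopback WebSocket gateway against the ClawJacked
pattern (a web page's JavaScript opening ws://127.0.0.1 and guessing the
password). Constructed example; not OpenClaw's implementation."""
import hmac
import time
from collections import defaultdict

# Assumption: the gateway's own local UI is served on port 8080. Browsers
# always send Origin on a WebSocket upgrade, so any other value means a
# third-party page is driving the connection and must be rejected.
ALLOWED_ORIGINS = {"http://127.0.0.1:8080", "http://localhost:8080"}

def origin_allowed(headers: dict, allowed=ALLOWED_ORIGINS) -> bool:
    """True if the upgrade request may proceed to authentication.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return True   # no Origin: not a browser; the password check still applies
    return origin in allowed   # "null" and foreign sites fall through to False

class AuthThrottle:
    """Failed-attempt counter with a lockout window. On a loopback-only
    gateway every caller is 127.0.0.1, so a single shared key is appropriate."""
    def __init__(self, secret: str, max_failures=5, lockout_s=300,
                 clock=time.monotonic):
        self._secret = secret.encode()
        self.max_failures = max_failures
        self.lockout_s = lockout_s
        self._clock = clock          # injectable for deterministic tests
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, client: str, password: str) -> bool:
        now = self._clock()
        if self._locked_until.get(client, 0) > now:
            return False             # locked: refuse without checking the password
        if hmac.compare_digest(password.encode(), self._secret):  # constant time
            self._failures.pop(client, None)
            return True
        self._failures[client] += 1
        if self._failures[client] >= self.max_failures:
            self._locked_until[client] = now + self.lockout_s
            self._failures.pop(client, None)
        return False
```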
Read More: https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html