
ClawJacked: How Malicious Websites Hijack Local AI Agents via WebSocket
What Happened

Oasis Security has disclosed ClawJacked, a high-severity vulnerability in OpenClaw — a popular open-source AI agent framework. The flaw allows any website a user visits to silently hijack locally running AI agents through WebSocket connections, granting attackers full control over the agent and all its connected integrations. The vulnerability was patched in OpenClaw version 2026.2.25, released February 26, 2026 — within 24 hours of responsible disclosure.

Technical Breakdown

ClawJacked exploits a fundamental trust assumption: OpenClaw relaxes security mechanisms for localhost connections, including silent device registration approval. The attack chain works in four steps:

Step 1: WebSocket Connection

When a user visits a malicious webpage, JavaScript on the page opens a WebSocket connection to localhost on the OpenClaw gateway port. Browsers do not block localhost WebSocket connections — no CORS restrictions apply.

// Attacker's page — connects to local AI agent
const
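Because the browser will not stop the handshake described in Step 1, a check has to happen on the server side. The following is an added example, not code from the article or from OpenClaw, of a handshake check a loopback WebSocket service can apply; the function name, the allowlisted origin and the sample requests are constructed for illustration, and the article does not say how the actual patch works.

```javascript
// Added example (not OpenClaw code). Names, origins and sample requests are constructed.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8080"]); // placeholder for the agent's own UI

// Decide whether a WebSocket upgrade request may proceed.
// `headers` uses lower-case keys, as Node's http module provides them.
function checkUpgrade(headers, allowed = ALLOWED_ORIGINS) {
  if ((headers["upgrade"] || "").toLowerCase() !== "websocket") {
    return { allow: false, reason: "not-a-websocket-upgrade" };
  }
  const raw = headers["origin"];
  if (raw === undefined) {
    // No Origin header means the client is not a browser page: browsers always
    // send Origin on WebSocket handshakes and page script cannot remove or forge it.
    return { allow: true, reason: "non-browser-client", needsAuth: true };
  }
  let origin;
  try {
    origin = new URL(raw).origin; // normalises case and default ports
  } catch {
    return { allow: false, reason: "unparseable-origin" }; // covers the literal "null"
  }
  if (!allowed.has(origin)) {
    return { allow: false, reason: "origin-not-allowed" };
  }
  // A loopback peer with an allowed Origin is still unauthenticated:
  // pairing or token checks must run for every connection.
  return { allow: true, reason: "origin-allowed", needsAuth: true };
}

// Constructed handshake headers covering the cases above.
const SAMPLES = [
  { upgrade: "websocket", origin: "https://attacker.example" }, // page on another site
  { upgrade: "websocket", origin: "null" },                     // sandboxed frame or file
  { upgrade: "websocket", origin: "HTTP://127.0.0.1:8080" },    // the agent's own UI
  { upgrade: "websocket" },                                     // CLI or native client
  { upgrade: "h2c", origin: "http://127.0.0.1:8080" },          // not a WebSocket upgrade
];

function runSamples() {
  return SAMPLES.map((h) => checkUpgrade(h).reason);
}

console.log(runSamples());
```

The Origin check only filters browser-initiated connections; the `needsAuth` flag is there to show that a connection arriving over loopback should go through the same authentication as any other.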
Continue reading on Dev.to




