How a Website Can Hijack Your Local AI Agent in Under a Second

via Dev.to Webdev, Gus

OpenClaw passed 200K GitHub stars. It runs locally, connects to your filesystem, your API keys, and your integrations. Then CVE-2026-25253 dropped: CVSS 8.8. Any website you visit can take full control of it. The fix exists — but the underlying pattern affects every locally-running AI agent.

What happened

OpenClaw is an open-source AI agent platform. It handles WhatsApp, Telegram, Discord, Slack, and more. It reads files, runs shell commands, manages calendars, and spawns sub-agents — all from a chat message. It runs a WebSocket-based gateway on localhost that acts as the control plane for the entire agent.

In January 2026, security researchers 0xacb and mavlevin reported a critical flaw: OpenClaw's Control UI accepted a gatewayUrl parameter from the browser's query string without validation and automatically connected to it, sending the stored authentication token in the WebSocket payload. An attacker only needed to get a user to click a crafted link. One click, and the attacker had o
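
The flaw described above is a client trusting a connection target taken from the query string. One way to gate such a parameter before any token is sent, as an added example that is not OpenClaw's code or its actual patch; the function name, the default gateway address and the allowlist are assumptions:

```javascript
// Added example. Names and values below are hypothetical, not OpenClaw's.
const DEFAULT_GATEWAY = "ws://127.0.0.1:9000"; // constructed default address
const TRUSTED_GATEWAYS = new Set([DEFAULT_GATEWAY, "ws://localhost:9000"]);

// Decide which gateway the UI may connect to, and therefore where the stored
// token may go. `pageUrl` is the full URL the Control UI was opened with.
function resolveGateway(pageUrl, trusted = TRUSTED_GATEWAYS) {
  const fallback = { url: DEFAULT_GATEWAY, reason: "default" };
  const raw = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (raw === null) return fallback;

  let target;
  try {
    target = new URL(raw);
  } catch {
    return { ...fallback, reason: "unparseable gatewayUrl ignored" };
  }
  if (!["ws:", "wss:"].includes(target.protocol))
    return { ...fallback, reason: "non-WebSocket scheme ignored" };
  // "ws://127.0.0.1:9000@host" parses with host as the real destination
  if (target.username || target.password)
    return { ...fallback, reason: "userinfo in gatewayUrl ignored" };
  // Compare the parsed scheme://host:port, never a prefix of the raw string
  const origin = `${target.protocol}//${target.host}`;
  if (!trusted.has(origin))
    return { ...fallback, reason: `untrusted gateway ${origin} ignored` };
  return { url: origin, reason: "allowlisted" };
}
```

Logging the `reason` whenever it is not "default" or "allowlisted" gives a detection signal for crafted links.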
