A critical zero-interaction vulnerability in OpenClaw, one of the fastest-growing open-source AI agent frameworks in history, has been discovered by Oasis Security researchers, allowing any malicious website to silently seize full control of a developer’s AI agent without requiring plugins, extensions, or any user action.
OpenClaw, a self-hosted AI agent formerly known as Clawdbot and MoltBot, rocketed to over 100,000 GitHub stars in just five days and has become a default personal assistant for thousands of developers worldwide.
The tool runs locally on developer laptops, connecting to messaging apps, calendars, development tools, and local filesystems, taking autonomous actions on the user’s behalf. That extensive access is precisely what makes this vulnerability so dangerous.
How the Attack Works
OpenClaw operates through a local WebSocket gateway that binds to localhost and acts as the central orchestration layer for the agent. Connected “nodes” such as macOS companion apps, iOS devices, or other machines register with the gateway and expose capabilities including system command execution, file access, and contact reading.
The attack requires only one condition: the developer visits a malicious or compromised website in their browser.
The full exploitation chain unfolds as follows:
- A victim visits any attacker-controlled website in their normal browser
- JavaScript on the page opens a WebSocket connection to the OpenClaw gateway on localhost; this is permitted because browsers do not block cross-origin WebSocket connections to loopback addresses
- The script brute-forces the gateway password at hundreds of attempts per second; the gateway’s rate limiter completely exempts localhost connections, meaning failed attempts are not counted, throttled, or logged
- Once authenticated, the script silently registers as a trusted device, because the gateway auto-approves pairings from localhost with no user prompt
- The attacker gains full admin-level control of the agent
The root cause combines three flawed design assumptions: that localhost connections are inherently trustworthy, that browser-originated traffic cannot reach local services, and that rate limiting does not need to apply to loopback addresses. Each assumption is incorrect in modern browser environments.
With an authenticated session established, a remote attacker can interact directly with the AI agent, instruct it to search Slack history for API keys, read private messages, exfiltrate files from connected nodes, and execute arbitrary shell commands.
For a developer with typical OpenClaw integrations, the researchers describe this as equivalent to a full workstation compromise initiated from a browser tab, with no visible indication to the victim.
Oasis Security’s proof-of-concept demonstrated the complete attack chain end-to-end, successfully cracking the gateway password and interacting with a live agent instance from an unrelated browser session.
Mitigation Steps
- Update immediately to OpenClaw version 2026.2.25 or later
- Inventory all OpenClaw instances across developer machines, including shadow installations outside IT visibility
- Audit and revoke unnecessary credentials, API keys, and node permissions granted to agent instances
- Establish governance policies for AI agent identities, treating them with the same rigor as human users and service accounts
The OpenClaw team classified this as high severity and shipped a patch within 24 hours, a commendable response for a volunteer-driven open-source project. However, given the tool’s rapid adoption, organizations should assume unpatched instances exist across developer fleets and treat remediation with the same urgency as any critical patch.