OpenClaw Framework Hit by Major Security Flaw

A critical vulnerability dubbed “ClawJacked” was exposed in the popular OpenClaw agent framework, affecting over 100,000 users. The flaw allowed malicious websites to bypass local authentication and hijack agents, leading to data theft and workflow takeovers. A patch has been rushed out, but the incident is fueling a run on Mac Minis as companies scramble to isolate their agent endpoints.

The "ClawJacked" vulnerability, discovered by Oasis Security, stemmed from the OpenClaw framework's local WebSocket gateway, which implicitly trusted all connections from the user's own machine ("localhost"). This design oversight allowed a malicious website's JavaScript to connect to the gateway silently, bypassing the browser's usual cross-origin security checks that block such interactions for standard HTTP requests. Attackers could then brute-force the agent's password without any rate limiting, with researchers achieving hundreds of guesses per second. Once authenticated, the script could register itself as a trusted device without user confirmation, granting the attacker full admin-level control to read logs, extract data, and execute commands through the AI agent. The entire compromise could be initiated simply by a user visiting a compromised webpage, with no other interaction needed.

This incident is not the first security issue for the rapidly growing OpenClaw project. Prior attacks have involved malicious "skills" distributed through the ClawHub community marketplace, representing a supply chain vulnerability. The ClawJacked flaw, however, was a more fundamental issue within the core framework itself, affecting even standard installations. Microsoft has previously warned that self-hosted agent runtimes like OpenClaw should be treated as untrusted code execution and are not appropriate for standard workstations.

The vulnerability highlights a critical challenge in the architecture of multi-agent systems: securing the communication and trust between agents and external tools. As agents become more autonomous, the risk of "prompt injection," where malicious data is disguised as instructions, becomes a significant threat vector that can lead to data exfiltration or unintended actions. This has led to calls for a "zero trust" model for agents, where every action and interaction is verified.

In China, the popularity of OpenClaw has prompted cloud providers like Alicloud and Tencent Cloud to offer dedicated hosting solutions. However, the Ministry of Industry and Information Technology has issued a warning about the security risks of improperly configured OpenClaw instances, urging organizations to conduct thorough security audits and implement stronger access controls. This official caution reflects a broader concern about the security and control of increasingly powerful and autonomous AI agents within the country's tech ecosystem.
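
Two gateway-side checks that address the design described above (a loopback WebSocket gateway that trusts every local connection and applies no rate limiting), written here as an added example: this is not OpenClaw's or Oasis Security's code, the header-map shape, the client key and the allow-listed origin are assumptions, and the lockout thresholds are constructed values.

```javascript
// Added example (not OpenClaw's code): checks a loopback WebSocket gateway
// needs before it treats a connection as trusted.

// Normalise an Origin header to scheme://host[:port]; null if unparseable
// (this also rejects the literal "null" origin that sandboxed iframes send).
function parseOrigin(originHeader) {
  if (typeof originHeader !== 'string') return null;
  try {
    const u = new URL(originHeader);
    return `${u.protocol}//${u.host}`;
  } catch { return null; }
}

// Gate a WebSocket upgrade. Browsers attach an Origin header to the upgrade
// but do NOT block cross-origin WebSocket connections, so the server must
// compare it against the exact origins its own UI is served from. Coming
// from loopback is never a reason to accept: every page open in the user's
// browser also connects from loopback.
function checkUpgrade(headers, allowedOrigins) {
  if (headers.origin === undefined) {
    // No Origin: a non-browser client (CLI, the agent itself). The origin
    // check cannot apply, but it must still authenticate like everyone else.
    return { accept: true, browser: false };
  }
  const origin = parseOrigin(headers.origin);
  if (origin === null || !allowedOrigins.includes(origin)) {
    return { accept: false, browser: true, reason: 'origin not allowed' };
  }
  return { accept: true, browser: true };
}

// Lockout after repeated failed password attempts, keyed by client identity
// (remote address or session id). `now` is injectable for testing.
class AuthLimiter {
  constructor({ maxFailures = 5, lockoutMs = 60000, now = Date.now } = {}) {
    Object.assign(this, { maxFailures, lockoutMs, now, state: new Map() });
  }
  allow(key) {                       // may this client attempt a login now?
    const s = this.state.get(key);
    return !s || this.now() >= s.lockedUntil;
  }
  recordFailure(key) {
    const s = this.state.get(key) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      s.lockedUntil = this.now() + this.lockoutMs;   // start the lockout
      s.failures = 0;
    }
    this.state.set(key, s);
  }
  recordSuccess(key) { this.state.delete(key); }
}
```

The Origin check only stops browser-initiated connections; native clients can send any header, so password authentication and explicit user confirmation for new device registrations still apply to every caller.
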
