
A critical flaw in the open-source AI agent OpenClaw let malicious websites silently seize control of developers’ machines. Rapid GitHub adoption and a growing plug-in ecosystem have amplified enterprise risk despite a swift patch.
A high-severity vulnerability in OpenClaw, the fast-rising open-source AI agent, allowed malicious websites to hijack a developer’s locally running agent without plug-ins, extensions, or any user interaction, exposing full device control.
Attackers could open WebSocket connections to the local gateway, brute-force passwords due to missing rate limits, register malicious scripts as trusted, and effectively take over the system.
The issue was disclosed by Oasis Security, which urged immediate action:
“If OpenClaw is installed, update immediately. The fix for this vulnerability is included in version 2026.2.25 and later. Ensure all instances are updated — treat this with the same urgency as any critical security patch.”
OpenClaw’s risk is amplified by its design. The tool runs locally with deep file and shell access, automates workflows, and has become the most starred project on GitHub, surpassing React. That explosive growth has expanded the enterprise attack surface.
The flaw stemmed from trusting all localhost traffic and failing to distinguish browser-originated connections, enabling silent takeover attempts.
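The two controls the flaw lacked, sketched as an added example (not OpenClaw's code and not the actual patch): an Origin check on the WebSocket handshake and a failed-login limit that also applies to loopback. All function and class names, the allowed origin, and the thresholds are assumptions.

```javascript
// Added example. ALLOWED_ORIGINS, checkOrigin, safeEqual, AuthLimiter and
// handleConnect are hypothetical names; the origin below is a constructed value.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8080"]);

// Browsers attach Origin to every WebSocket handshake and page script cannot
// change it; native clients (CLI, desktop app) normally send none.
function checkOrigin(headers) {
  const origin = headers["origin"]; // Node lowercases header names
  return origin === undefined || ALLOWED_ORIGINS.has(origin);
}

// Compare without stopping at the first mismatching character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ (b.charCodeAt(i) || 0);
  return diff === 0;
}

class AuthLimiter {
  constructor(maxFailures = 5, windowMs = 60000) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // peer address -> timestamps of failed attempts
  }
  recent(peer, now) {
    const kept = (this.failures.get(peer) || []).filter((t) => now - t < this.windowMs);
    this.failures.set(peer, kept);
    return kept;
  }
  allowed(peer, now) { return this.recent(peer, now).length < this.maxFailures; }
  recordFailure(peer, now) { this.recent(peer, now).push(now); }
}

// Every connection passes the same checks; loopback gets no exemption.
function handleConnect(limiter, req, secret, now = Date.now()) {
  if (!checkOrigin(req.headers)) return "403 origin not allowed";
  if (!limiter.allowed(req.remoteAddr, now)) return "429 too many failures";
  if (!safeEqual(req.password, secret)) {
    limiter.recordFailure(req.remoteAddr, now);
    return "401 bad password";
  }
  return "101 authenticated";
}
```

Because a web page's connection arrives from 127.0.0.1 like any local client, the limiter is keyed on the peer address with no loopback allowlist, so repeated guesses lock out even when the source is localhost.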
Security concerns extend beyond this bug. Multiple CVEs, command and prompt injection issues, and a compromised marketplace persist. Koi Security found 820 malicious skills on ClawHub, while Trend Micro observed attackers using 39 skills to spread malware.
Randolph Barr, CISO at Cequence Security, warned: “But those controls don’t eliminate risk if the agent runs locally with broad access to files, credentials, and connected systems.”
Jason Soroko, senior fellow at Sectigo, advised removing browser access paths and limiting agent capabilities to reduce blast radius.
The episode underscores a broader reality: open-source AI agents are scaling faster than their security governance.