OpenClaw Flaw Highlights AI Agent Vulnerabilities

A recently uncovered vulnerability in OpenClaw, an open-source AI agent that has rapidly gained popularity among developers, highlights the increasing security risks associated with deploying AI tools without proper oversight. This vulnerability, which has now been patched, allowed malicious websites to take control of a developer's AI agent without any need for plug-ins or user interaction.

The flaw arose from OpenClaw's inability to differentiate between trusted connections from the developer's own applications and malicious ones from external sites. OpenClaw has experienced a meteoric rise in adoption since its launch last November, making this vulnerability particularly concerning.

High Severity Vulnerability

The OpenClaw team classified this issue as high severity and promptly released a patch within 24 hours of being alerted by researchers from Oasis Security. They emphasized the need for immediate updates, stating that the fix is included in version 2026.2.25 and later. Developers are urged to treat this update with the same urgency as any critical security patch.

OpenClaw, previously known as MoltBot and Clawdbot, functions as a personal AI assistant running locally on users' systems. It integrates with various messaging apps, calendars, and developer tools, enabling users to automate workflows, manage files, execute shell commands, and perform other autonomous tasks. Its flexibility and local control have contributed to its rapid popularity, and within three months of its launch, it became the most starred project on GitHub, surpassing even the React JavaScript library.

A Growing List of Security Issues

However, the unprecedented speed of adoption has exposed organizations to significant security vulnerabilities. These include issues such as CVE-2026-25253, which allowed attackers to steal authentication tokens, as well as other command injection and prompt injection vulnerabilities. Researchers have identified several specific CVEs that pose a threat to users.

Additionally, a rise in malicious skills on ClawHub and SkillsMP has been noted. A recent analysis found over 820 malicious skills out of 10,700 on ClawHub, a sharp increase from earlier counts. Threat actors have exploited these skills to distribute malware, such as the Atomic macOS info stealer.

The vulnerability discovered by Oasis Security arose from OpenClaw's flawed assumption that any connection from localhost is trustworthy. Because the developer's browser runs on the same machine as the agent, a web page open in that browser also reaches the gateway from localhost. If a developer visits a compromised website, JavaScript from that site could open a WebSocket connection to the OpenClaw gateway without alerting the user, and the gateway accepted it as though it came from the developer's own tools. Furthermore, OpenClaw did not enforce rate limits on incorrect password attempts, leaving the gateway open to brute-force guessing.

The Need for a New Approach

This vulnerability emerges at a time of growing concern about the unchecked proliferation of AI tools in organizations. Randolph Barr, the Chief Information Security Officer at Cequence Security, advocates for stronger security measures between AI agents and the applications they interact with. While OpenClaw has some basic security features, they are insufficient if the agent runs locally with extensive access to files and systems.

According to Barr, comprehensive protection requires a layered security approach that includes Mobile Device Management (MDM) enforcement, the removal of unnecessary admin rights, scoped credentials, API monitoring, rate limiting, and sandboxing. These measures may not prevent every exploit, but they significantly mitigate the potential damage from a compromised agent.

Organizations with robust identity management and API security protocols should consider moving their security controls to the execution layer. In contrast, those with less mature systems should shift from a model of "authenticate and trust" to one of continuous behavior verification, especially for non-human identities like AI agents.

Furthermore, Jason Soroko, a senior fellow at Sectigo, advises treating any local AI gateway reachable via a browser as if it were an Internet-facing service. He recommends removing direct browser access, implementing strict Origin allowlisting, and requiring robust client identity verification methods. Organizations should also limit the capabilities of agents to minimize risk, especially concerning sensitive actions like shell execution or accessing credentials.
