
OpenClaw 0-Click Vulnerability Allows Malicious Websites to Hijack Developer AI Agents


OpenClaw, a widely acclaimed open-source AI personal assistant, has notably crossed the 100,000 mark in GitHub stars; however, it recently encountered a significant security flaw that has raised considerable concerns among its users and the wider tech community. This AI tool is designed to autonomously handle developer workflows across various platforms, including laptops, messaging applications, and diverse development tools. The vulnerability discovered within OpenClaw was identified as a 0-click exploit—a serious type of vulnerability that doesn’t require any user interaction.

The major concern stems from the ability of malicious websites visited by developers to hijack the OpenClaw agent seamlessly. This exploit allows attackers to take control without requiring any plugins or extensions, effectively circumventing traditional security measures. Following the discovery of this flaw, the OpenClaw development team acted swiftly, classifying the issue as high severity and promptly releasing a fix within a mere 24 hours.

Notably, OpenClaw has evolved from its previous identities as Clawdbot and MoltBot, experiencing remarkable growth and garnering attention from leaders in the tech industry. Despite its success, the platform has faced notable security challenges. Earlier this year, a group of researchers uncovered over 1,000 malicious skills available in OpenClaw’s community marketplace, ClawHub, which contained information-stealing malware and backdoors, further complicating the platform’s safety profile.

The newly identified vulnerability stands out because it is rooted within the core gateway system of OpenClaw rather than originating from community-developed plugins, which are typically a prime area for such exploits. According to findings from researchers at Oasis Security, this situation underscores the escalating issue of “shadow AI.” This term refers to developer-adopted tools that operate outside the purview of IT oversight, possessing extensive access to local systems and credentials, thereby compounding the risk for organizations.

At the heart of OpenClaw’s operation is a local WebSocket server known as the gateway, responsible for managing authentication, chat sessions, configurations, and the orchestration of the AI agent. Various nodes, including companion applications for macOS and iOS devices, connect to this gateway to execute system commands and access local resources. The vulnerability arises from the gateway’s inherent trust in localhost connections. By default, this gateway binds only to localhost and employs either a token or a password for authentication.

A crucial flaw in this setup is that the browser's same-origin policy does not apply to WebSocket handshakes, so nothing stops a page from opening a WebSocket to localhost. As a result, malicious JavaScript running on any visited website can establish a connection with the local OpenClaw gateway. The attack chain begins when a developer inadvertently visits a site controlled by an attacker. The malicious JavaScript can then open a WebSocket connection and begin brute-forcing the gateway password.

Because the gateway's configuration exempts localhost connections from rate limiting, attackers can submit password guesses rapidly, making it feasible to guess a human-chosen password in a surprisingly short time. Upon successful authentication, the adversarial script can register as a trusted device, which removes any need for user confirmation and grants the attacker full control over the AI agent.

The repercussions of this access are profound. Attackers can interact with the AI agent and retrieve responses, access and modify gateway configurations—including AI providers and messaging channels—enumerate all connected nodes and their respective IPs, and analyze application logs for operational intelligence. This level of access also permits attackers to sift through Slack histories for sensitive API keys, view private communications, exfiltrate files, or even execute shell commands on any device linked to the network. In practical terms, this results in a full compromise of the affected workstation.

In light of these developments, it is paramount for users and organizations utilizing OpenClaw to update their systems immediately to version 2026.2.25 or later to mitigate risks associated with this severe vulnerability. Additionally, the incident highlights the critical need for enhanced visibility and governance around AI tools adopted by developers to effectively tackle the risks tied to shadow AI and prevent future security breaches.
