ClawJacked Bug Lets Websites Take Over Local OpenClaw Agents

What happened: Security researchers disclosed a flaw in OpenClaw’s local gateway that could let a malicious website connect to a developer’s localhost WebSocket and, after guessing the password, gain admin-level control of the running agent.

Why it matters: The risk isn’t just a data leak: once an attacker can pair as a trusted device, they can drive the agent, inspect configuration, enumerate connected nodes, and read logs — turning “I visited the wrong page” into full agent compromise.

Wider context: Agent runtimes concentrate credentials and permissions across tools, so their security model has to assume a bigger blast radius than a typical developer service — especially when browsers can reach localhost over WebSockets without the usual cross-origin protections.

Background: The report describes the exploit chain as relying on missing rate-limiting for localhost password attempts plus automatic approval of new device registrations from localhost. OpenClaw shipped a fix after responsible disclosure, advising users to update and audit granted access.
Singularity Soup Take: If your agent’s control plane treats “localhost” as inherently trustworthy, the browser becomes an attack surface by default — and the practical fix isn’t just patching one bug, but designing for hostile local origins and relentlessly minimizing standing privileges.

Key Takeaways:

  • Browser-to-Localhost Pivot: The attack described starts with a user visiting an attacker-controlled page, where JavaScript opens a WebSocket to a locally running OpenClaw gateway — something browsers allow even when cross-origin HTTP requests would be restricted.
  • Password Guessing Without Local Limits: Researchers said the gateway’s localhost path lacked rate limiting, enabling brute-force attempts against the gateway password until authentication succeeds.
  • Silent Device Trust: After authentication, the attacker can register as a trusted device that gets auto-approved from localhost without a user prompt, enabling ongoing admin-level interaction with the agent.
  • Patch and Hygiene Still Matter: OpenClaw released a fix (v2026.2.25, per the report) and urged users to update quickly, audit which devices have access, and apply governance controls for non-human identities that can act across connected systems.
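As an added illustration, not OpenClaw's code or anything taken from the report, here is a minimal gateway-side admission policy in Python that closes the three gaps the takeaways describe: it checks the WebSocket Origin against an allowlist instead of trusting a 127.0.0.1 peer, rate-limits password attempts per client before the password is even compared, and queues new devices for explicit user approval rather than auto-trusting localhost. The class and method names, the allowlist and the limits are assumptions chosen for the example.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed values: any browser origin not listed here is rejected, even from 127.0.0.1.
ALLOWED_ORIGINS = {"http://localhost:3000"}
MAX_ATTEMPTS = 5          # failed password attempts allowed per client ...
WINDOW_SECONDS = 60.0     # ... within this sliding window

@dataclass
class GatewayAdmission:  # hypothetical policy object, not OpenClaw's implementation
    password: str
    attempts: dict = field(default_factory=dict)  # client_key -> failure timestamps
    pending: set = field(default_factory=set)     # device ids awaiting user approval
    trusted: set = field(default_factory=set)     # device ids a user explicitly approved

    def origin_allowed(self, origin):
        # Browsers always send Origin on a WebSocket upgrade; a missing header means a
        # non-browser client. Any browser origin must be on the allowlist.
        return origin is None or origin in ALLOWED_ORIGINS

    def authenticate(self, client_key, origin, password, now=None):
        now = time.monotonic() if now is None else now
        if not self.origin_allowed(origin):
            return "rejected_origin"
        # Enforce the cap before comparing, so a correct guess after the cap is still refused.
        recent = [t for t in self.attempts.get(client_key, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_ATTEMPTS:
            return "rate_limited"
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            recent.append(now)
            self.attempts[client_key] = recent
            return "bad_password"
        self.attempts.pop(client_key, None)
        return "ok"

    def request_pairing(self, device_id):
        # No auto-approval based on peer address: a new device waits for the user.
        if device_id in self.trusted:
            return "trusted"
        self.pending.add(device_id)
        return "pending_user_approval"

    def approve(self, device_id):
        # Called from the user's own UI action, never from the requesting connection.
        if device_id not in self.pending:
            return False
        self.pending.remove(device_id)
        self.trusted.add(device_id)
        return True
```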

Relevant Resources

Understanding AI Risks: What You Should Know — A practical primer on the kinds of failure modes and attack surfaces that become more important as software gains autonomy and access.

Your AI Privacy Guide: Protecting Yourself — Useful context on reducing exposure when tools and agents can touch personal accounts, devices, and local environments.