ClawJacked shows why localhost is not a security boundary
The ClawJacked disclosure is a strong reminder that a local gateway is still reachable from a malicious browser tab if the surrounding trust model is weak.
Why this matters
- Oasis Security reported a website-to-local-agent takeover chain affecting OpenClaw and said the issue was fixed in version 2026.2.25 or later.
- Loopback access alone does not make a gateway safe when any website can reach localhost through browser primitives such as WebSockets.
- Local exceptions in authentication, rate limiting, or device pairing can quietly turn convenience features into takeover paths.
- Inventory, rapid patching, and strict local hardening belong in every serious AI-agent deployment program.
What Oasis Security disclosed
On February 26, 2026, Oasis Security published a technical write-up describing a website-to-local-agent takeover path in OpenClaw. Their report said a malicious website could reach the local gateway over WebSockets, brute-force the password because loopback traffic was exempt from rate limits, and then register itself as a trusted device.
The important detail is not just the exploit chain. It is the trust assumption behind it: the gateway treated localhost as if it were automatically safe, even though modern browsers routinely let remote sites initiate connections to local services.
Why defenders should care even after the patch
Oasis said the OpenClaw team classified the issue as high severity and shipped a fix within 24 hours, with the fix included in version 2026.2.25 or later. That response is encouraging, but the strategic lesson remains. Browser-accessible local services are part of your attack surface whether you intended them to be or not.
This matters well beyond a single bug. Agent gateways hold model credentials, device pairings, logs, session history, and tool access. Once the gateway is compromised, the attacker is no longer arguing with the model. They are steering it.
What to do today if you run OpenClaw
The immediate fix is to patch, but serious operators should use the disclosure as a trigger to review their entire local trust model.
- Update every instance to 2026.2.25 or later.
- Use strong token-based authentication and review any legacy password-based setups.
- Lock down local WebSocket exposure and avoid convenience exceptions for loopback traffic.
- Run OpenClaw's security audit regularly after config changes.
- Keep browser control, shell execution, and other high-agency tools disabled unless there is a clear business need.
- Use dedicated machines, OS users, and browser profiles for agent runtimes instead of mixing them with day-to-day personal browsing.
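The two policy decisions the disclosure turns on, written out as a small handshake guard. This is an added illustration, not OpenClaw's code: the remote address of a WebSocket upgrade proves nothing because any web page can open ws://127.0.0.1, so the gateway checks the browser-supplied Origin header and counts failed logins from loopback like any other client. The token, port, allowed origins and thresholds are constructed placeholders.

```python
import hmac
import time
from collections import defaultdict
from typing import Optional, Tuple

# Constructed sample values, not OpenClaw's real configuration.
GATEWAY_TOKEN = "example-gateway-token-not-real"
ALLOWED_ORIGINS = {"http://127.0.0.1:18789", "http://localhost:18789"}
MAX_FAILURES = 5       # failed logins allowed per client per window
WINDOW_SECONDS = 60.0  # sliding window for counting failures


class HandshakeGuard:
    """Decides whether a WebSocket upgrade may reach the gateway."""

    def __init__(self, exempt_loopback: bool):
        # exempt_loopback=True reproduces the weak policy the disclosure
        # describes; False is the hardened posture.
        self.exempt_loopback = exempt_loopback
        self.failures = defaultdict(list)  # client key -> failure times

    def _too_many_failures(self, key: str, now: float) -> bool:
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        self.failures[key] = recent
        return len(recent) >= MAX_FAILURES

    def check(self, remote_addr: str, origin: Optional[str], token: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.monotonic() if now is None else now
        # Browsers always send Origin on a WebSocket upgrade and a page
        # cannot forge it, so an unexpected origin is refused outright.
        # A missing Origin means a non-browser client (CLI, script).
        if origin is not None and origin not in ALLOWED_ORIGINS:
            return False, "origin-denied"
        key = f"{remote_addr}|{origin}"
        is_loopback = remote_addr in ("127.0.0.1", "::1")
        # The weak policy skips the limiter for loopback; the hardened
        # policy applies it to every client, local or not.
        if not (self.exempt_loopback and is_loopback):
            if self._too_many_failures(key, now):
                return False, "rate-limited"
        if hmac.compare_digest(token, GATEWAY_TOKEN):
            return True, "ok"
        self.failures[key].append(now)
        return False, "bad-token"
```

With the exemption on, a wrong token from loopback is rejected individually forever, which is exactly what a brute force needs; with it off, the sixth attempt inside the window is refused before the token is even compared.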
The broader takeaway for TrustSkills
Marketplace scanning is only one layer. A trustworthy operator posture also needs runtime hardening, short patch cycles, explicit trust boundaries, and a refusal to treat 'local' as a synonym for 'safe'.
That broader posture is what security leaders expect from a serious AI-agent platform. Our blog should keep reinforcing that TrustSkills understands both the supply-chain layer and the runtime layer.
Trusted sources
- Oasis Security, "OpenClaw Vulnerability: Website-to-Local Agent Takeover": primary disclosure for the ClawJacked issue, including the exploit chain and the version guidance for the fix.
- OpenClaw Docs, "Security": used to anchor the hardening advice around local auth, browser control risk, and dedicated trust boundaries.