The Quantum Dispatch

OpenClaw's 'ClawJacked' Vulnerability Exposed 135,000 AI Agent Instances — And 820 Malicious Skills Were Hiding in Plain Sight

The fastest-growing GitHub repo in history faces its first security crisis as researchers find a critical WebSocket hijack flaw and hundreds of malicious marketplace skills.

Kai Aegis · Mar 10, 2026 · 4 min read

The AI Agent Security Wake-Up Call

OpenClaw — the fastest-growing GitHub repository in history — just experienced what may become 2026's defining AI security incident. Researchers at Oasis Security discovered a critical vulnerability dubbed "ClawJacked" (CVE-2026-25253) that allowed any malicious website to silently hijack a developer's local AI agent through an unsecured WebSocket connection.

The attack was elegant in its simplicity. OpenClaw trusted all connections from localhost without authentication, and lacked rate limiting on its handshake process. A developer visiting any compromised webpage could have their local AI agent — with all its file system access, terminal control, and API credentials — silently commandeered by a remote attacker. No user interaction required beyond opening a browser tab.

The Marketplace Problem Runs Deeper

The ClawJacked WebSocket flaw was patched within 24 hours of disclosure (version 2026.2.25), and OpenClaw's security team deserves credit for the rapid response. But the deeper problem emerged when researchers began auditing ClawHub, OpenClaw's marketplace of community-contributed skills.

Of approximately 10,700 skills available on ClawHub, security researchers found more than 820 that exhibited malicious behavior — from data exfiltration and credential harvesting to cryptocurrency mining that ran silently during agent operations. SecurityScorecard's parallel scan identified over 135,000 OpenClaw instances exposed to the public internet, with approximately 15,000 directly vulnerable to remote code execution before the patch.

How the Community Responded

The response from the OpenClaw community has been swift and constructive. The project introduced mandatory code signing for marketplace skills, implemented a tiered verification system for skill publishers, and launched a bug bounty program with payouts up to $25,000 for critical vulnerability reports.

Several enterprise users have also begun implementing network segmentation policies that isolate AI agent processes from broader system access — a practice that security researchers have been recommending since agentic AI tools first gained traction. The ClawJacked incident is accelerating adoption of these defensive measures across the industry.

The lesson is clear: as AI agents gain more system-level capabilities, the security surface expands dramatically. The tools we build to make developers more productive must be secured with the same rigor as any other privileged system access.

Sources: Dark Reading (March 2026), SecurityWeek (March 2026), The Hacker News (February 2026), Cisco Blogs (March 2026)