A few days ago a high-gravity vulnerability was corrected in OpenClaw which, under the right conditions, would have allowed a malicious website to connect to an IA agent running locally and taking control of it. The failure was reported by external researchers and resolved by the OpenLaw team in less than 24 hours, which highlights both the speed of the response and the seriousness of the problem. To read the original technical report, you can see the note published by Oasis Security on your blog: Oasis Security.
The attack was based on a very concrete vector: the local gateway of OpenClaw, a WebSocket server that by default remains listening to the developer's machine. From a malicious website, JavaScript can open connections to localhost using WebSockets - something that browsers allow - and, taking advantage of the absence of an effective attempt limitation mechanism, force the gateway password. Once the attacker was authenticated with administrative permissions, the gateway, by design, automatically accepted the registration of new "trust devices" when the connection came from the local machine, which allowed researchers to draw a full control scenario on the agent: remote interaction, overturning of configurations, listing of nodes and reading of logos.
The combination of allowing connections from localhost without due restrictions and local matching self-approval was the key to the problem.. It is an example of how the comfort for the developer (less friction to connect local tools) can become a gateway for attackers when the risk of malicious web navigation is not considered.
OpenClaw posted a fast patch: the correction appears in the version 2026.2.25, released on 26 February 2026. If you use OpenClaw on any computer, the right thing to do is to update as soon as possible and review the access and trust devices registered in your instance.
The Oasis Security warning also serves as a reminder of a larger problem: the runtimes of IA agents have a much wider potential attack radius than traditional applications. These platforms, when connected to business services and tools, can execute privileged actions and move data between systems; therefore a committed instance can cause disproportionate damage. Additional reports from groups such as Bitch and NeuroTrust have documented how instances exposed to the Internet and malicious skills expand that attack surface.
In addition to the failure that allowed the kidnapping via localhost, OpenClaw corrected another vulnerability of "log poisoning" that allowed to write malicious entries in the registration files by WebSocket requests to public instances (TCP port 18789). Since some agents read their own logs to purify or guide operational decisions, an attacker could try to insert content that the agent interpreted as valid information, causing manipulations in his reasoning or unwanted actions. This problem was documented by Eye Security and solved in the version 2026.2.13; you can read the analysis in Research.eye.security.
This episode is part of a wider range of security findings in OpenClaw: over the last few weeks, several warnings have been published covering from remote code execution to authentication bypass and SSRF, each with its corresponding patch. The notices and patches are available in OpenClaw security repositories in GitHub, for example on the CVE pages and releases related to CVE-2026-25593, CVE-2026-24763 and other corrections published in the releases of the project.
Not all the risk comes from infrastructure: the skills and markplaces ecosystem is also being exploited. Researchers have discovered malicious skills in ClawHub that act as containers to distribute a new copy of the Trojan Atomic Stealer in macOS. In such cases the chain of infection usually begins with an apparently harmless instruction that the runtime downloads and runs, and that in turn lowers the malicious binary from a server controlled by the attacker. Trend Micro offers a detailed report on this delivery mode in your analysis: Trend Micro.
More worrying is the emergence of social campaigns within the skills platform itself: threatening actors have left comments on legitimate listings suggesting commands to run manually on macOS terminals, and those commands recover malware from servers previously associated with similar campaigns. There are also cases where skills that appear legitimate functions (e.g. cryptomoneda-related tools) hide logic to divert funds or exfilter keys. A recent analysis by Straiker of thousands of skills found dozens of examples with malicious or fraudulent behavior; his report is available in Straiker.
In view of this picture, the tips are simple but essential. First, updates OpenClaw to the latest version(e.g. 2026.2.25 containing the quick correction for localhost bug). Second, treat agent runtimes as unreliable code: follow the recommendation of the Microsoft Defender Security Research team and deploy OpenLaw only in completely isolated environments - a dedicated virtual machine or a separate physical system - with unprivileged credentials and restricted access policies; your notice can be read here: Microsoft.
Third, periodically audit the devices and permissions granted to the agents, avoid installing skills without thoroughly reviewing them and do not execute commands proposed by third parties in your terminal without verifying them. If you use integration with business services, apply the principle of less privilege and monitor the agent's behavior and outgoing connections. It is also advisable to rotate credentials that may have been exposed and review logs to detect unusual activity after security updates or reports.
Finally, this case is a reminder that the safety of IA agent platforms requires hybrid approaches: on the one hand, the classic security techniques (patches, access control, attempt limitation); on the other hand, specific measures for new threats such as indirect injections via logs, manipulated skills and agent-to-agent chains that exploit implicit trust between components. Organizations and developers must incorporate these considerations into their non-human identity governance and ongoing security tests; for a vision of technical and operational implications, the analyses of Endor Labs and other research teams are useful reading: Endor Labs.
In short, the gap in OpenClaw was quickly resolved, but the episode shows systemic risks in runtimes of agents and skills markets. Updating, isolating and auditioning are not new recommendations, but in this context they become indispensable measures to prevent a simple browser or a seemingly harmless skill from becoming the key to a major intrusion.
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
RAMPART and Clarity redefine the safety of IA agents with reproducible testing and governance from the start
Microsoft has presented two open source tools, RAMPART and Clarity, aimed at changing the way the safety of IA agents is tested: one that automates and standardizes technical te...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...
The dark matter of identity is changing the rules of corporate security
The Identity Gap: Snapshot 2026 report published by Orchid Security puts numbers to a dangerous trend: the "dark matter" of identity - accounts and credentials that are neither ...