ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket - The Hacker News
The "ClawJacked" flaw allows malicious websites to hijack locally running OpenClaw AI agents by exploiting a critical vulnerability in the gateway's WebSocket server. The attack takes advantage of missing rate limiting on localhost connections to brute-force passwords and auto-register as a trusted device, granting full control and enabling data exfiltration.
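The following is an added example, not OpenClaw's code: a failed-authentication limiter shown once with loopback exempted (the weak behaviour described above) and once with loopback counted like any other client. WebSocket connections opened by a page in the user's own browser arrive from a loopback address, which is why the exemption matters. The class name, option names, limits and sample guesses are all assumptions made for illustration.

```javascript
// Added illustration, not OpenClaw code. Names and limits are assumptions.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

class AuthAttemptLimiter {
  constructor({ maxFailures = 5, windowMs = 60000, exemptLoopback = false } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.exemptLoopback = exemptLoopback; // true reproduces the weak behaviour
    this.failures = new Map(); // client address -> timestamps of recent failures
  }

  // Drop failures older than the window and return the ones that remain.
  recent(addr, now) {
    const kept = (this.failures.get(addr) || []).filter((t) => now - t < this.windowMs);
    this.failures.set(addr, kept);
    return kept;
  }

  isBlocked(addr, now = Date.now()) {
    if (this.exemptLoopback && LOOPBACK.has(addr)) return false;
    return this.recent(addr, now).length >= this.maxFailures;
  }

  recordFailure(addr, now = Date.now()) {
    this.recent(addr, now).push(now);
  }
}

// Constructed scenario: count how many password guesses reach the comparison.
// (A real gateway would also compare secrets in constant time.)
function guessesEvaluated(limiter, addr, guesses, secret, startMs = 0) {
  let evaluated = 0;
  for (let i = 0; i < guesses.length; i++) {
    const now = startMs + i; // one guess per millisecond
    if (limiter.isBlocked(addr, now)) continue; // rejected before any comparison
    evaluated++;
    if (guesses[i] === secret) return { evaluated, authenticated: true };
    limiter.recordFailure(addr, now);
  }
  return { evaluated, authenticated: false };
}
```

With the exemption enabled every guess from loopback is evaluated; with it disabled the same client is cut off after `maxFailures` attempts until the window expires.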