Oasis Security Discloses OpenClaw WebSocket Attack That Enabled Full Workstation Compromise

OpenClaw maintainers patched a vulnerability within 24 hours after Oasis Security’s Threat Research Team disclosed an attack that allowed any malicious JavaScript running in a developer’s browser to silently hijack their local OpenClaw agent. Elad Luz, Head of Research at Oasis Security, published the findings on TechRadar on June 8.

The vulnerability is fixed. The architectural pattern behind it matters for any team deploying always-on agents with local network access.

The Attack Chain

OpenClaw’s architecture uses a local WebSocket gateway that coordinates connected nodes. These nodes can execute system commands, access files, and interact with other platforms. The attack required no browser extensions, no plugins, and no user action beyond visiting a malicious website.

The sequence, according to Luz: malicious JavaScript connects to OpenClaw’s local WebSocket gateway, brute-forces the authentication password, and registers itself as a trusted device. Once authenticated, the attacker can access configuration data, enumerate all connected nodes, read logs, and execute commands across connected systems.

“Compromising a single AI agent could effectively compromise an entire workstation,” Luz wrote. The attack surface expanded to any system the OpenClaw agent was connected to, including messaging platforms, developer tools, and calendars.

The Governance Gap

Luz framed the disclosure as a symptom of a structural mismatch between agent deployment velocity and enterprise security readiness. He cited Deloitte data showing 74% of companies plan to deploy agentic AI within two years, while only 21% have mature governance frameworks in place.

“AI agents are now operational actors rather than simple productivity tools,” Luz wrote. “They act autonomously and silently, representing a new class of enterprise risk.”

OpenClaw’s design, which is always on, runs locally, and holds broad authority over credentials and connected systems, makes it a particularly high-value target. The agent holds credentials, executes commands, and connects across systems without continuous human oversight. When employees adopt these tools independently, IT teams often discover them only after they are deeply embedded in daily workflows.

Relevance for Agent Builders

The WebSocket brute-force pattern is not unique to OpenClaw. Any agent framework that exposes a local network interface with password-based authentication faces the same class of risk. The specific lessons from this disclosure:

Local agent gateways need rate limiting and lockout policies on authentication attempts. Password-based auth on local WebSocket connections is insufficient when any browser tab on the same machine can attempt connections. Device registration should require out-of-band confirmation, not just successful authentication on the same channel.

The broader architectural question: should autonomous agents that hold credentials and execute system commands be reachable from browser JavaScript at all? Microsoft’s MXC (Microsoft Execution Containers) approach, which isolates agent execution at the operating system level, represents one answer. OpenClaw’s rapid patch cycle suggests the maintainers are responsive, but the vulnerability pattern will recur in every agent framework that trades isolation for convenience.