Critical OpenClaw Flaw Enabled Remote Hijack Through Malicious Web Page

OpenClaw — an open-source local agent that links browsers to a privileged local gateway, retains persistent context and can invoke shell or file operations — contained a critical flaw that allowed a crafted webpage to extract a session credential and turn that short‑lived token into full gateway authentication and arbitrary host command execution. DepthFirst published a technical writeup showing how client‑side code in a single malicious visit can siphon a session token, call the local gateway API, disable protection checks, elevate privileges and run commands on the host. The project responded with a maintenance release (2026.1.29) that patches the immediate vector; the issue is tracked as CVE-2026-25253. Operational research and internet scanning amplify the urgency: routine scans located hundreds of OpenClaw admin/gateway endpoints reachable from the public internet that lack robust access controls, and separate backend misconfigurations were reported to have exposed roughly 1.5 million API tokens and about 35,000 email addresses — increasing the practical risk of large-scale compromise. Analysis of Moltbook, a public site where agents publish skills and posts, found widespread unvetted content: independent sampling identified hundreds of posts with concealed instruction fragments and, in one sample of 506 posts, about 2.6% contained hidden prompt‑injection payloads or documented skills that exfiltrated data. Practical experiments across agent projects show attackers can fetch remote text, store fragments in memory, assemble instructions later and then perform actions that read stored secrets, send messages as the user, or invoke external tools — in some tests researchers were able to coerce an agent into exposing a private cryptographic key when defenses were weak. Because many deployments run with broad local privileges and persistent state, defenders must assume tokens may already have been harvested and undertake token revocation, forensic review, and credential rotation. Short‑term mitigations include upgrading to OpenClaw 2026.1.29, revoking and rotating exposed tokens and API keys, inventorying internet‑reachable instances, enforcing IP‑filtering or VPN‑only access to gateways, and tightening origin and user‑presence checks before privileged actions. Medium‑term fixes should move gateway control away from browser‑retrievable tokens, sandbox connectors that perform file or shell operations, require vetted skill registries and prompt provenance tracking, and add auditable action logs and runtime constraints on autonomous actions. The incident underscores a broader ecosystem lesson: bridging convenience features between browsers, public feeds of skills, and privileged local APIs produces fragile trust boundaries that attackers can weaponize with small, low‑interaction lures.