Openclaw v2026.2.25 patches a major vulnerability that can allow malicious websites to hijack local AI agents.
The gist of it is this:
- Openclaw visits a website
- JavaScript on that site opens a connection to the gateway via WebSockets
- The gateway token is brute forced
- The remote site registers itself as a trusted device
- Game Over Man
This of course requires your gateway to be exposed to the Internet, which none of you are doing, right? RIGHT?
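The chain above has two cheap tells on the defender's side: a burst of rejected gateway tokens from one peer (the brute force), and a WebSocket handshake that carries a browser Origin header at all, which trusted local tooling would never send. The following is an added example of that detection logic, not code from Openclaw; the log line format, field names, peer addresses and thresholds are all constructed assumptions, not Openclaw's real ones.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log line format (an assumption, not Openclaw's own):
# <ISO timestamp> <peer address> origin=<Origin header or -> token=<accepted|rejected>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<peer>\S+) origin=(?P<origin>\S+) token=(?P<result>accepted|rejected)$"
)

WINDOW = timedelta(seconds=30)   # sliding window for counting rejected tokens
MAX_FAILURES = 5                 # rejections per window before the peer is flagged
ALLOWED_ORIGINS = set()          # a local gateway has no reason to accept any browser Origin


def parse_line(line):
    """Parse one constructed log line; returns (ts, peer, origin, accepted) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    origin = None if m["origin"] == "-" else m["origin"]
    return ts, m["peer"], origin, m["result"] == "accepted"


def analyse(lines):
    """Return {peer: sorted findings} for peers that tripped at least one check.

    brute_force          : more than MAX_FAILURES rejected tokens inside WINDOW
    browser_origin       : handshake carried an Origin header not on the allow list
    accepted_after_burst : a token was accepted from a peer already flagged for brute force
    """
    failures = defaultdict(deque)   # peer -> timestamps of recent rejections
    findings = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, peer, origin, accepted = ev
        if origin is not None and origin not in ALLOWED_ORIGINS:
            findings[peer].add("browser_origin")
        if accepted:
            if "brute_force" in findings.get(peer, ()):
                findings[peer].add("accepted_after_burst")
            continue
        q = failures[peer]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop rejections older than the window
            q.popleft()
        if len(q) > MAX_FAILURES:
            findings[peer].add("brute_force")
    return {peer: sorted(f) for peer, f in findings.items() if f}


def sample_lines():
    """Constructed sample: a token-guessing burst from one peer, then normal local use."""
    base = datetime(2026, 2, 25, 10, 0, 0, tzinfo=timezone.utc)
    lines = [
        f"{(base + timedelta(milliseconds=50 * i)).isoformat().replace('+00:00', 'Z')} "
        f"203.0.113.7 origin=https://attacker.example token=rejected"
        for i in range(8)
    ]
    lines.append("2026-02-25T10:00:01Z 203.0.113.7 origin=https://attacker.example token=accepted")
    lines.append("2026-02-25T10:05:00Z 127.0.0.1 origin=- token=accepted")
    lines.append("2026-02-25T10:06:00Z 127.0.0.1 origin=- token=rejected")  # one typo, not a burst
    return lines


if __name__ == "__main__":
    for peer, flags in analyse(sample_lines()).items():
        print(peer, ", ".join(flags))
```

Running it on the constructed sample flags only 203.0.113.7, with all three findings; the single rejected token from 127.0.0.1 stays under the threshold and carries no Origin, so it is not reported. The same counters are what a gateway would use to lock a peer out after MAX_FAILURES rather than merely log it, and rejecting any handshake that carries a browser Origin removes the first step of the chain outright.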
You can read more about the vulnerability here
If you want automatic updates, you can enable them in your openclaw.json configuration.
Just add this section to your openclaw.json file; I like to have it up top right after "wizard", as it is most appropriate there.
"update": {
  "channel": "stable",
  "checkOnStart": false,
  "auto": {
    "enabled": true,
    "stableDelayHours": 6,
    "stableJitterHours": 12,
    "betaCheckIntervalHours": 1
  }
},
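Pasting that fragment by hand is easy to get wrong (a stray trailing comma, or a second "update" key further down the file). Below is an added helper, not part of Openclaw, that loads openclaw.json, places the update section right after "wizard" while keeping every other key in order, merges with any update section already present, and writes back valid JSON. The sample configuration inside is constructed; only the "wizard" and "update" keys come from this post, the sub-keys under "wizard" and "gateway" are assumptions.

```python
import json

# The update section from the post, as a Python structure.
UPDATE_SECTION = {
    "channel": "stable",
    "checkOnStart": False,
    "auto": {
        "enabled": True,
        "stableDelayHours": 6,
        "stableJitterHours": 12,
        "betaCheckIntervalHours": 1,
    },
}

# Constructed sample openclaw.json; sub-keys are assumptions, not Openclaw's real schema.
SAMPLE_CONFIG = """{
  "wizard": {"completed": true},
  "gateway": {"bind": "127.0.0.1"}
}
"""


def insert_after(config, anchor_key, new_key, new_value):
    """Return a copy of config with new_key placed directly after anchor_key.

    If new_key already exists it stays where it is and its dict entries are
    shallow-merged with new_value (new_value wins). If anchor_key is absent,
    new_key goes first so it is still "up top".
    """
    if new_key in config:
        out = dict(config)
        existing = config[new_key]
        out[new_key] = {**existing, **new_value} if isinstance(existing, dict) else new_value
        return out
    out = {}
    inserted = False
    for key, value in config.items():
        out[key] = value
        if key == anchor_key:
            out[new_key] = new_value
            inserted = True
    if not inserted:
        out = {new_key: new_value, **out}
    return out


def add_update_section(text):
    """Parse the config text, add the update section after "wizard", return new JSON text."""
    config = json.loads(text)           # raises on invalid JSON, e.g. a trailing comma
    config = insert_after(config, "wizard", "update", UPDATE_SECTION)
    return json.dumps(config, indent=2) + "\n"


if __name__ == "__main__":
    # Typical use: read openclaw.json, rewrite it, write it back.
    print(add_update_section(SAMPLE_CONFIG), end="")
```

json.loads rejects the trailing comma that the fragment above ends with, so the script only ever writes a file Openclaw can parse; to apply it to a real file, read openclaw.json into `text` and write the returned string back.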
Are you using openclaw?
If so, say something in the comments. I thought about posting some tips on using openclaw as I get deeper into it.
If you are using it, what are you using it for?