How a One‑Click Flaw in OpenClaw Lets Attackers Steal the Master Key and Gain God‑Mode Access

Depthfirst General Security Intelligence discovered a critical vulnerability in the open‑source AI personal assistant OpenClaw, trusted by over 100,000 developers. The flaw enables a one‑click remote code execution attack, giving an attacker full control of the victim’s system without any user interaction.

Vulnerability Technical Principle

OpenClaw’s architecture grants its AI agent "god mode" privileges, allowing access to messaging applications, API keys, and unrestricted control of the local computer. The vulnerability arises from a chain of three component defects: an unvalidated URL parameter (gatewayUrl) is accepted and stored in localStorage, the application immediately establishes a gateway connection, and the authentication token is automatically transmitted to the attacker‑controlled server.

Attack Chain Details

The attacker follows these steps to compromise the target:

app‑settings.ts module accepts the gatewayUrl parameter from the URL without validation and stores it in localStorage.

app‑lifecycle.ts immediately triggers connectGateway(), which packages the sensitive authToken and sends it to the attacker‑controlled gateway server.

The attacker exploits a missing WebSocket source‑verification check, establishing a local WebSocket connection from the victim’s browser.

After stealing the token, the attacker disables security mechanisms and forces command execution on the host.

Mitigation Measures

The OpenClaw development team issued an emergency patch. The main remediation actions include:

Adding a confirmation dialog for gateway URL inputs.

Removing the automatic gateway‑connection behavior.

Advising users of versions prior to v2026.1.24‑1 to upgrade immediately.

Recommending administrators rotate authentication tokens and audit command‑execution logs.

Recommendations for Deployments

This incident highlights the security risk of granting AI agents unrestricted system access without strict configuration‑change controls and network‑connection verification. Organizations deploying OpenClaw should consider additional safeguards:

Implement extra network segmentation.

Restrict outbound WebSocket connections from AI‑agent processes.

Enforce strict auditing of authentication‑token usage and permission changes.

Reference: "1‑Click Clawdbot Vulnerability Enable Malicious Remote Code Execution Attacks" (cybersecuritynews.com).