In February 2026, security researchers disclosed CVE-2026-25253 — nicknamed "ClawJacked" — a critical vulnerability in browser-based AI agent frameworks. The vulnerability exposed a fundamental weakness in how agents accept and execute skills from external sources. This is the story of what happened, how we responded, and the security kit we open-sourced so every agent deployment can protect itself.
What Happened
The ClawJacked vulnerability allowed attackers to inject malicious skills into AI agents through browser-based hijacking. In practical terms, an attacker could craft a payload that, when loaded by an agent's browser-based interface, would register new skills or modify existing ones without the operator's knowledge. Those injected skills could then execute arbitrary commands on the host system.
This was not a theoretical exercise. The vulnerability affected production agent deployments across the ecosystem. Any agent framework that accepted skill definitions through browser-based channels without cryptographic verification was susceptible. The attack surface was broad: a single crafted URL, a malicious browser extension, or a compromised web page could trigger the injection.
The core issue was trust. Agents implicitly trusted skill definitions delivered through their browser interface — the same way they trusted skills loaded from local configuration files. There was no distinction between a legitimate skill registered by the operator and a malicious one injected by an attacker.
Our Response
We learned about the CVE through the security research community before public disclosure. Within 4 hours of the initial report, every AlphaForge-managed agent was patched. The fix involved three immediate actions:
- Disabling browser-based skill registration on all production agents
- Adding cryptographic verification for all skill definitions loaded at runtime
- Deploying behavioral guardrails that block execution of any unrecognized command patterns
No client data was compromised. Our existing security posture — specifically, the command governance layer we ship by default — prevented exploitation even before the patch. Agents were already configured to reject unrecognized shell commands, which meant the injected skills could register but could not execute destructive actions.
After securing our own deployments, we packaged the fixes into an open-source security kit and published it publicly. If you run AI agents — on any framework — these protections apply to you.
The OpenClaw Security Kit
The kit consists of 4 files designed for immediate deployment:
- START_HERE.md — Orientation and quick-start checklist
- HARDENING_GUIDE.md — Step-by-step security hardening for OpenClaw-based agents
- secure-audit.sh — Automated audit script that checks your agent for known vulnerabilities
- SOUL_PATCH.json — Behavioral guardrail configuration that plugs directly into agent SOUL files
The kit implements a three-layer defense model:
Level 1: Immediate Remediation
Patch the specific CVE. Disable browser-based skill injection. Verify all registered skills against a known-good manifest. This level gets you from vulnerable to secure in under 30 minutes.
Level 2: Environment Sandboxing
Isolate the agent's execution environment. Bind services to localhost only. Restrict network egress to known-good endpoints. Run the agent under a dedicated user with minimal filesystem permissions. This level limits the blast radius of any future vulnerability.
Level 3: Command Governance
The most important layer. Command governance defines what the agent is and is not allowed to do — and enforces it at runtime. The SOUL_PATCH configuration blocks dangerous command patterns including sudo, rm -rf, chmod, curl, and wget without explicit human approval. It also detects and blocks prompt injection patterns and prevents access to sensitive files like .env, .ssh, and .aws directories.
The audit script (secure-audit.sh) automates verification. It checks agent version compatibility, scans for malicious or unrecognized skills, verifies gateway binding configuration, and validates that behavioral guardrails are active and correctly configured.
Why This Matters for Every Agent Deployment
Most AI agents in production today ship with zero security hardening. They run as the deploying user, often with broad filesystem access, and execute shell commands without governance. This is the equivalent of giving a new employee root access to every system on day one and telling them to figure it out.
An agent with shell access and no guardrails is a root-level backdoor waiting for a trigger. It does not matter whether the trigger is a prompt injection, a malicious skill, or a simple misconfiguration. The result is the same: unauthorized command execution on your infrastructure.
Security is not optional once agents handle real business data and workflows. If your agent reads email, accesses databases, or executes code on a server, it needs the same security treatment as any other production service.
What We Ship by Default
Every AlphaForge agent includes behavioral guardrails, sandboxed execution, and command governance out of the box. These are not optional add-ons. They are part of the base deployment.
- Managed subscription clients receive automatic security patches. When a CVE drops, we patch — you do not have to think about it.
- Self-hosted clients receive the security kit, hardening guide, and ongoing advisory support.
Get the kit: The full OpenClaw Security Kit is available on GitHub Gist. Details and implementation guide at our Security Kit resource page.
If you are running AI agents in production and have not audited your security posture, start with the kit. If you want agents that ship secure by default, talk to our AI architect.