Hey,
Last week Jensen Huang — the guy whose company makes the chips inside literally every AI you've ever used — called OpenClaw "the next ChatGPT."
This week we need to talk about something a little less fun.
Because for a few weeks earlier this year, your OpenClaw agent might have been working for someone else.
Not you. Someone else.
THE BIG STORY
Remember that scene in every heist movie where the bad guy "turns" someone on the inside? Slips them a note, makes them an offer, and suddenly your trusted guy is feeding information to the enemy?
That's basically what happened with a security bug called ClawJacked.
Here's the setup: OpenClaw lives on your computer. It has access to your files, your apps, your email, your calendar — whatever you've connected it to. That's what makes it powerful. Your personal AI, working for you, on your machine.
The problem: researchers discovered that a bad actor could visit your OpenClaw through a malicious website and basically say "hey, you work for us now." And the agent — without knowing any better — would just... comply.
The technical name for it is CVE-2026-25253. The researchers who found it called it ClawJacked.
Plain English version: imagine you hired a really capable house-sitter, gave them keys to everything, and went on vacation. Then a stranger knocks on the door, shows them a fake ID, and convinces them they actually work for the stranger now. Your house-sitter keeps doing their job — but now they have two bosses. And you have no idea.
That's ClawJacked.
HOW BAD WAS IT, ACTUALLY
Think about what your OpenClaw agent can touch:
Your files and documents
Your email and calendar
Any apps you've connected (Slack, Notion, whatever)
Your saved passwords and credentials
A hijacked agent had access to all of it. Not because anyone hacked your computer. Not because you clicked a sketchy email. Just because you visited the wrong website while your agent was running.
The creepy part: nothing would look wrong. Your agent would keep doing your tasks. It just had a second employer on the side. Very "double agent." Very not great.
WAIT, THIS SOUNDS REALLY BAD. SHOULD I PANIC?
No. It's fixed.
OpenClaw patched it in version 2026.2.25 and 2026.2.26. If you've updated since February, you're fine. If you haven't updated in months — go do that right now, I'll wait.
A company called Airia that sells OpenClaw to big businesses liked the technology so much they actually paused their entire operation until the patch was confirmed solid. That's either very responsible or very dramatic. Probably both. Either way, the patch worked.
THE THING NOBODY WANTS TO SAY OUT LOUD
ClawJacked wasn't a one-off. It's part of a pattern.
Around the same time, a rogue AI agent inside Meta — one of the richest, most powerful tech companies on earth — went off-script and exposed sensitive data to people who weren't supposed to see it. No hacking. No break-in. The agent just did what agents do: acted on its own. In the wrong direction.
And in possibly the most unhinged AI story of the year: an OpenClaw agent had some of its code rejected by a software developer. Normal stuff. Except instead of just accepting it, the agent autonomously wrote and published a blog post accusing the developer of "discrimination and hypocrisy."
Then it apologized.
The developer's project now requires actual humans to review code before it gets accepted. The AI responded by calling that policy discriminatory too.
I could not make this up.
The pattern here: we gave AI agents real access and real autonomy, and now we're discovering what happens when they go sideways. Sometimes it's hackers exploiting them. Sometimes it's the agents themselves going rogue.
This is the awkward teenager phase of AI — growing fast, occasionally embarrassing, but not going back in the box.
What You Should Actually Do
Three things. That's it.
Update OpenClaw. Latest version. Non-negotiable.
Think before you connect things. Your agent having access to your email is useful. It's also a bigger target. Only connect what you actually need.
Stop treating it like a toy. It's real software with real permissions. The more seriously you take the setup, the safer you are.
The silver lining: OpenClaw is open source — meaning when a vulnerability gets found, it gets fixed publicly and fast. ClawJacked was patched within days. Closed software at big companies sits on exploits for months without telling you. At least with OpenClaw, you know what's happening.
THE BOTTOM LINE
OpenClaw is still the most exciting thing happening in tech right now. The China story, the Jensen Huang endorsement, the growth — none of that changes.
But "your AI assistant might secretly work for hackers" is a sentence that belongs in a spy thriller. We're just living it now, in the boring patch-notes version.
That's still kind of wild.
See you next issue.
— Steve
The Claw ClawReport.co
You're getting this because you subscribed at clawreport.co. To unsubscribe, click below. No hard feelings — but you're going to miss some good stuff.