From Assistant to Assassin: Weaponizing An OpenClaw Vulnerability to Achieve 1-Click RCE

Mav Levin

BSidesSF 2026 · Day 1 · AMC Theatre 10

In this talk at BSides SF, security researcher Mav Levin presented a critical **one-click Remote Code Execution (RCE)** vulnerability in **OpenClaw**, a popular agentic assistant. Levin demonstrated how a chain of three seemingly benign features could be combined to exfiltrate an administrator's authentication token and then achieve full RCE, bypassing even OpenClaw's most secure configurations and multiple layered defenses.

AI review

Levin delivers a clean, technically honest vulnerability chain against a real agentic system — CSRF on a static endpoint, attacker-controlled gateway redirect, and automatic auth token transmission combine into one-click RCE that burns through every layered defense OpenClaw offers. The pairing mode bypass via MitM proxy is the sharpest bit of the research, and the localhost evasion via browser-side JS is a nice touch that keeps the attack realistic rather than lab-contrived.
