Package Instance

OpenClaw: Reject symlinks in local skill packaging script
- Potential unintentional disclosure of local files from the packaging machine into a generated `.skill` artifact.
- Requires local execution of the packaging script on attacker-controlled skill contents.

OpenClaw has command injection via Windows shell fallback in Lobster tool execution
The Lobster extension tool execution path used a Windows shell fallback (`shell: true`) after spawn failures (`EINVAL`/`ENOENT`). In that fallback path, shell metacharacters in command arguments can be interpreted by the shell, enabling command injection.

OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags
`tools.exec.safeBins` could be bypassed for filesystem access when `sort` output flags (`-o` / `--output`) or recursive `grep` flags were allowed through safe-bin execution paths.

OpenClaw's owner-only gateway tool access checks were incomplete in specific authenticated DM flows
In authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions.

OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()
OpenClaw’s Feishu media download flow used untrusted Feishu media keys (`imageKey` / `fileKey`) when building temporary file paths in `extensions/feishu/src/media.ts`.
Because those keys were interpolated directly into temp-file paths, traversal segments could escape the temp directory and redirect writes outside `os.tmpdir()`.

OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP
OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (`...:5efe:w.x.y.z`). A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths.

OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)
Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens.

Before the fix:
- SCP used `StrictHostKeyChecking=accept-new` in the remote attachment path.
- `channels.imessage.remoteHost` was not validated as a strict SSH host token.

OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
OpenClaw Windows Scheduled Task script generation allowed unsafe argument handling in generated `gateway.cmd` files. In vulnerable versions, cmd metacharacter-only values could be emitted without safe quoting/escaping, which could lead to unintended command execution when the scheduled task runs.

OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
`tools.exec.safeBins` allowlist checks could be bypassed by PATH-hijacked binaries, allowing execution of attacker-controlled trojan binaries under an allowlisted executable name.

OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption
Concurrent `updateRegistry`/`removeRegistryEntry` operations for sandbox containers and browsers could lose updates or resurrect removed entries under race conditions.

The registry writes were read-modify-write in a window with no locking and permissive fallback parsing, so concurrent registry updates could produce stale snapshots and overwrite each other.

That desyncs sandbox state and can affect `sandbox list`, `sandbox prune`, and `sandbox recreate --all` behavior.

OpenClaw plugin runtime command execution is part of trusted plugin boundary
OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (`runtime.system.runCommandWithTimeout`).

OpenClaw hardened cron webhook delivery against SSRF
## Affected Packages / Versions

- `openclaw` npm package versions `<= 2026.2.17`.

## Vulnerability
Cron webhook delivery in `src/gateway/server-cron.ts` used `fetch()` directly, so webhook targets could reach private/metadata/internal endpoints without SSRF policy checks.

## Fix Commit(s)
- `99db4d13e`
- `35851cdaf`

Thanks @Adam55A-code for reporting.

OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction
`extensions/feishu/src/bot.ts` constructed `new RegExp()` directly from Feishu mention metadata (`mention.name`, `mention.key`) in `stripBotMention()` without escaping regex metacharacters.

OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint
When the optional Chrome extension relay is enabled, `/extension` accepted unauthenticated WebSocket upgrades while `/json/*` and `/cdp` required auth.

OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs
- Local ACP sessions may become less responsive when very large prompts are submitted
- Larger-than-expected model usage/cost when oversized text is forwarded
- No privilege escalation and no direct remote attack path in the default ACP model

OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
OpenClaw `exec` allowlist/safeBins policy could be bypassed with attached short-option payloads (for example `sort -o/tmp/poc`), enabling file-write operations while still satisfying safeBins checks.

OpenClaw safeBins file-existence oracle information disclosure
An information disclosure vulnerability in OpenClaw's `tools.exec.safeBins` approval flow allowed a file-existence oracle.

When safe-bin validation examined candidate file paths, command allow/deny behavior could differ based on whether a path already existed on the host filesystem. An attacker could probe for file presence by comparing outcomes for existing vs non-existing filenames.

OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
A command injection vulnerability existed in Windows Scheduled Task script generation for OpenClaw. Environment values were written into `gateway.cmd` using unquoted `set KEY=VALUE`, which allowed Windows shell metacharacters in config-provided environment variables to break out of assignment context.

OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
On Windows, the Lobster extension previously retried certain spawn failures (`ENOENT`/`EINVAL`) with `shell: true` for wrapper compatibility. In that fallback path, tool-provided arguments could be interpreted by `cmd.exe` if fallback was triggered.

ZDI-CAN-29311: OpenClaw Canvas Authentication Bypass Vulnerability

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
OpenClaw - OpenClaw

-- VULNERABILITY DETAILS ------------------------
* Version tested: openclaw 2026.2.17
* Platform tested: macOS 26.3

---

OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
When iMessage remote attachment fetching is enabled (`channels.imessage.remoteHost`), `stageSandboxMedia` accepted arbitrary absolute paths and used SCP to copy them into local staging.

If a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the remote host can be staged.