Package Instance

OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
A wrapper-depth parsing mismatch in `system.run` allowed nested transparent dispatch wrappers (for example repeated `/usr/bin/env`) to suppress shell-wrapper detection while still matching allowlist resolution. In `security=allowlist` + `ask=on-miss`, this could bypass the expected approval prompt for shell execution.

OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>
In `openclaw@2026.2.23`, sandbox network hardening blocks `network=host` but still allows `network=container:<id>`.

This can let a sandbox join another container's network namespace and reach services available in that namespace.

OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch
A missing group-sender authorization check in the Zalo plugin allowed unauthorized `GROUP` messages to enter agent dispatch paths in configurations intended to restrict group traffic.

OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs
In sandboxed runs, native prompt image auto-load did not honor `tools.fs.workspaceOnly=true`.

This optional hardening setting is **not enabled by default**. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example `/agent/secret.png`) and load those image bytes for vision-capable model input.

Temporary path handling could write outside OpenClaw temp boundary
Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root.

OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check
In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied.

OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
In `openclaw` versions `2026.2.22` and `2026.2.23`, the optional `synology-chat` channel plugin had an authorization fail-open condition: when `dmPolicy` was `allowlist` and `allowedUserIds` was empty/unset, unauthorized senders were still allowed through to agent dispatch.

This is assessed as **medium** severity because it requires channel/plugin setup and Synology sender access, but can still trigger downstream agent/tool actions.

OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
`sendAttachment` and `setGroupIcon` message actions could hydrate media from local absolute paths when `sandboxRoot` was unset, bypassing intended local media root checks. This could allow reads of arbitrary host files reachable by the runtime user when an authorized message-action path was triggered.

OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)
In `openclaw<=2026.2.23`, safe-bin trust in allowlist mode relied on static default trusted directories that included package-manager paths (notably `/opt/homebrew/bin` and `/usr/local/bin`).
When a same-name binary (for example `jq`) is placed in one of those trusted default directories, safe-bin evaluation can be satisfied and execute the attacker-controlled binary.

OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths
A workspace-only file-system guard mismatch allowed `@`-prefixed absolute paths to bypass boundary validation in some tool path checks.

OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths
In `openclaw` up to and including **2026.2.23** (latest npm release as of **February 24, 2026**), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path.

OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
In `openclaw` up to and including **2026.2.23** (latest npm release as of **February 25, 2026**), `system.run` shell-wrapper inputs could present misleading approval/display text while still carrying hidden positional argv payloads that execute at runtime.