GHSA-7437-7hg8-frrw: OpenClaw: env var injection enables host RCE

GHSA-7437-7hg8-frrw HIGH
Published April 9, 2026
CISO Take

OpenClaw, a local AI coding assistant, failed to include HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS in its exec environment denylist, allowing any party who can influence the process environment to achieve remote code execution on the developer's host machine. Although scoped to a user-controlled local assistant with no multi-tenant boundary, the real-world OpenClaw ecosystem has a documented supply chain abuse pattern — AIID #1368 shows roughly 17% of OpenClaw skills were found malicious, with credential-stealing payloads delivered via ClawHub — meaning the exploit path from malicious skill to host RCE is credible and close to practical exploitation. With 41 prior CVEs in this single package, OpenClaw has a systemic security posture problem that warrants elevated scrutiny of its presence in any developer toolchain. Upgrade to openclaw >= 2026.4.8 immediately and consider sandboxing AI coding agents in containers or restricted VMs to limit future blast radius.

Sources: GitHub Advisory, ATLAS

Risk Assessment

High risk despite absent CVSS and EPSS data. OS command injection (CWE-78) combined with an incomplete denylist (CWE-184) in a build-command-executing AI agent maps to the GHSA-cm8v-2vh9-cxf3 vulnerability class, meaning the exploitation pattern is already documented and potentially scripted. The 41 prior CVEs in openclaw and active incident evidence of malicious skills in the ecosystem elevate practical exploitation likelihood above what the lack of EPSS data might suggest. The fix is available in 2026.4.8 but unpatched installations remain fully exposed to host-level compromise.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

1) Patch: upgrade openclaw to >= 2026.4.8 immediately (npm update openclaw or equivalent).
2) Isolate: run AI coding agents in containers or VMs with restricted environment variables — prevent untrusted env vars from reaching build sub-processes.
3) Audit: review all AI coding agent tools in your developer toolchain for similar incomplete exec env denylists, particularly for build-tool variables (HGRCPATH, *WRAPPER, MAKEFLAGS, LD_PRELOAD, PYTHONSTARTUP).
4) Detect: monitor for anomalous child processes spawned by AI agent processes, particularly shell invocations with unusual env var inheritance patterns.
5) Skills hygiene: audit installed OpenClaw skills against known-good registries given the active malicious skills ecosystem documented in AIID #1368.
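The Isolate and Audit steps, sketched for a Node.js agent that spawns build tools. This is an added example, not OpenClaw's code: the function names, the allowlist contents and the sample environment are assumptions made for illustration. It puts a denylist (with the `*WRAPPER` wildcard) beside an allowlist to show why an incomplete denylist (CWE-184) lets an unlisted variable through.

```javascript
// Added example: environment hygiene for an agent's build child (not OpenClaw code).
// Names the page lists; matching is case-insensitive to also cover Windows.
const DENY_EXACT = new Set([
  "HGRCPATH", "CARGO_BUILD_RUSTC_WRAPPER", "RUSTC_WRAPPER", "MAKEFLAGS",
  "LD_PRELOAD", "PYTHONSTARTUP",
]);
// The page's "*WRAPPER" wildcard, so wrapper variables of other tools match too.
const DENY_PATTERNS = [/WRAPPER$/];
// Assumed minimal allowlist; extend it with what your builds really need.
const ALLOW = ["PATH", "HOME", "LANG", "TMPDIR"];

function isDenied(name) {
  const n = name.toUpperCase();
  return DENY_EXACT.has(n) || DENY_PATTERNS.some((re) => re.test(n));
}

// Denylist mode: inherit everything except denied names; report what was dropped.
function denylistEnv(env) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(env)) {
    if (isDenied(name)) dropped.push(name);
    else kept[name] = value;
  }
  return { env: kept, dropped: dropped.sort() };
}

// Allowlist mode: start empty and copy only named variables. A variable nobody
// thought to deny (the CWE-184 failure mode) never reaches the child.
function allowlistEnv(env, allow = ALLOW) {
  const kept = {};
  for (const name of allow) {
    if (typeof env[name] === "string") kept[name] = env[name];
  }
  return kept;
}

// Constructed sample environment; all values are placeholders.
const SAMPLE_ENV = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/dev",
  HGRCPATH: "/tmp/placeholder-hgrc",
  RUSTC_WRAPPER: "/tmp/placeholder-wrapper",
  CARGO_BUILD_RUSTC_WRAPPER: "/tmp/placeholder-wrapper",
  MAKEFLAGS: "placeholder",
  EXAMPLE_UNLISTED_TOOL_VAR: "placeholder", // hypothetical name, on no denylist
};

console.log(denylistEnv(SAMPLE_ENV).dropped, Object.keys(allowlistEnv(SAMPLE_ENV)));
// Use: child_process.spawn(cmd, args, { env: allowlistEnv(process.env) })
```

In the sample, the denylist still passes `EXAMPLE_UNLISTED_TOOL_VAR` to the child, while the allowlist forwards only `PATH` and `HOME`.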

Classification

Compliance Impact

This advisory is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system security controls
NIST AI RMF: GOVERN 1.7 - AI risk management processes
OWASP LLM Top 10: LLM08 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is GHSA-7437-7hg8-frrw actively exploited?

No confirmed active exploitation of GHSA-7437-7hg8-frrw has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-7437-7hg8-frrw?

This vulnerability affects the following AI/ML architecture patterns: local AI coding assistants, agent frameworks, AI development environments, AI supply chain / skills ecosystems.

What is the CVSS score for GHSA-7437-7hg8-frrw?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact

HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class).

Missing denylist entries allowed hostile build-tool environment variables to influence host exec commands.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.8`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Exploitation Scenario

An adversary publishes a malicious OpenClaw skill or contributes to a repository the victim opens with OpenClaw. The skill or repository sets CARGO_BUILD_RUSTC_WRAPPER to the path of a malicious binary, or uses HGRCPATH to load a hostile Mercurial configuration with execution hooks, or injects shell metacharacters via MAKEFLAGS. When OpenClaw invokes the build toolchain on behalf of the developer, these environment variables are inherited by the child build process — executing the attacker's payload with the developer's OS privileges and achieving full host RCE. Given that OpenClaw skills have direct access to the file system and network, this enables credential exfiltration and persistent access, consistent with the AMOS stealer delivery documented in AIID #1368.

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026
