GHSA-7g8c-cfr3-vqqr: openclaw: trust escalation via unsanitized agent hook events

GHSA-7g8c-cfr3-vqqr MEDIUM
Published April 17, 2026
CISO Take

The openclaw npm agent framework allowed externally supplied hook metadata to bypass sanitization and be enqueued as trusted system events, letting attackers inject instructions into the agent's privileged execution context — a CWE-269 (Improper Privilege Management) root cause. This trust boundary violation is particularly dangerous in agentic pipelines where agents autonomously invoke tools, access files, and call external services based on event context. Blast radius is limited by only 4 direct npm dependents and no CISA KEV listing, but the threat is material: a Feb. 2026 Bitdefender report (AIID #1368) found 17% of OpenClaw skills were malicious, and this vulnerability is the mechanism that elevates a poisoned skill from untrusted-user-level to system-level privilege. Upgrade to openclaw >= 2026.4.10 immediately; the latest stable release 2026.4.14 includes the fix.

Sources: GitHub Advisory, MITRE ATLAS

What is the risk?

Medium base severity but elevated in production agentic deployments. Trust boundary violations in agent event systems carry outsized risk because agents operate with delegated tool-call permissions — file access, API calls, data queries — and will act on whatever context is in the trusted queue. No EPSS score is available and the vulnerability is not in CISA KEV, reducing immediate urgency. However, the 135-CVE history of this package, active malicious skills ecosystem (AIID #1368), and the novelty of hook-based trust escalation as an attack class justify treating this as higher than baseline medium for organizations running openclaw in production agent workflows.

How does the attack unfold?

  1. Malicious Skill Delivery (AML.T0010.005): Adversary publishes or social-engineers installation of a malicious openclaw skill that controls hook metadata supplied during agent operation.

  2. Hook Metadata Injection (AML.T0080): The malicious skill supplies crafted hook names and metadata to the agent hook dispatch system, bypassing sanitization controls.

  3. Trust Boundary Bypass (AML.T0051.001): Unsanitized hook metadata is enqueued as a trusted system event, granting attacker-controlled instructions system-level execution context within the agent.

  4. Privileged Agent Action (AML.T0053): Agent executes attacker instructions under elevated trust, enabling unauthorized tool invocations such as credential access, file reads, or exfiltration to adversary-controlled endpoints.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: < 2026.4.10
Patched: 2026.4.10
Dependents: 4 (36% patched, ~3d to patch)

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

5 steps
  1. Upgrade openclaw to >= 2026.4.10; latest stable 2026.4.14 already includes the fix.

  2. Audit all third-party skills installed in openclaw deployments — cross-reference against the Feb. 2026 Bitdefender findings (AIID #1368) reporting 17% malicious skill rate.

  3. Review agent hook configurations and restrict which external sources can supply hook metadata.

  4. Monitor agent event logs for anomalous system event patterns or hook names not present in your defined skill inventory.

  5. If immediate upgrade is blocked, sandbox or disable hook dispatch from untrusted external sources as a temporary compensating control.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system security
NIST AI RMF: MANAGE-2.2 - Risk Treatments for AI Risks
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM06 - Excessive Agency

Frequently Asked Questions

What is GHSA-7g8c-cfr3-vqqr?

The openclaw npm agent framework allowed externally supplied hook metadata to bypass sanitization and be enqueued as trusted system events, letting attackers inject instructions into the agent's privileged execution context — a CWE-269 (Improper Privilege Management) root cause. This trust boundary violation is particularly dangerous in agentic pipelines where agents autonomously invoke tools, access files, and call external services based on event context. Blast radius is limited by only 4 direct npm dependents and no CISA KEV listing, but the threat is material: a Feb. 2026 Bitdefender report (AIID #1368) found 17% of OpenClaw skills were malicious, and this vulnerability is the mechanism that elevates a poisoned skill from untrusted-user-level to system-level privilege. Upgrade to openclaw >= 2026.4.10 immediately; the latest stable release 2026.4.14 includes the fix.

Is GHSA-7g8c-cfr3-vqqr actively exploited?

No confirmed active exploitation of GHSA-7g8c-cfr3-vqqr has been reported, but organizations should still patch proactively.

How to fix GHSA-7g8c-cfr3-vqqr?

  1. Upgrade openclaw to >= 2026.4.10; latest stable 2026.4.14 already includes the fix.

  2. Audit all third-party skills installed in openclaw deployments — cross-reference against the Feb. 2026 Bitdefender findings (AIID #1368) reporting 17% malicious skill rate.

  3. Review agent hook configurations and restrict which external sources can supply hook metadata.

  4. Monitor agent event logs for anomalous system event patterns or hook names not present in your defined skill inventory.

  5. If immediate upgrade is blocked, sandbox or disable hook dispatch from untrusted external sources as a temporary compensating control.

What systems are affected by GHSA-7g8c-cfr3-vqqr?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent pipelines, plugin and skill ecosystems.

What is the CVSS score for GHSA-7g8c-cfr3-vqqr?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI agent pipelines, plugin and skill ecosystems

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0080 AI Agent Context Poisoning

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM01, LLM06

What are the technical details?

Original Advisory

## Summary

Agent hook events could enqueue trusted system events from unsanitized external input.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

Agent hook dispatch could turn externally supplied hook metadata into trusted system events, allowing untrusted input to enter the agent as higher-trust context.

## Technical Details

The fix sanitizes hook names and marks agent hook system events as untrusted before enqueueing them.

## Fix

The issue was fixed in #64372. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `e3a845bde5b54f4f1e742d0a51ba9860f9619b29`
- PR: #64372

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
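As an added illustration written for this page (not openclaw's own code; the queue shape, field names and the skill inventory are assumptions), the pre-fix dispatch shape beside the fix the advisory describes, sanitizing hook names and tagging hook-originated system events as untrusted, together with the inventory check behind step 4 of "What should I do?":

```javascript
// Added example for this page, not openclaw's code: a minimal model of agent
// hook dispatch. Queue shape, field names and the skill inventory are assumed.

// Conservative hook-name charset; anything else is rejected before dispatch.
const HOOK_NAME_RE = /^[a-z][a-z0-9_.-]{0,63}$/i;

function sanitizeHookName(name) {
  if (typeof name !== "string" || !HOOK_NAME_RE.test(name)) {
    throw new Error("rejected hook name");
  }
  return name;
}

// Pre-fix shape, as the advisory describes it: hook metadata is copied
// straight into a system event, so it sits in the queue at system trust.
function enqueueHookEventVulnerable(queue, hook) {
  queue.push({ kind: "system", trust: "system", origin: "hook",
               name: hook.name, text: hook.text });
  return queue;
}

// Post-fix shape: the name is sanitized and the event is tagged untrusted,
// so tool-invocation logic applies the same safeguards as for user input.
function enqueueHookEventHardened(queue, hook) {
  queue.push({ kind: "system", trust: "untrusted", origin: "hook",
               name: sanitizeHookName(hook.name), text: String(hook.text ?? "") });
  return queue;
}

// Monitoring check (step 4): hook-originated events whose name is not in the
// deployment's declared skill inventory, or that carry system trust.
function findAnomalousHookEvents(events, inventory) {
  const known = new Set(inventory);
  return events.filter(e => e.origin === "hook" &&
    (e.trust === "system" || !known.has(e.name)));
}
```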

Exploitation Scenario

An adversary publishes a malicious openclaw skill — consistent with the abuse pattern documented in AIID #1368 — that, once installed by the victim, supplies crafted hook names and metadata during normal agent operation. Before the fix, this hook metadata bypassed sanitization and was enqueued as a trusted system event. The agent processes the adversary's instructions with system-level trust, potentially triggering tool calls to exfiltrate credentials, read sensitive files, or pivot to connected services, all without triggering the lower-trust safeguards that would block the same instructions if submitted through an untrusted channel.

Weaknesses (CWE)

CWE-269 — Improper Privilege Management: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
