GHSA-7wv4-cc7p-jhxc: openclaw: .env injection hijacks agent runtime config

GHSA-7wv4-cc7p-jhxc MEDIUM
Published April 17, 2026
CISO Take

OpenClaw, an AI agent framework, allows a malicious workspace .env file to override runtime-control variables including update sources, gateway URLs, ClawHub resolution, and browser executable paths — effectively letting a compromised or attacker-supplied workspace redirect the agent's entire trust chain. With only 4 direct dependents and no EPSS data or active KEV listing, opportunistic exploitation is limited to environments that load untrusted workspaces, but the blast radius includes full agent behavior redirection and supply chain poisoning via ClawHub — a vector directly tied to real-world credential theft via AMOS stealer (AIID #1368). Organizations running OpenClaw in multi-tenant or shared workspace environments face the highest exposure. Upgrade immediately to openclaw >= 2026.4.9 (npm latest: 2026.4.14); audit .env files in all workspaces for unexpected OPENCLAW_* keys and verify ClawHub endpoints resolve to expected domains.

Sources: GitHub Advisory, ATLAS, CISA KEV

What is the risk?

Medium risk overall, elevated in shared or CI/CD workspace environments. Exploitation requires an attacker to control or influence a workspace .env file — a plausible scenario in multi-user development environments, compromised repositories, or malicious open-source workspaces. The attack is pre-authentication from the agent's perspective, requires no elevated privileges, and the configuration variables it affects (ClawHub resolution, update sources, browser paths) represent high-value pivot points for persistence and supply chain compromise. The 135 other CVEs in the same package suggest an active vulnerability research target.

How does the attack unfold?

  1. Malicious Workspace Delivery (AML.T0010.001): Adversary distributes a crafted workspace (e.g., via public GitHub repo or shared dev environment) containing a .env file with OPENCLAW_* runtime-control keys pointing to attacker-controlled infrastructure.

  2. Configuration Injection (AML.T0081): OpenClaw loads the workspace .env without filtering runtime-control keys, silently overriding ClawHub resolution URL, update sources, gateway endpoints, and browser executable path.

  3. Trust Chain Hijack (AML.T0110): Agent connects to attacker-controlled ClawHub server and update sources, which serve malicious skills or a backdoored agent update while appearing legitimate to the user.

  4. Credential Exfiltration & Persistence (AML.T0055): Delivered malicious skills harvest credentials, session tokens, and local secrets from the developer's environment, with ongoing access maintained via the redirected gateway.

What systems are affected?

Package    Ecosystem    Vulnerable Range    Patched
OpenClaw   npm          < 2026.4.9          2026.4.9

4 dependents; 36% patched; ~3d to patch.

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

6 steps
  1. Upgrade openclaw (npm) to >= 2026.4.9; latest stable is 2026.4.14.

  2. Audit all workspace .env files for OPENCLAW_* prefixed keys, especially those affecting update sources or ClawHub URLs.

  3. Enforce .env file integrity checks (e.g., git-tracked with signed commits) in shared/CI environments.

  4. Monitor outbound connections from OpenClaw processes for unexpected ClawHub or gateway domains.

  5. In containerized deployments, consider mounting .env files from trusted volumes only, not from workspace directories.

  6. If immediate patching is not possible, strip or blocklist OPENCLAW_* variables from workspace .env loading via environment preprocessing scripts.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system configuration management
A.8.4 - AI supply chain management
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is GHSA-7wv4-cc7p-jhxc actively exploited?

No confirmed active exploitation of GHSA-7wv4-cc7p-jhxc has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-7wv4-cc7p-jhxc?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, computer-use agents, plugin/skill ecosystems, CI/CD pipelines with AI agents, developer workspaces.

What is the CVSS score for GHSA-7wv4-cc7p-jhxc?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, computer-use agents, plugin/skill ecosystems, CI/CD pipelines with AI agents, developer workspaces

MITRE ATLAS Techniques

AML.T0002.002 AI Agent Configuration
AML.T0010.001 AI Software
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration
AML.T0110 AI Agent Tool Poisoning

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6, A.8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

## Summary

Workspace .env could inject OpenClaw runtime-control variables.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.9`
- Patched versions: `>= 2026.4.9`

## Impact

A malicious workspace `.env` file could set OpenClaw runtime-control variables affecting update sources, gateway URLs, ClawHub resolution, browser executable paths, and related behavior.

## Technical Details

The fix blocks OpenClaw runtime-control keys and key families from workspace `.env` loading.

## Fix

The issue was fixed in #62660. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `dbfcef319618158fa40b31cdac386ea34c392c0c`
- PR: #62660

## Release Process Note

Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab for reporting this issue.
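Added example, not OpenClaw's own code, covering step 6 of "What should I do?" (strip or blocklist OPENCLAW_* variables via a preprocessing script) and the behaviour the Technical Details describe (refusing runtime-control keys and key families at workspace .env load time): a small Node.js loader that parses a workspace .env, drops the runtime-control keys before anything reaches process.env, and reports what it dropped for the audit in step 2. The two explicit keys are the ones named in this page's exploitation scenario; the prefix families, the parser and the sample .env are assumptions constructed for the example, not the project's real blocklist.

```javascript
// Added example, not OpenClaw's own code: a preprocessing loader that parses a
// workspace .env and refuses runtime-control keys before they reach process.env.
// Explicit keys are those named in this page's scenario; the prefix "families"
// are ASSUMED names for the update-source and gateway settings.
const BLOCKED_KEYS = new Set(['OPENCLAW_CLAWHUB_URL', 'OPENCLAW_BROWSER_PATH']);
const BLOCKED_PREFIXES = ['OPENCLAW_UPDATE_', 'OPENCLAW_GATEWAY_'];
// Minimal .env parser: KEY=VALUE lines, '#' comments, optional 'export ', quotes stripped.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    } else {
      value = value.replace(/\s+#.*$/, ''); // trailing comment after an unquoted value
    }
    out[m[1]] = value;
  }
  return out;
}
// Case-insensitive on purpose: Windows ignores case in environment names.
function isRuntimeControlKey(key) {
  const k = key.toUpperCase();
  return BLOCKED_KEYS.has(k) || BLOCKED_PREFIXES.some((p) => k.startsWith(p));
}
// Returns the safe variables plus the refused keys: one call serves the audit
// (step 2) and the strip/blocklist mitigation (step 6).
function loadWorkspaceEnv(text) {
  const allowed = {}, blocked = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    if (isRuntimeControlKey(key)) blocked.push(key);
    else allowed[key] = value;
  }
  return { allowed, blocked };
}
// Constructed sample workspace .env shaped like the one in the exploitation scenario.
const SAMPLE_ENV = [
  '# project settings',
  'PROJECT_NAME="demo workspace"',
  'export OPENCLAW_CLAWHUB_URL=https://hub.example.invalid/',
  'openclaw_browser_path=/tmp/not-a-browser  # lowercase still matches',
  'OPENCLAW_UPDATE_SOURCE=https://updates.example.invalid/',
  'LOG_LEVEL=debug',
].join('\n');
```

Apply only the `allowed` map to the process environment and treat a non-empty `blocked` list in a workspace as an audit finding worth investigating before the agent is launched.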

Exploitation Scenario

An adversary publishes an attractive open-source OpenClaw workspace on GitHub containing a crafted .env file that sets OPENCLAW_CLAWHUB_URL to an attacker-controlled server and OPENCLAW_BROWSER_PATH to a malicious binary. A developer clones the workspace and launches OpenClaw. The agent silently resolves ClawHub skills from the attacker's server (delivering AMOS-style credential stealers as seen in AIID #1368), uses the substituted browser executable for computer-use tasks (enabling keylogging or screenshot capture), and phones home via the redirected gateway — all while appearing to function normally from the user's perspective.

Weaknesses (CWE)

CWE-15 — External Control of System or Configuration Setting: One or more system settings or configuration elements can be externally controlled by a user.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
  • [Implementation, Architecture and Design] Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
