GHSA-939r-rj45-g2rj: openclaw: untrusted plugin auto-enabled during onboarding

GHSA-939r-rj45-g2rj HIGH
Published April 17, 2026
CISO Take

OpenClaw's non-interactive onboarding silently activates untrusted workspace plugins when their provider auth choices shadow legitimate built-in ones — giving malicious plugin authors persistent execution inside AI agent sessions without any user consent or confirmation. This mechanism is especially alarming in light of AIID #1368, which documented active abuse of OpenClaw's plugin ecosystem in February 2026 where roughly 17% of sampled skills were assessed as malicious and delivered AMOS credential stealers, demonstrating that threat actors are already weaponizing this trust boundary. While only 4 direct npm dependents are reported, openclaw carries 135 historical CVEs and operates in a threat landscape where adversarial plugin publication is a proven, in-use attack pattern against this specific package. Organizations running automated or containerized agent provisioning must upgrade to openclaw >= 2026.4.9 immediately and audit all workspace plugin configurations for untrusted origins.

Sources: GitHub Advisory, ATLAS

What is the risk?

High risk for AI agent deployments using openclaw in automated or non-interactive onboarding flows. The vulnerability enables silent privilege escalation through plugin trust boundaries without user interaction, compounded by documented active exploitation of OpenClaw's plugin ecosystem (AIID #1368). The low reported npm dependent count is offset by the package's high historical vulnerability density (135 CVEs), the ease of crafting a shadowing plugin, and evidence of an active threat actor community publishing malicious OpenClaw plugins. Exploitation requires no special privileges — only the ability to publish a workspace plugin with a shadowing auth choice identifier.

How does the attack unfold?

  1. Malicious Plugin Publication (AML.T0104): Adversary publishes a workspace plugin to a reachable registry, registering a provider auth choice identifier that shadows the identifier of a trusted built-in OpenClaw provider.

  2. Auto-Enablement via Non-Interactive Onboarding (AML.T0010.005): A CI/CD pipeline, container startup, or automated provisioning flow triggers non-interactive onboarding; openclaw resolves the shadowed auth choice and auto-enables the attacker's plugin without user confirmation.

  3. Persistence Established (AML.T0110): The now-active malicious plugin persists across agent sessions, positioning itself to intercept all subsequent tool invocations and agent operations in that workspace.

  4. Credential Exfiltration and Impact (AML.T0083): Plugin harvests credentials, API keys, and session tokens accessible to the agent environment and exfiltrates them to attacker-controlled infrastructure, replicating the AMOS stealer pattern from AIID #1368.

What systems are affected?

Package    Ecosystem    Vulnerable Range    Patched
OpenClaw   npm          < 2026.4.9          2026.4.9

4 dependents; 36% patched; ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Upgrade openclaw to >= 2026.4.9 (first patched stable tag) or >= 2026.4.14 (latest npm release containing the fix).

  2. Audit all existing workspace configurations: enumerate enabled plugins and verify each has a trusted provider origin before and after patching.

  3. For unpatched environments, disable non-interactive onboarding and require explicit user confirmation for all plugin enablement steps.

  4. Implement an allowlist of approved workspace plugin origins via organizational policy; reject plugins from unknown or unverified registries.

  5. Review audit and provisioning logs for unexpected plugin activation events, especially for non-interactive sessions occurring after January 2026.

  6. Treat any workspace with an active unknown plugin as potentially compromised and rotate credentials accessible from that agent environment.
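Steps 2, 4 and 5 above amount to two mechanical checks: compare every enabled plugin's origin against an organisational allowlist, and scan provisioning logs for plugin enablements that happened in non-interactive sessions from origins outside that allowlist. The following is an added example written for this page, not openclaw's own code or configuration: the workspace config shape, the log line format, the field names and every sample value are constructed assumptions, so adapt the parser to whatever your provisioning system actually emits.

```typescript
// Added example (not openclaw's code): audit pass over a workspace plugin
// configuration and a provisioning log, following remediation steps 2, 4 and 5.
// Config shape, log format, field names and sample values are assumptions.

interface PluginEntry {
  id: string;
  origin: string;   // registry or source the plugin was installed from (assumed field)
  enabled: boolean;
}

interface WorkspaceConfig {
  workspace: string;
  plugins: PluginEntry[];
}

// Organisational allowlist of approved plugin origins (constructed values).
const approvedOrigins: ReadonlySet<string> = new Set([
  "builtin",
  "https://registry.example.internal",
]);

// Steps 2 and 4: enabled plugins whose origin is not on the allowlist.
function findUntrustedEnabledPlugins(
  config: WorkspaceConfig,
  allowlist: ReadonlySet<string>,
): string[] {
  return config.plugins
    .filter((p) => p.enabled && !allowlist.has(p.origin))
    .map((p) => p.id);
}

// Step 5: plugin enablements recorded in non-interactive sessions, after a cutoff,
// from non-allowlisted origins. The log line format below is assumed.
interface ActivationEvent {
  ts: string;
  mode: string;
  plugin: string;
  origin: string;
}

const LOG_RE = /^(\S+) onboarding mode=(\S+) action=enable plugin=(\S+) origin=(\S+)$/;

function parseActivation(line: string): ActivationEvent | null {
  const m = LOG_RE.exec(line.trim());
  if (!m) return null; // not an enablement record
  return { ts: m[1], mode: m[2], plugin: m[3], origin: m[4] };
}

function findSuspiciousActivations(
  lines: string[],
  allowlist: ReadonlySet<string>,
  since: Date,
): ActivationEvent[] {
  const out: ActivationEvent[] = [];
  for (const line of lines) {
    const ev = parseActivation(line);
    if (!ev) continue;
    const when = new Date(ev.ts);
    if (Number.isNaN(when.getTime())) continue; // unparseable timestamp: skip, do not guess
    if (ev.mode !== "non-interactive") continue;
    if (when < since) continue;
    if (allowlist.has(ev.origin)) continue;
    out.push(ev);
  }
  return out;
}

// Constructed sample workspace: one enabled plugin comes from an unknown registry.
const sampleConfig: WorkspaceConfig = {
  workspace: "ci-agent-workspace",
  plugins: [
    { id: "openclaw-builtin-provider", origin: "builtin", enabled: true },
    { id: "team-lint-plugin", origin: "https://registry.example.internal", enabled: true },
    { id: "shadow-provider-plugin", origin: "https://registry.example.test", enabled: true },
    { id: "old-experiment", origin: "https://registry.example.test", enabled: false },
  ],
};

// Constructed sample provisioning log.
const sampleLog: string[] = [
  "2025-12-20T09:00:00Z onboarding mode=interactive action=enable plugin=team-lint-plugin origin=https://registry.example.internal",
  "2026-02-03T10:15:00Z onboarding mode=non-interactive action=enable plugin=shadow-provider-plugin origin=https://registry.example.test",
  "2026-02-03T10:15:01Z onboarding mode=non-interactive action=enable plugin=openclaw-builtin-provider origin=builtin",
  "2026-02-04T11:00:00Z agent start workspace=ci-agent-workspace",
];

// "After January 2026" in step 5 is taken as a cutoff of 2026-02-01.
const auditCutoff = new Date("2026-02-01T00:00:00Z");

console.log("untrusted enabled plugins:", findUntrustedEnabledPlugins(sampleConfig, approvedOrigins));
console.log("suspicious activations:", findSuspiciousActivations(sampleLog, approvedOrigins, auditCutoff));
```

Any plugin reported by either check is a candidate for step 6: treat the workspace as potentially compromised and rotate the credentials that agent environment could reach. Run the config check both before and after patching, as step 2 says, because upgrading does not disable a plugin that was already enabled.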

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2.6 - AI system supply chain management
NIST AI RMF: GOVERN 6.2 - Policies and procedures are in place for third-party entities
OWASP LLM Top 10: LLM07:2023 - Insecure Plugin Design

Frequently Asked Questions

What is GHSA-939r-rj45-g2rj?

OpenClaw's non-interactive onboarding silently activates untrusted workspace plugins when their provider auth choices shadow legitimate built-in ones — giving malicious plugin authors persistent execution inside AI agent sessions without any user consent or confirmation. This mechanism is especially alarming in light of AIID #1368, which documented active abuse of OpenClaw's plugin ecosystem in February 2026 where roughly 17% of sampled skills were assessed as malicious and delivered AMOS credential stealers, demonstrating that threat actors are already weaponizing this trust boundary. While only 4 direct npm dependents are reported, openclaw carries 135 historical CVEs and operates in a threat landscape where adversarial plugin publication is a proven, in-use attack pattern against this specific package. Organizations running automated or containerized agent provisioning must upgrade to openclaw >= 2026.4.9 immediately and audit all workspace plugin configurations for untrusted origins.

Is GHSA-939r-rj45-g2rj actively exploited?

No confirmed active exploitation of GHSA-939r-rj45-g2rj has been reported, but organizations should still patch proactively.

How to fix GHSA-939r-rj45-g2rj?

  1. Upgrade openclaw to >= 2026.4.9 (first patched stable tag) or >= 2026.4.14 (latest npm release containing the fix).

  2. Audit all existing workspace configurations: enumerate enabled plugins and verify each has a trusted provider origin before and after patching.

  3. For unpatched environments, disable non-interactive onboarding and require explicit user confirmation for all plugin enablement steps.

  4. Implement an allowlist of approved workspace plugin origins via organizational policy; reject plugins from unknown or unverified registries.

  5. Review audit and provisioning logs for unexpected plugin activation events, especially for non-interactive sessions occurring after January 2026.

  6. Treat any workspace with an active unknown plugin as potentially compromised and rotate credentials accessible from that agent environment.

What systems are affected by GHSA-939r-rj45-g2rj?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, CI/CD-integrated agent pipelines, automated provisioning environments.

What is the CVSS score for GHSA-939r-rj45-g2rj?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, CI/CD-integrated agent pipelines, automated provisioning environments

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0081 Modify AI Agent Configuration
AML.T0104 Publish Poisoned AI Agent Tool
AML.T0110 AI Agent Tool Poisoning

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM07:2023

What are the technical details?

Original Advisory

## Summary

Workspace provider auth choices could auto-enable untrusted provider plugins.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.9`
- Patched versions: `>= 2026.4.9`

## Impact

Non-interactive onboarding could select a provider auth choice shadowed by an untrusted workspace plugin, auto-enabling that plugin during auth setup.

## Technical Details

The fix prefers trusted provider origins for auth choices and excludes untrusted workspace choices unless they are explicitly enabled.

## Fix

The issue was fixed in #62368. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `2d97eae53e212ae26f3aebcd6a50ffc6877f770d`
- PR: #62368

## Release Process Note

Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zpbrent for reporting this issue.
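The advisory's Technical Details describe the fix in one sentence: prefer trusted provider origins when resolving an auth choice, and consider untrusted workspace choices only when they are explicitly enabled. The following added example models that resolution logic as a vulnerable first-match lookup beside the hardened, origin-aware one; it is written for this page and is not openclaw's code. The `AuthChoice` shape, the `builtin`/`workspace` origin labels, the `explicitlyEnabled` flag, the function names and the sample registry entries are all assumptions chosen to illustrate the bug class, not the project's actual data model.

```typescript
// Added example (not openclaw's code): auth-choice resolution before and after
// the kind of fix the advisory describes. Types, names and sample values are assumed.

type Origin = "builtin" | "workspace";

interface AuthChoice {
  id: string;                  // provider auth choice identifier (assumed field)
  origin: Origin;              // who registered it: trusted built-in or workspace plugin
  pluginId: string;            // plugin that owns the choice
  explicitlyEnabled?: boolean; // user/admin opted in to this workspace plugin
}

type Resolver = (choices: AuthChoice[], wanted: string) => AuthChoice | undefined;

// Vulnerable pattern: first registered choice with a matching id wins, so a
// workspace plugin that registered the same id earlier shadows the built-in one.
const resolveAuthChoiceVulnerable: Resolver = (choices, wanted) =>
  choices.find((c) => c.id === wanted);

// Hardened pattern (mirrors the described fix): prefer a trusted origin for the
// id; fall back to a workspace choice only if it was explicitly enabled.
const resolveAuthChoiceHardened: Resolver = (choices, wanted) => {
  const matching = choices.filter((c) => c.id === wanted);
  const trusted = matching.find((c) => c.origin === "builtin");
  if (trusted) return trusted;
  return matching.find((c) => c.origin === "workspace" && c.explicitlyEnabled === true);
};

// Non-interactive onboarding: nobody is prompted, so whichever plugin owns the
// resolved choice gets enabled. Returns the list of plugin ids enabled.
function onboardNonInteractive(
  choices: AuthChoice[],
  wanted: string,
  resolver: Resolver,
): string[] {
  const enabled: string[] = [];
  const choice = resolver(choices, wanted);
  if (choice) enabled.push(choice.pluginId);
  // With the hardened resolver an unresolved choice enables nothing; a real
  // onboarding flow would stop and require an explicit decision here.
  return enabled;
}

// Constructed registry state: a workspace plugin registered a choice whose id
// shadows the built-in provider's, and it sorts ahead of the trusted entry.
const constructedChoices: AuthChoice[] = [
  { id: "example-provider-key", origin: "workspace", pluginId: "workspace-plugin-untrusted" },
  { id: "example-provider-key", origin: "builtin", pluginId: "openclaw-builtin-provider" },
];

function compareResolvers(): { vulnerable: string[]; hardened: string[] } {
  return {
    vulnerable: onboardNonInteractive(constructedChoices, "example-provider-key", resolveAuthChoiceVulnerable),
    hardened: onboardNonInteractive(constructedChoices, "example-provider-key", resolveAuthChoiceHardened),
  };
}

console.log(compareResolvers());
```

The point the example makes is that the shadowing only matters because no origin check sits between "a choice with this id exists" and "enable the plugin that owns it". The hardened resolver still allows workspace plugins to provide auth choices, but only when there is no trusted entry for the id and the plugin was turned on deliberately, which is exactly the distinction the advisory's fix draws.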

Exploitation Scenario

An adversary publishes a malicious npm workspace plugin to a public or internal registry, registering a provider auth choice identifier that shadows openclaw's trusted built-in provider entry. An organization running automated agent provisioning — for example, a DevSecOps pipeline spinning up ephemeral AI coding agents in CI/CD — triggers non-interactive onboarding. openclaw's auth choice resolution picks the attacker's plugin entry before the trusted one, auto-enabling the malicious plugin with no user prompt. The plugin is now live within the agent session and can intercept tool calls, exfiltrate credentials or session tokens via established C2 infrastructure, and maintain persistence across subsequent agent restarts — directly replicating the AMOS stealer delivery pattern documented in AIID #1368.

Weaknesses (CWE)

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
