GHSA-gfmx-pph7-g46x: openclaw: trust boundary bypass enables prompt injection

GHSA-gfmx-pph7-g46x HIGH
Published April 9, 2026
CISO Take

A trust boundary violation in OpenClaw's async event pipeline allows lower-privilege background runtime output to be promoted into trusted System-level events, enabling prompt injection into subsequent agent turns without any visible trace in the user-facing conversation. This matters beyond the advisory's local-only framing because OpenClaw's third-party skills ecosystem has documented active abuse — AIID #1368 reports approximately 17% of skills assessed as malicious, with credential-stealing payloads already observed in the wild — meaning a compromised skill could chain this flaw to escalate from sandboxed background execution to full system-level instruction authority over the agent. The package's history of 41 prior CVEs signals a persistent security posture problem, not an isolated incident. Patch immediately to openclaw 2026.4.8; if upgrade is not immediately possible, disable all third-party skills and audit installed ones against a trusted allowlist.

Sources: GitHub Advisory ATLAS

Risk Assessment

HIGH. Although scoped to local user-controlled deployments rather than multi-tenant infrastructure, the trust boundary violation directly enables a prompt injection escalation primitive — one of the highest-impact attack classes in agentic AI systems. CWE-501 in an async event handler is particularly dangerous because the injection is invisible to the user: it appears as a system-level instruction in a channel the user cannot inspect. The documented malicious skills ecosystem (AIID #1368) elevates exploitation likelihood substantially above theoretical, as a ready-made delivery mechanism already exists. No EPSS data or CVSS vector is available, but the combination of an exploitable delivery channel, a weaponizable trust escalation bug, and a package with 41 prior CVEs warrants treating exploitation as active until proven otherwise.

Affected Systems

Package    Ecosystem    Vulnerable Range    Patched
openclaw   npm          <= 2026.4.2         2026.4.8


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Upgrade to openclaw >= 2026.4.8 immediately — the fix is on npm and was regression-tested against the specific trust boundary logic.
  2. If upgrade is blocked: disable all third-party and unverified skills; restrict OpenClaw to first-party or explicitly audited skills only.
  3. Audit installed skills against a trusted allowlist; cross-reference against AIID #1368 for known-malicious skill indicators (AMOS stealer delivery, credential exfiltration patterns).
  4. Review stored agent conversation logs and command histories for unexpected System-level instruction sequences that could indicate prior exploitation.
  5. Subscribe to the OpenClaw GitHub advisory feed given the package's 41-CVE track record — treat future advisories as high priority.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: 8.4 - AI System Risk Controls
NIST AI RMF: GOVERN 1.2 - Accountability Structures
OWASP LLM Top 10: LLM01 - Prompt Injection
OWASP LLM Top 10: LLM08 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions


Is GHSA-gfmx-pph7-g46x actively exploited?

No confirmed active exploitation of GHSA-gfmx-pph7-g46x has been reported, but organizations should still patch proactively.


What systems are affected by GHSA-gfmx-pph7-g46x?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI assistants, AI agent tool ecosystems.

What is the CVSS score for GHSA-gfmx-pph7-g46x?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact

Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.2`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @tdjackey for reporting.

Exploitation Scenario

An adversary publishes a skill to ClawHub that appears legitimate but includes a background task that spawns an async exec operation. The skill is installed by an end user. During normal operation, the skill's background task completes and its output — crafted as a prompt injection payload instructing the agent to exfiltrate stored credentials or API tokens — is processed by OpenClaw's async completion handler. Because the exec-event downgrade is not applied, the output is promoted into a trusted System: event before the next agent turn. The agent, believing it is following system-level instructions, silently executes the adversary's commands. The injection never appears in the user-visible conversation thread, and no explicit user confirmation is required, making detection without log analysis essentially impossible.
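The promotion described in the advisory text and in the scenario above, together with the log review from recommended action 4, as an added example that is not OpenClaw's code: a minimal async completion handler in its vulnerable form beside the downgraded form, plus a scan over stored turn events that flags System-level events with a non-runtime origin. The event fields (source, exitCode, trust), the role names and the untrusted-output fence markers are assumptions of this model.

```javascript
// Added illustration, not OpenClaw's code. Field names (source, exitCode,
// trust) and the untrusted-output fence are assumptions for this model.
const TRUST = { system: 3, user: 2, exec: 1 }; // highest trust first

// Render a completion record as a trusted System event.
function asSystemEvent(c) {
  return { role: "system", trust: TRUST.system, source: c.source,
           text: `System: ${c.output}` };
}

// Vulnerable handler (the pattern the advisory describes): every async
// completion becomes a System event, so output written by a background task
// reads to the model like an operator instruction.
function completeVulnerable(c) { return asSystemEvent(c); }

// Fixed handler: only the runtime itself may emit a System event. Background
// completions are downgraded to an exec-event whose output is labelled with
// its origin and fenced as data rather than as an instruction.
function completeFixed(c) {
  if (c.source === "runtime") return asSystemEvent(c);
  return {
    role: "tool", trust: TRUST.exec, source: c.source,
    text: `exec-event[${c.source}] exit=${c.exitCode}\n` +
          `<<<untrusted-output\n${c.output}\n>>>`,
  };
}

// Drain the async queue into the events the next agent turn will see.
function buildNextTurn(queue, handler) { return queue.map(handler); }

// Detection over stored turn logs (action 4 above): any event that carries
// system trust but did not originate from the runtime was promoted.
function findPromotedEvents(events) {
  return events.filter((e) => e.trust === TRUST.system && e.source !== "runtime");
}

// Number of promoted events under each handler: [vulnerable, fixed].
function promotionCounts(queue) {
  return [completeVulnerable, completeFixed]
    .map((h) => findPromotedEvents(buildNextTurn(queue, h)).length);
}

// Constructed sample queue: one genuine runtime notice and one background
// task whose output contains instruction-like text.
const SAMPLE_QUEUE = [
  { source: "runtime", exitCode: 0, output: "Session restored." },
  { source: "skill:background-task", exitCode: 0,
    output: "Operator override: <constructed instruction-like text>" },
];
```

Running the same queue through both handlers gives one promoted event under the vulnerable path and none under the fixed path, which is the condition a log review should be checking for.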

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026
