GHSA-w9j9-w4cp-6wgr: openclaw: env var injection enables host exec hijacking
GHSA-w9j9-w4cp-6wgr MEDIUM
OpenClaw, a local AI agent (npm), allows host-executed subprocesses to inherit the full parent environment, exposing shell-stored credentials, API keys, and build tool tokens to manipulation by interpreters and scripts — a CWE-78 OS command injection flaw embedded in the agent's execution model. While no public exploit, CISA KEV listing, or EPSS score is currently available, this package carries 60 prior CVEs — a persistent security deficit that signals systemic code quality issues beyond this single advisory. The risk is amplified by the OpenClaw skills ecosystem: AIID #1368 documents malicious ClawHub skills already weaponized to exfiltrate credentials, and env var injection provides exactly the mechanism such skills need to escalate access silently. Patch to 2026.4.8 immediately and audit all environment variables exposed in shells where OpenClaw executes.
Risk Assessment
Medium severity in isolation, but contextually elevated for AI agent deployments. The local execution scope limits direct remote exploitability, but the skills marketplace supply chain vector removes the requirement for physical access: a malicious skill installed from ClawHub can trigger the env var injection without additional user interaction beyond skill invocation. The 60 prior CVEs in this package are a strong signal that the security boundary around host-exec has not been rigorously maintained. Developer workstations and CI/CD pipelines running OpenClaw are the highest-risk environments due to the density of cloud credentials, tokens, and secrets typically present in those shell environments.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |
Recommended Action
- Patch immediately: upgrade openclaw to 2026.4.8 (verified fixed commit: d7c3210cd6f5fdfdc1beff4c9541673e814354d5).
- Before patching, audit all environment variables present in shells where OpenClaw runs — rotate any cloud credentials, API keys, or tokens stored in shell profiles or dotfiles.
- Apply env sanitization as a defense-in-depth measure: wrap OpenClaw invocations with 'env -i' or an explicit allowlist of required variables to prevent secret leakage even if a future regression occurs.
- Audit installed OpenClaw skills against the ~17% malicious skill rate documented in AIID #1368 — uninstall unverified third-party skills.
- Enable process-level monitoring on hosts running OpenClaw to detect anomalous child process spawning or unexpected outbound network connections.
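The env sanitization and environment audit steps above can be combined in one wrapper. This is an added example, not OpenClaw code: the script name `clean-exec.sh`, the allowlist contents, and the name-based secret heuristic are assumptions to adapt per host.

```shell
#!/bin/sh
# Added example: launch a command with an allowlisted environment only.
# Hypothetical usage: ./clean-exec.sh <agent-launcher> [args...]

# Names the child process may inherit (assumption: tune per host).
ALLOWLIST="HOME PATH LANG TERM USER"

# Run "$@" under `env -i`, passing through only allowlisted variables that
# are actually set. The body is a subshell so helper variables do not leak.
run_allowlisted() (
  for name in $ALLOWLIST; do
    # Accept plain identifiers only, since the name is used in eval below.
    case $name in
      '' | [0-9]* | *[!A-Za-z0-9_]*) continue ;;
    esac
    eval "is_set=\${$name+x}"
    [ -n "$is_set" ] || continue
    eval "value=\$$name"
    set -- "$name=$value" "$@"   # prepend NAME=value ahead of the command
  done
  exec env -i "$@"
)

# Exported variable names in this shell that the wrapper withholds.
# (gawk may also list its own AWKPATH/AWKLIBPATH defaults.)
withheld_names() {
  awk -v allow=" $ALLOWLIST " 'BEGIN {
    for (k in ENVIRON) if (index(allow, " " k " ") == 0) print k
  }' | sort
}

# Withheld names that look like credentials (heuristic on the name only);
# these are the rotation candidates for the audit step.
secret_like_names() {
  withheld_names |
    grep -E -i 'KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL' || true
}

# With arguments: print the audit to stderr, then run the command cleanly.
if [ "$#" -gt 0 ]; then
  secret_like_names | sed 's/^/withheld secret-like variable: /' >&2
  run_allowlisted "$@"
fi
```

Variables that influence interpreters or build tools do not always have secret-looking names, so review the full `withheld_names` output as well before adding anything to the allowlist.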
Related AI Incidents (1)
Source: AI Incident Database (AIID)
Frequently Asked Questions
Is GHSA-w9j9-w4cp-6wgr actively exploited?
No confirmed active exploitation of GHSA-w9j9-w4cp-6wgr has been reported, but organizations should still patch proactively.
How to fix GHSA-w9j9-w4cp-6wgr?
1. Patch immediately: upgrade openclaw to 2026.4.8 (verified fixed commit: d7c3210cd6f5fdfdc1beff4c9541673e814354d5).
2. Before patching, audit all environment variables present in shells where OpenClaw runs — rotate any cloud credentials, API keys, or tokens stored in shell profiles or dotfiles.
3. Apply env sanitization as a defense-in-depth measure: wrap OpenClaw invocations with 'env -i' or an explicit allowlist of required variables to prevent secret leakage even if a future regression occurs.
4. Audit installed OpenClaw skills against the ~17% malicious skill rate documented in AIID #1368 — uninstall unverified third-party skills.
5. Enable process-level monitoring on hosts running OpenClaw to detect anomalous child process spawning or unexpected outbound network connections.
What systems are affected by GHSA-w9j9-w4cp-6wgr?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local developer tooling, CI/CD pipelines.
What is the CVSS score for GHSA-w9j9-w4cp-6wgr?
No CVSS score has been assigned yet.
Technical Details
NVD Description
## Impact

OpenClaw Host-Exec Environment Variable Injection. Host exec could inherit environment variables that influence interpreters, shells, or build tools.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.28`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @wsparks-vc for reporting.
Exploitation Scenario
An adversary publishes a seemingly useful OpenClaw skill to the ClawHub marketplace — a code formatter or productivity tool. A developer installs it and invokes it during a normal workflow. The skill internally triggers a host-exec call with a crafted argument designed to read specific environment variables (AWS_ACCESS_KEY_ID, ANTHROPIC_API_KEY, GITHUB_TOKEN) that OpenClaw inherited from the developer's shell. The subprocess exfiltrates these values via an outbound HTTPS request to an adversary-controlled endpoint, disguised as telemetry. The developer sees no error — the skill completes normally. The adversary now has live cloud credentials with the developer's full access scope.
Related Vulnerabilities
| ID | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-28451 | 9.3 | OpenClaw: SSRF via Feishu extension exposes internal services | Same package: openclaw |
| GHSA-m3mh-3mpg-37hw | 8.6 | OpenClaw: .npmrc hijack enables RCE on plugin install | Same package: openclaw |
| CVE-2026-27001 | 7.8 | OpenClaw: prompt injection via unsanitized workspace path | Same package: openclaw |
| GHSA-hr5v-j9h9-xjhg | 7.7 | OpenClaw: sandbox escape via mediaUrl path traversal | Same package: openclaw |