Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-qh2f-99mv-mrcf | OpenClaw: exec denylist bypass in bundled MCP loopback | openclaw | - |
| HIGH | GHSA-xww8-gqvh-92x9 | OpenClaw: truncated approval UI masks exec payload | openclaw | 8.0 |
| HIGH | GHSA-p73f-w79w-jqr5 | OpenClaw: owner-command auth bypass via native cmds | openclaw | - |
| HIGH | GHSA-j472-gf56-x589 | OpenClaw: PowerShell alias bypasses exec allowlist | openclaw | - |
| HIGH | GHSA-77q5-rr5v-x43q | OpenClaw: retry hostname check leaks auth material | openclaw | - |
| HIGH | GHSA-w5ww-7chg-mxcq | OpenClaw: Telegram callback bypasses sender allowlist | openclaw | - |
| MEDIUM | GHSA-4m3v-q747-pc6h | OpenClaw: slash token revocation lag allows reuse | openclaw | - |
| MEDIUM | GHSA-275c-xpvc-jgfw | OpenClaw: Slack/Zalo webhook secrets outlive rotation | openclaw | - |
| LOW | GHSA-3wqp-prf6-2m72 | OpenClaw: Feishu agent-binding auth bypass | openclaw | 3.1 |
| MEDIUM | GHSA-77pv-3w4q-vrj5 | OpenClaw: QQBot slash commands bypass allowFrom auth | openclaw | - |
| HIGH | GHSA-xr4f-mjxj-w6w5 | OpenClaw: chat auth bypass enables device pairing hijack | openclaw | 8.3 |
| MEDIUM | GHSA-hcm3-8f6r-6xwg | OpenClaw: missing authz reuses blocked SSRF tabs | openclaw | 6.5 |
| CRITICAL | GHSA-w4v6-g3wm-w36c | OpenClaw: QQBot admin auth bypass skips access checks | openclaw | - |
| MEDIUM | GHSA-gp79-m99v-gjmh | OpenClaw: fail-open bypasses Mattermost DM channel policy | openclaw | - |
| HIGH | GHSA-c29c-2q9c-pc86 | OpenClaw: Slack allowFrom bypass via display-name spoof | openclaw | - |
| MEDIUM | GHSA-cqwv-9qjx-vxw2 | OpenClaw: agent tool call bypasses skill approval gate | openclaw | 5.3 |
| HIGH | GHSA-jvm4-4j77-39p6 | OpenClaw: QQBot command bypasses config allowlist | openclaw | - |
| HIGH | GHSA-83w9-h5wv-j9xm | OpenClaw: TOCTOU race bypasses node approval scope | openclaw | - |
| MEDIUM | GHSA-wv26-j37q-2g7p | OpenClaw: exec approver can bypass plugin approval gate | openclaw | - |
| MEDIUM | GHSA-p2fh-f5fc-44hr | OpenClaw: memory-wiki ingest reads arbitrary local files | openclaw | 6.5 |