GHSA-2FGQ-7J6H-9RM4: Remote Code Execution via Environment Injection in OpenClaw

OpenClaw is a personal AI agent designed to execute tasks on a local machine, relying on a system.run capability to invoke shell commands. While the application implements an allowlist to restrict which commands the agent can execute, it historically allowed the agent (and by extension, the Large Language Model or a prompt injector) to specify environment variables for these subprocesses.

The vulnerability lies in the lack of filtering for dangerous environment variables that influence the behavior of the Unix shell itself. Specifically, the Bash shell respects environment variables that configure debugging and prompt expansion. By manipulating these variables, an attacker can turn a harmless command execution into a vehicle for arbitrary code execution. This flaw is a variant of environment injection, leveraging specific "Bash-isms" to achieve execution flow hijacking.

The root cause is the unchecked propagation of environment variables to the bash process combined with Bash's handling of the SHELLOPTS and PS4 variables. This is a known attack vector against scripts or applications that pass user-controlled environments to bash.

1. SHELLOPTS: This variable allows the caller to enable shell options via the environment. Setting SHELLOPTS=xtrace is equivalent to running set -x or bash -x. It forces Bash to print each command to stderr before executing it.
2. PS4: This variable defines the prompt printed before each line when xtrace is active. Crucially, Bash performs variable and command substitution on the value of PS4 every time it prints a trace line.

When system.run spawns a shell with these variables injected, Bash initializes, sees xtrace is on, and immediately attempts to print the trace for the command being run. To do so, it evaluates PS4. If PS4 contains a command substitution like $(malicious_cmd), Bash executes malicious_cmd immediately. This execution happens implicitly during the shell's startup logic, completely bypassing the OpenClaw command allowlist.

The vulnerability existed in both the Node.js host (src/node-host/invoke-system-run.ts) and the macOS companion app (HostEnvSanitizer.swift). Prior to the fix, the application passed the env object from the request directly to the child process with insufficient filtering.

The fix, applied in commit e80c803fa887f9699ad87a9e906ab5c1ff85bd9a, implements a multi-layered defense strategy. It introduces a HostEnvSanitizer that explicitly blocks dangerous keys and enforces a strict allowlist for shell wrappers.

Key Changes in the Patch:

1. Blocklist Implementation: The sanitizer now explicitly rejects SHELLOPTS and PS4 (along with other potentially dangerous variables like BASH_ENV) if they appear in the request environment.
2. Shell Wrapper Detection: The system detects if the command being executed is a shell wrapper (e.g., bash, sh, zsh).
3. Strict Allowlist: If a shell wrapper is detected, the environment is stripped of all variables except for a safe allowlist (TERM, LANG, LC_ALL, LC_CTYPE, LC_MESSAGES, COLORTERM, NO_COLOR, FORCE_COLOR).

// Conceptual representation of the fix logic
const DANGEROUS_KEYS = ['SHELLOPTS', 'PS4', 'BASH_ENV', 'PERL5OPT'];
 
function sanitizeEnv(inputEnv) {
  // 1. Block dangerous keys globally
  for (const key of DANGEROUS_KEYS) {
    if (inputEnv[key]) throw new Error(`Blocked dangerous env key: ${key}`);
  }
 
  // 2. If running a shell, enforce strict allowlist
  if (isShellWrapper(command)) {
    return pick(inputEnv, SAFE_ALLOWLIST);
  }
  
  return inputEnv;
}

To exploit this vulnerability, an attacker must be able to influence the arguments passed to the system.run tool. This could be achieved through a malicious prompt (Prompt Injection) that tricks the AI agent into executing a specific tool call, or by directly interacting with the API if the attacker has network access.

Attack Scenario:

1. Injection: The attacker crafts a system.run request that includes specific environment variable overrides.
2. Payload Construction:
   • SHELLOPTS is set to xtrace.
   • PS4 is set to a command substitution string, such as $(cat /etc/passwd > /tmp/exfil).
3. Execution: The OpenClaw agent executes the allowed command (e.g., echo hello) using bash.
4. Trigger: Bash starts, sees xtrace, and expands PS4 to print the trace for echo hello. During this expansion, cat /etc/passwd is executed.

This technique is particularly dangerous because it does not require the primary command to be malicious. The allowed command echo is sufficient to trigger the vulnerability because the payload executes as a side effect of the shell's debugging features.

The impact of this vulnerability is Critical (CVSS 9.8). Successful exploitation results in Remote Code Execution (RCE) on the host machine running OpenClaw. The code executes with the same privileges as the OpenClaw process.

Consequences include:

• Total System Compromise: If OpenClaw is running as a user with sudo access or Administrator privileges, the attacker gains full control over the operating system.
• Data Exfiltration: Attackers can read sensitive files (SSH keys, credentials, personal documents) and exfiltrate them via network requests.
• Persistence: The attacker can install backdoors, reverse shells, or malware to maintain access even after the OpenClaw process is restarted.
• Lateral Movement: The compromised host can be used as a pivot point to attack other devices on the local network.