Mar 26, 2026
Inconsistent environment variable sanitization in OpenClaw's skill execution pipeline permits malicious overrides of variables like HOME and ZDOTDIR, enabling unauthenticated Remote Code Execution on the host.
OpenClaw versions prior to 2026.3.22 are vulnerable to Remote Code Execution (RCE) due to inconsistent sanitization of environment variable overrides between the Gateway and Node components. This architectural flaw allows attackers to inject shell-sensitive variables, resulting in arbitrary command execution on the host system.
OpenClaw is a personal AI assistant platform designed to automate tasks by executing commands on the host system. The platform employs "skills" that define specific workflows, which frequently require overriding standard environment variables during task execution.
A critical vulnerability, tracked as GHSA-39pp-xp36-q6mg, exists in the platform's environment variable sanitization routines. The flaw allows malicious inputs to bypass filtering mechanisms, enabling attackers to inject sensitive shell-control variables into the execution context.
When these manipulated environment variables are processed by the underlying shell, they alter the shell's configuration loading sequence. This architectural oversight leads directly to unauthenticated remote code execution on the system hosting the OpenClaw Node component.
The OpenClaw architecture utilizes a bifurcated execution model, dividing responsibilities between a Gateway and a Node. The Gateway processes incoming requests and API interactions, while the Node handles physical task execution on the host operating system. Each component independently implemented logic to sanitize environment variable keys supplied by skill configurations.
The vulnerability stems from an inconsistency between these two sanitization paths within the Skill Env Handler component, specifically inside the applySkillConfigEnvOverrides function. The Gateway component applied a permissive filter, allowing specific high-risk environment variables to pass through the initial validation boundary.
Upon receiving the payload, the Node component inherited the pre-processed keys without re-validating them against the global "Shared Host Environment Policy." This failure to enforce defense-in-depth permitted attackers to inject configuration-altering variables such as HOME, ZDOTDIR, or BASH_ENV directly into the execution environment.
Exploitation requires the attacker to supply a crafted skill configuration to the OpenClaw Gateway. The configuration must include environment variable overrides targeting specific shell initialization parameters. For example, setting ZDOTDIR=/tmp/payload_dir instructs the /bin/zsh executable to look for its .zshenv initialization file in the specified directory rather than the user's actual home directory.
Once the crafted environment variables bypass the Gateway and are accepted by the Node, the OpenClaw platform attempts to execute the requested skill task. The system spawns a new shell process, which immediately consumes the injected environment variables during its startup sequence.
The shell runtime processes the manipulated variables and executes the attacker-controlled configuration file. This sequence grants the attacker arbitrary code execution privileges matching the user context of the OpenClaw Node process, entirely bypassing intended application restrictions.
The remediation, implemented in Pull Request #51207 by developer joshavant, fundamentally restructures the environment variable handling logic. The patch deprecates the fragmented validation approach in favor of a unified, strict sanitization flow utilized concurrently by both the Gateway and the Node.
The patched applySkillConfigEnvOverrides function introduces explicit blocklists for shell-sensitive variables. Keys such as HOME, ZDOTDIR, PATH, and LD_PRELOAD are now categorically rejected regardless of where they enter the pipeline.
Additionally, the patch implements a fail-closed mechanism for task execution. If a blocked or malformed override key is detected during processing, the system explicitly aborts the task rather than silently dropping the invalid key. This design prevents partial execution states that might otherwise be leveraged for subsequent variant attacks.
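The unified, fail-closed check described above can be sketched as follows. This is an added JavaScript example, not OpenClaw's code or the patch from Pull Request #51207; the function names, the key-shape regex and the sample skill configurations are assumptions, and the blocklist holds only the keys named in this write-up.

```javascript
// Added illustration; every function and class name here is hypothetical.
// Shell-sensitive keys named in the write-up above.
const BLOCKED_KEYS = new Set(["HOME", "ZDOTDIR", "BASH_ENV", "PATH", "LD_PRELOAD"]);
// Assumed shape of a well-formed key: a POSIX-style identifier.
const KEY_SHAPE = /^[A-Za-z_][A-Za-z0-9_]*$/;

class EnvOverrideError extends Error {}

// One policy shared by every stage. It throws on the first bad key
// (fail closed) instead of dropping the key and letting the task continue.
function assertSafeEnvOverrides(overrides) {
  for (const [key, value] of Object.entries(overrides)) {
    if (!KEY_SHAPE.test(key)) {
      throw new EnvOverrideError(`malformed key: ${JSON.stringify(key)}`);
    }
    // Compared case-insensitively: stricter than Linux needs, but safe on
    // hosts where variable names are case-insensitive.
    if (BLOCKED_KEYS.has(key.toUpperCase())) {
      throw new EnvOverrideError(`blocked key: ${key}`);
    }
    if (typeof value !== "string" || value.includes("\0")) {
      throw new EnvOverrideError(`bad value for ${key}`);
    }
  }
  return { ...overrides };
}

// Gateway boundary: validate when the skill configuration arrives.
function gatewayAccept(skillConfig) {
  return { ...skillConfig, env: assertSafeEnvOverrides(skillConfig.env ?? {}) };
}

// Node boundary: re-validate just before building the child environment,
// so input that never went through gatewayAccept is still rejected.
function nodeBuildEnv(skillConfig, baseEnv) {
  return { ...baseEnv, ...assertSafeEnvOverrides(skillConfig.env ?? {}) };
}

// Abort the whole task on a policy violation; never spawn with a partial env.
function tryRun(skillConfig, baseEnv) {
  try {
    return { ok: true, env: nodeBuildEnv(gatewayAccept(skillConfig), baseEnv) };
  } catch (err) {
    if (err instanceof EnvOverrideError) return { ok: false, reason: err.message };
    throw err;
  }
}

// Constructed sample inputs.
const baseEnv = { HOME: "/home/assistant", LANG: "C.UTF-8" };
const benign = { name: "build", env: { NODE_ENV: "production" } };
const hostile = { name: "build", env: { NODE_ENV: "production", ZDOTDIR: "/tmp/payload_dir" } };
```

Calling nodeBuildEnv directly with the hostile configuration also throws, which is the re-validation the pre-patch Node path lacked.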
The ability to execute arbitrary code on the host system represents a complete compromise of the OpenClaw Node. Because personal AI assistants require broad permissions to manage local development environments and system tasks, the OpenClaw process typically operates with elevated privileges or extensive filesystem access.
An attacker successfully exploiting this vulnerability gains persistent access to the host operating system. This access facilitates the exfiltration of sensitive personal data, source code, and persistent credentials stored within the local environment.
Furthermore, the compromised Node can serve as a pivot point for lateral movement within a broader network. The execution context granted by the vulnerability allows attackers to install persistent backdoors, deploy secondary payloads, or manipulate the AI assistant's ongoing operations without detection.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenClaw | < 2026.3.22 | 2026.3.22 |

| Attribute | Detail |
|---|---|
| Vulnerability Class | Environment Variable Injection |
| CWE ID | CWE-78 |
| Attack Vector | Network |
| Impact | Remote Code Execution |
| Exploit Status | Unexploited / Undisclosed |
| Component | Skill Env Handler |

CWE-78: Improper Neutralization of Special Elements used in an OS Command