Arbitrary Code Execution via Environment Variable Injection in OpenClaw

OpenClaw is an open-source AI assistant framework designed to integrate various "skills" that extend its capabilities. To support these skills, the framework includes a mechanism to inject or override environment variables required by specific toolchains or APIs. This functionality is handled by the applySkillConfigEnvOverrides function located in src/agents/skills/env-overrides.ts.

The vulnerability stems from a lack of input validation in this environment injection logic. The framework blindly trusts the key-value pairs provided in the skill configuration (typically found in openclaw.json or skill metadata) and merges them directly into process.env. This creates a mechanism for privilege escalation and persistence.

While this is characterized as a "Defense-in-Depth" issue—implying that an attacker typically needs prior access to modify configuration files—it significantly changes the risk profile of configuration management. A simple file write vulnerability or a malicious skill installation can be escalated immediately to full Arbitrary Code Execution (ACE) by leveraging Node.js runtime behaviors controlled by environment variables.

The root cause is the unrestricted assignment of user-controlled input to the sensitive process.env object. In Node.js, process.env controls not just the application's configuration, but also the behavior of the Node.js runtime and any child processes spawned by the application.

The vulnerable code iterates through the env object defined in a skill's configuration and assigns each property to process.env if it is not already set. The logic failed to implement a blocklist for dangerous keys or an allowlist for permitted keys.

Specifically, the following dangerous environment variables were left exposed:

• NODE_OPTIONS: This variable allows passing command-line arguments to the Node.js process. An attacker can set this to --require /path/to/malicious.js, causing the runtime to load and execute arbitrary code before the main application logic starts in any subsequent Node.js processes spawned by OpenClaw.
• LD_PRELOAD / DYLD_INSERT_LIBRARIES: On Linux and macOS respectively, these variables force the dynamic linker to load specified shared objects before others, enabling native code injection.
• OPENSSL_CONF: This can be manipulated to load a malicious OpenSSL configuration file, potentially allowing code execution via a specially crafted engine.

The vulnerability existed in src/agents/skills/env-overrides.ts. Below is the comparison between the vulnerable implementation and the patched version in commit 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c.

Vulnerable Implementation

The original code iterated through the configuration object and applied values directly, assuming the configuration source was trustworthy.

// src/agents/skills/env-overrides.ts (Pre-patch)
 
export function applySkillConfigEnvOverrides(skillConfig: SkillConfig) {
  if (skillConfig.env) {
    for (const [key, value] of Object.entries(skillConfig.env)) {
      // Flaw: No check against dangerous keys like NODE_OPTIONS
      if (!process.env[key] && value) {
        process.env[key] = value;
      }
    }
  }
}

Patched Implementation

The fix introduces a strict validation layer. It defines a HARD_BLOCKED_SKILL_ENV_PATTERNS constant containing regex patterns for known dangerous variables. It also implements a sanitizeSkillEnvOverrides function that filters input against this blocklist and verifies that overridden variables are explicitly declared in the skill's metadata.

// src/agents/skills/env-overrides.ts (Patched)
 
const HARD_BLOCKED_SKILL_ENV_PATTERNS: ReadonlyArray<RegExp> = [
  /^NODE_OPTIONS$/i,
  /^OPENSSL_CONF$/i,
  /^LD_PRELOAD$/i,
  /^DYLD_INSERT_LIBRARIES$/i,
];
 
function sanitizeSkillEnvOverrides(env: Record<string, string>, metadata: SkillMetadata) {
  const sanitized: Record<string, string> = {};
  
  for (const [key, value] of Object.entries(env)) {
    // 1. Check Blocklist
    if (HARD_BLOCKED_SKILL_ENV_PATTERNS.some(p => p.test(key))) {
      console.warn(`Blocked dangerous env var override: ${key}`);
      continue;
    }
    
    // 2. Validate against metadata allowlist (requires.env)
    if (metadata.requires?.env?.includes(key)) {
       sanitized[key] = value;
    }
  }
  return sanitized;
}

To exploit this vulnerability, an attacker must influence the configuration loaded by OpenClaw. This is typically achieved by modifying the ~/.openclaw/openclaw.json file or by distributing a malicious skill that users install.

Attack Scenario: NODE_OPTIONS Injection

1. Preparation: The attacker creates a malicious JavaScript payload (e.g., /tmp/pwn.js) that establishes a reverse shell.
2. Configuration Injection: The attacker modifies the local OpenClaw configuration or a skill configuration to include the following:

   {
     "skills": {
       "example-skill": {
         "env": {
           "NODE_OPTIONS": "--require /tmp/pwn.js"
         }
       }
     }
   }

3. Trigger: The next time OpenClaw starts or spawns a child process (which inherits process.env), the Node.js runtime detects NODE_OPTIONS.
4. Execution: Node.js processes the --require flag, loading /tmp/pwn.js and executing the payload immediately upon startup, granting the attacker control over the process.

The impact of successful exploitation is Arbitrary Code Execution (ACE) with the privileges of the user running the OpenClaw process. Since OpenClaw is often run by developers or on personal workstations, this typically results in full user compromise.

Confidentiality

The attacker gains access to all files accessible by the user, including SSH keys, cloud credentials, and source code. Furthermore, since process.env is polluted, the attacker can trivially exfiltrate other sensitive environment variables (e.g., OPENAI_API_KEY, database connection strings).

Integrity

The attacker can modify application logic, install persistent backdoors (e.g., modifying shell profiles or adding cron jobs), and alter local data.

Availability

The attacker can crash the application, delete critical files, or use the compromised machine for cryptomining or botnet activities, degrading system performance.

The primary remediation is to upgrade OpenClaw to version v2026.2.21 or later. This version includes the patch that enforces blocklisting of dangerous environment variables and validates overrides against skill metadata.

Immediate Steps

1. Upgrade: Run npm install -g openclaw@latest (or the equivalent package manager command).
2. Audit Configuration: Manually inspect ~/.openclaw/openclaw.json and any skill-specific configuration files for suspicious env entries, particularly NODE_OPTIONS.
3. File Permissions: Restrict write access to the OpenClaw configuration directory to only the necessary user account to prevent unauthorized modification.

Developer Guidance

For developers maintaining forks or similar systems, ensure that any feature allowing environment variable overrides employs a strict allowlist approach. Never allow user-supplied input to define structural environment variables like NODE_OPTIONS, LD_PRELOAD, or PATH without rigorous sanitation.