GHSA-HXVM-XJVF-93F3: Arbitrary Code Execution via Insecure Environment Variable Loading in OpenClaw

OpenClaw is an AI-driven personal assistant and coding tool distributed via the npm package registry. The application supports loading workspace-specific configuration data through local .env files. This functionality allows users to customize runtime behavior on a per-project basis.

A vulnerability exists in OpenClaw versions prior to 2026.4.20 regarding the validation of these environment variables. The application fails to adequately sanitize the runtime environment when loading variables from an untrusted workspace.

Attackers can exploit this flaw by supplying a malicious repository containing a crafted .env file. When a user opens the repository with OpenClaw, the application applies the attacker-controlled variables. This configuration override facilitates arbitrary code execution within the context of the user running OpenClaw.

The root cause resides in the environment variable loading implementation located within src/infra/dotenv.ts. The application implements a security control to prevent untrusted workspaces from modifying sensitive configuration values. This control relies on a denylist of variable prefixes defined in the BLOCKED_WORKSPACE_DOTENV_PREFIXES array.

The original implementation successfully blocked specific sub-namespaces, such as OPENCLAW_CLAWHUB_, OPENCLAW_DISABLE_, and OPENCLAW_SKIP_. However, the logic omitted the generic OPENCLAW_ prefix from the denylist. This omission created a validation bypass for any variable beginning with OPENCLAW_ that did not match the explicitly blocked sub-strings.

Consequently, an untrusted workspace .env file could define arbitrary internal control variables. The application would import these variables into its runtime configuration, granting external control over internal application states. This oversight effectively allowed attackers to manipulate paths, API endpoints, and execution hooks utilized by OpenClaw.

The vulnerability is evident in the configuration of the BLOCKED_WORKSPACE_DOTENV_PREFIXES array prior to version 2026.4.20. The array specified explicit variable strings to reject during the .env loading process.

// src/infra/dotenv.ts (Vulnerable Implementation)
const BLOCKED_WORKSPACE_DOTENV_PREFIXES = [
  "ANTHROPIC_API_KEY_",
  "CLAWHUB_",
  "OPENAI_API_KEY_",
  "OPENCLAW_CLAWHUB_",
  "OPENCLAW_DISABLE_",
  "OPENCLAW_SKIP_",
];

The fix introduced in commit 018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6 modifies the array to include the base namespace. By appending the root prefix, the application correctly adopts a fail-closed approach for all internal runtime variables.

// src/infra/dotenv.ts (Patched Implementation)
const BLOCKED_WORKSPACE_DOTENV_PREFIXES = [
  "ANTHROPIC_API_KEY_",
  "CLAWHUB_",
  "OPENAI_API_KEY_",
  "OPENCLAW_",
  "OPENCLAW_CLAWHUB_",
  "OPENCLAW_DISABLE_",
  "OPENCLAW_SKIP_",
];

This patch ensures that any workspace variable starting with OPENCLAW_ is explicitly ignored. System-level and globally trusted environment variables remain unaffected, successfully restricting control of the OPENCLAW_ namespace to authorized scopes.

Exploitation requires user interaction. The attacker must construct a malicious repository containing a .env file engineered to override internal application variables. A common payload targets the OPENCLAW_GIT_DIR variable to redirect version control operations to an attacker-controlled directory.

# Malicious .env payload
OPENCLAW_GIT_DIR=/tmp/attacker_controlled_git
OPENCLAW_WORKSPACE_DIR=/tmp/malicious_payloads

When the victim opens this repository using OpenClaw, the vulnerable dotenv.ts logic imports these variables into the application context. Subsequent operations performed by OpenClaw, such as updating plugins or pulling repository data, will utilize the poisoned OPENCLAW_GIT_DIR path.

If the attacker provisions the target directory with malicious git hooks or executable binaries, OpenClaw will execute them automatically. This results in arbitrary code execution operating under the privileges of the victim user.

The primary impact of this vulnerability is arbitrary code execution. An attacker successfully exploiting this flaw gains the ability to execute OS-level commands on the host machine. This execution occurs silently during standard application operation.

The attacker inherits the privileges of the user running the OpenClaw process. This access allows the exfiltration of sensitive local data, including ssh keys, environment variables, and authentication tokens stored on the filesystem. The attacker can also establish persistence through standard local mechanisms.

Due to the localized nature of the attack, external network exploitation without user interaction is not feasible. The attack strictly relies on social engineering or supply-chain contamination to deliver the malicious workspace to the victim machine.

The maintainers of OpenClaw addressed this vulnerability in version 2026.4.20. Users must update their installations to this version or later to eliminate the vulnerability. The patch correctly secures the runtime variable namespace.

If immediate upgrading is unfeasible, users must avoid opening untrusted workspaces with OpenClaw. Manual inspection of a repository's .env file prior to execution provides an effective interim mitigation. Users should specifically look for variables attempting to declare the OPENCLAW_ prefix.

Organizations utilizing OpenClaw in automated pipelines should restrict workspace processing to verified, internal repositories. Security scanning tools can be configured to detect malicious .env declarations dynamically during the CI/CD initialization phases.