OpenClaw Zip Slip Path Traversal in Archive Extraction

OpenClaw, an open-source automation tool, utilizes archive extraction for managing "skills" (plugins) and handling browser-based file downloads. A vulnerability exists in the src/infra/archive.ts and src/agents/skills-install.ts components where the application fails to validate the destination path of extracted files.

This flaw is a classic instance of "Zip Slip" (CWE-22). When the application processes a compressed archive (ZIP or TAR), it extracts entries based on the filenames specified within the archive headers. If an attacker crafts an archive containing files with directory traversal sequences in their names (e.g., ../../../../root/.ssh/authorized_keys), OpenClaw blindly follows these paths during extraction.

The vulnerability extends to the browser tool's file handling, where the suggestedFilename from remote servers was not sanitized, allowing malicious websites to trigger downloads that write to arbitrary system locations relative to the OpenClaw execution context.

The root cause of this vulnerability is the absence of canonical path validation during file extraction and creation. The application relied on high-level extraction commands (tar.x, unzip) or naive file writing logic without verifying that the resolved destination path resided within the intended directory.

In a secure implementation, an extraction routine must:

1. Resolve the target directory to an absolute path.
2. Resolve the full path of the archive entry combined with the target directory.
3. Verify that the resolved entry path starts with the resolved target directory path.

OpenClaw skipped this verification step. Specifically, in src/agents/skills-install.ts, downloaded skill archives were extracted directly. Consequently, the filesystem API accepted relative paths in filenames, processing them relative to the current working directory or the extraction root, allowing escape from the intended sandbox.

The vulnerability was addressed in commit 3aa94afcfd12104c683c9cad81faf434d0dadf87 by introducing strict path confinement checks. The developers implemented a new validation layer that inspects every file entry before it is written to the disk.

The fix introduces validateArchiveEntryPath and resolveCheckedOutPath. These functions enforce that all filesystem operations are confined to a safe directory.

Conceptual Patch Logic:

// VULNERABLE LOGIC (Conceptual)
// Archives were extracted without checking entry paths
function extract(archivePath, targetDir) {
  // Implicitly trusts that archive entries are safe
  exec(`tar -xf ${archivePath} -C ${targetDir}`);
}
 
// PATCHED LOGIC (Conceptual)
function extractSecurely(archivePath, targetDir) {
  const resolvedTarget = path.resolve(targetDir);
  
  // Iterate entries and validate before extraction
  for (const entry of archiveEntries) {
    const destination = path.resolve(targetDir, entry.path);
    
    // CRITICAL FIX: Ensure the destination is inside the target
    if (!destination.startsWith(resolvedTarget)) {
       throw new Error("Zip Slip detected: Path traversal attempt");
    }
    
    // Additional hardening: Reject symlinks to prevent logical traversal
    if (entry.isSymlink()) {
       throw new Error("Symlinks not allowed in untrusted archives");
    }
  }
}

The patch also includes preflight scanning for TAR archives (using tar tf) to list and validate entries prior to invoking the extraction command, ensuring that the tar binary does not process malicious paths.

Exploitation requires an attacker to induce the OpenClaw instance to process a malicious file. This can be achieved through two primary vectors:

1. Malicious Skill Installation: The attacker hosts a "skill" archive containing traversal paths. When an administrator or automated process attempts to install this skill via URL, the extraction routine triggers the overwrite.
2. Browser Tool Interaction: If OpenClaw is directing a browser to interact with a malicious website, the site can initiate a download with a crafted suggestedFilename (e.g., ../../target).

Attack Scenario:

1. Preparation: The attacker creates a TAR archive containing a file named ../../../../home/node/.bashrc with a malicious payload (e.g., a reverse shell command).
2. Delivery: The attacker provides the URL of this archive to the OpenClaw installSkill function.
3. Execution: OpenClaw downloads the archive and pipes it to tar. The tar utility respects the relative path in the filename.
4. Compromise: The file is written to ~/.bashrc. The next time the user logs in or opens a shell, the payload executes.

The impact of this vulnerability is rated High (CVSS 8.8). The ability to write arbitrary files to the host filesystem effectively bridges the gap between limited application access and full system compromise.

• Confidentiality: Attackers may not be able to read arbitrary files directly via extraction, but they can overwrite configuration files to weaken security settings.
• Integrity: Critical system files, source code, or application logic can be overwritten. Overwriting application scripts (e.g., index.js) allows for persistent backdoor insertion.
• Availability: Overwriting critical system binaries or configuration files can render the host system or the OpenClaw application unstable or unusable.

Since OpenClaw is an automation tool often running with significant privileges (to install packages, manage browsers, etc.), the likelihood of successful privilege escalation to root or full user compromise is high.