GHSA-xw4p-pw82-hqr7: Path Traversal in OpenClaw Skill Mirroring

The OpenClaw framework (also known as Moltbot) creates sandbox environments to safely execute AI "skills"—modular capabilities defined by users or third parties. A core component of this architecture is the skill mirroring mechanism, specifically the syncSkillsToWorkspace function, which copies skill source files from a repository into a designated workspace directory for execution.

A path traversal vulnerability (CWE-22) was identified in how this function handles destination paths. When syncing a skill, the system determines the target directory using metadata provided within the skill itself (specifically the name field in SKILL.md). Because this input was not validated or sanitized, a malicious skill definition could manipulate the destination path, effectively breaking out of the sandbox confinement. This flaw allows an attacker to write arbitrary files to the host system with the privileges of the OpenClaw process.

The root cause lies in the insecure concatenation of user-controlled input with a filesystem path without prior validation. The vulnerable code used the standard Node.js path.join() function to construct the destination directory for a skill. While path.join normalizes paths, it does not prevent directory traversal if the segments themselves contain traversal sequences like ../.

In the vulnerable implementation, the code extracted the name property directly from the skill's frontmatter configuration and appended it to the targetSkillsDir. A malicious actor could define a skill name such as ../../../etc/cron.d/, causing the subsequent copy operation (fsp.cp) to write files outside the intended targetSkillsDir. The application implicitly trusted that the metadata name would be a safe, valid directory name, rather than treating it as untrusted input.

Crucially, the system lacked a boundary check—such as resolving the final path and ensuring it starts with the expected root path—before performing the file operation.

The following analysis contrasts the vulnerable logic with the remediated code in src/agents/skills/workspace.ts.

Vulnerable Code: The original implementation directly joined the target directory with the potentially malicious skill name.

// src/agents/skills/workspace.ts (Pre-patch)
for (const entry of entries) {
  // VULNERABILITY: entry.skill.name is user-controlled and unsanitized.
  // If name is "../../escaped", dest becomes outside targetSkillsDir.
  const dest = path.join(targetSkillsDir, entry.skill.name);
  
  try {
    // Recursive copy writes files to the traversal path
    await fsp.cp(entry.skill.baseDir, dest, { recursive: true });
    // ...
  } catch (error) {
    // ...
  }
}

Fixed Code: The patch abandons the use of the user-defined name for filesystem operations. Instead, it derives the directory name from the source path's basename (which is local and trusted in this context) and employs a strict path resolution utility.

// src/agents/skills/workspace.ts (Patched)
function resolveSyncedSkillDestinationPath(params: { 
  targetSkillsDir: string; 
  entry: SkillEntry; 
  usedDirNames: Set<string>; 
}): string | null {
  // 1. Use filesystem basename instead of arbitrary metadata name
  const sourceDirName = path.basename(params.entry.skill.baseDir).trim();
  
  // 2. Reject suspicious directory names explicitly
  if (!sourceDirName || sourceDirName === "." || sourceDirName === "..") {
    return null;
  }
 
  // 3. Resolve a unique name to prevent collisions
  const uniqueDirName = resolveUniqueSyncedSkillDirName(sourceDirName, params.usedDirNames);
 
  // 4. SECURITY CHECK: resolveSandboxPath ensures the path stays inside root
  // If the resulting path escapes targetSkillsDir, this throws or returns null
  return resolveSandboxPath({
    filePath: uniqueDirName,
    cwd: params.targetSkillsDir,
    root: params.targetSkillsDir,
  }).resolved;
}

To exploit this vulnerability, an attacker requires the ability to introduce a new skill to the OpenClaw instance. This could occur in scenarios where the agent pulls skills from a public repository or processes a user-submitted skill bundle.

Attack Steps:

1. Craft Malicious Skill: The attacker creates a skill directory containing a SKILL.md file. In the frontmatter of this file, they set the name field to a traversal payload, e.g., name: "../../../.ssh".
2. Trigger Sync: The attacker instructs the OpenClaw agent to load or sync this skill. This invokes the syncSkillsToWorkspace function.
3. File Write: The agent calculates the destination path. Due to the vulnerability, the path resolves to [sandbox_root]/../../../.ssh (effectively ~/.ssh on the host).
4. Payload Execution: The agent copies the skill's contents (which could include a malicious authorized_keys file) to the target directory. The attacker now has SSH access to the host machine.

This vector is particularly dangerous because it bypasses the primary security mechanism of the agent—the sandbox—allowing for immediate escalation from agent control to host compromise.

The impact of this vulnerability is rated High due to the potential for arbitrary file write leading to Remote Code Execution (RCE).

• Confidentiality: Low direct impact, as this is primarily a write primitive. However, overwriting configuration files could disable security logging or access controls.
• Integrity: High. Attackers can overwrite system binaries, application code, or user configuration files. This allows for persistent compromise.
• Availability: High. An attacker could overwrite critical system files, causing the host or the application to crash or become unbootable.

The vulnerability is an "Arbitrary File Write via Path Traversal" (CWE-22). In containerized environments, this might allow escaping the application directory to the container root. In non-containerized deployments, it could lead to full host compromise.