CVE

GHSA-7ff8-xjh3-mgh6

OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt
Summary

In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt.

When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skills allowlist segment, and run without prompting for approval.

Affected Packages / Versions

  • Package: npm openclaw
  • Affected versions: <= 2026.2.22-2
  • Patched versions: >= 2026.2.23 (released)

Configuration Scope (Not Default)

This behavior requires non-default settings and does not affect default installs.

Required conditions:

  • autoAllowSkills=true (default is false)
  • system.run with security=allowlist
  • ask=on-miss

Technical Details

The allowlist evaluator treated the skills segment as satisfied on a bin-name match alone, so after resolution ./skill-bin could match skillBins.has("skill-bin").

The fix hardens skill auto-allow matching by requiring:

  • a pathless invocation token (no `/` or `\`), and
  • a trusted resolved executable path for that skill bin on the machine where skills run.

This preserves the normal `skill-bin ...` (bare skill name followed by arguments) behavior while preventing `./<skill-bin>` and absolute-path basename collisions from auto-satisfying skills.

Impact

In affected non-default configurations, approval prompts could be skipped for commands that should have required operator confirmation.

Fix Commit(s)

  • ffd63b7a2c4c6d5aeb4710ef951d5794ad7ad77b (fix(security): trust resolved skill-bin paths in allowlist auto-allow)

OpenClaw thanks @tdjackey for reporting.

References

  • https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6
  • https://github.com/openclaw/openclaw/commit/ffd63b7a2c4c6d5aeb4710ef951d5794ad7ad77b
  • https://github.com/openclaw/openclaw
