Summary
Command injection in the maintainer/dev script scripts/update-clawtributors.ts.
Impact
Affects contributors/maintainers (or CI) who run bun scripts/update-clawtributors.ts in a source checkout that contains a malicious commit author email (e.g. crafted @users.noreply.github.com values).
Normal CLI usage is not affected (npm i -g openclaw): this script is not part of the shipped CLI and is not executed during routine operation.
Affected Versions
- Source checkouts: tags
v2026.1.8 through v2026.2.13 (inclusive)
- Version range (structured):
>= 2026.1.8, < 2026.2.14
Details
The script derived a GitHub login from git log author metadata and interpolated it into a shell command (via execSync). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run.
Fix
- Fix commit:
a429380e337152746031d290432a4b93aa553d55
- Planned patched version:
2026.2.14
Credits
Thanks @scanleale and @MegaManSec (https://joshua.hu) of AISLE Research Team for reporting.
References
Summary
Command injection in the maintainer/dev script
scripts/update-clawtributors.ts.Impact
Affects contributors/maintainers (or CI) who run
bun scripts/update-clawtributors.tsin a source checkout that contains a malicious commit author email (e.g. crafted@users.noreply.github.qkg1.topvalues).Normal CLI usage is not affected (
npm i -g openclaw): this script is not part of the shipped CLI and is not executed during routine operation.Affected Versions
v2026.1.8throughv2026.2.13(inclusive)>= 2026.1.8, < 2026.2.14Details
The script derived a GitHub login from
git logauthor metadata and interpolated it into a shell command (viaexecSync). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run.Fix
a429380e337152746031d290432a4b93aa553d552026.2.14Credits
Thanks @scanleale and @MegaManSec (https://joshua.hu) of AISLE Research Team for reporting.
References