OpenClaw: Vulnerability in Skill Packaging Script Allows Unauthorized File Inclusion

CVE-2026-27485 GHSA-r6h2-5gqq-v5v6
Summary

A vulnerability in the OpenClaw skill packaging script allows an attacker to include unintended files in a skill archive when a user packages a crafted skill locally. This could expose sensitive files from the user's machine inside the generated archive. The fix makes the packaging script reject symlinks instead of following them; it will ship in the next version of OpenClaw, due to be released soon.

What to do
  • Update steipete openclaw to version 2026.2.19.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.18 | 2026.2.19 |
| openclaw | openclaw | <= 2026.2.17 | – |
Original title
OpenClaw: Reject symlinks in local skill packaging script
Original description
## Vulnerability

`skills/skill-creator/scripts/package_skill.py` (a local helper script used when authors package skills) previously followed symlinks while building `.skill` archives.

If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents.

## Severity and Exposure

- **Severity: Low**
- **Execution context:** local/manual workflow only (skill author packaging step)
- **No remote trigger:** this is not reachable via normal OpenClaw gateway/chat runtime paths
- **No extraction Zip Slip in this finding:** this issue is limited to packaging-time symlink following

## Impact

- Potential unintentional disclosure of local files from the packaging machine into a generated `.skill` artifact.
- Requires local execution of the packaging script on attacker-controlled skill contents.

## Affected Components

- `skills/skill-creator/scripts/package_skill.py`

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published version during triage: `2026.2.17`
- Vulnerable version range: `<= 2026.2.17`
- Planned patched version (next release): `2026.2.18`

## Remediation

- Reject symlinks during skill packaging.
- Add regression tests for symlink file and symlink directory cases.
- Update packaging guidance to document the symlink restriction.
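As an added illustration of the remediation described above (example code written for this page, not OpenClaw's `package_skill.py` or the code in its fix commits): a minimal packager that walks the skill directory, refuses to build the archive if any file or directory symlink is present, and a constructed scenario covering the clean case plus the two regression cases the advisory names, a symlinked file and a symlinked directory pointing outside the skill root. The names `package_skill`, `find_symlinks` and `SymlinkRejected` are hypothetical, and every path is created inside a temporary directory.

```python
import os
import tempfile
import zipfile
from pathlib import Path


class SymlinkRejected(Exception):
    """Raised when a file or directory symlink is found under the skill root."""


def find_symlinks(skill_root: Path) -> list[Path]:
    """Return every symlink beneath skill_root, whether it points at a file or a directory.

    os.walk() does not descend into symlinked directories by default, but it still
    lists them in `dirnames`, so both dirnames and filenames are inspected.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(skill_root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if entry.is_symlink():
                found.append(entry)
    return found


def package_skill(skill_root: Path, out_path: Path) -> list[str]:
    """Zip skill_root into out_path, refusing if any symlink exists under it.

    Returns the sorted archive member names. zipfile.ZipFile.write() reads through
    a symlink, which is why the check must happen before anything is written.
    """
    skill_root = Path(skill_root)
    links = find_symlinks(skill_root)
    if links:
        rel = ", ".join(str(p.relative_to(skill_root)) for p in links)
        raise SymlinkRejected(f"symlinks are not allowed in a skill directory: {rel}")
    members = []
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirnames, filenames in os.walk(skill_root):
            for name in filenames:
                full = Path(dirpath) / name
                arcname = full.relative_to(skill_root).as_posix()
                zf.write(full, arcname)
                members.append(arcname)
    return sorted(members)


def _try_package(skill_dir: Path, out_path: Path) -> bool:
    """Return True if packaging was rejected because of a symlink."""
    try:
        package_skill(skill_dir, out_path)
    except SymlinkRejected:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: everything lives in a temp dir, nothing real is read."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed stand-ins for content outside the skill root.
        outside_file = tmp / "outside.txt"
        outside_file.write_text("not part of the skill")
        outside_dir = tmp / "outside_dir"
        outside_dir.mkdir()
        (outside_dir / "config.txt").write_text("also not part of the skill")

        # 1. Clean skill: only regular files, packages normally.
        clean = tmp / "clean_skill"
        (clean / "scripts").mkdir(parents=True)
        (clean / "SKILL.md").write_text("# demo skill\n")
        (clean / "scripts" / "run.py").write_text("print('hi')\n")
        clean_members = package_skill(clean, tmp / "clean.skill")

        # 2. Crafted skill with a file symlink pointing outside the root.
        file_link = tmp / "file_link_skill"
        file_link.mkdir()
        (file_link / "SKILL.md").write_text("# demo skill\n")
        os.symlink(outside_file, file_link / "notes.txt")

        # 3. Crafted skill with a directory symlink pointing outside the root.
        dir_link = tmp / "dir_link_skill"
        dir_link.mkdir()
        (dir_link / "SKILL.md").write_text("# demo skill\n")
        os.symlink(outside_dir, dir_link / "resources", target_is_directory=True)

        return {
            "clean_members": clean_members,
            "file_symlink_rejected": _try_package(file_link, tmp / "a.skill"),
            "dir_symlink_rejected": _try_package(dir_link, tmp / "b.skill"),
        }


if __name__ == "__main__":
    print(demo())
```

The check runs over the whole tree before the first archive entry is written, so a rejected run leaves no partial `.skill` file behind; checking entries one by one while writing would still leak whatever was archived before the first symlink was reached.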

## Fix Commit(s)

- `c275932aa4230fb7a8212fe1b9d2a18424874b3f`
- `ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0`

## Related PR

- https://github.com/openclaw/openclaw/pull/20796

## Release Process Note

`patched_versions` is pre-set to the planned next release (`2026.2.18`). Once npm `openclaw@2026.2.18` is published, this advisory is ready to publish without additional edits.

Thanks @aether-ai-agent for reporting.
NVD CVSS 3.1: 4.4
NVD CVSS 4.0: 4.6
Vulnerability type: CWE-61 (UNIX Symbolic Link (Symlink) Following)
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026