Severity: 7.3 (CVSS 4.0)
OpenClaw's autoAllowSkills setting can bypass exec prompts
GHSA-7ff8-xjh3-mgh6
Summary
OpenClaw's autoAllowSkills setting, when enabled in a non-default exec-approval configuration (`security=allowlist` with `ask=on-miss`), could let a path-qualified invocation of a known skill binary such as `./skill-bin` match the `skills` allowlist entry by basename and run without the approval prompt that an on-miss command should trigger. Default installs are not affected. To fix this, update to OpenClaw version 2026.2.23 or later.
What to do
- Update openclaw to version 2026.2.23 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22-2 | 2026.2.23 |
Original title
OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt
Original description
### Summary
In `openclaw` versions up to and including `2026.2.22-2`, a non-default exec-approval configuration could allow a skill-name collision to bypass an `ask=on-miss` prompt.
When `autoAllowSkills=true`, a path-scoped executable such as `./skill-bin` could resolve to basename `skill-bin`, satisfy the `skills` allowlist segment, and run without prompting for approval.
### Affected Packages / Versions
- Package: `npm openclaw`
- Affected versions: `<= 2026.2.22-2`
- Patched versions: `>= 2026.2.23` (released)
### Configuration Scope (Not Default)
This behavior requires non-default settings and does not affect default installs.
Required conditions:
- `autoAllowSkills=true` (default is `false`)
- `system.run` with `security=allowlist`
- `ask=on-miss`
### Technical Details
The allowlist evaluator accepted `skills` satisfaction by bin-name match, so `./skill-bin` could match `skillBins.has("skill-bin")` after resolution.
The fix hardens skill auto-allow matching by requiring:
- a pathless invocation token (no `/` or `\\`), and
- a trusted resolved executable path for that skill bin on the machine where skills run.
This preserves normal `skill-bin ...` behavior while preventing `./<skill-bin>` and absolute-path basename collisions from auto-satisfying `skills`.
### Impact
In affected non-default configurations, approval prompts could be skipped for commands that should have required operator confirmation.
### Fix Commit(s)
- `ffd63b7a2c4c6d5aeb4710ef951d5794ad7ad77b` (`fix(security): trust resolved skill-bin paths in allowlist auto-allow`)
OpenClaw thanks @tdjackey for reporting.
Severity source: GHSA, CVSS 4.0 base score 7.3
Vulnerability type
- CWE-266: Incorrect Privilege Assignment
- CWE-863: Incorrect Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026