Impact
OpenClaw, a personal AI assistant, was found to allow malicious actors to execute arbitrary shell commands on the SSH host when interacting with the sshNodeCommand function. The weakness stemmed from building a shell script that interpolated the user-supplied Project Root Path directly into an echo statement in an error message without escaping it. Likewise, the parseSSHTarget function accepted SSH target strings beginning with a dash, so an attacker could supply a string such as -oProxyCommand that OpenSSH would interpret as a command-line option rather than a hostname. Consequently, an attacker could run arbitrary commands on the remote machine or even on the local machine. This vulnerability is classified as a severe OS Command Injection flaw (CWE-78).
Affected Systems
The affected product is OpenClaw as distributed by the vendor openclaw. All releases prior to version 2026.1.29 are vulnerable. The problem lies in the Node.js implementation of OpenClaw and is not tied to a particular operating system; macOS is nonetheless specifically reported as affected because of the reliance on SSH utilities. Users should verify that they are running version 2026.1.29 or later.
Risk and Exploitability
The CVSS score for this flaw is 7.8, indicating high severity, while the EPSS score is below 1%, indicating a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been formally identified to date. Nevertheless, the flaw permits remote code execution through both a server-side command injection vector and a client-side SSH configuration injection vector: any user who can specify a project path or an SSH target string could compromise the target machine if these inputs are not validated.
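As an added defensive example (not OpenClaw's own code, nor the vendor's fix), the following Node.js snippet shows the two input-handling checks that the Impact and Risk sections imply: rejecting SSH target strings that begin with a dash so OpenSSH cannot read them as options, and single-quoting the project root before it reaches the remote echo statement. The function names, the allow-list grammar for targets, and the sample inputs are assumptions.

```javascript
// Added example, not OpenClaw code: hardened handling of the two inputs the
// advisory names, an SSH target string and a project root path. The names
// parseSSHTarget/shellQuote/buildSSHArgv are illustrative assumptions.

// Reject anything OpenSSH could parse as an option instead of a destination.
// Accepts "host", "user@host", with an optional ":port" suffix, nothing else.
function parseSSHTarget(target) {
  if (typeof target !== 'string' || target.length === 0) {
    throw new Error('empty SSH target');
  }
  if (target.startsWith('-')) {
    throw new Error('SSH target must not begin with "-" (would be parsed as an option)');
  }
  const m = /^(?:([A-Za-z0-9._-]+)@)?([A-Za-z0-9.-]+)(?::(\d{1,5}))?$/.exec(target);
  if (!m) throw new Error('SSH target contains characters outside the allow-list');
  const port = m[3] ? Number(m[3]) : 22;
  if (port < 1 || port > 65535) throw new Error('SSH port out of range');
  return { user: m[1] ?? null, host: m[2], port };
}

// Single-quote a value for POSIX sh so the remote shell never interprets it.
// Inside single quotes only a single quote is special; it becomes '\''.
function shellQuote(value) {
  return `'${String(value).replace(/'/g, `'\\''`)}'`;
}

// Build the remote script with the project root quoted rather than pasted raw,
// so a path containing quotes, semicolons or backticks stays inert in the echo.
function buildRemoteScript(projectRoot) {
  const q = shellQuote(projectRoot);
  return `[ -d ${q} ] || { echo "project root not found: "${q} >&2; exit 1; }`;
}

// Assemble an argv for child_process.execFile (no local shell involved).
// "--" ends option parsing, so even a validated destination cannot become a flag.
function buildSSHArgv(target, projectRoot) {
  const t = parseSSHTarget(target);
  const dest = t.user ? `${t.user}@${t.host}` : t.host;
  return ['ssh', '-p', String(t.port), '--', dest, buildRemoteScript(projectRoot)];
}
```

Pass the returned argv to execFile(argv[0], argv.slice(1)) rather than exec, since exec would reintroduce a local shell between the validated values and the ssh binary.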
Source: OpenCVE enrichment (GitHub GHSA)