Description
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents. If exploited, this vulnerability can lead to potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact, but requires local execution of the packaging script on attacker-controlled skill contents. This issue has been fixed in version 2026.2.18.
Published: 2026-02-21
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Disclosure via Symlink Manipulation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in OpenClaw's packaging helper script, skills/skill-creator/scripts/package_skill.py, which in versions 2026.2.17 and earlier follows symbolic links when assembling .skill archives. Whoever controls the skill source directory can plant a symlink that points at a file outside the skill root (a credential, key or configuration file on the packaging machine); when the author runs the script, the archive silently receives that file's contents under the link's name. Disclosure then happens wherever the author publishes or shares the generated .skill artifact. The weakness is symbolic link following (CWE-61), not path traversal in archive entry names, and it does not by itself give code execution on the packaging host.

Affected Systems

OpenClaw personal AI assistant: any installation of the openclaw package before version 2026.2.18. Only the skill-creator packaging helper used by skill authors is affected, not the user-facing runtime.

Risk and Exploitability

The CVSS 4.0 base score of 4.6 (CVSS 3.1: 4.4) places the issue at medium severity. Exploitation requires local execution of the packaging script on attacker-controlled skill content (AV:L and UI:A in the CVSS 4.0 vector), so the realistic scenario is an author who packages a skill obtained from an untrusted source, or a compromised build environment. The EPSS score below 1% reflects a low likelihood of exploitation in the wild, and the issue is not listed in CISA's KEV catalog. The impact is confined to local file disclosure into the generated artifact: it poses no direct threat to end users of a skill, but it can leak sensitive files from the packaging host.

Generated by OpenCVE AI on April 17, 2026 at 16:48 UTC.

Remediation

Vendor fix available: the issue is fixed in OpenClaw 2026.2.18, where the packaging script rejects symlinks (GHSA-r6h2-5gqq-v5v6). No separate workaround is needed beyond upgrading; until then, do not run package_skill.py on skill directories you did not author yourself.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.18 or later where the symlink handling has been corrected.
  • Ensure that any skill source directories are verified and sanitized before being processed by the packaging script.
  • Limit execution of the packaging helper to trusted environments and restrict file system permissions to prevent unwarranted access to sensitive directories.
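The following is an added example, not OpenClaw's package_skill.py or any code from the project. It reproduces the pre-fix behaviour the advisory describes (a packager that hands every walked entry to the zip writer, so a symlink's target content lands in the archive) next to a hardened packager that refuses symlinks, hard-linked files and anything that resolves outside the skill root, which is the "verify and sanitize the skill directory" check from the recommended actions. It assumes a .skill archive is a zip file; the directory layout and the file standing in for a credential are constructed for the demo.

```python
"""Symlink following in a skill packager (added example, not OpenClaw's code).
Assumes a .skill archive is a zip; the sample skill tree is constructed here."""
from __future__ import annotations

import os
import tempfile
import zipfile
from pathlib import Path


class UnsafeSkillError(ValueError):
    """Raised when the skill directory contains an entry that must not be packaged."""


def package_skill_vulnerable(skill_dir: Path, out: Path) -> list[str]:
    """Pre-fix behaviour: every file os.walk() reports goes to ZipFile.write(), which
    opens the path normally, so a symlink's *target* content is stored under the
    link's name. Returns the archive entry names."""
    root = skill_dir.resolve()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                zf.write(p, p.relative_to(root).as_posix())
    with zipfile.ZipFile(out) as zf:
        return zf.namelist()


def check_entry(root: Path, p: Path) -> None:
    """Reject p unless it is a plain file or directory physically inside root.
    lstat()-based checks inspect the entry itself, not whatever it points to."""
    rel = p.relative_to(root)
    if p.is_symlink():
        raise UnsafeSkillError(f"symlink not allowed: {rel} -> {os.readlink(p)}")
    # A hard link to a file outside the tree has no link to detect; nlink > 1 is the
    # only local signal (normal for directories, so only enforce it for files).
    if p.is_file() and p.lstat().st_nlink > 1:
        raise UnsafeSkillError(f"hard-linked file not allowed: {rel}")
    real = p.resolve()
    if real != root and root not in real.parents:
        raise UnsafeSkillError(f"entry escapes skill root: {rel} -> {real}")


def package_skill_hardened(skill_dir: Path, out: Path) -> list[str]:
    """Walk without following links, vet every directory and file before adding it,
    and archive regular files only. Returns the archive entry names."""
    root = skill_dir.resolve(strict=True)
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:  # symlinked dirs show up in dirnames
                check_entry(root, Path(dirpath) / name)
            for name in filenames:
                p = Path(dirpath) / name
                if not p.is_file():  # sockets, FIFOs, device nodes
                    raise UnsafeSkillError(f"not a regular file: {p.relative_to(root)}")
                zf.write(p, p.relative_to(root).as_posix())
    with zipfile.ZipFile(out) as zf:
        return zf.namelist()


def demo() -> dict:
    """Constructed scenario: the skill's notes.txt is a symlink to a file outside the
    root, standing in for a private key on the packaging machine."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        secret = base / "outside" / "id_ed25519"
        secret.parent.mkdir()
        secret.write_text("CONSTRUCTED-SAMPLE-KEY-MATERIAL\n")  # not a real key

        skill = base / "my-skill"
        (skill / "scripts").mkdir(parents=True)
        (skill / "SKILL.md").write_text("# my-skill\n")
        (skill / "scripts" / "run.py").write_text("print('hi')\n")
        (skill / "notes.txt").symlink_to(secret)  # the crafted entry

        vuln_out = base / "vuln.skill"
        vuln_entries = package_skill_vulnerable(skill, vuln_out)
        with zipfile.ZipFile(vuln_out) as zf:
            leaked = zf.read("notes.txt").decode()  # target content, not a link

        try:
            package_skill_hardened(skill, base / "safe.skill")
            rejected = None
        except UnsafeSkillError as e:
            rejected = str(e)

        # Drop the crafted link and the hardened packager accepts the skill.
        (skill / "notes.txt").unlink()
        clean_entries = package_skill_hardened(skill, base / "clean.skill")

    return {
        "vulnerable_entries": sorted(vuln_entries),
        "leaked": leaked,
        "rejected": rejected,
        "clean_entries": sorted(clean_entries),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the demo shows the vulnerable packager storing the outside file's bytes as notes.txt, while the hardened one stops with "symlink not allowed: notes.txt" before writing anything. Rejecting rather than skipping is deliberate: a silently dropped entry would produce a broken skill with no hint of why, and an author packaging a tree they did not write should be told the tree is crafted. The nlink check is a caveat rather than a guarantee: hard links cannot cross filesystems and most Linux systems restrict them with fs.protected_hardlinks, but where they are possible a symlink-only filter would miss them.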


Advisories
Source: Github GHSA
ID: GHSA-r6h2-5gqq-v5v6
Title: OpenClaw: Reject symlinks in local skill packaging script
History

Tue, 24 Feb 2026 20:15:00 +0000
  Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 20:45:00 +0000
  CPEs added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Metrics (cvssV3_1) added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Mon, 23 Feb 2026 15:00:00 +0000
  First Time appeared: Openclaw; Openclaw openclaw
  Vendors & Products added: Openclaw; Openclaw openclaw

Sat, 21 Feb 2026 09:30:00 +0000
  Description added: OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents. If exploited, this vulnerability can lead to potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact, but requires local execution of the packaging script on attacker-controlled skill contents. This issue has been fixed in version 2026.2.18.
  Title added: OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
  Weaknesses added: CWE-61
  References:
  Metrics (cvssV4_0) added: {'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:15:59.411Z

Reserved: 2026-02-19T19:46:03.541Z

Link: CVE-2026-27485

Vulnrichment

Updated: 2026-02-24T18:15:52.852Z

NVD

Status: Analyzed

Published: 2026-02-21T10:16:12.723

Modified: 2026-02-23T20:43:11.533

Link: CVE-2026-27485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses