OpenClaw’s host‑environment sanitization in host‑env‑security-policy.json and host‑env‑security.ts is incomplete, allowing attackers who control package‑manager environment variables to override how packages are resolved or how the runtime is bootstrapped. By injecting malicious overrides, an attacker can redirect package resolution or bootstrap to attacker‑controlled infrastructure and execute trojanized content. This flaw is a classic supply‑chain redirection and is mapped to CWE‑183, Unauthorized Modification of Code Execution Path.

All deployments of the OpenClaw framework older than version 2026.3.22 are potentially affected. The vulnerability exists in the OpenClaw core package and its configuration files. Any environment where host‑env‑security‑policy.json is not enforced or can be modified during runtime is at risk.

The CVSS score of 8.5 classifies this issue as high severity. With EPSS data unavailable and no indication that it has been recorded in the CISA KEV catalog, the established risk is not driven by active exploitation reports yet but by the high potential for widespread compromise, especially in environments that perform out‑of‑band package resolution. Attackers would need to supply a malicious package or manipulate installation scripts, but once the override is in place, execution of trojanized content is trivial. Because the vulnerability is a supply‑chain attack vector, the broad impact could extend to all data and services accessed by the affected applications. In short, the exploitability is medium‑low to early‑stage, but the severity remains high.