OpenClaw, an npm package for managing developer workspaces and hooks, carries a high-severity vulnerability in versions up to 2026.3.28. Attackers can exploit a workspace’s .env file to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable. This swaps out trusted, bundled hooks—meant to run by default—with malicious code from an untrusted workspace.
The issue surfaced in a security advisory marked as high severity, with triage still open as of the latest check. Maintainers confirmed that even version 2026.3.28 fails to block this override. If you pull a malicious workspace into your project, its .env injects attacker-controlled hooks. These hooks execute automatically during common operations like cloning, installing dependencies, or running scripts.
How the Exploit Works
OpenClaw bundles hooks in a trusted directory for consistent behavior across workspaces. These handle tasks like pre-commit checks or post-install scripts. The vulnerability stems from OpenClaw reading OPENCLAW_BUNDLED_HOOKS_DIR from the workspace’s .env file without validation.
An attacker crafts a poisoned workspace: they set OPENCLAW_BUNDLED_HOOKS_DIR to point to a local directory containing malicious scripts. When you integrate this workspace—say, via npm workspace or yarn workspaces—the hooks load from there. Hooks run with your local privileges, potentially stealing credentials, installing malware, or exfiltrating data.
This mirrors classic supply chain risks, akin to the 2020 SolarWinds breach or recent npm typosquatting attacks. But here, it’s workspace-local: no need for package publication. A collaborator with push access to a shared repo suffices. In monorepos, where teams share codebases, this amplifies risk.
Affected Versions and Scope
The vulnerable range covers all versions of the openclaw npm package up to and including 2026.3.28. The latest published version sits at 2026.3.31, which patches the issue. Check your package.json or run
npm ls openclawto verify.
Over 10,000 weekly downloads as of recent npm stats put this in moderate adoption territory—not Ethereum-level, but enough for real exposure in dev tooling stacks. If your project uses OpenClaw for hook management in a multi-workspace setup, audit immediately.
Fix and Mitigation
Maintainers pushed the patch in commit 330a9f98cb29c79b1c16a2117e03d6276a0d6289 on March 31, 2026, at 19:25:12+09:00. The fix, credited to reporter @nexrin, likely hardens environment variable handling to ignore or sanitize workspace .env overrides for critical paths. Update to >=2026.3.31 via
npm update openclawor pin in your lockfile.
Until patched, mitigate by scanning workspaces for suspicious .env files—grep for OPENCLAW_BUNDLED_HOOKS_DIR. Run OpenClaw in a sandbox or VM for untrusted repos. Prefix your env with trusted values: export OPENCLAW_BUNDLED_HOOKS_DIR=/path/to/trusted/hooks before invoking.
Why this matters: Dev tools like OpenClaw sit at the trust boundary between your machine and external code. A single compromised workspace turns your local env into an attack vector. In 2024 alone, npm saw over 1,200 malicious packages; workspace poisoning adds a stealthier layer. Teams should treat .env as hostile by default—never trust user-supplied env in hooks.
Skeptically, the version numbering (2026.x) raises eyebrows—perhaps a forward-dated scheme or internal versioning—but the mechanics check out. OpenClaw’s maintainers acted fast post-report, a good sign. Still, this underscores a broader lesson: validate all env vars in security-sensitive paths. Devs, lock your hooks; don’t let workspaces rewrite your rules.
