
[LOW] Security Advisory: OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) (openclaw)

OpenClaw, an npm package billed as a user-controlled local assistant, shipped with a flaw in versions up to 2026.3.30. Developers overlooked Git plumbing environment variables like GIT_DIR, GIT_WORK_TREE, and others in the denylist for child process executions. Attackers with env var control could redirect Git operations to unintended repositories.

This mirrors GHSA-m866-6qv5-p2fg, a vulnerability class hitting multiple projects. In Node.js, child_process.exec and spawn hand the parent's process.env to the child unless the env option is set explicitly. OpenClaw executes host commands without scrubbing these vars, opening a path for manipulation.

Technical Breakdown

Git relies on environment variables for low-level “plumbing” commands. GIT_DIR points to the Git repository directory, overriding defaults. Set it to an attacker-controlled path, and a git clone or git push hits their server instead. Combine with GIT_WORK_TREE for working directory overrides, and you manipulate repo state remotely.

OpenClaw’s trust model assumes a single user on a local machine—no multi-tenant isolation. Impact stays within that scope: a malicious script or compromised extension could abuse this if OpenClaw runs Git commands. No remote code execution without prior access, but it amplifies local threats. For instance, if the assistant processes untrusted input leading to shell exec, tainted env vars turn a simple Git op into data exfiltration.

Affected package: openclaw npm, versions <= 2026.3.30. Patched in 2026.4.8. The fix lands in commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 on main. Developers verified it with regression tests targeting the exec boundary.

Fix Details

To replicate pre-patch, set export GIT_DIR=/tmp/evil, then trigger an OpenClaw exec involving Git. Post-patch, the denylist includes these vars, so child processes start clean. Example patch logic likely resembles:

const child_process = require('child_process');

// Start from the inherited environment, then drop the git plumbing
// variables so the child cannot be pointed at another repository.
const cleanEnv = { ...process.env };
delete cleanEnv.GIT_DIR;
delete cleanEnv.GIT_WORK_TREE;
// ... other git vars
child_process.exec(command, { env: cleanEnv }, callback);

They re-tested against main before release. Credits go to @boy-hack from Tencent’s zhuque Lab for the report—quick turnaround from disclosure to patch.

Update now if you’re on an affected version: npm install openclaw@2026.4.8. No zero-day exploitation reported, but Git’s ubiquity in dev tools makes this a repeat offender.

Why This Matters

Even in “user-controlled” setups, env var leaks erode defenses. Local assistants like OpenClaw often chain to shell tools—Git, curl, whatever—for tasks. One missed var turns privilege escalation into reality if upstream code is buggy. We’ve seen variants in GitHub Actions runners, IDE plugins, and CI pipelines; GHSA-m866-6qv5-p2fg flagged similar gaps in other repos.

Broader context: Node.js devs underestimate env inheritance. OWASP lists it under A8:2017 Software Integrity, but it’s basic hygiene. Stats from Snyk show thousands of env-related alerts yearly. Skeptically, OpenClaw’s versioning (2026.x?) raises eyebrows—non-standard, harder to track. Still, fair play: they scoped the advisory tightly, patched fast, and verified.

Implications for users: Audit your local toolchain. Run assistants in sandboxes (e.g., Firejail, Docker) to contain spills. For devs: Always explicit-env execs. Tools like safe-spawn or custom denylists prevent this. This vuln underscores Git’s power—and peril—in scripted environments. Patch, then harden.

April 10, 2026 · 3 min · 9 views · Source: GitHub Security