OpenClaw, an npm package used in CLI tools, exposes users to ANSI escape sequence injection in its ACP approval prompts. Versions from 2026.2.13 to 2026.3.24 let untrusted tool metadata inject control sequences that spoof terminal output. Developers fixed it in version 2026.3.25 via commit 464e2c10a5edceb380d815adb6ff56e1a4c50f60. If you run affected versions, update now—attackers could trick you into approving malicious actions.
The Vulnerability
ACP tool titles in OpenClaw previously passed directly into approval prompts and permission logs without sanitization. Attackers craft these titles with ANSI escape sequences—standard terminal control codes like CSI (Control Sequence Introducer) for colors, cursor movement, or screen clearing. In a vulnerable setup, a malicious title renders in your terminal, overlaying fake text over legitimate prompts.
Security researchers verified the issue on tag v2026.3.24. They injected sequences that spoofed the approval dialog, making it appear as if OpenClaw requested benign permissions while hiding the real, dangerous ones. The fix sanitizes titles at the source and expands stripping to cover full CSI sequences, not just partial escapes.
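The difference between partial and full CSI stripping, shown as an added JavaScript example; this is not OpenClaw's code or the contents of the fix commit. The function names (stripSgrOnly, sanitizeTitle, renderApprovalPrompt), the length cap and the sample title are assumptions constructed for illustration.

```javascript
'use strict';

// ECMA-48 CSI sequence: ESC [ (or the 8-bit form 0x9B), then parameter
// bytes 0x30-0x3F, intermediate bytes 0x20-0x2F, and one final byte 0x40-0x7E.
const CSI = /(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/g;
// Every remaining C0/C1 control character: bare ESC, CR, BS, BEL, newline...
const CONTROL = /[\x00-\x1f\x7f-\x9f]/g;

// Illustrative partial stripper (assumption, not the pre-fix OpenClaw code):
// it removes colour (SGR) sequences only and leaves cursor/erase codes intact.
function stripSgrOnly(s) {
  return String(s).replace(/\x1b\[[0-9;]*m/g, '');
}

// Sanitize untrusted tool metadata once, at the point where it enters the
// program, so prompts and permission logs both receive the cleaned value.
function sanitizeTitle(raw, maxLen = 120) {
  const clean = String(raw)
    .replace(CSI, '')        // drop complete CSI sequences
    .replace(CONTROL, ' ')   // neutralise any other control character
    .replace(/\s+/g, ' ')    // keep the title on a single line
    .trim();
  return clean.length > maxLen ? clean.slice(0, maxLen - 1) + '…' : clean;
}

// Hypothetical prompt renderer: only the sanitized title reaches the terminal.
function renderApprovalPrompt(toolTitle) {
  return `Allow tool "${sanitizeTitle(toolTitle)}"? [y/N] `;
}

// Constructed sample: erase-line, cursor-to-column and colour codes in a title.
const sampleTitle = 'export_secrets\x1b[2K\x1b[1G\x1b[32mlist_files\x1b[0m';

// JSON.stringify makes surviving escape bytes visible instead of executing them.
console.log('partial:', JSON.stringify(stripSgrOnly(sampleTitle)));
console.log('full:   ', JSON.stringify(sanitizeTitle(sampleTitle)));
console.log(renderApprovalPrompt(sampleTitle));
```

With full stripping the whole title stays visible as plain text, so the reviewer sees every character the tool supplied.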
OpenClaw follows a YYYY.M.DD versioning scheme, explaining the 2026 dates—likely an internal or project-specific convention. At verification, npm’s latest was 2026.3.24, so many users pulled the vulnerable code automatically via dependency resolution.
Why This Matters
Terminal spoofing ranks among the sneakiest CLI attacks. Unlike web popups, terminals lack built-in UI isolation; ANSI codes manipulate the display directly. An attacker doesn’t need code execution—just metadata control, common if OpenClaw fetches tools from untrusted sources.
Implications hit developers hard. Imagine a prompt reading “Approve OpenClaw access to /etc/shadow?” but spoofed to show “Approve harmless config read?” You click yes, granting root-like access. Logs suffer too: fake entries could mislead audits or hide exploits. In chains like CI/CD pipelines, this escalates to supply-chain compromise.
Npm hosts over 2 million packages; vulns like this surface weekly. Snyk or Socket scanned this one as medium severity, but real-world risk depends on trust in tool metadata. OpenClaw’s ACP (possibly Apple Certificate Provider or similar CLI context) targets security-sensitive workflows, amplifying damage. Past incidents, like the 2021 Codecov breach or 2023 3Malware npm attacks, show metadata as a weak link.
Skeptically, the patch landed fast on main branch, but why ship unsanitized inputs in 2026.2.13+? Basic input validation should catch this. Still, credit the team for quick remediation—users updating via npm audit fix stay safe.
Fix and Protection Steps
Upgrade to 2026.3.25 or later. Run npm install openclaw@latest or npm audit fix. Verify the commit 464e2c10a5edceb380d815adb6ff56e1a4c50f60 in your local repo: git log --format=%H | grep 464e2c10 (full hashes are printed so the match does not depend on how git abbreviates them).
Beyond patching, audit your stack. Use tools like npm ls openclaw to find versions across projects. Enable npm’s audit and fund features for proactive scans. For terminals, pipe output through an ANSI stripper that removes complete CSI sequences, not only color codes, such as LC_ALL=C sed -r "s|\x1B\[[0-?]*[ -/]*[@-~]||g" as a stopgap.
Broader defenses: Lock dependencies with package-lock.json or yarn.lock. Run CLIs in containers to sandbox approvals. Train teams on terminal phishing—real prompts don’t flicker or erase history suspiciously. In security tools like OpenClaw, demand zero-trust metadata: sign and verify all inputs.
This advisory underscores CLI fragility. With npm downloads hitting 1.5 billion weekly, one bad package ripples far. Stay vigilant—update, verify, isolate.